Ai-Fi/Counterseal Identities


To Sign-Up (or Not to Sign-Up)

No Sign-Up Required?

Ai-Fi.net maintains no records or accounting on individual users; hence there is no sign-up required.

Instead, your requests for the various Ai-Fi services are fully anonymous and involve only a few PKI key pairs that you maintain in your Ai-Fi Central app or Counterseal app for the express purpose of paying for services, much as in Bitcoin trading. Your fees to Ai-Fi.net, when required, are transacted through those crypto accounts, each dedicated to its specific function, without the known risk of the de-anonymizing heuristics used against Bitcoin. Payment is not tied to any of your PII (Personally Identifiable Information) and, with the Tor Onion Routing option, not even to your IP addresses. (Currently this "Ai-Fi principle of payment" is not much more than a pledge from Ai-Fi.net. We commit to this pledge by not keeping track of any PII of our users.)

User Identities in Social Networks

While by design there is no need to be represented by an account when dealing with Ai-Fi.net, in almost all other social interactions the participants do need to be represented by some appropriately defined identity. As SecureEmail/PlexiMail is an integral part of Ai-Fi.net, all Counterseal email addresses are published on the "Ai-Fi Blockchain Registry", which physically resides on the Stellar Blockchain and is fully transparent. Each entry, namely the associated SecureEmail/PlexiMail address, is vetted by Ai-Fi.net by requiring the original requester to demonstrate ownership of the email address when it is first entered into the registry. The requester, i.e. the owner of the email address, is then allowed to attach a cryptographic key pair from their Ai-Fi Identity Wallet to the entry. After creation, all transactions or changes affecting the entry's ownership or associated resources (such as the pre-key store location) are publicly disclosed on the same blockchain registry and can be monitored by any visitor. Only the owner, with verifiable possession of the key pair, is allowed to make modifications.

Currently each Counterseal app is allowed to bind with a single email address.

Bind to Ai-Fi Blockchain Registry

To all the popular email service providers, the Ai-Fi SecureEmail/PlexiMail app is considered a 3rd-party email client through which you access the emails stored with your chosen email provider (gmail, outlook, aol, yahoo, etc.). To protect the security of your emails and to prevent any 3rd party from misusing your password or other credentials, email providers typically require the 3rd party to follow the OAuth2 standard for email access authorization, which in turn requires going through the OAuth2 certification process. Ai-Fi Central is committed to this standard, but conforming takes time. For now, we work with those email providers as a "legacy" app and ask users to allow us to sign in with their password, except for gmail, which permits us to run our not-yet-certified OAuth2 implementation (with lots of warning messages). Please look for the appropriate section below for working with your email provider.

Gmail

If you choose to bind a gmail mailbox to Ai-Fi, the binding is actually done through OAuth2, except that our implementation is not yet certified. For now, answer all gmail questions correctly and ignore the warnings about the fact that we are not yet established as a recognized Google application. The binding succeeds if your Google credentials are entered correctly. On your gmail client on the PC, there will be two "Security alert" messages.

Outlook

The free Outlook email account remains our favorite email service that doesn't force its users to reveal their PII. It is reliable, reasonable in performance and, at 400 million subscribers, ranked third in email client market share (after gmail and Apple iPhone mail). It offers a large crowd for any burner email account to blend in with.

To access the Outlook email service, log in with your Outlook password. Depending on how you've set up your profile and the security procedure you've defined for your account, you may need to answer a few questions in your Outlook client on your PC, upon receiving a security notification from Outlook, to authenticate the access from Ai-Fi PlexiMail/SecureEmail.

Aol & Yahoo

Until we complete the OAuth2 certification with Aol or Yahoo Mail, the only option is to use an "app specific password" to log into their email services. This is a long, randomly generated code that gives us permission to access your Yahoo or Aol account. The steps for generating it are well documented at Generate and manage third-party app passwords. (Specifically, for Aol Mail, go to the inbox, select "Options" on the upper right under the account ID, select "Account Security", select "Manage app passwords", select "Other App", create a "custom name" to identify this instance of the app, and finally "Generate". For Yahoo! Mail, select "Account Info" under your Yahoo account ID on the upper right, select "Account Security", log in if required, and follow the "Manage app passwords" instruction path. The rest is similar to the Aol Mail case.)

Others

For other email services, if entering your password does not get you through to your email service, you may need to answer many configuration questions specific to your email server, possibly including nonstandard IMAP ports and the server address. As mentioned previously, it may not be to your advantage to stick to your old email address, which most likely has been "pwned" and would unquestionably lead back to all your other cyber footprints from the past. Adopting a new email address may be in order.

Pay with Cryptocurrencies

Consistent with its privacy focus and its aversion to any apparatus that could incur trackability, and even without requiring user sign-up, Ai-Fi.net collects service fees only through cryptocurrencies, per service request, which also enables our fee-collection scheme at the microscale. If you are not experienced with cryptocurrency, this is an opportunity to get your feet wet with very limited financial exposure. With governments worldwide printing paper money like there's no tomorrow, diluting our wealth without representation, cryptocurrencies will be increasingly critical in their role of protecting our financial interests.

During the installation and trial period for Ai-Fi Central, an expense of around 10 Stellar Lumens (XLM, less than $1) is incurred to "bind" one of your email addresses to the Ai-Fi Blockchain Registry during the SecureEmail start-up process; this binding becomes your Ai-Fi identity. This expense goes to the Stellar Open Network for establishing ownership of your email address on the Stellar blockchain inexpensively and permanently ("immutability" in blockchain lingo). The rationale behind this registration requirement is explained at great length in our blog "How Secure Is Your Secure Email".

There are many channels available for purchasing Stellar XLM coins. For example, after signing up for an account with Paybis and using your personal debit card, you can instantly purchase XLM (minimum purchase of $15). Use the Stellar ID/Address copied from one of the Ai-Fi Central installation steps to receive them. These first 10 XLM are a non-recurring charge to establish your first Ai-Fi SecureEmail "identity" on the Ai-Fi Blockchain Registry. Once purchased and received, the remaining coins can be moved around freely. Any future "re-binding" will incur half of the charge, for example after losing your mobile phone or accidentally deleting the Ai-Fi Central app and losing the recovery passphrase. Binding to a new SecureEmail address that has never been used before incurs the full 10 XLM.

Acquire Anonymity

If the binding is for a "burner" email address, you may want to do a bit more work in procuring your Stellar XLM coins anonymously. Otherwise, your SecureEmail address would be linked to some of your PII through the first payment in purchasing the crypto coins. There are plenty of tips around on the web for this purpose, including digital currencies such as Monero, DASH and Verge. For a small fee, find a Bitcoin ATM which skips verification.

Please be cautioned that cryptocurrencies in general are on the radar of many government agencies, with Monero and its ilk more so than others. Engage in this anonymization effort only to protect your privacy, not to commit illegal activities. The tiny fees we sometimes charge probably don't attract much unwanted attention.

Go Incognito with Ai-Fi Cloud

There are two documents giving more details on how to safekeep your secrets through Ai-Fi:

Manage Secret Crypton Tokens

Ai-Fi Secret Tokens are data blobs that are not only privately encrypted but also totally untraceable to their original owners. They turn the public Ai-Fi cloud into a private repository. They are commonly used for anonymously storing passwords, mnemonic passphrases, and many other secret texts.

To manage the Incognito tokens:

  1. Tap the SuperLock shortcut on Main.
  2. Select "Ai-Fi Crypton Tokens in Incognito Cloud".
  3. Choose "Creating New Tokens" or "Editing Tokens" as needed. Identify the token by entering your private email address (used as salt) and a Passphrase (of at least 100-bit entropy); together these uniquely define/identify the token, which contains multiple content sections indexed by their "labels".

The creation, administration, and payment for Ai-Fi Crypton Tokens are anonymous, impervious even to Ai-Fi.net as the service provider.
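The 100-bit passphrase requirement above is easier to reason about with numbers. The following added example (not Ai-Fi's own code) estimates a passphrase's entropy with a simple heuristic and derives a hypothetical token locator from the email-as-salt and the passphrase; the PBKDF2 derivation, the 7776-word list size and the `token_locator` name are assumptions for illustration, not the app's actual scheme.

```python
import hashlib
import math

MIN_ENTROPY_BITS = 100      # minimum the page states for a token passphrase
WORDLIST_SIZE = 7776        # assumption: a diceware-style list of 6^5 words


def estimate_entropy_bits(passphrase: str) -> float:
    """Conservative heuristic: a multi-word phrase of plain words is scored as
    uniform picks from a 7776-word list; anything else as uniform characters
    drawn from the pool of character classes actually present."""
    words = passphrase.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)      # 8 words ~ 103 bits
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() and not c.isspace() for c in passphrase):
        pool += 33                                         # printable symbols
    return len(passphrase) * math.log2(pool) if pool else 0.0


def token_locator(email: str, passphrase: str, iterations: int = 200_000) -> str:
    """Hypothetical token locator: the email address acts as the salt and the
    passphrase as key material, stretched with PBKDF2-HMAC-SHA256 (assumed
    construction). Refuses passphrases estimated below the 100-bit minimum."""
    bits = estimate_entropy_bits(passphrase)
    if bits < MIN_ENTROPY_BITS:
        raise ValueError(f"passphrase estimated at {bits:.0f} bits, need {MIN_ENTROPY_BITS}")
    salt = email.strip().lower().encode()                  # normalise the salt
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, 32).hex()
```

The same email and passphrase always yield the same locator, while a different email yields an unrelated one, which is why both are needed to find a token again.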

Multi-Share Secret Distribution

TBD

Bitcoin/Crypto-Wallet Seed Passphrases

Ai-Fi.net provides a number of ways to keep your seed passphrases safe. These protection schemes are designed to protect any text, and do not need to conform to BIP39, BIP44, or any other crypto-wallet standard. Many cryptocurrency owners find Ai-Fi's SuperLock highly useful as an alternative to keeping the secret passphrase on paper. Bitcoin is named here for its popularity; the tools described here apply to many other crypto-wallets. Learn more about Ai-Fi Tokens and Multi-Share Secret Distribution here.

Lock Secrets into Ai-Fi Incognito Cloud

The complete passphrase may be stored as an Ai-Fi portable token:

  1. Tap the SuperLock shortcut on Main.
  2. Select "Ai-Fi Crypton Tokens in Incognito Cloud".
  3. "Creating New Tokens" if the secret is to be entered into a new portable token, or "Editing Tokens" if it is to be part of an existing token.
  4. Enter your secret texts, email, token passphrase and a label for the newly entered secret.

If you are not comfortable writing down your secret on a piece of paper but are not ready to commit it to the Ai-Fi Incognito Cloud, the mechanism below splits your secret into multiple independent parts that are stored separately.

Split the Secret into Multiple Parts

The technology behind the "Multi-Share Secret Distribution" or "Shamir's Secret Sharing" is detailed in a separate help document.

  1. Tap the SuperLock shortcut.

  2. Select "Multi-Share Secret Distribution".

  3. Give a name (the "Multi-Share ID") to the secret that is to be transformed into a multi-share secret, and enter your secret text.

  4. Although Shamir's Secret Sharing scheme allows splitting a secret into any number of secret shares (Recovery Keys), currently only 3 are allowed, for simplicity.

    • Key #1 is always stored locally with the Ai-Fi Central app.
    • Key #2 and #3 may be stored as portable tokens in the Ai-Fi Incognito Cloud, exported as files, or simply displayed for copying. Make sure they are kept separately, away from the phone.

To recover the original secret on the same phone on which Ai-Fi Central runs (where Key #1 is already stored), you need one of the other keys, Key #2 or Key #3, depending on how they are stored. In the unfortunate event that the phone is lost, you need both Key #2 and Key #3 to recover. In other words, losing any one of the 3 keys does not prevent recovery.
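The 2-of-3 rule just described (Key #1 plus either Key #2 or Key #3 on the same phone, or Key #2 plus Key #3 after losing the phone) follows directly from Shamir's scheme with threshold 2. The following is an added illustration, not Ai-Fi's implementation: a byte-wise Shamir split over GF(2^8), with share ids 1, 2, 3 standing in for Key #1, #2 and #3; the function names and the sample seed phrase are constructed for this example.

```python
import secrets


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) using the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8): a^254, since a^255 == 1 for a != 0."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def split_secret(secret: bytes, shares: int = 3, threshold: int = 2) -> dict:
    """Split `secret` into `shares` Recovery Keys; any `threshold` of them recover it.
    Each byte becomes the constant term of a random polynomial of degree threshold-1,
    and share i holds that polynomial evaluated at x = i (ids start at 1, never 0)."""
    out = {i: bytearray() for i in range(1, shares + 1)}
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, ys in out.items():
            y = 0
            for c in reversed(coeffs):          # Horner evaluation at x
                y = _gf_mul(y, x) ^ c
            ys.append(y)
    return {i: bytes(v) for i, v in out.items()}


def recover_secret(shares: dict) -> bytes:
    """Lagrange interpolation at x = 0 over GF(2^8), byte by byte."""
    ids = list(shares)
    length = len(next(iter(shares.values())))
    secret = bytearray()
    for pos in range(length):
        acc = 0
        for i in ids:
            num = den = 1
            for j in ids:
                if i != j:
                    num = _gf_mul(num, j)       # (0 - x_j) is just x_j in GF(2^8)
                    den = _gf_mul(den, i ^ j)   # (x_i - x_j) is x_i XOR x_j
            acc ^= _gf_mul(shares[i][pos], _gf_mul(num, _gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


if __name__ == "__main__":
    seed = b"abandon ability able about above absent"   # constructed, not a real seed
    k = split_secret(seed)                              # Key #1, #2, #3 as in the app
    assert recover_secret({2: k[2], 3: k[3]}) == seed   # lost phone: Key #2 + Key #3
```

With threshold 2, any single share is one point on a random line and carries no information about the secret byte, which is why a lone Key #1 on a stolen phone is useless by itself.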

Counterseal Wallet & Threshold Signature

There is an Ai-Fi utility specifically designed for signing Bitcoin transactions based on the latest Threshold Signature technology, involving two independent signing parties. The foundational Crypton token support greatly enhances its usability, even when multiple software components running on separate platforms are involved.

Due to its specialized use case a separate document is provided.

Wallet Recovery

Recover from Losing Your Phone

Download and re-install Ai-Fi Central. Launch the app and select the "Recover ..." option on the start-up screen.

If the original recovery passphrase was recorded on a piece of paper, you need to type the full passphrase precisely as originally entered. If you lose your paper record, we can't help you recover it.

If the original recovery passphrase was saved as a Portable Token in Ai-Fi Incognito Cloud, enter the original Email Address used and the passphrase for the token. Once the token is retrieved, select the correct label originally entered to retrieve the recovery passphrase.

If the original recovery passphrase was protected by the Multi-Share Secret Distribution scheme (Shamir's Secret Sharing), you need to recover the two secret shares (originally Key #2 and Key #3) that were not physically stored on the original phone.

If any of your crypto accounts is based on Threshold Signature with multiple signers, you need to take additional steps to recover those. Due to its complexity, please refer to its specific documentation.

Once the wallet is recovered, the keys for previous or older versions of Ai-Fi SecureEmail may be restored automatically by retrieving their Hosted Tokens from the Ai-Fi Incognito Cloud. A similar recovery is carried out for DigiVault if the Auto-Sync option was enabled.

Recover After Deleting the App

Same as losing your phone.

Change Wallet Recovery Option

TBD

DigiVault/CryptoVault Backup and Sync

Auto-Sync to a Hosted Crypton Token

The DigiVault is physically hosted in your Ai-Fi Central app on your phone. To avoid losing it, you may back it up to the Ai-Fi Incognito Cloud as a hosted Crypton Token and keep it synced with your DigiVault app by:

  1. "Settings"
  2. Under "AI-FI DIGIVAULT", enable "Auto-Sync"

If you are not comfortable with the Ai-Fi Incognito Cloud, select "Databases Import/Export" under "AI-FI DIGIVAULT" to place it on any of your home servers instead.

Export/Import DigiVault Database

  1. Click on Ai-Fi Central Main "Settings" on the upper right.
  2. Under "AI-FI DIGIVAULT", enter "Import/Export".
  3. A network link is displayed over a dark background, indicating that Ai-Fi Central is now dedicated to "Import/Export" commands.
  4. Run a browser on the separate PC from which you want to recover or store the DigiVault database files, and enter the network link displayed on the dark screen of Ai-Fi Central.
  5. On the PC, the Ai-Fi Central upload/download/folder-management screen is displayed with a list of existing database files. Follow the on-screen instructions: "Upload" to recover an older version (typically) of the DigiVault, and the "Download" command icon to the left of a file to download it from Ai-Fi Central for backup or archiving.
  6. When completed on the PC, go back to Ai-Fi Central and exit the dark screen by pressing the "Stop" button.

SecureEmail

Bind Your Email Addresses

Ai-Fi Services adopts the Signal Protocol for establishing end-to-end encryption with Future Secrecy, which is considered stronger than TLS in protecting the communication between end points. The identity of the end points of a Signal Protocol session is established by registering the owner of the email address, as represented by one of their PKC key pairs, in the Ai-Fi Blockchain Registry after ownership verification, without any need to trust credentials issued by a third-party Certificate Authority.

Send Email to Non Ai-Fi Recipients

You will be alerted when sending a SecureEmail to a non-Ai-Fi recipient. Since the recipient lacks an Ai-Fi Wallet, an end-to-end secure channel cannot be established. However, Ai-Fi.net offers a temporary repository for your email and will send a notification email to the recipient about your attempt. You need to prepare a "password" and communicate it to your intended recipient so that they can retrieve the email confidentially by visiting the Ai-Fi repository with the password. Obviously the communication is no longer end to end. This mechanism is typically used to invite your friends to join the Ai-Fi community.

Anonymize through Cover Address

Any email sent to a cover address is encrypted by Ai-Fi.net upon reception and forwarded to the specified destination email address, as set up below. Your email service provider will not be able to read it, and the sender has no record of your private email address. If your email provider is Gmail, this puts a damper on its attempt to record all your shopping transactions, which go back as far as 15 years as widely reported.

Set up a confidential email address with an e-merchant:

  1. Enter into settings.
  2. Select "Mailboxes".
  3. Select the destination email address entry.
  4. Select "Cover Addresses".
  5. Tap "+" to create a new cover address, which is a unique 12-char mailbox ID (local part) with the domain "ai-fi.net".
  6. Enter this newly created "cover address" to your e-merchants (e.g. amazon.com, target.com).

To further strengthen the safety of email delivery and avoid man-in-the-middle attacks, the email transport may be encrypted end-to-end if the sender (e-merchant) opts to run the Ai-Fi SecureEmail Enterprise Edition.

Archive your SecureEmail Keys

  1. Tap the SuperLock shortcut.
  2. Select "Secure Email"
  3. Enable "Auto-Upload keys"

Learn more about Secure Email Archive.

Archive your SecureEmail Contents

The keys for your SecureEmails are secured separately from their content, which is kept in the repositories of your email providers. A popular request is to archive those emails from your email providers before deleting them there:

  1. "Settings"
  2. Under "AI-FI Mail", select "Emails Backup/Restore"
  3. TBD

Cleanly deleting those emails from your email providers is not always achievable. Go here to find out more about this issue.