Network Working Group M. Miller
Internet-Draft P. Saint-Andre
Obsoletes: 3923 (if approved) Cisco
Intended status: Standards Track March 1, 2010
Expires: September 2, 2010
End-to-End Object Encryption for the Extensible Messaging and Presence
Protocol (XMPP)
draft-miller-3923bis-00
Abstract
This document defines a method of end-to-end object encryption for
the Extensible Messaging and Presence Protocol (XMPP). The protocol
defined herein is a simplified version of the protocol defined in RFC
3923.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 2, 2010.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Miller & Saint-Andre Expires September 2, 2010 [Page 1]
Internet-Draft XMPP E2E March 2010
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Securing XMPP Stanzas . . . . . . . . . . . . . . . . . . . . . 3
3.1. Example of Securing Messages . . . . . . . . . . . . . . . 4
4. Handling of Inbound Stanzas . . . . . . . . . . . . . . . . . . 5
5. Inclusion and Checking of Timestamps . . . . . . . . . . . . . 6
6. Mandatory-to-Implement Cryptographic Algorithms . . . . . . . . 7
7. Certificates . . . . . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . . 8
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
9.1. XML Namespace Name for e2e Data in XMPP . . . . . . . . . . 8
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . . 8
10.2. Informative References . . . . . . . . . . . . . . . . . . 9
Appendix A. Schema for urn:ietf:params:xml:ns:xmpp-objenc . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
Miller & Saint-Andre Expires September 2, 2010 [Page 2]
Internet-Draft XMPP E2E March 2010
1. Introduction
End-to-end encryption of traffic sent over the Extensible Messaging
and Presence Protocol [XMPP-CORE] is a desirable goal. Requirements
and a threat analysis for XMPP encryption are provided in [E2E-REQ].
Many possible approaches to meet those (or similar) requirements have
been proposed over the years, including methods based on PGP, S/MIME,
SIGMA, and TLS.
The S/MIME approach defined in RFC 3923 has never been implemented in
XMPP clients to the best of our knowledge, but has some attractive
features, especially the ability to store-and-forward an encrypted
message at a user's server if the user is not online when the message
is received (in the XMPP community this is called "offline storage"
and the message is referred to as an "offline message"). The authors
surmise that RFC 3923 has not been implemented mainly because it adds
several new dependencies to XMPP clients, especially MIME (along with
the CPIM and MSGFMT media types). Therefore this document explores
the possibility of an approach that is similar to but simpler than
RFC 3923, but that retains the same basic object encryption model.
2. Terminology
This document inherits terminology defined in [XMPP-CORE].
The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14, RFC 2119 [TERMS].
3. Securing XMPP Stanzas
The process a sending agent follows for securing stanzas is very
similar regardless of the form of stanza (i.e., , , or
).
1. Constructs a cleartext version of the stanza, S.
2. Notes the current UTC date and time N when this stanza is
constructed, formatted as per [DATETIME] and always including the
seconds (resulting in a datetime string 20 characters in length).
3. Converts the stanza to a UTF-8 encoded string, optionally
removing line breaks and other insignificant whitespace between
elements and attributes, i.e., UTF8-encode(S) = S'. We call S' a
"stanza-string" because for purposes of encryption and decryption
it is not treated as XML but as an opaque string (this avoids the
need for complex canonicalization of the XML input).
Miller & Saint-Andre Expires September 2, 2010 [Page 3]
Internet-Draft XMPP E2E March 2010
4. Creates a Message Authentication Code "M" for the stanza-string
S' using [HMAC]. The algorithm is SHA256 and the sender's public
key (R) is the secret. The input to HMAC-SHA256 MUST be the
timestamp from step 2 (conforming to [DATETIME] and always
including seconds) appended by the cleartext sanza-string S', as
follows:
HMAC-SHA256( SHA256(R), UTF8-encode(N+S') )
5. Prepends M (which will be 32 octets in length) to the stanza-
string S' to create a bytestring B.
6. Encrypts the bytestring B using the recipient's public key to
produce encrypted data T. (Note: This step is under-specified and
will be expanded in the next version of this document.)
7. Base64-encodes T to produce the encrypted data T'.
8. Constructs an element qualified by the
"urn:ietf:params:xml:ns:xmpp-objenc" namespace, with the
attribute 'stamp' set to the timestamp N from step 2, and with
the XML character data as T' from step 7.
9. Sends the element as the payload of a stanza that matches
the stanza from step 1 in both kind (e.g., ) and type
(e.g., "chat").
3.1. Example of Securing Messages
The sender begins with the cleartext version of the stanza
"S":
8996aef0-061d-012d-347a-549a200771aa
Wherefore art thou, Romeo?
The Message Authentication Code is constructed from (line endings are
included only for the sake of readability):
2010-02-28T18:00:00Z
8996aef0-061d-012d-347a-549a200771aa
Wherefore art thou, Romeo?
The sender then performs the steps from above, and sends the
following:
Miller & Saint-Andre Expires September 2, 2010 [Page 4]
Internet-Draft XMPP E2E March 2010
460f0da0-0628-012d-347b-549a200771aa
oOb/huFlvC17+XxZdye4BAj4jN2yWiSQZts7BctqZB+wo1tCfHE0w
BMQlof4\nC7KLn6+ktILqX6k5/IgQrwGF0hxKjFk44R01RcVmzlUS
0HaSEIQVQk/3r33c\n3/NKzN8Cq+yzZKfP/p3KkpHMixCUTEe7B38
Eu9h5hfs8PgXkb/GAdw7Ea/qW\nQgRjYcNl7jcplYY/FQQTEEfQoc
fKCbm/RaOsRSMnqGjkqGGt6+yQGWtvzSS2\nHD4/EHGV62IGz/sQH
5cAvloA9LqfiNh/oEm/UD2iLTAVj1BBS+WJZqMRznAJ\nNM4gF8vF
nDdLAMyeMZedlrHCS4lp6PzeblDD0Jk2HQ==
NOTE: The sender SHOULD include a with each chat to
maintain conversation continuity.
4. Handling of Inbound Stanzas
Several scenarios are possible when an entity receives an encrypted
stanza:
Case #1: The receiving application does not understand the protocol.
Case #2: The receiving application understands the protocol and is
able to decrypt the payload.
Case #3: The receiving application understands the protocol and is
able to decrypt the payload, but the timestamps fail the checks
specified under Checking of Timestamps (Section 5).
Case #4: The receiving application understands the protocol but is
unable to decrypt the payload.
In Case #1, the receiving application MUST do one and only one of the
following: (1) ignore the extension, (2) ignore the entire
stanza, or (3) return a error to the sender,
as described in [XMPP-CORE].
In Case #2, the receiving application MUST NOT return a stanza error
to the sender, since this is the success case.
In Case #3, the receiving application MAY return a
error to the sender (as described in [XMPP-CORE]), optionally
supplemented by an application-specific error condition element as shown below:
Miller & Saint-Andre Expires September 2, 2010 [Page 5]
Internet-Draft XMPP E2E March 2010
XML-character-data-here
In Case #4, the receiving application SHOULD return a
error to the sender (as described in [XMPP-CORE]), optionally
supplemented by an application-specific error condition element
as shown below:
XML-character-data-here
In addition to returning an error in Case #4 the receiving
application SHOULD NOT present the stanza to the intended recipient
(human or application) and SHOULD provide some explicit alternate
processing of the stanza (which may be to display a message informing
the recipient that it has received a stanza that cannot be
decrypted).
5. Inclusion and Checking of Timestamps
Timestamps are included to help prevent replay attacks. All
timestamps MUST conform to [DATETIME] and be presented as UTC with no
offset, including fractions of a second as appropriate. Absent a
local adjustment to the sending agent's perceived time or the
underlying clock time, the sending agent MUST ensure that the
timestamps it sends to the receiver increase monotonically (if
necessary by incrementing the seconds fraction in the timestamp if
the clock returns the same time for multiple requests). The
following rules apply to the receiving application:
o It MUST verify that the timestamp received is within five minutes
of the current time, except as described below for offline
messages.
Miller & Saint-Andre Expires September 2, 2010 [Page 6]
Internet-Draft XMPP E2E March 2010
o It SHOULD verify that the timestamp received is greater than any
timestamp received in the last 10 minutes which passed the
previous check.
o If any of the foregoing checks fails, the timestamp SHOULD be
presented to the receiving entity (human or application) marked as
"old timestamp", "future timestamp", or "decreasing timestamp",
and the receiving entity MAY return a stanza error to the sender.
The foregoing checks assume that the recipient is online when the
message is received. However, if the recipient is offline then the
server will probably store the message for delivery when the
recipient is next online (offline storage does not apply to or
stanzas, only stanzas). As described in
[OFFLINE], when sending an offline message to the recipient, the
server SHOULD include delayed delivery data as specified in [DELAY]
so that the recipient knows that this is an offline message and also
knows the original time of receipt at the server. In this case, the
recipient SHOULD verify that the timestamp received in the encrypted
message is within five minutes of the time stamped by the recipient's
server in the element.
6. Mandatory-to-Implement Cryptographic Algorithms
All implementations MUST support the following algorithms.
Implementations MAY support other algorithms as well.
o The RSA (PKCS #1 v1.5) key transport, as specified in [CMS-ALG]
section 4.2.1.
o The AES-128 encryption algorithm in CBC mode, as specified in
[CMS-AES].
o The SHA-256 hashing algorithm, as specified in [X509-ALGO].
7. Certificates
To participate in end-to-end encryption using the methods defined in
this document, a client needs to possess an X.509 certificate. It is
expected that many clients will generate their own (self-signed)
certificates rather than obtain a certificate issued by a
certification authority (CA). In any case the certificate MUST
include an XMPP address that is represented using the ASN.1 Object
Identifier "id-on-xmppAddr" as specified in Section 5.1.1 of
[XMPP-CORE].
Miller & Saint-Andre Expires September 2, 2010 [Page 7]
Internet-Draft XMPP E2E March 2010
8. Security Considerations
To follow.
9. IANA Considerations
9.1. XML Namespace Name for e2e Data in XMPP
A URN sub-namespace of signed and encrypted content for the
Extensible Messaging and Presence Protocol (XMPP) is defined as
follows.
URI: urn:ietf:params:xml:ns:xmpp-objenc
Specification: RFC XXXX
Description: This is an XML namespace name of signed and encrypted
content for the Extensible Messaging and Presence Protocol as
defined by RFC XXXX.
Registrant Contact: IESG,
10. References
10.1. Normative References
[CMS-AES] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax
(CMS)", RFC 3565, July 2003.
[CMS-ALG] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002.
[DATETIME]
Klyne, G. and C. Newman, "Date and Time on the Internet:
Timestamps", RFC 3339, July 2002.
[E2E-REQ] Saint-Andre, P., "Requirements for End-to-End Encryption
in the Extensible Messaging and Presence Protocol (XMPP)",
draft-saintandre-xmpp-e2e-requirements-01 (work in
progress), June 2009.
[TERMS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[X509-ALGO]
Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003.
Miller & Saint-Andre Expires September 2, 2010 [Page 8]
Internet-Draft XMPP E2E March 2010
[XMPP-CORE]
Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 3920, October 2004.
10.2. Informative References
[DELAY] Saint-Andre, P., "Delayed Delivery", XSF XEP 0203,
September 2009.
[HMAC] "The Keyed-Hash Message Authentication Code (HMAC):
Federal Information Processing Standards Publication 198".
[OFFLINE] Saint-Andre, P., "Best Practices for Handling Offline
Messages", XSF XEP 0160, January 2006.
Appendix A. Schema for urn:ietf:params:xml:ns:xmpp-objenc
The following XML schema is descriptive, not normative.
Miller & Saint-Andre Expires September 2, 2010 [Page 9]
Internet-Draft XMPP E2E March 2010
Authors' Addresses
Matthew Miller
Cisco
Email: mamille2@cisco.com
Peter Saint-Andre
Cisco
Email: psaintan@cisco.com
Miller & Saint-Andre Expires September 2, 2010 [Page 10]