Network Working Group | H. Marques |
Internet-Draft | pEp Foundation |
Intended status: Informational | B. Hoeneisen |
Expires: January 1, 2019 | Ucom.ch |
June 30, 2018 |
pretty Easy privacy (pEp): Contact and Channel Authentication through Handshake
draft-marques-pep-handshake-00
In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed; the latter to prevent man-in-the-middle (MITM) attacks.
This document proposes a new method to easily verify a public key is authentic by a Handshake process that allows users to easily verify their communication channel. The new method is targeted to Opportunistic Security scenarios and is already implemented in several applications of pretty Easy privacy (pEp).
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 1, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed.
Examples for key distribution include:
To prevent man-in-the-middle (MITM) attacks, additionally the authenticity of a public key needs to be verified. Methods to authenticate public keys of peers include, e.g., verify digital signatures of public keys (which may be signed in an hierarchical or flat manner, e.g., by a Web of Trust (WoT)), compare the public key’s fingerprints via a suitable independent channel, or scan a QR mapping of the fingerprint (cf. Section 3).
This document proposes a new method to verify the authenticity of public keys by a Handshake process that allows users to easily verify their communication channel. Fingerprints of the involved peers are combined and mapped to (common) Trustwords [I-D.birk-pep-trustwords]. The successful manual comparison of the these Trustwords is used to consider the communication channel as trusted.
The proposed method is already implemented and used in applications of pretty Easy privacy (pEp) [I-D.birk-pep]. This document is targeted to applications based on the pEp framework and Opportunistic Security [RFC7435]. However, it may be also used in other applications as suitable.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
To secure a communication channel, in public key cryptography the each involved peer needs a key pair. Its public key needs to be shared to other peers by some means. However, the key obtained by the receiver may have been substituted or tampered with to allow for re-encryption attacks. To prevent such man-in-the-middle (MITM) attacks, an important step is to verify the authenticity of a public key obtained.
Such a verification process is useful in at least two scenarios:
Current methods to authenticate public keys of peers include:
Some of the methods can even be used in conjunction with Trustwords [I-D.birk-pep-trustwords] or the PGP Word list [PGP.wl].
None of the existing solutions meets all requirements set up by pEp [I-D.birk-pep], e.g.:
Most of today’s systems lack easy ways for users to authenticate their communication channel. Some methods leak private data (e.g., their social graph) or depend on central entities. Thus, none of today’s systems fulfills all of the pEp requirements (cf. above).
In pretty Easy privacy (pEp), the proposed approach for peers to authenticate each other is to engage in the pEp Handshake.
In current pEp implementations (cf. Section 6.2), the same kinds of keys as in OpenPGP are used. Such keys include a fingerprint as cryptographic hash over the public key. This fingerprint is normally represented in a hexadecimal form, consisting of ten 4-digit hexadecimal blocks, e.g.:
Each block may also be represented in decimal numbers from 0 to 65535 or in other numerical forms, e.g.
In the pEp Handshake the fingerprints of any two peers involved are combined and displayed in form of Trustwords [I-D.birk-pep-trustwords] for easy comparison by the involved parties.
The default verification process involves three steps:
The more an ordinary user needs to contribute to a process, the less likely a user will carry out all steps carefully. In particular, it was observed that a simple (manual) comparison of OpenPGP fingerprints is rarely carried out to the full extent, i.e., mostly only parts of the fingerprint are compared, if at all.
For usability reasons and to create incentive for people to actually carry out Handshake (while maintaining an certain level of entropy), pEp allows for different entropy levels, i.e.:
is mapped to:
is mapped to:
The pEp Handshake has three display modes for the verification process. All of the following modes MUST be implemented:
If the verification process was successful, the user confirms it, e.g. by setting a check mark. Once the user has confirmed it, the trust level [E-D.birk-pep-trust-rating] for this channel MUST be updated accordingly.
A (global) adversary can pre-generate all Trustwords any two users expect to compare and try to engage in MITM attacks which fit – it MUST NOT be assumed public keys and thus fingerprints to be something to stay secret, especially as in pEp public keys are aggressively distributed to all peers. Also similar Trustwords can be generated, which spelled on the phone might sound very similar.
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.
According to [RFC7942], “[…] this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit.”
In pEp for email [E-D.birk-pep-email] contexts, Handshakes are already implemented for the following platforms:
In pEp for Outlook also keys from other devices can be imported by the Handshake method.
Special thanks to Volker Birk and Leon Schumacher who developed the original concept of the pEp Handshake.
This work was initially created by pEp Foundation, and then reviewed and extended with funding by the Internet Society’s Beyond the Net Programme on standardizing pEp. [ISOC.bnet]
[I-D.birk-pep] | Birk, V., Marques, H. and S. Shelburn, "pretty Easy privacy (pEp): Privacy by Default", Internet-Draft draft-birk-pep-02, June 2018. |
[I-D.birk-pep-trustwords] | Birk, V., Marques, H. and B. Hoeneisen, "IANA Registration of Trustword Lists: Guide, Template and IANA Considerations", Internet-Draft draft-birk-pep-trustwords-02, June 2018. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC4949] | Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007. |
[RFC7435] | Dukhovni, V., "Opportunistic Security: Some Protection Most of the Time", RFC 7435, DOI 10.17487/RFC7435, December 2014. |
[[ RFC Editor: This section should be empty and is to be removed before publication ]]