Network Working Group M. Miller
Internet-Draft P. Saint-Andre
Obsoletes: 3923 (if approved) Cisco Systems, Inc.
Intended status: Standards Track June 29, 2010
Expires: December 31, 2010
End-to-End Object Encryption for the Extensible Messaging and Presence
Protocol (XMPP)
draft-miller-3923bis-02
Abstract
This document defines a method of end-to-end object encryption for
the Extensible Messaging and Presence Protocol (XMPP). The protocol
defined herein is a simplified version of the protocol defined in RFC
3923.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 31, 2010.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Miller & Saint-Andre Expires December 31, 2010 [Page 1]
Internet-Draft XMPP E2E June 2010
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Securing XMPP Stanzas . . . . . . . . . . . . . . . . . . . . 3
3.1. Example of Securing Messages . . . . . . . . . . . . . . . 5
3.2. Example of Securing IQs . . . . . . . . . . . . . . . . . 6
4. Interaction with Stanza Semantics . . . . . . . . . . . . . . 8
5. Handling of Inbound Stanzas . . . . . . . . . . . . . . . . . 9
6. Inclusion and Checking of Timestamps . . . . . . . . . . . . . 10
7. Mandatory-to-Implement Cryptographic Algorithms . . . . . . . 11
8. Certificates . . . . . . . . . . . . . . . . . . . . . . . . . 11
9. Security Considerations . . . . . . . . . . . . . . . . . . . 11
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
10.1. XML Namespace Name for e2e Data in XMPP . . . . . . . . . 12
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
11.1. Normative References . . . . . . . . . . . . . . . . . . . 12
11.2. Informative References . . . . . . . . . . . . . . . . . . 13
Appendix A. Schema for urn:ietf:params:xml:ns:xmpp-objenc:0 . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
Miller & Saint-Andre Expires December 31, 2010 [Page 2]
Internet-Draft XMPP E2E June 2010
1. Introduction
End-to-end encryption of traffic sent over the Extensible Messaging
and Presence Protocol [XMPP-CORE] is a desirable goal. Requirements
and a threat analysis for XMPP encryption are provided in [E2E-REQ].
Many possible approaches to meet those (or similar) requirements have
been proposed over the years, including methods based on PGP, S/MIME,
SIGMA, and TLS.
The S/MIME approach defined in [RFC3923] has never been implemented
in XMPP clients to the best of our knowledge, but has some attractive
features, especially the ability to store-and-forward an encrypted
message at a user's server if the user is not online when the message
is received (in the XMPP community this is called "offline storage"
and the message is referred to as an "offline message"). The authors
surmise that RFC 3923 has not been implemented mainly because it adds
several new dependencies to XMPP clients, especially MIME (along with
the CPIM and MSGFMT media types). Therefore this document explores
the possibility of an approach that is similar to but simpler than
RFC 3923, while retaining the same basic object encryption model.
2. Terminology
This document inherits terminology defined in [XMPP-CORE].
Security-related terms are to be understood in the sense defined in
[SECTERMS].
The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[KEYWORDS].
3. Securing XMPP Stanzas
The process that a sending agent follows for securing stanzas is the
same regardless of the form of stanza (i.e., , , or
).
1. Constructs a cleartext version of the stanza, S.
2. Generates a session key R appropriate for the intended block
cipher (e.g. AES-SHA-256).
Miller & Saint-Andre Expires December 31, 2010 [Page 3]
Internet-Draft XMPP E2E June 2010
3. Notes the current UTC date and time N when this stanza is
constructed, formatted as described under Section 6.
4. Converts the stanza to a UTF-8 encoded string, optionally
removing line breaks and other insignificant whitespace between
elements and attributes, i.e., S' = UTF8-encode(S). We call S'
a "stanza-string" because for purposes of encryption and
decryption it is treated not as XML but as an opaque string
(this avoids the need for complex canonicalization of the XML
input).
5. Constructs a plaintext envelope (E) as follows:
* The attribute 'timestamp' set to the UTC date and time value
N
* The XML character data set to the base64-encoded form of S'
(where the encoding adheres to the definition in Section 4 of
[BASE64] and where the padding bits are set to zero). This
encoding is necessary to preserve a canonicalized form of S'.
6. Converts the envelope (E) to a UTF-8 encoded string, optionally
removing line breaks and other insignificant whitespace between
elements and attributes, i.e., E' = UTF8-encode(E).
7. Encrypts the UTF8-encoded enveloped (E') using the intended
block cipher, i.e. T = block-encrypt(R, E').
8. Generates a message authentication code (MAC) with a
cryptographic hashing algorithm (e.g. HMACSHA256) using the
encrypted data T as the salt and the session block cipher key R
as the message, i.e., M = mac-hash(T, R)
9. Encrypts the session key (R) using the recipient's public key to
produce encrypted data K. (Known issue: This step is under-
specified and will be expanded in a later version of this
document.)
10. Constructs an element qualified by the
"urn:ietf:params:xml:ns:xmpp-objenc:0" namespace as follows:
* The child element (implicitly qualified by the
"urn:ietf:params:xml:ns:xmpp-objenc:0" namespace) as follows:
+ The attribute 'cipher-algo' set to the asynchronous
encryption scheme used in step 9;
Miller & Saint-Andre Expires December 31, 2010 [Page 4]
Internet-Draft XMPP E2E June 2010
+ The XML character data set to the base64-encoded form of
K.
* The child element qualified by the
"urn:ietf:params:xml:ns:xmpp-objenc:0" namespace as follows:
+ The attribute 'mac-algo' set to the cryptographic hashing
algorithm used to generate M in step 8;
+ The attribute 'mac-hash' set to the base64-encoded result
of the MAC, M;
+ The attribute 'cipher-algo' set to the block encryption
scheme used to generate the encrypted data T in step 7;
+ The XML character data as the base64-encoded form of T.
11. Sends the element as the payload of a stanza that SHOULD
match the stanza from step 1 in kind (e.g., ), type
(e.g., "chat"), and addressing (e.g. to="romeo@montague.net"
from="juliet@capulet.net/balcony"). If the original stanza (S)
has a value for the "id" attribute, this stanza MUST NOT use the
same value for its "id" attribute.
3.1. Example of Securing Messages
The sender begins with the cleartext version of the stanza
"S":
8996aef0-061d-012d-347a-549a200771aa
Wherefore art thou, Romeo?
The sender then performs the steps 1 through 5 from above to
generate:
Miller & Saint-Andre Expires December 31, 2010 [Page 5]
Internet-Draft XMPP E2E June 2010
PG1lc3NhZ2UgeG1sbnM9ImphYmJlcjpjbGllbnQiIGZyb209Imp1bGlldEBjYXB
1bGV0Lm5ldC9iYWxjb255IiB0bz0icm9tZW9AbW9udGVndWUubmV0IiB0eXBlPS
JjaGF0Ij48dGhyZWFkPmM2MzczODI0LWEzMDctNDBkZC04ZmUwLWJhZDZlNzI5O
WFkMDwvdGhyZWFkPjxib2R5PldoZXJlZm9yZSBhcnQgdGhvdSwgUm9tZW8/PC9i
b2R5PjwvbWVzc2FnZT4=
Then performs steps 6 through 10, and sends the following:
OPfr4zudqiEeLcOQazZJIB6B9gx3zrVbyHKTU8a/aDb0wiZevztxxCi8hto0+Qw
Foyhcupj547WbFZJNlB2dsAPhlJzeH9SuGLJShjhbkOyKjmqZLLCZr3OQtJjcTU
sAVj7IZZsOOPDmwsb4Dxv5sz+icsDpi5l+5APfthDaoHbcrvz2pA1CJ5IFQoob4
a0i0WevcAFyB+vWXsRqQCxjn5sHdb6G4vjQ/m1lzTWahzKvi56pNUm7ll18oI8L
mPi1VWUEqH3aayGLVlJ9fhBDSSpW4jTQ/ts1nzPJwVlKdTqdgNBusFEhrRMhJD5
1JdLOhxx+Ov2Xbs22++XQ1tS8/A==
a8zpjgRcO1VHZ9CoqU19/jB7nn58Gzu5/sQm8YQe4F9zz+YKUfqTS9LaHcqdAwa
z8BG1a24Z72VYb5Ptjh7nQ19f5QQdA/P4lZ3oqeTJTsA4DkhvJaSUhrjYib/NOk
3lkMoatR/OSbfvhPdqXQ/dutLuRFjkilXGVwNWkgLm3iSnKUiYSdUzWvj88RgR3
ldVHFeyrdgufU9qu/FyO6MZXjfEtD80O+3ZBbESqllzmYFXnfkzBrhfi14iCba6
/b5Io5zhFUyWaq5e6qq2z72a+1bjeWkG8F9XBiMkyaxkB64wAS0o6aDpWdir5Oi
+Rnms4LV/wxL4Is/oe8Fo9xR3UmrdlAiaehdGBh+EnJGqprKa9eccOKqSu7/lJQ
ObAdJGEOeAVs8JEkQkxw+qR8edkEDuv6ZXN7JCWQx9LNaiiwsfAzApJJbqfrtDx
koQ3JaBbxQ+8FE3TM0E4Tbr9V8NDZC8abgBramlpUBfgknJvLYMTzx1lnsiCUxo
6ezC0xqV
3.2. Example of Securing IQs
The sender begins with the cleartext version of the stanza "S":
Miller & Saint-Andre Expires December 31, 2010 [Page 6]
Internet-Draft XMPP E2E June 2010
Romeo, what's here? Poison? Drunk all, and
left no friendly drop to help me after?
The sender then performs the steps 1 through 5 from above to
generate:
PGlxIHhtbG5zPSJqYWJiZXI6aXEiIGZyb209Imp1bGlldEBjYXB1bGV0Lm5ldC9
jcnlwdCIgaWQ9ImE1NDNiYzNlZSIgdG89InJvbWVvQG1vbnRlZ3VlLm5ldC9jcn
lwdCIgdHlwZT0icmVzdWx0Ij48bW9vZCB4bWxucz0iaHR0cDovL2phYmJlci5vc
mcvcHJvdG9jb2wvbW9vZCI+PGRlamVjdGVkIC8+PHRleHQ+Um9tZW8sIHdoYXQn
cyBoZXJlPyBQb2lzb24/IERydW5rIGFsbCwgYW5kIGxlZnQgbm8gZnJlbmRseSB
kcm9wIHRvIGhlbHAgbWUgYWZ0ZXI/PC90ZXh0PjwvbW9vZD48L2lxPg==
Then performs steps 6 through 10, and sends the following:
Miller & Saint-Andre Expires December 31, 2010 [Page 7]
Internet-Draft XMPP E2E June 2010
hOU+BRkEcCY0+eKTX9hzCbP30Ij0q5zZ9buFgkOWu4LsVkI92OiH65SvYL/XCB6
12sb9fhjkiAIeR0AySGiid+AeS7KZDzpcZ+ORg8j9CkEX/LeTYszBfZFiHzDFkh
qtwu3s7QMAR0Bzxj9NVE7W8fSdleusvyOOP5c0scrpRkXDMVO2Z3/rTjC0xInx3
XQUP+RlqFE7g1HCr01BjoPjI4p3N+fONVv0U9mwtt1I5tJ4EXgTofUM0GMNGX1i
NoNNjPDb9XsihpLvDIjMblXVHvYAIyPwCs2ZdDv7L5kmZ6U+35b7Qx8TdWUN2I4
5fBbxczvkFN6+cx2h5uapOTxBkw==
ksCAkoJeoymtf3ygzBJkrJYQV+g04CkAs5oSmej60GU89mRN3rKSX5FVfWo558W
Bcn8mVUxFxWhSdNBrsW5GQS1EyygDT+yfJe6OqzLTCqZn4iqaCyIPWM7XB/PolA
fvELw7y3hf8JrEAM4JXIfxrcOYDqewr7zmamwuuos4B6qzgiNN9ZW2AfTyKL3+l
twcmFvF/nWF1YN8CquGmBm83WFn7Ik9R+Nqq54+QNCABjSFPT25ZYquEhxk/RIS
CDAIXFOaFBozGjC20M3UDqnuwLsUF+P4ucjybysxhHQlqLOffX0Vhb1YesWaZac
pvsj8Ovfpv+ESrWGptXr+8GMK1og69GHRrd2k2TonPFp1KwS5MkbEpP2tS7R+nT
b9oGFojr6waNKhhhVmP/9FWRMi7C2KfLCHggAatLWDjBG8k7yd5DWdSqY7LwkwB
hT6+iErRfhdvk1EVxn2TVqjfhsFh33XDqkRT4BhPJUjJPkwLZkQ03PVgHKluMsE
JoUBS0OxD7gE5q808hy3qA+r5PDowy6nQ9zbUaCu4JbvKV2moql7fgHUy8MZLIe
DFVJ5A5z8Te6K4pFaQGAzxEOouS2A+BmvPAFczFeL+QGy58RSNMiXJ9ZMpb+N2C
1iDzPD8OL
4. Interaction with Stanza Semantics
The following limitations and caveats apply:
o Undirected stanzas MUST NOT be encrypted. Such
stanzas are delivered to anyone the sender has authorized, and
therefore it is highly unlikely that the sender can find an
appropriate certificate.
o Stanzas directed to multiplexing services (e.g. multi-user chat)
SHOULD NOT be encrypted, unless the sender has established an
acceptable trust relationship with the multiplexing service.
Miller & Saint-Andre Expires December 31, 2010 [Page 8]
Internet-Draft XMPP E2E June 2010
5. Handling of Inbound Stanzas
Several scenarios are possible when an entity receives an encrypted
stanza:
o The receiving application does not understand the protocol.
o The receiving application understands the protocol and is able to
decrypt the payload.
o The receiving application understands the protocol and is able to
decrypt the payload, but the timestamps fail the checks specified
under Checking of Timestamps (Section 6).
o The receiving application understands the protocol but is unable
to decrypt the payload.
In Case #1, the receiving application MUST do one and only one of the
following: (1) ignore the extension, (2) ignore the entire
stanza, or (3) return a error to the sender,
as described in [XMPP-CORE].
In Case #2, the receiving application MUST NOT return a stanza error
to the sender, since this is the success case.
In Case #3, the receiving application MAY return a
error to the sender (as described in [XMPP-CORE]), optionally
supplemented by an application-specific error condition element of
(previously defined in [RFC3923]):
XML-character-data-here
In Case #4, the receiving application SHOULD return a
error to the sender (as described in [XMPP-CORE]), optionally
supplemented by an application-specific error condition element of
(previously defined in [RFC3923]):
Miller & Saint-Andre Expires December 31, 2010 [Page 9]
Internet-Draft XMPP E2E June 2010
XML-character-data-here
In addition to returning an error in Case #4, the receiving
application SHOULD NOT present the stanza to the intended recipient
(human or application) and SHOULD provide some explicit alternate
processing of the stanza (which MAY be to display a message informing
the recipient that it has received a stanza that cannot be
decrypted).
6. Inclusion and Checking of Timestamps
Timestamps are included to help prevent replay attacks. All
timestamps MUST conform to [DATETIME] and be presented as UTC with no
offset, and SHOULD include the seconds and fractions of a second to
three digits. Absent a local adjustment to the sending agent's
perceived time or the underlying clock time, the sending agent MUST
ensure that the timestamps it sends to the receiver increase
monotonically (if necessary by incrementing the seconds fraction in
the timestamp if the clock returns the same time for multiple
requests). The following rules apply to the receiving application:
o It MUST verify that the timestamp received is within five minutes
of the current time, except as described below for offline
messages.
o It SHOULD verify that the timestamp received is greater than any
timestamp received in the last 10 minutes which passed the
previous check.
o If any of the foregoing checks fails, the timestamp SHOULD be
presented to the receiving entity (human or application) marked as
"old timestamp", "future timestamp", or "decreasing timestamp",
and the receiving entity MAY return a stanza error to the sender.
The foregoing timestamp checks assume that the recipient is online
when the message is received. However, if the recipient is offline
Miller & Saint-Andre Expires December 31, 2010 [Page 10]
Internet-Draft XMPP E2E June 2010
then the server will probably store the message for delivery when the
recipient is next online (offline storage does not apply to or
stanzas, only stanzas). As described in
[OFFLINE], when sending an offline message to the recipient, the
server SHOULD include delayed delivery data as specified in [DELAY]
so that the recipient knows that this is an offline message and also
knows the original time of receipt at the server. In this case, the
recipient SHOULD verify that the timestamp received in the encrypted
message is within five minutes of the time stamped by the recipient's
server in the element.
7. Mandatory-to-Implement Cryptographic Algorithms
All implementations MUST support the following algorithms.
Implementations MAY support other algorithms as well.
o The RSA (PKCS #1 v2.1) key transport, as specified in [X509-ALGO].
o The AES-128 encryption algorithm in CBC mode, as specified in
[CMS-AES].
o The HMACSHA256 hashing algorithm, as specified in [HMAC].
8. Certificates
To participate in end-to-end encryption using the methods defined in
this document, a client needs to possess an X.509 certificate [PKIX].
It is expected that many clients will generate their own (self-
signed) certificates rather than obtain a certificate issued by a
certification authority (CA). In any case the certificate MUST
include an XMPP address that is represented using the ASN.1 Object
Identifier "id-on-xmppAddr" as specified in Section 5.1.1 of
[XMPP-CORE].
9. Security Considerations
The recipient's server might store any stanzas received
until the recipient is next available; this duration could be
anywhere from a few minutes to several months.
10. IANA Considerations
Miller & Saint-Andre Expires December 31, 2010 [Page 11]
Internet-Draft XMPP E2E June 2010
10.1. XML Namespace Name for e2e Data in XMPP
A URN sub-namespace of encrypted content for the Extensible Messaging
and Presence Protocol (XMPP) is defined as follows.
URI: urn:ietf:params:xml:ns:xmpp-objenc:0
Specification: RFC XXXX
Description: This is an XML namespace name of signed and encrypted
content for the Extensible Messaging and Presence Protocol as
defined by RFC XXXX.
Registrant Contact: IESG,
11. References
11.1. Normative References
[BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[CMS-AES] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax
(CMS)", RFC 3565, July 2003.
[DATETIME]
Klyne, G. and C. Newman, "Date and Time on the Internet:
Timestamps", RFC 3339, July 2002.
[DELAY] Saint-Andre, P., "Delayed Delivery", XSF XEP 0203,
September 2009.
[E2E-REQ] Saint-Andre, P., "Requirements for End-to-End Encryption
in the Extensible Messaging and Presence Protocol (XMPP)",
draft-saintandre-xmpp-e2e-requirements-01 (work in
progress), March 2010.
[KEYWORDS]
Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[HMAC] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and HMAC-SHA)", RFC 4634, July 2006.
[PKIX] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
Miller & Saint-Andre Expires December 31, 2010 [Page 12]
Internet-Draft XMPP E2E June 2010
[SECTERMS]
Shirey, R., "Internet Security Glossary, Version 2",
RFC 4949, August 2007.
[X509-ALGO]
Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003.
[XMPP-CORE]
Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", draft-ietf-xmpp-3920bis-08 (work
in progress), May 2010.
11.2. Informative References
[OFFLINE] Saint-Andre, P., "Best Practices for Handling Offline
Messages", XSF XEP 0160, January 2006.
[RFC3923] Saint-Andre, P., "End-to-End Signing and Object Encryption
for the Extensible Messaging and Presence Protocol
(XMPP)", RFC 3923, October 2004.
Appendix A. Schema for urn:ietf:params:xml:ns:xmpp-objenc:0
The following XML schema is descriptive, not normative.
Miller & Saint-Andre Expires December 31, 2010 [Page 13]
Internet-Draft XMPP E2E June 2010
Miller & Saint-Andre Expires December 31, 2010 [Page 14]
Internet-Draft XMPP E2E June 2010
Authors' Addresses
Matthew Miller
Cisco Systems, Inc.
1899 Wyknoop Street, Suite 600
Denver, CO 80202
USA
Phone: +1-303-308-3204
Email: mamille2@cisco.com
Peter Saint-Andre
Cisco Systems, Inc.
1899 Wyknoop Street, Suite 600
Denver, CO 80202
USA
Phone: +1-303-308-3282
Email: psaintan@cisco.com
Miller & Saint-Andre Expires December 31, 2010 [Page 15]