mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-21 08:45:04 -05:00
first round of synchronization with latest XEP-0188
git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@211 4b5297f7-1745-476d-ba37-a9c6900126ab
This commit is contained in:
parent
5763c6cc78
commit
3c0fd0cf10
168
xep-0116.xml
168
xep-0116.xml
@ -57,6 +57,7 @@
|
||||
<spec>RFC 2409</spec>
|
||||
<spec>RFC 3526</spec>
|
||||
<spec>RFC 3548</spec>
|
||||
<spec>SHA256</spec>
|
||||
<spec>xml-c14n</spec>
|
||||
<spec>XEP-0004</spec>
|
||||
<spec>XEP-0020</spec>
|
||||
@ -196,15 +197,21 @@
|
||||
|
||||
<section1 topic="Online ESession Negotiation" anchor='init'>
|
||||
<section2 topic="Introduction" anchor='init-intro'>
|
||||
<p>The process for establishing a secure session over an insecure transport is essentially a negotiation of various ESession algorithms and other parameters, combined with a translation into XMPP syntax of the σ approach to key exchange (see <cite>Cryptographic Design of Encrypted Sessions</cite>).</p>
|
||||
<p>If Alice believes Bob may be online then she SHOULD use the protocol specified in &xep0155; and in this section to negotiate the ESession options and the keys.</p>
|
||||
<p>Note: If Alice believes Bob is offline then she SHOULD NOT use this negotiation protocol. However, she MAY use the protocol specified in <cite>Offline Encrypted Sessions</cite> to establish the ESession options and keys. Alternatively, she MAY send stanzas without encryption - in which case her client MUST make absolutely clear to her that the stanzas will not be protected and give her the option not to send the stanzas.</p>
|
||||
<p>Each entity (or each user of a client installation) MUST be assigned a large random Anonymous ID (AID) upon first use.</p>
|
||||
<p>This protocol supports both 3- and 4-message key negotiations. The 3-message SIGMA-I-based key exchange protects the identity of the <em>initiator</em> against active attacks. This SHOULD NOT be used to establish client-to-client sessions since the <em>responder's</em> identity is not protected against active attacks. However, it SHOULD be used to establish client-to-service (server) sessions, especially where the identity of the service is well known to third parties.</p>
|
||||
<p>The 4-message SIGMA-R-based key exchange with hash commitment defends the <em>responder's</em> identity against active attacks and facilitates detection of a Man in the Middle attack. It SHOULD be used to establish client-to-client sessions. The 4-message key exchange also features optional Short-Authentication-String protection against Man-in-the-Middle attacks without the need to generate, distribute or authenticate any public keys. As long as a hash commitment is used at the start of the key exchange then only a short human-friendly string needs to be verified out-of-band (e.g. by recognizable voice communication).</p>
|
||||
<p>The 4-message key exchange also features optional secret retention. If retained secrets are employed <em>consistently</em> during key exchanges, then the Man in the Middle would need to be present for every session, including the first, and the out-of-band verification would only need to be performed once to verify the absence of a Man in the Middle for all sessions between the parties (past, present and future). <note>This combination of techniques underpins the <cite>ZRTP</cite> key agreement protocol.</note></p>
|
||||
<p>Public keys are optional in the diagram below. It describes the same SIGMA-R with SAS key exchange protocol as the <link url='#foundations-skeleton-r'>SIGMA-R Overview</link>. It provides much more detail including the use of retained secrets and other secrets. Note: These <em>optional</em> security enhancements are especially important when the protocol is being used without public keys.</p>
|
||||
<p>Alternatively Alice and Bob could agree a shared secret via secure out-of-band communication, Bob could then use it to create an HMAC of his public key that only Alice could verify.</p>
|
||||
<p>The process for establishing a secure session over an insecure transport is essentially a negotiation of various ESession algorithms and other parameters, combined with a translation into XMPP syntax of the σ approach to key exchange (see <cite>Cryptographic Design of Encrypted Sessions</cite>).</p>
|
||||
<p>If Alice believes Bob may be online then she SHOULD use the protocol specified in &xep0155; and in this section to negotiate the ESession options and the keys.</p>
|
||||
<p>Note: If Alice believes Bob is offline then she SHOULD NOT use this negotiation protocol. However, she MAY use the protocol specified in <cite>Offline Encrypted Sessions</cite> to establish the ESession options and keys. Alternatively, she MAY send stanzas without encryption - in which case her client MUST make absolutely clear to her that the stanzas will not be protected and give her the option not to send the stanzas.</p>
|
||||
</section2>
|
||||
|
||||
<section2 topic="Three- or Four-Message Negotiations" anchor='init-variants'>
|
||||
<p>This protocol supports both 3- and 4-message key negotiations.</p>
|
||||
<p>The 3-message SIGMA-I-based key exchange protects the identity of the <em>initiator</em> against active attacks. This SHOULD NOT be used to establish client-to-client sessions since the <em>responder's</em> identity is not protected against active attacks. However, it SHOULD be used to establish client-to-service (server) sessions, especially where the identity of the service is well known to third parties.</p>
|
||||
<p>The 4-message SIGMA-R-based key exchange with hash commitment defends the <em>responder's</em> identity against active attacks and facilitates detection of a Man in the Middle attack. It SHOULD be used to establish client-to-client sessions. The 4-message key exchange also includes the following optional security enhancements:</p>
|
||||
<ul>
|
||||
<li><p>"Secret Retention": If retained secrets are employed <em>consistently</em> during key exchanges, then the Man in the Middle would need to be present for every session, including the first. Sessions remain secure even if a long-lived private signing key is compromised at some time <em>after</em> the first session.</p></li>
|
||||
<li><p>"Short-Authentication-String": Alice and Bob can use SAS once to quickly authenticate each other's public keys. Only a very short human-friendly string needs to be verified out-of-band (e.g. by recognizable voice communication).</p>
|
||||
<p>Alternatively, thanks to its protection against Man-in-the-Middle attacks, SAS can be used to eliminate the need to generate, distribute or authenticate any public keys. Note: When this protocol is being used without public keys Alice and Bob SHOULD employ Secret Retention, then the out-of-band verification only needs to be performed once to verify the absence of a Man in the Middle for all sessions (past, present and future). <note>This combination of techniques underpins the <cite>ZRTP</cite> key agreement protocol.</note></p></li>
|
||||
<li><p>"Other Secret": Alice and Bob agree a password out-of-band and their clients use it to authenticate each other every time a session is negotiated.</p></li>
|
||||
</ul>
|
||||
</section2>
|
||||
|
||||
<section2 topic="ESession Request" anchor='init-online-request'>
|
||||
@ -216,17 +223,19 @@
|
||||
<li><p>Signature algorithm names</p></li>
|
||||
<li><p>Compression algorithm names</p></li>
|
||||
<li><p>The list of stanza types that MAY be encrypted and decrypted</p></li>
|
||||
<li><p>Whether or not the other entity MUST send the fingerprint of its public signature-verification key instead of the full key <note>If the entity already possesses one of the other entity's public keys then it is RECOMMENDED that only the fingerprint is requested from the other entity - since this saves bandwidth.</note></p></li>
|
||||
<li><p>The different versions of this protocol that are supported <note>This version of this document describes version 1.0 of this protocol.</note></p></li>
|
||||
<li><p>The minimum number of stanzas that MUST be exchanged before an entity MAY initiate a key re-exchange (1 - every stanza, 100 - every hundred stanzas). Note: This value MUST be less than &twosup32; (see <link url='#sec-rekey'>Re-Keying Limits</link>)</p></li>
|
||||
<li><p>What sort of identification is required from the other entity. This MUST be either 'key' (its public signature-verification key), or 'hash' (a fingerprint of its public key) <note>If the entity already possesses one of the other entity's public keys then it is RECOMMENDED that only the fingerprint is requested from the other entity - since this saves bandwidth.</note>, or 'none' (no identification). 'none' MUST NOT be specified with 3-message negotiation.</p></li>
|
||||
</ol>
|
||||
<p>Each MODP group has at least two well known constants: a large prime number p, and a generator g for a subgroup of GF(p). For each MODP group that Alice specifies she MUST perform the following computations to calculate her Diffie-Hellman keys (where n is the number of bits per cipher block for the block cipher algorithm with the largest block size out of those she specified):</p>
|
||||
<ol>
|
||||
<li><p>Generate a secret random number x (where &twosup2n; < x < p - 1)</p></li>
|
||||
<li><p>Calculate e = &gsupx; mod p</p></li>
|
||||
<li><p>Generate: a secret random number x (where &twosup2n; < x < p - 1)</p></li>
|
||||
<li><p>Calculate: e = &gsupx; mod p</p></li>
|
||||
<li><p>Calculate: He = SHA256(e) (see &nistfips180-2;)</p></li>
|
||||
</ol>
|
||||
<p>Alice MUST send all her calculated values of e to Bob (in the same order as the associated MODP groups are being sent). She MUST also specify randomly generated Base64 encoded (in accordance with Section 3 of &rfc3548;) value of &NsubA; (her ESession ID).</p>
|
||||
<example caption='Alice Requests an ESession'><![CDATA[
|
||||
<p>Note: The last step is not necessary for 3-message negotiations.</p>
|
||||
<p>Alice MUST send all her calculated values of 'He' (for 4-message negotiations) or 'e' (for 3-message negotiations) to Bob (in the same order as the associated MODP groups are being sent). She MUST also specify randomly generated Base64 encoded (in accordance with Section 3 of &rfc3548;) value of &NsubA; (her ESession ID).</p>
|
||||
<example caption='Initiates a 4-message ESession Negotiation'><![CDATA[
|
||||
<message from='alice@example.org/pda' to='bob@example.com'>
|
||||
<thread>ffd7076498744578d10edabfe7f4a866</thread>
|
||||
<feature xmlns='http://jabber.org/protocol/feature-neg'>
|
||||
@ -236,17 +245,21 @@
|
||||
</field>
|
||||
<field type="boolean" var="accept">
|
||||
<value>1</value>
|
||||
<required/>
|
||||
</field>
|
||||
<field type="list-single" var="otr">
|
||||
<option><value>false</value></option>
|
||||
<option><value>true</value></option>
|
||||
<required/>
|
||||
</field>
|
||||
<field type="list-single" var="disclosure">
|
||||
<option><value>never</value></option>
|
||||
<required/>
|
||||
</field>
|
||||
<field type="list-single" var="security">
|
||||
<option><value>e2e</value></option>
|
||||
<option><value>c2s</value></option>
|
||||
<required/>
|
||||
</field>
|
||||
<field type="list-single" var="modp">
|
||||
<option><value>5</value></option>
|
||||
@ -274,8 +287,11 @@
|
||||
<option><value>iq</value></option>
|
||||
<option><value>presence</value></option>
|
||||
</field>
|
||||
<field type="boolean" var="pk_hash">
|
||||
<value>0</value>
|
||||
<field type="list-single" var="pubkey">
|
||||
<value>key</value>
|
||||
<option><value>key</value></option>
|
||||
<option><value>hash</value></option>
|
||||
<option><value>none</value></option>
|
||||
</field>
|
||||
<field type="list-single" var="ver">
|
||||
<option><value>1.3</value></option>
|
||||
@ -287,7 +303,34 @@
|
||||
<field type="hidden" var="my_nonce">
|
||||
<value> ** Alice's Base64 encoded ESession ID ** </value>
|
||||
</field>
|
||||
<field type="hidden" var="keys">
|
||||
<field type="hidden" var="dhhashes">
|
||||
<value> ** Base64 encoded value of He5 ** </value>
|
||||
<value> ** Base64 encoded value of He14 ** </value>
|
||||
<value> ** Base64 encoded value of He2 ** </value>
|
||||
</field>
|
||||
</x>
|
||||
</feature>
|
||||
<amp xmlns='http://jabber.org/protocol/amp' per-hop='true'>
|
||||
<rule action='drop' condition='deliver' value='stored'/>
|
||||
</amp>
|
||||
</message>
|
||||
]]></example>
|
||||
<p>The first message of a 3-message negotiation is identical except the a 'dhkeys' field is included instead of the 'dhhashes' field:</p>
|
||||
<example caption='Alice Initiates a 3-message ESession Negotiation'><![CDATA[
|
||||
<message from='alice@example.org/pda' to='bob@example.com'>
|
||||
<thread>ffd7076498744578d10edabfe7f4a866</thread>
|
||||
<feature xmlns='http://jabber.org/protocol/feature-neg'>
|
||||
<x type='form' xmlns='jabber:x:data'>
|
||||
<field type="hidden" var="FORM_TYPE">
|
||||
<value>urn:xmpp:chatneg</value>
|
||||
</field>
|
||||
...
|
||||
...
|
||||
...
|
||||
<field type="hidden" var="my_nonce">
|
||||
<value> ** Alice's Base64 encoded ESession ID ** </value>
|
||||
</field>
|
||||
<field type="hidden" var="dhkeys">
|
||||
<value> ** Base64 encoded value of e5 ** </value>
|
||||
<value> ** Base64 encoded value of e14 ** </value>
|
||||
<value> ** Base64 encoded value of e2 ** </value>
|
||||
@ -335,8 +378,9 @@
|
||||
]]></example>
|
||||
</section2>
|
||||
<section2 topic="Diffie-Hellman Preparation (Bob)" anchor='init-online-bobprep'>
|
||||
<p>If Bob supports one or more of each of Alice's ESession options and is willing to start an ESession with Alice, then he MUST select one of the options from each of the ESession fields he received from Alice including one hash algorithm ("HASH"), and one of the MODP groups and Alice's corresponding value of e (see &rfc3766; or <cite>RFC 3526</cite> for recommendations regarding balancing the sizes of symmetric cipher blocks and Diffie-Hellman moduli).</p>
|
||||
<p>Each MODP group has at least two well known constants: a large prime number p, and a generator g for a subgroup of GF(p). Bob SHOULD return a &feature; error unless: 1 < e < p - 1</p>
|
||||
<p>If Bob supports one or more of each of Alice's ESession options and is willing to start an ESession with Alice, then he MUST select one of the options from each of the ESession fields he received from Alice including one hash algorithm ("HASH"), and one of the MODP groups (see &rfc3766; or <cite>RFC 3526</cite> for recommendations regarding balancing the sizes of symmetric cipher blocks and Diffie-Hellman moduli) and Alice's corresponding value of 'He' (for 4-message negotiations) or 'e' (for 3-message negotiations).</p>
|
||||
<p>Note: Each MODP group has at least two well known constants: a large prime number p, and a generator g for a subgroup of GF(p).</p>
|
||||
<p>For 3-message negotiations, Bob SHOULD return a &feature; error unless: 1 < e < p - 1</p>
|
||||
<p>Bob MUST then perform the following computations (where n is the number of bits per cipher block for the selected block cipher algorithm):</p>
|
||||
<ol start='1'>
|
||||
<li><p>Generate a random number &NsubB; (his ESession ID)</p></li>
|
||||
@ -346,6 +390,7 @@
|
||||
<li><p>Calculate d = &gsupy; mod p</p></li>
|
||||
<li><p>Calculate K = HASH(&esupy; mod p) (the shared secret)</p></li>
|
||||
</ol>
|
||||
<p>If this is a 4-message negotiation Bob MUST skip the last step above and all the steps described in the next two sections. He can skip straight to the <link url='#init-online-response'>ESession Response</link> section.</p>
|
||||
</section2>
|
||||
|
||||
<section2 topic="Generating Session Keys" anchor='init-keys'>
|
||||
@ -370,17 +415,19 @@
|
||||
<section2 topic="Hiding Identity" anchor='init-hide'>
|
||||
<p>Bob MUST perform the following steps before he can prove his identity to Alice while protecting it from third parties.</p>
|
||||
<ol>
|
||||
<li><p>Select &pubKeyB;, the public key Alice should use to authenticate his signature with the signature algorithm he selected ("SIGN").</p></li>
|
||||
<li><p>Set &formB; to the <link url='#sign-normal'>Normalized</link> <em>content</em> of the reponse data form he will send back to Alice (including his responses for all the fields he received from Alice).</p>
|
||||
<p>Bob MUST encapsulate the Base64 encoded values of &CsubA; and Alice's &NsubA; in two new 'counter' and 'nonce' fields and add them to &formB;. He MUST set the 'pk_hash' field to specify whether or not <em>Alice</em> MUST send the fingerprint of her public signature-verification key instead of her full key. He MUST set the value of the 'rekey_freq' field to be less than &twosup32; and greater than or equal to the value specified by Alice. Bob MUST place his Base64 encoded values of &NsubB; and d in the 'my_nonce' and 'keys' fields. Note: Bob MUST NOT return Alice's values of &NsubA; and e in these fields.</p></li>
|
||||
<li><p>If the value of the 'pubkey' field that Alice sent Bob was not 'none' then Bob MUST set &pubKeyB; to a zero length string of characters. Otherwise Bob SHOULD select &pubKeyB;, the public key Alice will use to authenticate his signature with the signature algorithm he selected ("SIGN").</p></li>
|
||||
<li><p>Set &formB; to the <link url='#sign-normal'>Normalized</link> <em>content</em> of the reponse data form he will send back to Alice (including his responses for all the fields he received from Alice) - see <link url='#init-online-response'>ESession Response</link>.</p>
|
||||
<p>Bob MUST encapsulate the Base64 encoded values of &CsubA; and Alice's &NsubA; in two new 'counter' and 'nonce' fields and add them to &formB;. He MUST set the 'pubkey' field to specify what sort of identification he requires from Alice (see <link url='#init-online-request'>ESession Request</link>). He MUST set the value of the 'rekey_freq' field to be less than &twosup32; and greater than or equal to the value specified by Alice. Bob MUST place his Base64 encoded values of &NsubB; and d in the 'my_nonce' and 'dhkeys' fields. Note: Bob MUST NOT return Alice's values of &NsubA; and e in these fields.</p></li>
|
||||
<li><p>Concatenate Alice's ESession ID, Bob's ESession ID, d, &pubKeyB; and &formB;, and calculate the HMAC (as defined in Section 2 of &rfc2104;) of the resulting byte string using the selected hash algorithm ("HASH") and the key &KSsubB;.</p>
|
||||
<code>&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})</code></li>
|
||||
<li><p>Calculate &signB;, the signature of the HMAC result using his private signature key that corresponds to &pubKeyB;</p>
|
||||
<li><p>If the value of the 'pubkey' field that Alice sent Bob was not 'none' then Bob MUST calculate &signB;, the signature of the HMAC result using his private signature key that corresponds to &pubKeyB;</p>
|
||||
<code>&signB; = SIGN(&signKeyB;, &macB;)</code></li>
|
||||
<li><p>If the value of the 'pk_hash' field that Alice sent Bob was true then Bob SHOULD set &pubKeyB; to the key's fingerprint</p>
|
||||
<code>if (pk_hash) &pubKeyB; = HASH(&pubKeyB;)</code></li>
|
||||
<li><p>Concatenate &pubKeyB; and &signB; and encrypt the resulting byte string with the agreed algorithm ("CIPHER") in counter mode (see &nistfips800-38a;), using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2<span class='super'>n</span>, where n is the number of bits per cipher block for the agreed block cipher algorithm).</p>
|
||||
<code>&IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})</code></li>
|
||||
<li><p>If the value of the 'pubkey' field that Alice sent Bob was 'hash' then Bob SHOULD set &pubKeyB; to the key's fingerprint</p>
|
||||
<code>if (pubkey == 'hash') &pubKeyB; = HASH(&pubKeyB;)</code></li>
|
||||
<li><p>Encrypt the byte string resulting from the concatenation of &pubKeyB; and &signB; (or, if the value of the 'pubkey' field that Alice sent Bob was 'none', encrypt just the HMAC result) with the agreed algorithm ("CIPHER") in counter mode (see &nistfips800-38a;), using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2<span class='super'>n</span>, where n is the number of bits per cipher block for the agreed block cipher algorithm).</p>
|
||||
<code>&IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})</code>
|
||||
<p>or</p>
|
||||
<code>&IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;)</code></li>
|
||||
<li><p>Calculate the HMAC of the encrypted identity (&IDB;) and the value of Bob's block cipher counter &CsubB; <em>before</em> the encryption above using the selected hash algorithm ("HASH") and the integrity key &KMsubB;.</p>
|
||||
<code>&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)</code></li>
|
||||
</ol>
|
||||
@ -406,13 +453,13 @@
|
||||
<field var="sign_algs"><value>rsa</value></field>
|
||||
<field var="compress"><value>none</value></field>
|
||||
<field var="stanzas"><value>message</value></field>
|
||||
<field var="pk_hash"><value>1</value></field>
|
||||
<field var="pubkey"><value>hash</value></field>
|
||||
<field var="ver"><value>1.3</value></field>
|
||||
<field var="rekey_freq"><value>50</value></field>
|
||||
<field var="my_nonce">
|
||||
<value> ** Bob's Base64 encoded ESession ID ** </value>
|
||||
</field>
|
||||
<field var="keys">
|
||||
<field var="dhkeys">
|
||||
<value> ** Base64 encoded value of d ** </value>
|
||||
</field>
|
||||
<field var="nonce">
|
||||
@ -444,13 +491,13 @@
|
||||
<field var="sign_algs"><value>rsa</value></field>
|
||||
<field var="compress"><value>none</value></field>
|
||||
<field var="stanzas"><value>message</value></field>
|
||||
<field var="pk_hash"><value>1</value></field>
|
||||
<field var="pubkey"><value>hash</value></field>
|
||||
<field var="ver"><value>1.3</value></field>
|
||||
<field var="rekey_freq"><value>50</value></field>
|
||||
<field var="my_nonce">
|
||||
<value> ** Bob's Base64 encoded ESession ID ** </value>
|
||||
</field>
|
||||
<field var="keys">
|
||||
<field var="dhkeys">
|
||||
<value> ** Base64 encoded value of d ** </value>
|
||||
</field>
|
||||
<field var="nonce">
|
||||
@ -490,7 +537,7 @@
|
||||
<li><p>Return a &feature; error to Bob unless the value of &MsubB; she calculated matches the one she received in the 'mac' field</p></li>
|
||||
<li><p>Obtain &pubKeyB; and &signB; by decrypting &IDB; with the agreed symmetric block cipher algorithm ("DECIPHER") in counter mode, using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2<span class='super'>n</span>, where n is the number of bits per cipher block for the agreed block cipher algorithm).</p>
|
||||
<code>{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)</code></li>
|
||||
<li><p>If the value of the 'pk_hash' field she sent to Bob in her <link url='#init-online-request'>ESession Request</link> was true, then Alice SHOULD change the value of &pubKeyB; to be her copy of the public key whose HASH matches the value of &pubKeyB; that she received from Bob. Note: If she cannot find a copy of the public key then Alice MUST terminate the ESession. She MAY then request a new ESession with the 'pk_hash' field set to false.</p></li>
|
||||
<li><p>If the value of the 'pubkey' field she sent to Bob in her <link url='#init-online-request'>ESession Request</link> was 'hash', then Alice SHOULD change the value of &pubKeyB; to be her copy of the public key whose HASH matches the value of &pubKeyB; that she received from Bob. Note: If she cannot find a copy of the public key then Alice MUST terminate the ESession. She MAY then request a new ESession with the 'pubkey' field set to 'key' or 'none'.</p></li>
|
||||
<li><p>Return a &feature; error to Bob unless she can confirm (or has previously confirmed) that &pubKeyB; really is Bob's public key, for examples, via secure out-of-band communication, or through a third-party authority (see <link url='#sec-keys'>Verifying Keys</link>).</p></li>
|
||||
<li><p>Set the value of &formB; to be the <link url='#sign-normal'>Normalized</link> <em>content</em> of the form she received from Bob without any 'identity' or 'mac' fields.</p></li>
|
||||
<li><p>Concatenate Alice's ESession ID, Bob's ESession ID, d, &pubKeyB; and &formB;, and calculate the HMAC of the resulting byte string using HASH and the key &KSsubB;.</p>
|
||||
@ -504,7 +551,7 @@
|
||||
<p>Alice MUST then prove her identity to Bob while protecting it from third parties. She MUST perform the steps equivalent to those Bob performed above (see <link url='#init-hide'>Hiding Identity</link> for a more detailed description). Alice's calculations are summarised below (pay attention to the order of &NsubB; and &NsubA; when calculating &macA;). Note: &formA; is the <link url='#sign-normal'>Normalized</link> <em>content</em> of the <link url='#init-online-request'>ESession Request</link> data form that she sent to Bob previously.</p>
|
||||
<code>&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;})</code>
|
||||
<code>&signA; = SIGN(&signKeyA;, &macA;)</code>
|
||||
<code>if (pk_hash) &pubKeyA; = HASH(&pubKeyA;)</code>
|
||||
<code>if (pubkey == 'hash') &pubKeyA; = HASH(&pubKeyA;)</code>
|
||||
<code>&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})</code>
|
||||
<code>&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)</code>
|
||||
|
||||
@ -659,7 +706,6 @@
|
||||
<p>Entities MUST associate one or more JIDs with each public key fingerprint that they store, and alert their users immediately if another JID presents the same public key. This is necessary since if Bob already has fingerprints from Alice and Mallory, and Bob's client presents only the JID (or a name associated with the JID) to Bob, then Mallory could use his own public key (that is trusted by Bob) and pretend to be Alice simply by exchanging stanzas with Bob using Alice's JID.</p>
|
||||
<p>If a JID for which a key has previously been stored attempts to establish an ESession using a public key with a different fingerprint (or no key at all) then the entity MUST alert its user.</p>
|
||||
<p>Since Alice MAY use many different JIDs to talk to Bob, but always identify herself to him with the same public key, Entities SHOULD associate a "petname" with each public key fingerprint they store. Entities MUST present any public key petnames clearly to their users, and more prominently than any petname or nickname associated with the JID or the JID itself.</p>
|
||||
<p>Entities MUST take the precautions described above also when storing retained secrets and other secrets (passwords) associated with Anonimous IDs.</p>
|
||||
</section2>
|
||||
<section2 topic='Unencrypted ESessions' anchor='sec-unencrypted'>
|
||||
<p>Organisations with full disclosure policies may require entities to disable encryption (see <link url='#sec-backdoor'>Back Doors</link>) to enable the logging of all messages on their server. Unencrypted ESessions meet all the Security Requirements (see <cite>Cryptographic Design of Encrypted Sessions</cite>) except for Confidentiality. Unencrypted ESessions enable Alice to to confirm <em>securely</em> with Bob that both client-server connections are secure. i.e. that the value of the 'security' option (as specified in <cite>Chat Session Negotiation</cite>) has not been tampered with.</p>
|
||||
@ -726,7 +772,7 @@
|
||||
<section3 topic='Hash Algorithms' anchor='sec-mandatory-hash'>
|
||||
<p>An implementation of ESession MUST support the following hash algorithm:</p>
|
||||
<ul>
|
||||
<li>sha256 (see &nistfips180-2;)</li>
|
||||
<li>sha256 (see <cite>Secure Hash Standard</cite>)</li>
|
||||
</ul>
|
||||
<p>An implementation of ESession SHOULD also support at least the following hash algorithm (sha1 and md5 are broken and therefore NOT RECOMMENDED):</p>
|
||||
<ul>
|
||||
@ -778,6 +824,14 @@
|
||||
var='crypt_algs'
|
||||
type='list-single'
|
||||
label='Symmetric block cipher options'/>
|
||||
<field
|
||||
var='dhhashes'
|
||||
type='hidden'
|
||||
label='Hashes of Diffie-Hellman public keys'/>
|
||||
<field
|
||||
var='dhkeys'
|
||||
type='hidden'
|
||||
label='Diffie-Hellman public keys'/>
|
||||
<field
|
||||
var='expires'
|
||||
type='hidden'
|
||||
@ -786,10 +840,6 @@
|
||||
var='hash_algs'
|
||||
type='list-single'
|
||||
label='Hash algorithm options'/>
|
||||
<field
|
||||
var='keys'
|
||||
type='hidden'
|
||||
label='Diffie-Hellman keys'/>
|
||||
<field
|
||||
var='match_resource'
|
||||
type='text-single'
|
||||
@ -807,13 +857,27 @@
|
||||
type='hidden'
|
||||
label='ESession ID of Receiver'/>
|
||||
<field
|
||||
var='pk_hash'
|
||||
type='boolean'
|
||||
label='Respond with public key fingerprint'/>
|
||||
var='pubkey'
|
||||
type='list-single'
|
||||
label='Respond with public key'>
|
||||
<option label='No Key'>
|
||||
<value>none</value>
|
||||
</option>
|
||||
<option label='Full Key'>
|
||||
<value>key</value>
|
||||
</option>
|
||||
<option label='Key Fingerprint'>
|
||||
<value>hash</value>
|
||||
</option>
|
||||
</field>
|
||||
<field
|
||||
var='rekey_freq'
|
||||
type='text-single'
|
||||
label='Minimum number of stanzas between key exchanges'/>
|
||||
<field
|
||||
var='rshashes'
|
||||
type='hidden'
|
||||
label='Hashes of retained secrets'/>
|
||||
<field
|
||||
var='sign_algs'
|
||||
type='list-single'
|
||||
@ -822,14 +886,32 @@
|
||||
var='signs'
|
||||
type='list-single'
|
||||
label='Data form signatures'/>
|
||||
<field
|
||||
var='srshash'
|
||||
type='hidden'
|
||||
label='Hash of shared retained secret'/>
|
||||
<field
|
||||
var='stanzas'
|
||||
type='list-multi'
|
||||
label='Stanzas types to encrypt'/>
|
||||
<option>
|
||||
<value>message</value>
|
||||
</option>
|
||||
<option>
|
||||
<value>presence</value>
|
||||
</option>
|
||||
<option>
|
||||
<value>iq</value>
|
||||
</option>
|
||||
</field>
|
||||
<field
|
||||
var='ver'
|
||||
type='list-single'
|
||||
label='Supported versions of XEP-0116'/>
|
||||
label='Supported versions of ESessions'>
|
||||
<option>
|
||||
<value>1.0</value>
|
||||
</option>
|
||||
</field>
|
||||
</form_type>
|
||||
|
||||
<form_type>
|
||||
|
Loading…
Reference in New Issue
Block a user