From 5e497d4222d8ffb50df43d1f92a1c33dfc45a979 Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Thu, 30 Nov 2017 21:00:13 +0100 Subject: [PATCH] Update inbox/isr-sasl2.xml to 0.0.5 --- inbox/isr-sasl2.xml | 355 +++++++++++++++----------------------------- 1 file changed, 118 insertions(+), 237 deletions(-) diff --git a/inbox/isr-sasl2.xml b/inbox/isr-sasl2.xml index 80386e6c..40f37197 100644 --- a/inbox/isr-sasl2.xml +++ b/inbox/isr-sasl2.xml @@ -1,9 +1,8 @@ - draft-ietf-tls-tls13-19 The Transport Layer Security (TLS) Protocol Version 1.3 <https://tools.ietf.org/html/draft-ietf-tls-tls13-19>." > - IANA Named Information Hash Algorithm RegistryIANA Named Information Hash Algorithm Registry <https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg>." > - IANA Channel-Binding TypesIANA Channel-Binding Types<https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml>." > + draft-ietf-tls-tls13-21 The Transport Layer Security (TLS) Protocol Version 1.3 <https://tools.ietf.org/html/draft-ietf-tls-tls13-21>." > + draft-schmaus-sasl-ht-03draft-schmaus-sasl-ht-03: The Hashed Token SASL Mechanism <https://tools.ietf.org/html/draft-schmaus-kitten-sasl-ht-03>." > %ents; ]> @@ -14,62 +13,7 @@ This specification introduces a mechanism for instant stream resumption, based on Stream Management (XEP-0198), allowing XMPP entities to instantaneously resume an XMPP stream. - - - This XMPP Extension Protocol is copyright (c) 1999 - - 2016 by the XMPP Standards Foundation (XSF). - - Permission is hereby granted, free of charge, to any - person obtaining a copy of this specification (the - "Specification"), to make use of the Specification - without restriction, including without limitation the rights to - implement the Specification in a software program, deploy the - Specification in a network service, and copy, modify, merge, - publish, translate, distribute, sublicense, or sell copies of the - Specification, and to permit persons to whom the Specification is - furnished to do so, subject to the condition that the foregoing - copyright notice and this permission notice shall be included in - all copies or substantial portions of the Specification. Unless - separate permission is granted, modified works that are - redistributed shall not contain misleading information regarding - the authors, title, number, or publisher of the Specification, and - shall not claim endorsement of the modified works by the authors, - any organization or project to which the authors belong, or the - XMPP Standards Foundation. - - ## NOTE WELL: This Specification is provided on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, express or implied, including, without limitation, any - warranties or conditions of TITLE, NON-INFRINGEMENT, - MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. In no event - shall the XMPP Standards Foundation or the authors of this - Specification be liable for any claim, damages, or other - liability, whether in an action of contract, tort, or otherwise, - arising from, out of, or in connection with the Specification or - the implementation, deployment, or other use of the - Specification. ## - - In no event and under no legal theory, whether in tort - (including negligence), contract, or otherwise, unless required by - applicable law (such as deliberate and grossly negligent acts) or - agreed to in writing, shall the XMPP Standards Foundation or any - author of this Specification be liable for damages, including any - direct, indirect, special, incidental, or consequential damages of - any character arising out of the use or inability to use the - Specification (including but not limited to damages for loss of - goodwill, work stoppage, computer failure or malfunction, or any - and all other commercial damages or losses), even if the XMPP - Standards Foundation or such author has been advised of the - possibility of such damages. - - This XMPP Extension Protocol has been contributed in - full conformance with the XSF's Intellectual Property Rights - Policy (a copy of which may be found at <http://xmpp.org/extensions/ipr-policy.shtml> - or obtained by writing to XSF, P.O. Box 1641, Denver, CO 80201 - USA). - - + &LEGALNOTICE; xxxx ProtoXEP Standards Track @@ -89,6 +33,23 @@ flo@geekplace.eu flo@geekplace.eu + + 0.0.5 + 2017-11-30 + fs +

Minor changes

 + + + 0.0.4 + 2017-10-15 + fs + +
    +
  • Bump SASL2 namespace to urn:xmpp:sasl:1, and as result:
    • +
  • Rename 'key' to 'token'
    • +
+ + 0.0.3 2017-03-17 @@ -120,7 +81,7 @@ url='http://xmpp.org/extensions/xep-0198.html#resumption'>XEP-0198 § 5, the approach defined herein reduces the round trips required to resume a stream to exactly one. This is - achieved by using just a secure short-lived key to resume the + achieved by using just a secure short-lived token to resume the stream.

@@ -133,7 +94,7 @@
Instant Stream Resumption.
-
Instant Stream Resumption Key (ISR Key)
+
Instant Stream Resumption Token (ISR Token)
A shared secret that is exclusively ephemeral and represented as string.
 @@ -155,7 +116,7 @@

XMPP entities providing Instant Stream Resumption MUST announce that functionality as stream feature, but only if an instant stream resumption is possible at this stage. The ISR stream future consists - of an <isr/> element qualified by the 'urn:xmpp:isr:0' + of an <isr/> element qualified by the 'htpps://xmpp.org/extensions/isr/0' namespace. And since ISR requires TLS, this means that the <isr/> stream feature only appears on TLS secured connections.

@@ -175,66 +136,64 @@ - + - X-HT-SHA-256-ENDP + HT-SHA-256-ENDP ]]> -

Every ISR enabled entity MUST support the X-HT-SHA-256-ENDP - mechanism, support for X-HT-SHA-256-UNIQ is RECOMMENDED. The family - of SASL X-HT-* mechanisms is defined below in Section 6.

+

Every ISR enabled entity SHOULD support the HT-SHA-256-ENDP + mechanism, support for HT-SHA-256-UNIQ is RECOMMENDED. The family + of HT SASL mechanisms is specified in &sasl-ht;.

- + -

In order to obtain an ISR key, the requesting entity must add a - 'mechanism' attribute qualified by the 'urn:xmpp:isr:0' namespace to - the <enable/> element as defined in &xep0198; when attempting - to enable Stream Management. The value of the 'mechanism' attribute - is the name of the SASL mechanism the requesting entity will use - when performing ISR with the returned key. The entities involved in - ISR MUST only use or allow this mechanism when performing ISR with - the according key. This effectively pins the SASL - mechanism Pinning the SASL mechanism is believed to - increase the security.

+

In order to obtain an ISR token, the requesting entity must add an + 'isr-enable' element qualified by the 'htpps://xmpp.org/extensions/isr/0' namespace to the + <enable/> element as defined in &xep0198; when attempting to + enable Stream Management. This <isr-enable/> element MUST contain a + 'mechanism' attribute containing the name of the SASL mechanism the + requesting entity will use when performing ISR with the returned + token. The entities involved in ISR MUST only use or allow this + mechanism when performing ISR with the according token. This + effectively pins the SASL mechanism Pinning the SASL mechanism + is believed to increase the security.

- + + + ]]>

Next, the <enabled/> Nonza (see &xep0360;) which is send as positive reply upon a request to enable Stream Management, MUST - contain an 'key' attribute qualified by the 'urn:xmpp:isr:0' - namespace containing a ISR key. The key MUST be newly generated by a - cryptographically secure random number generator and MUST contain at - lest 128 bit of entropy. The Nonza can optionally also contain a - 'location' attribute qualified by the 'urn:xmpp:isr:0' namespace + contain an 'isr-enabled' element qualified by the 'htpps://xmpp.org/extensions/isr/0' + namespace containing a ISR token as value of its 'token' attribute. The + token MUST be newly generated by a cryptographically secure random + number generator and MUST contain at least 128 bit of entropy. The + <isr-enabled/> element can optionally also contain a + 'location' attribute which specifies the preferred IP address or hostname, and a TCP port number of the host which should be used for instant stream resumption.

- ]]> + + +]]> - ]]> + + +]]> -

The <enabled/> Nonza containing an ISR key MUST only be +

The <enabled/> Nonza containing an ISR token MUST only be sent over TLS secured connections.

 @@ -243,7 +202,7 @@

In order to instantaneously resume an XMPP stream the initiating entity, which is either an XMPP client or server, must posses a - valid ISR key. After it has obtained the ISR key, using the process + valid ISR token. After it has obtained the ISR token, using the process described in the previous section, it first determines the host for resumption, and after that, tries to perform the instant stream resumption.

@@ -255,7 +214,7 @@
  1. The host provided in the optional 'location' attribute - qualified by the 'urn:xmpp:isr:0' namespace found in the + qualified by the 'htpps://xmpp.org/extensions/isr/0' namespace found in the <enabled/> element of XEP-0198 (the "isr:location").
    2. @@ -269,7 +228,7 @@ tried by the initiating entity in this order.

    Note that the hosts announced by the 'location' attribute - qualified by the 'urn:xmpp:isr:0' namespace MUST be connected to + qualified by the 'htpps://xmpp.org/extensions/isr/0' namespace MUST be connected to using TLS from the beginning, i.e. <starttls/> MUST NOT be used, instead the TLS handshake is performed right after establishing the connection.

    @@ -294,21 +253,18 @@

    Now the initiating entity sends an XMPP <stream> open element followed by a <authenticate/> Nonza as specified in the &xep0388;. The initiating entity must also provide a - <inst-resume/> element qualified by the 'urn:xmpp:isr:0' + <inst-resume/> element qualified by the 'htpps://xmpp.org/extensions/isr/0' namespace, which must contain a <resume/> element as defined in &xep0198;.

    -

    If the 'without-isr-token' attribute is set to true, then the - SASL mechanisms are performed as when traditionally authenticating - the XMPP session. If the value of the attribute is 'false', which is +

    If the with-isr-token' attribute is set to 'false', then the + SASL mechanism is performed as when traditionally authenticating + the XMPP session. If the value of the attribute is 'true', which is the default value for this attribute, then the "password" given to - the SASL mechanism is the ISR key. Note that this implies that only + the SASL mechanism is the ISR token. Note that this implies that only SASL mechanisms which take a password/token can be used this way.

    -

    All ISR implementations MUST support the - X-HT-SHA-256-ENDP mechanism.

    - - - - + + [base64 encoded SASL data] + @@ -333,20 +289,20 @@ stream resumption request together with then initial <stream> open element. The initiating entity is able to do so since it already knows that the service supports ISR because it - announced an ISR key.

    + announced an ISR token.

    -

    Servers MUST destroy the ISR key of a stream after an instant +

    Servers MUST destroy the ISR token of a stream after an instant stream resumption was attempted for that stream with an invalid ISR - key. Server implementations MUST implement the ISR key comparision in + token. Server implementations MUST implement the ISR token comparision in linear runtime.

    z - - +z + + @@ -354,17 +310,17 @@

    On success the server replies with a <success/> nonza as specified in the &xep0388;, which must include a - <inst-resumed/> element qualified by the 'urn:xmpp:isr:0' - namespace. This element MUST contain a new ISR Key found in - the 'key' attribute. It also MUST include a <resumed/> as + <inst-resumed/> element qualified by the 'htpps://xmpp.org/extensions/isr/0' + namespace. This element MUST contain a new ISR Token found in + the 'token' attribute. It also MUST include a <resumed/> as specified in &xep0198; containing the sequence number of the last by Stream Management handled stanza in the 'h' attribute and the 'previd' attribute.

    In case of an successful Instant Stream Resumption authenticated - by an ISR key, the server MUST immediately destroy the ISR key after + by an ISR token, the server MUST immediately destroy the ISR token after authentication, i.e., it MUST no longer be possible to perform an - ISR using that ISR key and Stream Management ID (SM-ID, see + ISR using that ISR token and Stream Management ID (SM-ID, see &xep0198;) tuple.

    After the <inst-resumed/> was received and has been @@ -391,13 +347,13 @@ but is unable to resume the stream instantly it MUST reply with a <success/> Nonza as defined in the &xep0388; containing a <inst-resume-failed/> element qualified by the - 'urn:xmpp:isr:0' namespace. This + 'htpps://xmpp.org/extensions/isr/0' namespace. This <inst-resume-failed/> MUST contain a <failed/> element as defined in &xep0198;.

    - + + @@ -415,25 +371,23 @@     - + -

    As specified in the &xep0388; § 2.6.4, a single SASL - mechanism may not be sufficient for authentication. In this case, - the remote entity sends a <continue/> element as defined in - &xep0388; to request the local entity to perform another - SASL mechanism. Performing instant stream resumption using - multiple SASL mechanisms MUST only be done if the - 'without-isr-token' attribute is set to 'true'.

    +

    As specified in the &xep0388; § 2.6.3, sole SASL authentication + may not be sufficient for authentication. In this case, the remote + entity sends a <continue/> element as defined in &xep0388; + to request the local entity to perform another + task.

    + T3B0aW9uYWwgQmFzZSA2NCBlbmNvZGVkIFNBU0wgc3VjY2VzcyBkYXRh - - HOTP-EXAMPLE - TOTP-EXAMPLE - + + HOTP-EXAMPLE + TOTP-EXAMPLE + ]]> @@ -441,12 +395,15 @@ -

    If the server is unable to authenticate the initiating entity it - MUST reply with a <failure/> Nonza as defined in - &xep0388;.

    +

    If the server is unable to authenticate the initiating entity + it replies with a <failure/> Nonza as defined in + &xep0388;. The server MUST delete any state of the stream which + was attempted to resume in case the SM-ID was correct but the + authentication failed.This is to prevent brute force + attacks.

    + ]]> @@ -461,100 +418,19 @@ - - -

    This section specifies the Hashed Token (X-HT-*) SASL - mechanism. This mechanism was designed to be used with short-lived - tokens (shared secrets) for authentication. It provides hash - agility, mutual authentication and is secured by channel - binding. Since the token is not salted, and only one iteration is - used, the X-HT mechanism is not suitable to protect long-lived - shared secrets (e.g. "passwords"). You may want to look at &rfc5802; - for that.

    - - - -

    Each mechanism in this family differs by the choice of the hash - algorithm and the choice of the channel binding type. Each - mechanism has a name of the form X-HT-[HA]-[CBT] where [HA] is the - "Hash Name String" of the &iana-hash-alg; registry in capital - letters, and [CBT] is one of 'ENDP' or 'UNIQ'. In case of 'ENDP', - the tls-server-end-point channel binding type is used. In case of - 'UNIQ', the tls-unique channel binding type is used. For more - information about channel binding, see &rfc5929; and the - &iana-cbt; registry.

    - - - - - -
    CBTChannel Binding Type
    ENDPtls-server-end-point
    UNIQtls-unique
    - -

    The following table lists a few examples of X-HT-* SASL - mechanism names.

    - - - - - - - -
    Mechanism NameHash AlgorithmChannel-binding unique prefix
    X-HT-SHA-512-ENDPSHA-512 (FIPS 180-4)tls-server-end-point
    X-HT-SHA3-256-ENDPSHA3-512 (FIPS 202)tls-server-end-point
    X-HT-SHA-512-UNIQSHA-512 (FIPS 180-4)tls-unique
    X-HT-SHA-256-UNIQSHA-256 (&rfc6920;)tls-unique
    -     - - - -

    The mechanism consists of a simple exchange of exactly two - messages between the initiator and responder. It starts with the - message from the initiator to the responder. This - 'initiator-message' is defined as follows:

    - -

    - initiator-message = HMAC(token, "Initiator" || cb-data) -

    - -

    HMAC() is the function defined in &rfc2104; with H being the - chosen hash algorithm, 'cb-data' represents channel binding type - data, and 'token' are the UTF-8 (see &rfc3629;) encoded bytes of - the token String which acts as shared secret between initiator and - responder. The initiator-message MUST NOT be included in TLS 1.3 - 0-RTT early data (&tls13;).

    - -

    This message is followed by a message from the responder to the - initiator. This 'responder-message' is defined as follows:

    - -

    - responder-message = HMAC(token, "Responder" || cb-data) -

    - -

    The initiating entity MUST verify the responder-message to - achieve mutual authentication.

    - -     - - - -

    To be secure, X-HT MUST be used over a TLS channel that has had - the session hash extension &rfc7627; negotiated, or session - resumption MUST NOT have been used.

    - -     - -     - -

    Putting ISR data in TLS 1.3 0-RTT early data is - forbidden. (TODO: Shall we weaken this requirement to allow early +

    Any ISR data SHALL NOT be part of TLS 1.3 0-RTT + early data. (TODO: Shall we weaken this requirement to allow early data?. It would be technically possible if the sender does not add additional data, for example Stanzas, after the ISR/XEP-0388 data at the end of the early data. And if the receiver does ensure that the existence of such additional data is causing an ISR failure.)

    -

    It is of vital importance that the Instant Stream Resumption Key - is generated by a cryptographically secure random generator. See - &rfc4086; for more information about Randomness Requirements for - Security

    +

    It is of vital importance that the Instant Stream Resumption + Token is generated by a cryptographically secure random + generator. See &rfc4086; for more information about Randomness + Requirements for Security.

     @@ -566,7 +442,7 @@ -

    The ®ISTRAR; includes 'urn:xmpp:isr:0' in its registry of protocol namespaces (see &NAMESPACES;).

    +

    The ®ISTRAR; includes 'htpps://xmpp.org/extensions/isr/0' in its registry of protocol namespaces (see &NAMESPACES;).

     @@ -578,9 +454,14 @@ -

    Thanks to Jonas Wielicki, Thijs Alkemade, Dave Cridland, - Maxime Buquet and Alexander Würstlein for their feedback.

    +

    Thanks to Jonas Wielicki, Thijs Alkemade, Dave Cridland, Maxime + Buquet, Alexander Würstlein and Sam Whited for their feedback.

     + + + + +