mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-24 18:22:24 -05:00
Initial otr usage draft
This commit is contained in:
parent
ee89518a7e
commit
c5cd20c877
291
inbox/otr-info.xml
Normal file
291
inbox/otr-info.xml
Normal file
@ -0,0 +1,291 @@
|
||||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<!DOCTYPE xep SYSTEM 'xep.dtd' [
|
||||
<!ENTITY % ents SYSTEM 'xep.ent'>
|
||||
%ents;
|
||||
]>
|
||||
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
|
||||
<xep>
|
||||
<header>
|
||||
<title>Current Off-the-Record Messaging Usage</title>
|
||||
<abstract>
|
||||
This document outlines the current usage of Off-the-Record messaging in
|
||||
XMPP, its drawbacks, its strengths, and recommendations for improving the
|
||||
end user experience.
|
||||
</abstract>
|
||||
&LEGALNOTICE;
|
||||
<number>xxxx</number>
|
||||
<status>ProtoXEP</status>
|
||||
<type>Informational</type>
|
||||
<sig>Standards</sig>
|
||||
<approver>Council</approver>
|
||||
<dependencies>
|
||||
<spec>XMPP Core</spec>
|
||||
</dependencies>
|
||||
<supersedes/>
|
||||
<supersededby/>
|
||||
<shortname>NOT_YET_ASSIGNED</shortname>
|
||||
<author>
|
||||
<firstname>Sam</firstname>
|
||||
<surname>Whited</surname>
|
||||
<email>sam@samwhited.com</email>
|
||||
<jid>sam@samwhited.com</jid>
|
||||
</author>
|
||||
<revision>
|
||||
<version>0.0.1</version>
|
||||
<date>2015-07-28</date>
|
||||
<initials>ssw</initials>
|
||||
<remark><p>Initial draft.</p></remark>
|
||||
</revision>
|
||||
</header>
|
||||
<section1 topic='Introduction' anchor='intro'>
|
||||
<p>
|
||||
The Off-the-Record messaging protocol (OTR) was originally introduced in
|
||||
the 2004 paper
|
||||
<i><link url='https://otr.cypherpunks.ca/otr-wpes.pdf'>
|
||||
Off-the-Record Communication, or, Why Not To Use PGP
|
||||
</link></i>
|
||||
<note>
|
||||
Nikita Borisov, Ian Goldberg, Eric Brewer (2004-10-28). "Off-the-Record
|
||||
Communication, or, Why Not To Use PGP"
|
||||
<<link url='https://otr.cypherpunks.ca/otr-wpes.pdf'>
|
||||
https://otr.cypherpunks.ca/otr-wpes.pdf
|
||||
</link>>
|
||||
</note>
|
||||
and has since become the de facto standard for performing end-to-end
|
||||
encryption in XMPP. OTR provides encryption, deniable authentication,
|
||||
forward secrecy, and malleable encryption.
|
||||
</p>
|
||||
<p>
|
||||
The OTR protocol itself is currently described by the document:
|
||||
<i><link url='https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html'>
|
||||
Off-the-Record Messaging Protocol version 3
|
||||
</link></i>
|
||||
<note>
|
||||
"Off-the-Record Messaging Protocol version 3"
|
||||
<<link url='https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html'>
|
||||
https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html
|
||||
</link>>
|
||||
</note>
|
||||
and will not be redescribed here. Instead, this document aims to describe
|
||||
OTR's usage and best practices within XMPP. It is not intended to be a
|
||||
current standard, or technical specification, as better (albeit, newer and
|
||||
less well tested) methods of end-to-end encryption exist for XMPP.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='Overview' anchor='overview'>
|
||||
<p>
|
||||
Though this document will not focus on the OTR protocol itself, a brief
|
||||
overview is warranted to better understand the protocols strengths and
|
||||
weaknesses.
|
||||
</p>
|
||||
<p>
|
||||
OTR uses 128 bit AES symmetric-key encryption and the SHA-1 hash function.
|
||||
An OTR session can be held only between two parties, meaning that OTR is
|
||||
incompatible with &xep0045;. It provides deniability in the form of
|
||||
malleable encryption (a third party may generate fake messages after the
|
||||
session has ended). This means that if you were not a part of the original
|
||||
conversation, you cannot prove based on captured messages alone that a
|
||||
message from the conversation was actually sent by a given party. Unlike
|
||||
PGP, OTR also provides forward secrecy; even if a session is recorded and
|
||||
the primary key is compromised at a later date, the OTR messages will not
|
||||
be able to be decrypted as each was encrypted with an ephemeral key
|
||||
exchanged with Diffie-Hellman key exchange with a 1536 bit modulus.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='Discovery'>
|
||||
<p>
|
||||
Clients that support the OTR protocol do not advertise it in any of the
|
||||
normal XMPP ways. Instead, OTR provides its own discovery mechanism. If a
|
||||
client wishes to indicate support for OTR they include a special whitespace
|
||||
tag in their messages. This tag can appear anywhere in the body of the
|
||||
message stanza, but it is most often found at the end. The OTR tag
|
||||
comprises the following bytes:
|
||||
|
||||
<example caption='OTR tag'>
|
||||
\x20\x09\x20\x20\x09\x09\x09\x09 \x20\x09\x20\x09\x20\x09\x20\x20
|
||||
</example>
|
||||
|
||||
and is followed by one or more of the following sequences to indicate the
|
||||
version of OTR which the client supports:
|
||||
|
||||
<example caption='OTR tag version 1'>
|
||||
\x20\x09\x20\x09\x20\x20\x09\x20
|
||||
</example>
|
||||
|
||||
Note that this version 1 tag must come before other version tags for
|
||||
compatibility; it is, however, NOT RECOMMENDED to implement version 1 of
|
||||
the OTR protocol.
|
||||
|
||||
<example caption='OTR tag version 2'>
|
||||
\x20\x20\x09\x09\x20\x20\x09\x20
|
||||
</example>
|
||||
|
||||
<example caption='OTR tag version 3'>
|
||||
\x20\x20\x09\x09\x20\x20\x09\x09
|
||||
</example>
|
||||
</p>
|
||||
<p>
|
||||
When a client sees this special string in the body of a message stanza it
|
||||
may choose to start an OTR session immediately, or merely indicate support
|
||||
to the user and allow the user to manually start a session. This is done by
|
||||
sending a message stanza containing an OTR query message in the body which
|
||||
indicates the supported versions of OTR. In XMPP these are most commonly
|
||||
version 2 and version 3, which would be indicated by a message stanza which
|
||||
has a body that starts with the string:
|
||||
|
||||
<example caption='OTR query'>
|
||||
?OTR?v23?
|
||||
</example>
|
||||
</p>
|
||||
<p>
|
||||
Any message which begins with the afforementioned string (note that the
|
||||
version number[s] may be different), postfixed with a payload should be
|
||||
decrypted as an OTR message. The initialization message should not contain
|
||||
a payload, and should just be the initialization string by itself.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='OTR Messages'>
|
||||
<section2 topic='Construction and Decoding'>
|
||||
<p>
|
||||
When sending a message encrypted with OTR, it is RECOMMENDED to encrypt
|
||||
only the text node of the <body/> element (the message itself).
|
||||
However, there are some clients in the wild which will encrypt the entire
|
||||
contents of the <body/> element, including sub-nodes. Because of
|
||||
this behavior, it is RECOMMENDED that clients decrypt and expand any OTR
|
||||
messages inside of the body element before re-processing the element as a
|
||||
whole. Clients that support OTR MUST tolerate encrypted payloads which
|
||||
expand to XML, and those which expand to plain text messages.
|
||||
</p>
|
||||
</section2>
|
||||
<section2 topic='Routing'>
|
||||
<p>
|
||||
XMPP is designed so that the client needs to know very little about where
|
||||
and how a message will be routed. Generally, clients are encouraged to
|
||||
send messages to the bare JID and allow the server to route the messages
|
||||
as it sees fit. However, OTR requires that messages be sent to a
|
||||
particular resource. Therefore clients SHOULD send OTR messages to a full
|
||||
JID, possibly allowing the user to determine which resource they wish to
|
||||
start an encrypted session with. Furthermore, if a client receives a
|
||||
request to start an OTR session in a carboned message (due to a server
|
||||
which does not support the aforementioned "private" directive, or a
|
||||
client which does not set it), it SHOULD be silently ignored.
|
||||
</p>
|
||||
</section2>
|
||||
<section2 topic='Processing Hints'>
|
||||
<p>
|
||||
&xep0334; defines a set of hints for how messages should be handled by
|
||||
XMPP servers. These hints are not hard and fast rules, but suggestions
|
||||
which the servers may or may not choose to follow. Best practice is to
|
||||
include the following hints on all OTR messages:
|
||||
|
||||
<code><![CDATA[
|
||||
<no-copy xmlns="urn:xmpp:hints"/>
|
||||
<no-permanent-store xmlns="urn:xmpp:hints"/>
|
||||
]]></code>
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Similarly the "private" directive from &xep0280; should also be included
|
||||
to indicate that carbons are not necessary (since no other resource will
|
||||
be able to read the message):
|
||||
|
||||
<code><![CDATA[
|
||||
<private xmlns="urn:xmpp:carbons:2"/>
|
||||
]]></code>
|
||||
|
||||
All together, an example OTR message might look like this (with the
|
||||
majority of the body stripped out for readability):
|
||||
|
||||
<example caption='OTR message with processing hints'><![CDATA[
|
||||
<message
|
||||
from='malvolio@stewardsguild.lit/countesshousehold'
|
||||
to='olivia@countess.lit/veiled'>
|
||||
<body>?OTR?v23?...</body>
|
||||
<no-copy xmlns="urn:xmpp:hints"/>
|
||||
<no-permanent-store xmlns="urn:xmpp:hints"/>
|
||||
<private xmlns="urn:xmpp:carbons:2"/>
|
||||
</message>
|
||||
]]></example>
|
||||
</p>
|
||||
</section2>
|
||||
</section1>
|
||||
<section1 topic='Use in XMPP URIs'>
|
||||
<p>
|
||||
&rfc5122; defines a Uniform Resource Identifier (URI) and Internationalized
|
||||
Resource Identifier (IRI) scheme for XMPP entities, and &xep0147; defines
|
||||
various query components for use with XMPP URI's. When an entity has an
|
||||
associated OTR fingerprint it's URI is often formed with "otr-fingerprint"
|
||||
in the query string. Eg.
|
||||
|
||||
<example caption='OTR Fingerprint'>
|
||||
xmpp:feste@allfools.lit?otr-fingerprint=AEA4D503298797D4A4FC823BC1D24524B4C54338
|
||||
</example>
|
||||
</p>
|
||||
<p>
|
||||
The ®ISTRAR; maintains a registry of queries and key-value pairs for use
|
||||
in XMPP URIs at &QUERYTYPES;. As of the date this document was authored,
|
||||
the 'otr-fingerprint' query string has not been formally defined and has
|
||||
therefore is not officially recognized by the registrar.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='Acknowledgements' anchor='acks'>
|
||||
<p>
|
||||
Thanks to Daniel Gultsch for his excellent
|
||||
<link url='https://github.com/siacs/Conversations/blob/development/docs/observations.md'>
|
||||
article
|
||||
</link>
|
||||
<note>
|
||||
Daniel Gultsch (Retreived on 2015-07-29). "Observations on Imlementing
|
||||
XMPP"
|
||||
<<link url='https://github.com/siacs/Conversations/blob/development/docs/observations.md'>
|
||||
https://github.com/siacs/Conversations/blob/development/docs/observations.md
|
||||
</link>>
|
||||
</note>
|
||||
on the pitfalls of implementing OTR, and to Georg Lukas for his feedback.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='Security Considerations' anchor='security'>
|
||||
<p>
|
||||
While this document describes an existing protocol which is streamed over
|
||||
XMPP and therefore does not introduce any new security concerns itself, it
|
||||
is worth mentioning a few security issues with the underlying OTR protocol:
|
||||
</p>
|
||||
<p>
|
||||
Because Diffie-Hellman (D-H) key exchange is unauthenticated, the initial
|
||||
D-H exchange which sets up the encrypted channel is vulnerable to a
|
||||
man-in-the-middle attack. No sensitive information should be sent over the
|
||||
encrypted channel until mutual authentication has been performed
|
||||
inside the encrypted channel.
|
||||
</p>
|
||||
<p>
|
||||
OTR makes use of the SHA-1 hash algorithm. While no practical attacks have
|
||||
been observed in SHA-1 at the time of this writing, theoretical attacks
|
||||
have been constructed, and attacks have been performed on hash functions
|
||||
that are similar to SHA-1. One cryptographer estimated that the cost
|
||||
of generating SHA-1 collisions was $2.77 million dollars in 2012, and would
|
||||
drop to $700,000 by 2015.
|
||||
<note>
|
||||
Bruce Schneier (2012-10-05). "When Will We See Collisions for SHA-1?"
|
||||
<<link url='https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html'>
|
||||
https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
|
||||
</link>>
|
||||
</note>.
|
||||
This puts generating SHA-1 collisions well within the reach of governments
|
||||
and well funded criminal organizations. In this authors opinion, there are
|
||||
no theoretical vulnerabilities, and SHA-1 should be treated as with extreme
|
||||
caution.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='IANA Considerations' anchor='iana'>
|
||||
<p>
|
||||
This document requires no interaction with the Internet Assigned Numbers
|
||||
Authority (IANA).
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
|
||||
<p>
|
||||
No namespaces or parameters need to be registered with the XMPP Registrar
|
||||
as a result of this document.
|
||||
</p>
|
||||
</section1>
|
||||
</xep>
|
Loading…
Reference in New Issue
Block a user