There is a number of different end-to-end encryption mechanisms that can be used to secure user communication against unauthorized access from malicious third parties. Popular examples for this are &xep0384; and &xep0373;.

While the latter allows for encryption of arbitrary extension elements, protocols such as &xep0384; are limited to only encrypt the body of a message. This approach is not very flexible and prevents the combined usage with XMPP extension protocols such as &xep0385; or &xep0308; as their extension elements cannot be included in the encrypted part of the message, therefore leaking information about the message content.

This extension protocol proposes a solution to aforementioned issues by generalizing the OpenPGP Content Elements (eg. <signcrypt>) introduced by &xep0373; for the use with other encryption protocols.

This proposal widens the scope of the security guarantees given by the used encryption mechanism from just the body of the message to all contents of the &content; element. It is intended to serve as a "one size fits all" solution for extension element encryption in XMPP.

In order to achieve its goal, Stanza Content Encryption does the following:

• Define elements that hold sensitive information and their encrypted form
• Speficy rules about how extension elements are encrypted and embedded in the message
• Specify rules about which elements are allowed inside and outside the protected domain

Envelope Element &envelope;

An XMPP extension element which is used to hold the encrypted &content; element.

Content Element &content;

An element which is used to contain all of those extension elements that need to be encrypted. The XML representation of this element is encrypted and then embedded into the &envelope; element.

In order to prevent certain attacks, different affix elements MAY be added into the &content; element.

Encryption protocols that make use of Stanza Content Encryption MUST define their own profiles that describe mandatory behaviour of which of these elements are used. They MAY also define and add their own specific affix elements.

The main use case of Stanza Content Encryption is the use of end-to-end encryption protocols in combination with extension protocols that store sensitive information in other places than the message body. Some end-to-end encryption protocols like &xep0384; are historically limited to encryption of the message body only. This approach excludes other extension elements from the protected domain of the payload element, exposing them to potential attackers.

The example above obviously leaks information about the communication through the unencrypted OOB extension element.

Another example of a possible use case would be encrypted <iq/> queries. A resource might want to query sensitive information from another resource capable of Stanza Content Encryption. This problem can also be solved using SCE.

To fix the issue of leaking extension elements using Stanza Content Encryption, the sender prepares the message by placing the content elements inside the &content; element.

The &content; element is then serialized into XML and encrypted using the encryption mechanism in place. The result is embedded in the &envelope; element and appended to the message.

The message can then be sent to the recipient.

The recipient of the message decrypts the content of the &envelope; element to retrieve the &content; element. Depending on the affix profiles specified by the used encryption protocol, the affix elements are verified to prevent certain attacks from taking place.

Next the extension elements of the &content; elements &payload; element are checked against the whitelist/blacklist and any disallowed elements are discarded.

As a last step, the original unencrypted stanza is recreated by replacing the &envelope; element of the stanza with the contents of the &payload; element.

The receiving client MUST ignore certain elements that may allow for attacks to take place.

Since it is hard to come up with a complete list of blacklisted elements, a general rule of thumb would be the following:

Blacklisted are all elements that need to be read by the server at some point.

Below is an additional list of elements that are definitely forbidden inside the &content; element and MUST instead be placed in the message unencrypted.

Unencrypted &content; elements are NOT ALLOWED as child elements of the stanza and MUST be dropped.

Elements in the &content; element MUST be identified using an element name and namespace. Notably the <body/> element MUST contain a valid namespace (i.e. "jabber:client").

Recipient must verify that the decrypted &content; element contains valid XML before processing it any further. Invalid XML must be rejected.

After verifying the integrity of the &content; element, the recipient needs to make sure that no blacklisted elements are found within the payload. Any forbidden elements MUST be dropped before the message is processed any further.

Duplicate elements within the &content; element MUST be dropped.

Elements in the &content; element override elements in the enclosing stanza. TODO: Maybe we want to remove this rule by disallowing duplicate elements all together?

As a first, naïve approach a recipient of a message containing an &envelope; element could simply reinject the reassambled unencrypted stanza into the XML stream. This might introduce some security issues. Most notably, there is no way to distinguish end-to-end encrypted elements from unencrypted elements.

Implementations should rather handle encrypted elements explicitly.

TODO: Maybe the Registrar should handle a blacklist of elements that are allowed as child elements of the &content; element?

TODO.