No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

xep-0031.xml 55KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293
  1. <?xml version='1.0' encoding='UTF-8'?>
  2. <!DOCTYPE xep SYSTEM 'xep.dtd' [
  3. <!ENTITY % ents SYSTEM "xep.ent">
  4. %ents;
  5. ]>
  6. <?xml-stylesheet type='text/xsl' href='xep.xsl'?>
  7. <xep>
  8. <header>
  9. <title>A Framework For Securing Jabber Conversations</title>
  10. <abstract>
  11. Although the value and utility of contemporary instant messaging
  12. systems, like Jabber, are now indisputable, current security
  13. features to protect message data are generally inadequate for
  14. many deployments; this is particularly true in security conscious
  15. environments like large, commercial enterprises and government
  16. agencies. These current features suffer from issues of
  17. scalability, usability, and supported features. Furthermore, there is a
  18. lack of standardization.
  19. We present a protocol to allow communities of Jabber users to
  20. apply cryptographic protection to selected conversation data.
  21. </abstract>
  22. &LEGALNOTICE;
  23. <number>0031</number>
  24. <status>Deferred</status>
  25. <type>Standards Track</type>
  26. <sig>Standards</sig>
  27. <dependencies/>
  28. <supersedes/>
  29. <supersededby/>
  30. <shortname>N/A</shortname>
  31. <author>
  32. <firstname>Paul</firstname>
  33. <surname>Lloyd</surname>
  34. <email>paul_lloyd@hp.com</email>
  35. <jid>paul_lloyd@jabber.hp.com (private)</jid>
  36. </author>
  37. <revision>
  38. <version>0.2</version>
  39. <date>2002-07-09</date>
  40. <initials>PCL</initials>
  41. <remark>
  42. updated to reflect group consensus to incorporate XML Encryption, as well
  43. as other group comments from Draft 0.9.
  44. </remark>
  45. </revision>
  46. <revision>
  47. <version>0.1</version>
  48. <date>2002-05-07</date>
  49. <initials>
  50. PCL
  51. </initials>
  52. <remark>
  53. initial version
  54. </remark>
  55. </revision>
  56. </header>
  57. <section1 topic="Introduction">
  58. <p>
  59. Instant messaging has clearly crossed the chasm from experimental
  60. to mainstream in a short amount of time. It is particularly
  61. interesting to note the extent to which the employees and
  62. affiliates of large enterprises have adopted instant messaging as
  63. part of their daily professional lives. IM is no longer simply
  64. used on Friday evening to select which movie to watch; it's now
  65. used on Monday morning to select which company to acquire.
  66. </p>
  67. <p>
  68. While the benefits of IM are clear and compelling, the risks
  69. associated with sharing sensitive information in an IM
  70. environment are often overlooked. We need a mechanism that
  71. permits communities of users to protect their IM conversations.
  72. This document presents an extension protocol that can be
  73. incorporated into the existing Jabber protocol to provide such a
  74. mechanism. We hope that this protocol spurs both interest
  75. and further investigation into mechanisms to protect Jabber
  76. conversations. We also hope that the Jabber community can
  77. accelerate the adoption of standardized security mechanisms.
  78. </p>
  79. <p>
  80. In addition to its ability to protect traditional messaging data,
  81. the proposed protocol may also serve as a foundation for securing
  82. other data transported via other Jabber extensions.
  83. </p>
  84. <p>
  85. We use the following terms throughout this document to describe
  86. the most relevant aspects of the IM environment that we wish to
  87. address:
  88. </p>
  89. <ul>
  90. <li>
  91. <p>
  92. user. A user is simply any Jabber user. Users are uniquely
  93. identified by a JID; they connect to Jabber hosts using a
  94. Jabber node.
  95. </p>
  96. <p>
  97. Users produce and consume information, and we wish to
  98. provide them with mechanisms that can be used to protect
  99. this information.
  100. </p>
  101. </li>
  102. <li>
  103. <p>
  104. community. A community is a collection of users who wish to
  105. communicate via Jabber. No restrictions or assumptions are
  106. made about the size of communities or the geographical,
  107. organizational, or national attributes of the members.
  108. Communities are assumed to be dynamic and ad-hoc. Users
  109. typically join communities by the simple act of invitation.
  110. All members of a community are assumed to be peers.
  111. </p>
  112. <p>
  113. The members of communities share information among
  114. themselves, and we wish to provide them with mechanisms
  115. that can permit information to only be shared by community
  116. members.
  117. </p>
  118. </li>
  119. <li>
  120. <p>
  121. conversation. A conversation is the set of messages
  122. that flows among the members of a community via some
  123. network. Conversations consist of both the actual
  124. conversation data produced and consumed by the various
  125. users as well as the Jabber protocol elements that
  126. transport it. Members participate in a conversation when
  127. they are the source or destination of this traffic.
  128. </p>
  129. <p>
  130. In hostile network environments, like the Internet,
  131. conversation data is vulnerable to a variety of well-known
  132. attacks.
  133. </p>
  134. </li>
  135. </ul>
  136. <p>
  137. Other Jabber and IM terms are used in a traditional, intuitive
  138. fashion.
  139. </p>
  140. </section1>
  141. <section1 topic="Requirements And Considerations">
  142. <p>
  143. The proposed protocol is designed to address the specific
  144. requirements and considerations presented in this section.
  145. </p>
  146. <section2 topic="Security Requirements">
  147. <section3 topic="Data Protection Requirements">
  148. <p>
  149. A secure IM system must permit conversation participants to
  150. preserve the following properties of their conversation data:
  151. </p>
  152. <ul>
  153. <li>
  154. <p>
  155. confidentiality. Conversation data must only be disclosed
  156. to authorized recipients
  157. </p>
  158. </li>
  159. <li>
  160. <p>
  161. integrity. Conversation data must not be altered
  162. </p>
  163. </li>
  164. <li>
  165. <p>
  166. data origin authentication. Recipients must be able to
  167. determine the identity of the sender and trust that the
  168. message did, in fact, come from the sender. It is important
  169. to note that this requirement does not include the
  170. requirement of a durable digital signature on conversation
  171. data.
  172. </p>
  173. </li>
  174. <li>
  175. <p>
  176. replay protection. Recipients must be able to detect and
  177. ignore duplicate conversation data.
  178. </p>
  179. </li>
  180. </ul>
  181. <p>
  182. These are established, traditional goals of information security
  183. applied to the conversation data. In the IM environment, these
  184. goals protect against these attacks:
  185. </p>
  186. <ul>
  187. <li>
  188. <p>
  189. eavesdropping, snooping, etc.
  190. </p>
  191. </li>
  192. <li>
  193. <p>
  194. masquerading as a conversation participant
  195. </p>
  196. </li>
  197. <li>
  198. <p>
  199. forging messages
  200. </p>
  201. </li>
  202. </ul>
  203. <p>
  204. Preserving the availability of conversation data is not addressed
  205. by this protocol.
  206. </p>
  207. <p>
  208. Preserving the anonymity of conversation participants is an
  209. interesting topic which we defer for future exploration.
  210. </p>
  211. <p>
  212. Finally, note that this protocol does not concern any authentication
  213. between a Jabber node and a Jabber host.
  214. </p>
  215. </section3>
  216. <section3 topic="Data Classification Requirements">
  217. <p>
  218. A secure IM system must support a data classification feature through the use
  219. of security labeling. Conversation participants must be
  220. able to associate a security label with each piece of
  221. conversation data. This label may be used to specify a data
  222. classification level for the conversation data.
  223. </p>
  224. </section3>
  225. <section3 topic="The End To End Requirement">
  226. <p>
  227. It is easy to imagine Jabber systems in which the servers play
  228. active, fundamental roles in the protection of conversation
  229. data. Such systems could offer many advantages, like:
  230. </p>
  231. <ul>
  232. <li>
  233. <p>
  234. allowing the servers to function as credential issuing
  235. authorities,
  236. </p>
  237. </li>
  238. <li>
  239. <p>
  240. allowing the servers to function as policy enforcement
  241. points.
  242. </p>
  243. </li>
  244. </ul>
  245. <p>
  246. Unfortunately, such systems have significant disadvantages when
  247. one considers the nature of instant messaging:
  248. </p>
  249. <ul>
  250. <li>
  251. <p>
  252. Many servers may be untrusted, public servers.
  253. </p>
  254. </li>
  255. <li>
  256. <p>
  257. In many conversation communities, decisions of trust and
  258. membership can only be adequately defined by the members
  259. themselves.
  260. </p>
  261. </li>
  262. <li>
  263. <p>
  264. In many conversation communities, membership in the
  265. community changes in real time based upon the dynamics of
  266. the conversation.
  267. </p>
  268. </li>
  269. <li>
  270. <p>
  271. In many conversation communities, the data classifaction of
  272. the conversation changes in real time based upon the
  273. dynamics of the conversation.
  274. </p>
  275. </li>
  276. </ul>
  277. <p>
  278. Furthermore, the widespread use of gateways to external IM
  279. systems is a further complication.
  280. </p>
  281. <p>
  282. Based on this analysis, we propose that security be entirely
  283. controlled in an end to end fashion by the conversation
  284. participants themselves via their user agent software.
  285. </p>
  286. </section3>
  287. <section3 topic="Trust Issues">
  288. <p>
  289. We believe that, ultimately, trust decisions are in the hands of
  290. the conversation participants. A security protocol and
  291. appropriate conforming user agents must provide a mechanism for them to make
  292. informed decisions.
  293. </p>
  294. </section3>
  295. <section3 topic="Cryptosystem Design Considerations">
  296. <p>
  297. One of the accepted axioms of security is that people must avoid
  298. the temptation to start from scratch and produce new, untested
  299. algorithms and protocols. History has demonstrated that such
  300. approaches are likely to contain flaws and that considerable time
  301. and effort are required to identify and address all of these
  302. flaws. Any new security protocol should be based on existing,
  303. established algorithms and protocols.
  304. </p>
  305. </section3>
  306. </section2>
  307. <section2 topic="Environmental Considerations">
  308. <p>
  309. Any new IM security protocol must integrate smoothly into the
  310. existing IM environment, and it must also recognize the nature of
  311. the transactions performed by conversation participants. These
  312. considerations are especially important:
  313. </p>
  314. <ul>
  315. <li>
  316. <p>
  317. dynamic communities. The members of a community are defined
  318. in near real time by the existing members.
  319. </p>
  320. </li>
  321. <li>
  322. <p>
  323. dynamic conversations. Conversations may involve any
  324. possible subset of the entire set of community members.
  325. </p>
  326. </li>
  327. </ul>
  328. <p>
  329. Addressing these considerations becomes especially crucial when
  330. selecting a conference keying mechanism.
  331. </p>
  332. </section2>
  333. <section2 topic="Usability Requirements">
  334. <p>
  335. Given the requirement to place the responsibility for the
  336. protection of conversation data in the hands of the participants,
  337. it is imperative to address some fundamental usability issues:
  338. </p>
  339. <ul>
  340. <li>
  341. <p>
  342. First, overall ease of use is a requirement. For protocol
  343. purposes, one implication is that some form of
  344. authentication via passphrases is necessary. While we
  345. recognize that this can have appalling consequences,
  346. especially when we realize that a passphrase may be shared
  347. by all of the community members, we also recognize the
  348. utility.
  349. </p>
  350. </li>
  351. <li>
  352. <p>
  353. PKIs are well established in many large organizations, and
  354. some communities will prefer to rely on credentials issued
  355. from these authorities. To ensure ease of use, we must
  356. strive to allow the use of existing PKI credentials and
  357. trust models rather than impose closed, Jabber-specific
  358. credentials.
  359. </p>
  360. </li>
  361. <li>
  362. <p>
  363. Finally, performance must not be negatively impacted; this
  364. is particularly true if we accept that most communities are
  365. composed of human users conversing in real time. For
  366. protocol purposes, one obvious implication is the desire to
  367. minimize computationally expensive public key operations.
  368. </p>
  369. </li>
  370. </ul>
  371. <p>
  372. We note that, in practice, the design and construction of user
  373. agents will also have a major impact on ease of use.
  374. </p>
  375. </section2>
  376. <section2 topic="Development And Deployment Requirements">
  377. <p>
  378. To successfully integrate into the existing Jabber environment,
  379. an extension protocol for security must satisfy the following:
  380. </p>
  381. <ul>
  382. <li>
  383. <p>
  384. It must be an optional extension of the existing Jabber protocol.
  385. </p>
  386. </li>
  387. <li>
  388. <p>
  389. It must be transparent to existing Jabber servers.
  390. </p>
  391. </li>
  392. <li>
  393. <p>
  394. It must function gracefully in cases where some community
  395. members are not running a user agent that supports the
  396. protocol.
  397. </p>
  398. </li>
  399. <li>
  400. <p>
  401. It must make good use of XML.
  402. </p>
  403. </li>
  404. <li>
  405. <p>
  406. It must avoid encumbered algorithms.
  407. </p>
  408. </li>
  409. <li>
  410. <p>
  411. It must be straightforward to implement using widely
  412. available cryptographic toolkits.
  413. </p>
  414. </li>
  415. <li>
  416. <p>
  417. It must not require a PKI.
  418. </p>
  419. </li>
  420. </ul>
  421. <p>
  422. Failure to accommodate these will impede or prohibit adoption of
  423. any security protocol.
  424. </p>
  425. </section2>
  426. </section1>
  427. <section1 topic="Protocol Specification">
  428. <section2 topic="Protocol Overview">
  429. <p>
  430. Ultimately, conversation data is protected by the application of
  431. keyed cryptographic operations. One operation is used to provide
  432. confidentiality, and a separate operation is used to provide
  433. integrity and data origin authentication. The keys used to
  434. parameterize these operations are called conversation keys. Each
  435. conversation should have its own unique set of conversation keys
  436. shared among the conversation participants.
  437. </p>
  438. <p>
  439. Conversation keys are transported among the conversation
  440. participants within a negotiated security session. A security session allows
  441. pairs of conversation participants to securely share conversation keys
  442. throught all participants in the conversation as required.
  443. </p>
  444. </section2>
  445. <section2 topic="Definitions And Notation">
  446. <p>
  447. The following terms are used throughout this specification:
  448. </p>
  449. <ul>
  450. <li>
  451. <p>
  452. initiator. The initiator is the user who requested a security session
  453. negotiation. Initiator's are identified by their JID.
  454. </p>
  455. </li>
  456. <li>
  457. <p>
  458. responder. The responder is the user who responded to a security session
  459. negotiation request. Responder's are identified by their JID.
  460. </p>
  461. </li>
  462. <li>
  463. <p>
  464. hmac. This indicates the HMAC algorithm. The notation hmac (key, value)
  465. indicates the HMAC computation of value using key.
  466. </p>
  467. </li>
  468. <li>
  469. <p>
  470. concatentation operator. The '|' character is used in character or octet
  471. string expressions to indicate concatenation.
  472. </p>
  473. </li>
  474. <li>
  475. <p>
  476. security session ID. A character string that uniquely identifies a
  477. security session between two users. Security session IDs MUST only
  478. consist of Letters, Digits, and these characters: '.', '+', '-',
  479. '_', '@'. Security session IDs are case sensitive.
  480. </p>
  481. </li>
  482. <li>
  483. <p>
  484. SS. This term indicates the security session secret that is agreed to
  485. during a security session negotiation.
  486. </p>
  487. </li>
  488. <li>
  489. <p>
  490. SKc. This term indicates the keying material used within a security session
  491. to protect confidentiality. The SKc is derived from the security session secret, SS.
  492. </p>
  493. </li>
  494. <li>
  495. <p>
  496. SKi. This term indicates the keying material used within a security session
  497. to protect integrity and to provide authnetication. The SKi is derived from the
  498. security session secret, SS.
  499. </p>
  500. </li>
  501. <li>
  502. <p>
  503. conversation key ID. A character string that uniquely identifies a
  504. conversation key shared by a community of users. Conversation key IDs MUST only
  505. consist of Letters, Digits, and these characters: '.', '+', '-',
  506. '_', '@'. Conversation key IDs are case sensitive. Conversation key IDs SHOULD
  507. be generated from at least 128 random bits.
  508. </p>
  509. </li>
  510. <li>
  511. <p>
  512. passphrase ID. A character string that uniquely identifies a
  513. passphrase shared by a community of users. Passphrase IDs MUST only
  514. consist of Letters, Digits, and these characters: '.', '+', '-',
  515. '_', '@'. Passphrase IDs are case sensitive.
  516. </p>
  517. </li>
  518. </ul>
  519. </section2>
  520. <section2 topic="XML Processing">
  521. <p>
  522. Since cryptographic operations are applied to data that is
  523. transported within an XML stream, the protocol defines a set of
  524. rules to ensure a consistent interpretation by all conversation
  525. participants.
  526. </p>
  527. <section3 topic="Transporting Binary Content">
  528. <p>
  529. Binary data, such as the result of an HMAC, is always transported
  530. in an encoded form; the two supported encoding schemes are base64
  531. and hex.
  532. </p>
  533. <p>
  534. Senders MAY include arbitrary white space within the character
  535. stream. Senders SHOULD NOT include any other characters outside
  536. of the encoding set.
  537. </p>
  538. <p>
  539. Receivers MUST ignore all characters not in the encoding set.
  540. </p>
  541. </section3>
  542. <section3 topic="Transporting Encrypted Content">
  543. <p>
  544. Encrypted data, including wrapped cryptographic keys, are always
  545. wrapped per XML Encryption.
  546. </p>
  547. </section3>
  548. <section3 topic="HMAC Computation">
  549. <p>
  550. HMACs are computed over a specific collection of attribute values
  551. and character data; when computing an HMAC the following rules
  552. apply:
  553. </p>
  554. <ul>
  555. <li>
  556. <p>
  557. All characters MUST be encoded in UTF-8.
  558. </p>
  559. </li>
  560. <li>
  561. <p>
  562. The octets in each character MUST be processed in network
  563. byte order.
  564. </p>
  565. </li>
  566. <li>
  567. <p>
  568. For a given element, the attribute values that are HMACed
  569. MUST be processed in the specified order regardless of the
  570. order in which they appear in the element tag.
  571. </p>
  572. </li>
  573. <li>
  574. <p>
  575. For each attribute value, the computation MUST only include
  576. characters from the anticipated set defined in this
  577. specification; in particular, white space MUST always be
  578. ignored.
  579. </p>
  580. </li>
  581. <li>
  582. <p>
  583. For character data that is represented in an encoded form,
  584. such as base64 or hex, the computation MUST only include
  585. valid characters from the encoding set.
  586. </p>
  587. </li>
  588. </ul>
  589. </section3>
  590. <section3 topic="Performing Cryptographic Operations">
  591. <p>
  592. The following algorithm is used to encrypt a character string, such as
  593. an XML element:
  594. </p>
  595. <ul>
  596. <li>
  597. <p>
  598. The character string MUST be encoded in UTF-8.
  599. </p>
  600. </li>
  601. <li>
  602. <p>
  603. The octets in each character MUST be processed in network byte order.
  604. </p>
  605. </li>
  606. <li>
  607. <p>
  608. Appropriate cryptographic algorithm parameters, such as an
  609. IV for a block cipher, are generated.
  610. </p>
  611. </li>
  612. </ul>
  613. </section3>
  614. </section2>
  615. <section2 topic="XML Namespaces">
  616. <p>
  617. In order to integrate smoothly with the existing Jabber protocol,
  618. this protocol utilizes a new XML namespace, jabber:security.
  619. </p>
  620. </section2>
  621. <section2 topic="Security Sessions">
  622. <section3 topic="Overview">
  623. <p>
  624. A security session is a pair-wise relationship between two users
  625. in which the users have achieved the following:
  626. </p>
  627. <ul>
  628. <li>
  629. <p>
  630. They have mutually authenticated each other using credentials acceptable to both.
  631. </p>
  632. </li>
  633. <li>
  634. <p>
  635. They have agreed on a set of key material known only to both.
  636. </p>
  637. </li>
  638. </ul>
  639. <p>
  640. Security sessions are identified by a 3-tuple consisting of the following items:
  641. </p>
  642. <ul>
  643. <li>
  644. <p>
  645. initiator. This is the JID of the user who initiated the session.
  646. </p>
  647. </li>
  648. <li>
  649. <p>
  650. responder. This is the JID of the user who responded to the initiator's request.
  651. </p>
  652. </li>
  653. <li>
  654. <p>
  655. sessionId. A label generated by the initiator.
  656. </p>
  657. </li>
  658. </ul>
  659. <p>
  660. Security sessions are used to transport conversation keys between the conversation participants.
  661. </p>
  662. <p>
  663. Scalabilty is an immediate, obvious concern with such an approach. We expect this
  664. approach to be viable in practice because:
  665. </p>
  666. <ul>
  667. <li>
  668. <p>
  669. The number of participants in typical, interactive conversations is generally on the order of 10^1.
  670. </p>
  671. </li>
  672. <li>
  673. <p>
  674. New participants are usually invited to dynamically join a
  675. conversation by being invited by an existing participant;
  676. this existing participant is the only one who needs to
  677. establish a security session with the new participant,
  678. because this single security session can be used to
  679. transport all of the required conversation keys.
  680. </p>
  681. </li>
  682. <li>
  683. <p>
  684. User agents can permit the lifetime of security sessions to
  685. last long enough to allow transport of conversation keys
  686. for a variety of converstions.
  687. </p>
  688. </li>
  689. <li>
  690. <p>
  691. Conversation keys can be established with a suitable lifetime.
  692. </p>
  693. </li>
  694. </ul>
  695. <p>
  696. Other approaches, including the incorporation of more
  697. sophisticated conference keying algorithms, are a topic for
  698. future exploration.
  699. </p>
  700. </section3>
  701. <section3 topic="Security Session Negotiation">
  702. <p>
  703. Security sessions are negotiated using an authenticated Diffie-Hellman key agreement
  704. exchange. The two goals of the exchange are to perform the mutual authentication
  705. and to agree to a secret that is know only to each.
  706. </p>
  707. <p>
  708. The exchange also allows the parties to negotiate the various algorithms
  709. and authentication mechanisms that will be used.
  710. </p>
  711. <p>
  712. Once the pair agree on a shared secret, they each derive key material from the
  713. secret; this key material is used to securely transport the conversation keys,
  714. which are used to actually protect conversation data.
  715. </p>
  716. <p>
  717. The protocol data units (PDUs) that comprise the exchange are transported
  718. within existing Jabber protocol elements.
  719. </p>
  720. </section3>
  721. <section3 topic="DTDs">
  722. <example>
  723. &lt;!ELEMENT session1
  724. (nonce, keyAgreement, algorithms, authnMethods) &gt;
  725. &lt;!ATTLIST session1
  726. version CDATA #REQUIRED
  727. initiator CDATA #REQUIRED
  728. responder CDATA #REQUIRED
  729. sessionId CDATA #REQUIRED
  730. hmac (hmac-sha1) #REQUIRED &gt;
  731. &lt;!ELEMENT nonce
  732. (#PCDATA)* &gt;
  733. &lt;!ATTLIST nonce
  734. encoding (base64 | hex) #REQUIRED &gt;
  735. &lt;!ELEMENT keyAgreement
  736. (dh) &gt;
  737. &lt;!ELEMENT dh
  738. (publicKey) &gt;
  739. &lt;!ATTLIST dh
  740. group (modp1024 | modp2048 | modp4096 | modp8192) #REQUIRED &gt;
  741. &lt;!ELEMENT publicKey
  742. (#PCDATA)* &gt;
  743. &lt;!ATTLIST publicKey
  744. encoding (base64 | hex) #REQUIRED &gt;
  745. &lt;!ELEMENT algorithms
  746. (algorithm)+ &gt;
  747. &lt;!ELEMENT algorithm
  748. (confAlg, hmacAlg) &gt;
  749. &lt;!ELEMENT confAlg EMPTY &gt;
  750. &lt;!ATTLIST confAlg
  751. cipher (3des-cbc | aes-128-cbc | aes-256-cbc) #REQUIRED &gt;
  752. &lt;!ELEMENT hmacAlg EMPTY &gt;
  753. &lt;!ATTLIST hmacAlg
  754. alg (hmac-sha1 | hmac-md5) #REQUIRED&gt;
  755. &lt;!ELEMENT authnMethods
  756. (authnMethod)+ &gt;
  757. &lt;!ELEMENT authnMethod
  758. (digSig | passphrase) &gt;
  759. &lt;!ELEMENT digSig
  760. (certificate+, caCertificate*) &gt;
  761. &lt;!ATTLIST digSig
  762. alg (rsa) #REQUIRED&gt;
  763. &lt;!ELEMENT certificate
  764. (#PCDATA)* &gt;
  765. &lt;!ATTLIST certificate
  766. type (x509 | pkcs7) #REQUIRED
  767. encoding (base64 | hex) #REQUIRED &gt;
  768. &lt;!ELEMENT caCertificate
  769. (#PCDATA)* &gt;
  770. &lt;!ATTLIST caCertificate
  771. type (x509 | pkcs7) #REQUIRED
  772. encoding (base64 | hex) #REQUIRED &gt;
  773. &lt;!ELEMENT passphrase EMPTY &gt;
  774. &lt;!ATTLIST passphrase
  775. passphraseId CDATA #REQUIRED &gt;
  776. &lt;!ELEMENT session2
  777. (nonce, keyAgreement, algorithm, authnMethod, authenticator) &gt;
  778. &lt;!ATTLIST session2
  779. version CDATA #REQUIRED
  780. initiator CDATA #REQUIRED
  781. responder CDATA #REQUIRED
  782. sessionId CDATA #REQUIRED
  783. hmac (hmac-sha1) #REQUIRED &gt;
  784. &lt;!ELEMENT authenticator
  785. (#PCDATA)* &gt;
  786. &lt;!ATTLIST authenticator
  787. encoding (base64 | hex) #REQUIRED&gt;
  788. &lt;!ELEMENT session3
  789. (authenticator, keyTransport*) &gt;
  790. &lt;!ATTLIST session3
  791. version CDATA #REQUIRED
  792. initiator CDATA #REQUIRED
  793. responder CDATA #REQUIRED
  794. sessionId CDATA #REQUIRED
  795. hmac (hmac-sha1) #REQUIRED &gt;
  796. </example>
  797. </section3>
  798. <section3 topic="Generating And Sending the session1 PDU">
  799. <p>
  800. The initiator's user agent employs the following algorithm to generate the session1 PDU:
  801. </p>
  802. <ul>
  803. <li>
  804. <p>
  805. Appropriate values for the version, initiator, responder,
  806. sessionId, and hmac attributes are assembled. The version of
  807. this specification is '1.0'. The values of initiator and
  808. responder MUST be the JIDs of the two participants,
  809. respectively.
  810. </p>
  811. </li>
  812. <li>
  813. <p>
  814. The nonce is prepared by first generating a string of 20
  815. random octets (160 random bits). The octets are then
  816. encoded into a string of 40 hex characters representing the
  817. random string.
  818. </p>
  819. </li>
  820. <li>
  821. <p>
  822. A Diffie-Hellman group is selected. The appropriate values
  823. for g and p will be used to generate the initiator's public
  824. key.
  825. </p>
  826. </li>
  827. <li>
  828. <p>
  829. An ephemeral private key, x, is generated using g and p
  830. for the selected group. This key MUST be generated using an
  831. appropriate random number source. The corresponding public
  832. key, g^x, is generated and encoded.
  833. </p>
  834. </li>
  835. <li>
  836. <p>
  837. The desired set of confidentiality and HMAC cryptographic
  838. algorithms is selected. The manner in which these
  839. algorithms are selected and all related policy issues are
  840. outside the scope of this specification.
  841. </p>
  842. </li>
  843. <li>
  844. <p>
  845. The desired set of authentication algorithms is selected.
  846. The manner in which these algorithms are selected and all
  847. related policy issues are outside the scope of this
  848. specification. When the digital signature form of
  849. authentication is selected, the relevant end-entity
  850. certificate and, optionally, a chain of CA certificates
  851. representing a validation path, is assembled and encoded. A
  852. set of trusted CA certificates MAY optionally be included
  853. via caCertificate elements; if so, the set MUST include the
  854. issuer of the initiator's end-entity certificate.
  855. </p>
  856. </li>
  857. </ul>
  858. <p>
  859. These values are then used to prepare the XML session1 element;
  860. this element is transmitted via the existing Jabber iq mechanism:
  861. </p>
  862. <example>
  863. &lt;iq from="initiator's JID" to="responder's JID" type="get" id="whatever"&gt;
  864. &lt;query xmlns="jabber:security:session"&gt;
  865. &lt;session1&gt;...&lt;/session1&gt;
  866. &lt;/query&gt;
  867. &lt;/iq&gt;
  868. </example>
  869. </section3>
  870. <section3 topic="Receiving And Processing the session1 PDU">
  871. <p>
  872. The responder's user agent employs the following algorithm to process each session1 PDU:
  873. </p>
  874. <ul>
  875. <li>
  876. <p>
  877. The version and hmac attributes are checked against the
  878. values supported by the user agent. An unsupported version
  879. results in an error code of 10000, and an unsupported hmac
  880. results in an error code of 10001. The responder attribute MUST
  881. match the JID of the receiver; a mismatch results in an error code of 10009
  882. </p>
  883. </li>
  884. <li>
  885. <p>
  886. The nonce is decoded, and its length is checked. The nonce
  887. may also be checked to detect replays. An invalid nonce
  888. results in an error code of 10002.
  889. </p>
  890. </li>
  891. <li>
  892. <p>
  893. The Diffie-Hellman group is checked against the values
  894. supported by the user agent. An unsupported group results
  895. in an error code of 10003
  896. </p>
  897. </li>
  898. <li>
  899. <p>
  900. The desired confidentiality and HMAC cryptographic
  901. algorithms are selected from the proposed set. The manner
  902. in which these algorithms are selected and all related
  903. policy issues are outside the scope of this specification.
  904. If none of the proposed algorithms are supported, an error
  905. code of 10004 occurs.
  906. </p>
  907. </li>
  908. <li>
  909. <p>
  910. The desired authentication algorithm is selected from the
  911. proposed set. The manner in which this algorithm is
  912. selected and all related policy issues are outside the
  913. scope of this specification. In the digital signature case,
  914. the responder's end-entity
  915. certificate MUST be issued by one of the trusted CAs listed
  916. in the session1 PDU or by the same issuer as the
  917. initiator's end-entity certificate. If none of the proposed
  918. algorithms are supported, an error code of 10005 results.
  919. If the responder does not have acceptable credentials, an
  920. error code of 10006 occurs.
  921. </p>
  922. </li>
  923. </ul>
  924. <p>
  925. If any errors occur during processing, the session negotiation
  926. fails, and the error is communicated via the existing Jabber iq
  927. mechanism:
  928. </p>
  929. <example>
  930. &lt;iq from="responder's JID" to="initiator's JID" type="error" id="whatever"&gt;
  931. &lt;error code="???"&gt;...&lt;/error&gt;
  932. &lt;/iq&gt;
  933. </example>
  934. <p>
  935. If no errors occur, then the responder's user agent proceeds with
  936. the session2 PDU.
  937. </p>
  938. </section3>
  939. <section3 topic="Generating And Sending the session2 PDU">
  940. <p>
  941. The responder's user agent employs the following algorithm to generate the session2 PDU:
  942. </p>
  943. <ul>
  944. <li>
  945. <p>
  946. Appropriate values for the version, initiator, responder,
  947. sessionId, and hmac attributes are assembled. The version of
  948. this specification is '1.0'. The values of initiator and
  949. responder MUST be the JIDs of the two participants,
  950. respectively. The sessionId and hmac values MUST match the
  951. sessionId and hmac values contained in the session1 PDU.
  952. </p>
  953. </li>
  954. <li>
  955. <p>
  956. The nonce is prepared by first generating a string of 20
  957. random octets (160 random bits). The octets are then
  958. encoded into a string of 40 hex characters representing the
  959. random string.
  960. </p>
  961. </li>
  962. <li>
  963. <p>
  964. An ephemeral private key, y, is generated using g and p
  965. for the group indicated by the session1 PDU. This key MUST
  966. be generated using an appropriate random number source. The
  967. corresponding public key, g^y, is generated and encoded.
  968. </p>
  969. </li>
  970. <li>
  971. <p>
  972. The desired pair of confidentiality and HMAC cryptographic
  973. algorithms is selected. The manner in which this pair is
  974. selected and all related policy issues are outside the
  975. scope of this specification.
  976. </p>
  977. </li>
  978. <li>
  979. <p>
  980. The desired authentication algorithm is selected. The
  981. manner in which this algorithm is selected and all related
  982. policy issues are outside the scope of this specification.
  983. When the digital signature form of authentication is
  984. selected, the relevant end-entity certificate and,
  985. optionally, a chain of CA certificates representing a
  986. validation path, is assembled and encoded.
  987. </p>
  988. </li>
  989. <li>
  990. <p>
  991. Based on the selected authentication algorithm, the
  992. responder's authenticator is constructed. A digital signature algorithm
  993. requires calculating:
  994. </p>
  995. <ul>
  996. <li>
  997. <p>
  998. HK = hmac (initiator's nonce | responder's nonce, g^xy)
  999. </p>
  1000. </li>
  1001. <li>
  1002. <p>
  1003. HASH_R = hmac (HK, version | sessionId | g^y | g^x | responder's JID)
  1004. </p>
  1005. </li>
  1006. </ul>
  1007. <p>
  1008. HASH_R is signed using the responder's private key and encoded in PKCS#1 format.
  1009. The PKCS#1 octets are then further encoded in base64 or hex.
  1010. </p>
  1011. <p>
  1012. The passphrase algorithm requires calculating:
  1013. </p>
  1014. <ul>
  1015. <li>
  1016. <p>
  1017. HK = hmac (hash (passphrase), initiator's nonce | responder's nonce)
  1018. </p>
  1019. </li>
  1020. <li>
  1021. <p>
  1022. HASH_R = hmac (HK, version | sessionId | g^y | g^x | responder's JID)
  1023. </p>
  1024. </li>
  1025. </ul>
  1026. <p>
  1027. The octets of HASH_R are simply encoded in base64 or hex.
  1028. </p>
  1029. <p>
  1030. The manner in which the responder's user agent gains access
  1031. to the responder's credentials is outside the scope of this
  1032. specification.
  1033. </p>
  1034. </li>
  1035. </ul>
  1036. <p>
  1037. These values are then used to prepare the XML session2 element;
  1038. this element is transmitted via the existing Jabber iq mechanism:
  1039. </p>
  1040. <example>
  1041. &lt;iq from="responder's JID" to="initiator's JID" type="result" id="whatever"&gt;
  1042. &lt;query xmlns="jabber:security:session"&gt;
  1043. &lt;session2&gt;...&lt;/session2&gt;
  1044. &lt;/query&gt;
  1045. &lt;/iq&gt;
  1046. </example>
  1047. </section3>
  1048. <section3 topic="Receiving And Processing the session2 PDU">
  1049. <p>
  1050. The initiator's user agent employs the following algorithm to process each session2 PDU:
  1051. </p>
  1052. <ul>
  1053. <li>
  1054. <p>
  1055. The attribute values are checked against the values sent in
  1056. the session1 PDU. A mismatch results in an error code of
  1057. 10008.
  1058. </p>
  1059. </li>
  1060. <li>
  1061. <p>
  1062. The nonce is decoded, and its length is checked. The nonce
  1063. may also be checked to detect replays. An invalid nonce
  1064. results in an error code of 10002.
  1065. </p>
  1066. </li>
  1067. <li>
  1068. <p>
  1069. The Diffie-Hellman group is checked against the value sent
  1070. in the session1 PDU. A mismatch results in an error code of 10003
  1071. </p>
  1072. </li>
  1073. <li>
  1074. <p>
  1075. The confidentiality and HMAC cryptographic algorithms are
  1076. validated against the set proposed in the session1 PDU. A
  1077. mismatch results in an error code of 10004.
  1078. </p>
  1079. </li>
  1080. <li>
  1081. <p>
  1082. The authentication algorithm is validated against the set
  1083. proposed in the session1 PDU. A mismatch results in an
  1084. error code of 10005.
  1085. </p>
  1086. </li>
  1087. <li>
  1088. <p>
  1089. The authenticator is verified. A failure results in an error code of 10007.
  1090. </p>
  1091. </li>
  1092. </ul>
  1093. <p>
  1094. If any errors occur during processing, the session negotiation
  1095. fails, and the error is communicated via the existing Jabber iq
  1096. mechanism:
  1097. </p>
  1098. <example>
  1099. &lt;iq from="initiator's JID" to="responder's JID" type="error" id="whatever"&gt;
  1100. &lt;error code="???"&gt;...&lt;/error&gt;
  1101. &lt;/iq&gt;
  1102. </example>
  1103. <p>
  1104. If no errors occur, then the initiator's user agent proceeds with the session3 PDU.
  1105. </p>
  1106. </section3>
  1107. <section3 topic="Generating And Sending the session3 PDU">
  1108. <p>
  1109. The initiator's user agent employs the following algorithm to generate the session3 PDU:
  1110. </p>
  1111. <ul>
  1112. <li>
  1113. <p>
  1114. Appropriate values for the version, initiator, responder,
  1115. sessionId, and hmac attributes are assembled. The version of
  1116. this specification is '1.0'. The values of initiator and
  1117. responder MUST be the JIDs of the two participants,
  1118. respectively. The sessionId and hmac values MUST match the
  1119. sessionId and hmac values contained in both the session1 and
  1120. session2 PDUs.
  1121. </p>
  1122. </li>
  1123. <li>
  1124. <p>
  1125. Based on the selected authentication algorithm, the
  1126. initiator's authenticator is constructed. A digital signature algorithm
  1127. requires calculating:
  1128. </p>
  1129. <ul>
  1130. <li>
  1131. <p>
  1132. HK = hmac (initiator's nonce | responder's nonce, g^xy)
  1133. </p>
  1134. </li>
  1135. <li>
  1136. <p>
  1137. HASH_I = hmac (HK, version | sessionId | g^x | g^y | initiator's JID)
  1138. </p>
  1139. </li>
  1140. </ul>
  1141. <p>
  1142. HASH_I is signed using the responder's private key and encoded in PKCS#1 format.
  1143. The PKCS#1 octets are then further encoded in base64 or hex.
  1144. </p>
  1145. <p>
  1146. The passphrase algorithm requires calculating:
  1147. </p>
  1148. <ul>
  1149. <li>
  1150. <p>
  1151. HK = hmac (hash (passphrase), initiator's nonce | responder's nonce)
  1152. </p>
  1153. </li>
  1154. <li>
  1155. <p>
  1156. HASH_I = hmac (HK, version | sessionId | g^x | g^y | initiator's JID)
  1157. </p>
  1158. </li>
  1159. </ul>
  1160. <p>
  1161. The octets of HASH_I are simply encoded in base64 or hex.
  1162. </p>
  1163. <p>
  1164. The manner in which the initiator's user agent gains access
  1165. to the initiator's credentials is outside the scope of this
  1166. specification.
  1167. </p>
  1168. </li>
  1169. <li>
  1170. <p>
  1171. A set of conversation keys may optionally be included in
  1172. the response. This should typically be the case since
  1173. security sessions are negotiated for the sole purpose of
  1174. key transport.
  1175. </p>
  1176. </li>
  1177. </ul>
  1178. <p>
  1179. These values are then used to prepare the XML session3 element;
  1180. this element is transmitted via the existing Jabber iq mechanism:
  1181. </p>
  1182. <example>
  1183. &lt;iq from="initiator's JID" to="responder's JID" type="result" id="whatever"&gt;
  1184. &lt;query xmlns="jabber:security:session"&gt;
  1185. &lt;session3&gt;...&lt;/session3&gt;
  1186. &lt;/query&gt;
  1187. &lt;/iq&gt;
  1188. </example>
  1189. </section3>
  1190. <section3 topic="Receiving And Processing the session3 PDU">
  1191. <p>
  1192. The responder's user agent employs the following algorithm to process each session3 PDU:
  1193. </p>
  1194. <ul>
  1195. <li>
  1196. <p>
  1197. The attribute values are checked against the values sent in
  1198. the session2 PDU. A mismatch results in an error code of
  1199. 10008.
  1200. </p>
  1201. </li>
  1202. <li>
  1203. <p>
  1204. The authenticator is verified. A failure results in an error code of 10007.
  1205. </p>
  1206. </li>
  1207. <li>
  1208. <p>
  1209. Any keys included in the PDU are processed and added to the user agent's key store.
  1210. </p>
  1211. </li>
  1212. </ul>
  1213. <p>
  1214. If any errors occur during processing, the session negotiation
  1215. fails, and the error is communicated via the existing Jabber iq
  1216. mechanism:
  1217. </p>
  1218. <example>
  1219. &lt;iq from="responder's JID" to="initiator's JID" type="error" id="whatever"&gt;
  1220. &lt;error code="???"&gt;...&lt;/error&gt;
  1221. &lt;/iq&gt;
  1222. </example>
  1223. </section3>
  1224. <section3 topic="Session Key Material Derivation">
  1225. <p>
  1226. TBA
  1227. </p>
  1228. </section3>
  1229. </section2>
  1230. <section2 topic="Key Transport">
  1231. <section3 topic="Overview">
  1232. <p>
  1233. Conversation keys are used to protect conversation data.
  1234. </p>
  1235. </section3>
  1236. <section3 topic="The Key Transport Mechanism">
  1237. <p>
  1238. Conversation keys are transported using the symmetric key wrap feature of
  1239. XML Encryption embedded in the keyTransport PDU.
  1240. </p>
  1241. </section3>
  1242. <section3 topic="DTDs">
  1243. <example>
  1244. &lt;!ELEMENT keyTransport
  1245. (convId, payload, hmac) &gt;
  1246. &lt;!ATTLIST keyTransport
  1247. version CDATA #REQUIRED
  1248. initiator CDATA #REQUIRED
  1249. responder CDATA #REQUIRED
  1250. sessionId CDATA #REQUIRED &gt;
  1251. &lt;!ELEMENT convId
  1252. (#PCDATA)* &gt;
  1253. &lt;!-- These are actually instances of xenc:EncryptedKey --&gt;
  1254. &lt;!ELEMENT payload
  1255. (confKey, hmacKey) &gt;
  1256. &lt;!ELEMENT hmac
  1257. (#PCDATA)* &gt;
  1258. &lt;!ATTLIST hmac
  1259. encoding (base64 | hex) #REQUIRED &gt;
  1260. </example>
  1261. </section3>
  1262. <section3 topic="Generating And Sending the keyTransport PDU">
  1263. <p>
  1264. The sender's user agent employs the following algorithm to generate the keyTransport PDU:
  1265. </p>
  1266. <ul>
  1267. <li>
  1268. <p>
  1269. Appropriate values for the version, initiator, responder, and
  1270. sessionId attributes are assembled. The version of
  1271. this specification is '1.0'. The values of initiator and
  1272. responder MUST be the JIDs of the two participants who negotiated the
  1273. security session, respectively, and they
  1274. MUST correspond to an existing security session.
  1275. </p>
  1276. </li>
  1277. <li>
  1278. <p>
  1279. The key's identifier, convId, is assembled.
  1280. </p>
  1281. </li>
  1282. <li>
  1283. <p>
  1284. The payload, which consists of the confidentiality key and the integrity key, is wrapped
  1285. in instances of xenc:EncryptedKey as follows:
  1286. </p>
  1287. <ul>
  1288. <li>
  1289. <p>
  1290. The Type attribute of the xenc:EncryptedKey element MUST indicate 'content'.
  1291. </p>
  1292. </li>
  1293. <li>
  1294. <p>
  1295. The Id, MimeType and Encoding attributes of the xenc:EncryptedKey element MUST NOT
  1296. be present.
  1297. </p>
  1298. </li>
  1299. <li>
  1300. <p>
  1301. The xenc:EncryptionMethod element MUST be present, and the Algorithm attribute
  1302. MUST indicate a valid symmetric key wrap algorithm. Furthermore, the
  1303. algorithm MUST be the same as was negotiated for the security session.
  1304. </p>
  1305. </li>
  1306. <li>
  1307. <p>
  1308. The ds:KeyInfo element MUST NOT be present. The key to use is SKc of the
  1309. security session.
  1310. </p>
  1311. </li>
  1312. <li>
  1313. <p>
  1314. The xenc:CipherData element MUST be present, and it MUST use the CipherValue choice.
  1315. </p>
  1316. </li>
  1317. </ul>
  1318. </li>
  1319. <li>
  1320. <p>
  1321. The HMAC is computed using SKi of the security session over the following values:
  1322. </p>
  1323. <ul>
  1324. <li>
  1325. <p>
  1326. the version attribute of the keyTransport element
  1327. </p>
  1328. </li>
  1329. <li>
  1330. <p>
  1331. the initiator attribute of the keyTransport element
  1332. </p>
  1333. </li>
  1334. <li>
  1335. <p>
  1336. the responder attribute of the keyTransport element
  1337. </p>
  1338. </li>
  1339. <li>
  1340. <p>
  1341. the sessionId attribute of the keyTransport element
  1342. </p>
  1343. </li>
  1344. <li>
  1345. <p>
  1346. the character string used to construct the body of the convId element
  1347. </p>
  1348. </li>
  1349. </ul>
  1350. </li>
  1351. </ul>
  1352. <p>
  1353. These values are then used to prepare the XML keyTransport element;
  1354. this element is transmitted via the existing Jabber iq mechanism:
  1355. </p>
  1356. <example>
  1357. &lt;iq from="sender's JID" to="receiver's JID" type="set" id="whatever"&gt;
  1358. &lt;query xmlns="jabber:security:keyTransport"&gt;
  1359. &lt;keyTransport&gt;...&lt;/keyTransport&gt;
  1360. &lt;/query&gt;
  1361. &lt;/iq&gt;
  1362. </example>
  1363. </section3>
  1364. <section3 topic="Receiving and Processing the keyTransport PDU">
  1365. <p>
  1366. The receiver's user agent employs the following algorithm to process each keyTransport PDU:
  1367. </p>
  1368. <ul>
  1369. <li>
  1370. <p>
  1371. The values of the version, initiator, responder, and sessionId are validated; initiator,
  1372. responder, and sessionId MUST indicate an existing security session.
  1373. A version mismatch results in an error code of 10000; an invalid security session
  1374. results in an error of 10010.
  1375. </p>
  1376. </li>
  1377. <li>
  1378. <p>
  1379. The payload, which consists of the confidentiality key and the intergrity key, is unwrapped.
  1380. Any failures result in an error code of 10012.
  1381. </p>
  1382. </li>
  1383. <li>
  1384. <p>
  1385. The body of the HMAC element is decoded into the actual HMAC octet string.
  1386. </p>
  1387. </li>
  1388. <li>
  1389. <p>
  1390. The HMAC is validated. An invalid HMAC results in an error code of 10011.
  1391. </p>
  1392. </li>
  1393. <li>
  1394. <p>
  1395. The keys are added to the user agent's key store.
  1396. </p>
  1397. </li>
  1398. </ul>
  1399. <p>
  1400. If any errors occur during processing, the error is communicated via the existing Jabber iq
  1401. mechanism:
  1402. </p>
  1403. <example>
  1404. &lt;iq from="receiver's JID" to="sender's JID" type="error" id="whatever"&gt;
  1405. &lt;error code="???"&gt;...&lt;/error&gt;
  1406. &lt;/iq&gt;
  1407. </example>
  1408. </section3>
  1409. </section2>
  1410. <section2 topic="Message Protection">
  1411. <section3 topic="Overview">
  1412. <p>
  1413. The ultimate goal is, of course, the protection of conversation data. The protocol exchanges
  1414. described above allow the conversation participants to cryptographically protect their conversation data using the conversation keys that they share.
  1415. </p>
  1416. </section3>
  1417. <section3 topic="The Message Protection Mechanism">
  1418. <p>
  1419. A protected message is defined as a traditional Jabber message whose body content
  1420. is extended to include the transport of a cryptographically protected message body.
  1421. The two key features are
  1422. </p>
  1423. <ul>
  1424. <li>
  1425. <p>
  1426. First, the usual body element contains some arbitrary text. Those familiar with the
  1427. evolution of email protocols will recognize this trick as the same one used
  1428. when MIME was introduced.
  1429. </p>
  1430. </li>
  1431. <li>
  1432. <p>
  1433. Second, the message contains a Jabber x element defining the Jabber:security:message
  1434. namespace; this element transports the protected message.
  1435. </p>
  1436. </li>
  1437. </ul>
  1438. <p>
  1439. This mechanism has the advantages of allowing transparent integration with existing
  1440. Jabber servers and existing Jabber clients.
  1441. </p>
  1442. </section3>
  1443. <section3 topic="DTD">
  1444. <example>
  1445. &lt;!ELEMENT protectedMessage
  1446. (securityLabel?, payload, hmac) &gt;
  1447. &lt;!ATTLIST protectedMessage
  1448. version CDATA #REQUIRED
  1449. from CDATA #REQUIRED
  1450. to CDATA #REQUIRED
  1451. convId #REQUIRED
  1452. seqNum #REQUIRED &gt;
  1453. &lt;!ELEMENT securityLabel
  1454. (#PCDATA)* &gt;
  1455. &lt;!-- this is actually an instance of xenc:EncryptedData --&gt;
  1456. &lt;!ELEMENT payload
  1457. (#PCDATA)* &gt;
  1458. &lt;!ELEMENT hmac
  1459. (#PCDATA)* &gt;
  1460. &lt;!ATTLIST hmac
  1461. encoding (base64 | hex) #REQUIRED &gt;
  1462. </example>
  1463. </section3>
  1464. <section3 topic="Generating And Sending the protectedMessage PDU">
  1465. <p>
  1466. The sender's user agent employs the following algorithm to generate the protectedMessage PDU:
  1467. </p>
  1468. <ul>
  1469. <li>
  1470. <p>
  1471. Appropriate values for the version, from, to, convId, and
  1472. seqNum attributes are assembled. The version of
  1473. this specification is '1.0'. The value of convId MUST correspond to an existing, valid key.
  1474. </p>
  1475. </li>
  1476. <li>
  1477. <p>
  1478. The actual message body is encoded into a character string corresponding to a Jabber message body element. This character string is then wrapped in an instance of xenc:EncryptedData as follows:
  1479. </p>
  1480. <ul>
  1481. <li>
  1482. <p>
  1483. The Type attribute of the xenc:EncryptedData element MUST indicate 'element'.
  1484. </p>
  1485. </li>
  1486. <li>
  1487. <p>
  1488. The Id, MimeType and Encoding attributes of the xenc:EncryptedData element MUST NOT
  1489. be present.
  1490. </p>
  1491. </li>
  1492. <li>
  1493. <p>
  1494. The xenc:EncryptionMethod element MUST be present, and the Algorithm attribute
  1495. MUST indicate a valid block encryption algorithm.
  1496. </p>
  1497. </li>
  1498. <li>
  1499. <p>
  1500. The ds:KeyInfo element MUST NOT be present. The key to be used is the confidentiality
  1501. key indicated by the convId attribute.
  1502. </p>
  1503. </li>
  1504. <li>
  1505. <p>
  1506. The xenc:CipherData element MUST be present, and it MUST use the CipherValue choice.
  1507. </p>
  1508. </li>
  1509. </ul>
  1510. </li>
  1511. <li>
  1512. <p>
  1513. Using the HMAC key indicated by the convId attribute, the HMAC is computed
  1514. over the following values:
  1515. </p>
  1516. <ul>
  1517. <li>
  1518. <p>
  1519. the version attribute of the protectedMessage element
  1520. </p>
  1521. </li>
  1522. <li>
  1523. <p>
  1524. the from attribute of the protectedMessage element
  1525. </p>
  1526. </li>
  1527. <li>
  1528. <p>
  1529. the to attribute of the protectedMessage element
  1530. </p>
  1531. </li>
  1532. <li>
  1533. <p>
  1534. the convId attribute of the protectedMessage element
  1535. </p>
  1536. </li>
  1537. <li>
  1538. <p>
  1539. the seqNum attribute of the protectedMessage element
  1540. </p>
  1541. </li>
  1542. <li>
  1543. <p>
  1544. any securityLabel element
  1545. </p>
  1546. </li>
  1547. <li>
  1548. <p>
  1549. the character string used to construct the body of the payload element
  1550. </p>
  1551. </li>
  1552. </ul>
  1553. </li>
  1554. </ul>
  1555. <p>
  1556. These values are then used to prepare the XML protectedMessage element;
  1557. this element is transmitted via the existing Jabber message mechanism:
  1558. </p>
  1559. <example>
  1560. &lt;message from="sender's JID" to="reveiver's JID" id="whatever"&gt;
  1561. &lt;body&gt;The real body is protected.&lt;/body&gt;
  1562. &lt;x xmlns="jabber:security:message"&gt;
  1563. &lt;protectedMessage&gt;...&lt;/protectedMessage&gt;
  1564. &lt;/x&gt;
  1565. &lt;/iq&gt;
  1566. </example>
  1567. </section3>
  1568. <section3 topic="Receiving and Processing the protectedMessage PDU">
  1569. <p>
  1570. The receiver's user agent employs the following algorithm to process each protectedMessage PDU:
  1571. </p>
  1572. <ul>
  1573. <li>
  1574. <p>
  1575. The values of the version, from, to, convId, and seqNum are validated.
  1576. A version mismatch results in an error code of 10000. An unknown convId
  1577. results in an error code of 10015. If replay protection is utilized, a
  1578. duplicate seqNum results in an error code of 10016.
  1579. </p>
  1580. </li>
  1581. <li>
  1582. <p>
  1583. The body of the HMAC element is decoded into the actual HMAC octet string.
  1584. </p>
  1585. </li>
  1586. <li>
  1587. <p>
  1588. The payload, which consists of the actual message body, is unwrapped.
  1589. Any failures result in an error code of 10012.
  1590. </p>
  1591. </li>
  1592. <li>
  1593. <p>
  1594. The HMAC is validated. An invalid HMAC results in an error code of 10011.
  1595. </p>
  1596. </li>
  1597. </ul>
  1598. <p>
  1599. If any errors occur during processing, the error is communicated via the existing Jabber iq
  1600. mechanism:
  1601. </p>
  1602. <example>
  1603. &lt;iq from="receiver's JID" to="sender's JID" type="error" id="whatever"&gt;
  1604. &lt;error code="???"&gt;...&lt;/error&gt;
  1605. &lt;/iq&gt;
  1606. </example>
  1607. </section3>
  1608. </section2>
  1609. <section2 topic="Requesting Keys">
  1610. <p>TBA</p>
  1611. </section2>
  1612. <section2 topic="Conformance Profile">
  1613. <p>
  1614. The following block encryption algorithms are required, as
  1615. specified by XML Encryption:
  1616. </p>
  1617. <ul>
  1618. <li>
  1619. <p>
  1620. http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  1621. </p>
  1622. </li>
  1623. <li>
  1624. <p>
  1625. http://www.w3.org/2001/04/xmlenc#aes128-cbc
  1626. </p>
  1627. </li>
  1628. <li>
  1629. <p>
  1630. http://www.w3.org/2001/04/xmlenc#aes256-cbc
  1631. </p>
  1632. </li>
  1633. </ul>
  1634. <p>
  1635. The following symmetric key wrap algorithms are required, as
  1636. specified by XML Encryption:
  1637. </p>
  1638. <ul>
  1639. <li>
  1640. <p>
  1641. http://www.w3.org/2001/04/xmlenc#kw-tripledes
  1642. </p>
  1643. </li>
  1644. <li>
  1645. <p>
  1646. http://www.w3.org/2001/04/xmlenc#kw-aes128
  1647. </p>
  1648. </li>
  1649. <li>
  1650. <p>
  1651. http://www.w3.org/2001/04/xmlenc#kw-aes256
  1652. </p>
  1653. </li>
  1654. </ul>
  1655. </section2>
  1656. </section1>
  1657. <section1 topic="Diffie-Hellman Groups">
  1658. <p>
  1659. This protocol makes use of the following Diffie-Hellman groups adopted from IKE.
  1660. </p>
  1661. <section2 topic="1024 bit Group, modp1024">
  1662. <p>
  1663. The hexidecimal value of the prime, p, is
  1664. </p>
  1665. <example>
  1666. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1667. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1668. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1669. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1670. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
  1671. FFFFFFFF FFFFFFFF
  1672. </example>
  1673. <p>
  1674. The decimal value of the generator, g, is 2.
  1675. </p>
  1676. </section2>
  1677. <section2 topic="2048 bit Group, modp2048">
  1678. <p>
  1679. The hexidecimal value of the prime, p, is
  1680. </p>
  1681. <example>
  1682. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1683. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1684. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1685. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1686. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
  1687. C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
  1688. 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1689. 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
  1690. E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
  1691. DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
  1692. 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
  1693. </example>
  1694. <p>
  1695. The decimal value of the generator, g, is 2.
  1696. </p>
  1697. </section2>
  1698. <section2 topic="4096 bit Group, modp4096">
  1699. <p>
  1700. The hexidecimal value of the prime, p, is
  1701. </p>
  1702. <example>
  1703. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1704. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1705. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1706. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1707. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
  1708. C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
  1709. 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1710. 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
  1711. E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
  1712. DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
  1713. 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
  1714. ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
  1715. ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
  1716. F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
  1717. BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
  1718. 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7
  1719. 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA
  1720. 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6
  1721. 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED
  1722. 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9
  1723. 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199
  1724. FFFFFFFF FFFFFFFF
  1725. </example>
  1726. <p>
  1727. The decimal value of the generator, g, is 2.
  1728. </p>
  1729. </section2>
  1730. <section2 topic="8192 bit Group, modp8192">
  1731. <p>
  1732. The hexidecimal value of the prime, p, is
  1733. </p>
  1734. <example>
  1735. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1736. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1737. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1738. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1739. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
  1740. C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
  1741. 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1742. 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
  1743. E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
  1744. DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
  1745. 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
  1746. ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
  1747. ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
  1748. F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
  1749. BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
  1750. 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7
  1751. 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA
  1752. 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6
  1753. 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED
  1754. 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9
  1755. 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492
  1756. 36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD
  1757. F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831
  1758. 179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B
  1759. DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF
  1760. 5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6
  1761. D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3
  1762. 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA
  1763. CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328
  1764. 06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C
  1765. DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE
  1766. 12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4
  1767. 38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300
  1768. 741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568
  1769. 3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9
  1770. 22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B
  1771. 4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A
  1772. 062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36
  1773. 4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1
  1774. B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92
  1775. 4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47
  1776. 9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71
  1777. 60C980DD 98EDD3DF FFFFFFFF FFFFFFFF
  1778. </example>
  1779. <p>
  1780. The decimal value of the generator, g, is 2.
  1781. </p>
  1782. </section2>
  1783. </section1>
  1784. <section1 topic="Security Considerations">
  1785. <p>
  1786. This entire document is about security.
  1787. </p>
  1788. <p>
  1789. This version of the protocol deliberately incorporates only a minimal amount
  1790. of cryptographic choice. Examples of possible choices that can readily
  1791. added in future drafts include:
  1792. </p>
  1793. <ul>
  1794. <li>
  1795. <p>
  1796. Support for the Digital Signature Standard
  1797. </p>
  1798. </li>
  1799. <li>
  1800. <p>
  1801. Support for Elliptic Curve Cryptography
  1802. </p>
  1803. </li>
  1804. <li>
  1805. <p>
  1806. Additional symmetric algorithms
  1807. </p>
  1808. </li>
  1809. <li>
  1810. <p>
  1811. Additional hash algorithms
  1812. </p>
  1813. </li>
  1814. </ul>
  1815. <p>
  1816. Furthermore, additional credential formats, such as OpenPGP, may be addressed
  1817. in future drafts.
  1818. </p>
  1819. <p>
  1820. This version of the protocol includes a mechanism that derives a cryptographic key from a
  1821. passphrase shared by a community of users. It is impossible to overstate the security
  1822. issues that such a mechanism raises.
  1823. </p>
  1824. <p>
  1825. This version of the protocol does not include a specific rekeying capability. Data volumes
  1826. in IM environments are expected to be small, and the protocol prefers to simply instantiate
  1827. new conversation keys. It is straightforward to extend the security session protocol to
  1828. enable negotiation of a new key.
  1829. </p>
  1830. </section1>
  1831. <section1 topic="Examples">
  1832. <section2 topic="Security Session">
  1833. <example>
  1834. &lt;iq from='initiator@some.tld'
  1835. to='responder@other.tld'
  1836. type='get'
  1837. id='whatever' &gt;
  1838. &lt;x xmlns='jabber:security:session&gt;
  1839. &lt;session1 version='1.0'
  1840. initiator='initiator@some.tld'
  1841. responder='responder@other.tld'
  1842. sessionId='session11223344556677@some.tld'
  1843. hmac='hmac-sha1'&gt;
  1844. &lt;nonce encoding='hex'&gt;
  1845. ...
  1846. &lt;/nonce&gt;
  1847. &lt;keyAgreement&gt;
  1848. &lt;dh group='modp4096'&gt;
  1849. &lt;publicKey encoding='base64'&gt;
  1850. ...
  1851. &lt;/publicKey&gt;
  1852. &lt;/dh&gt;
  1853. &lt;/keyAgreement&gt;
  1854. &lt;algorithms&gt;
  1855. &lt;algorithm&gt;
  1856. &lt;confAlg cipher='3des-cbc'/&gt;
  1857. &lt;hmacAlg alg='hmac-sha1'/&gt;
  1858. &lt;/algorithm&gt;
  1859. &lt;/algorithms&gt;
  1860. &lt;authnMethods&gt;
  1861. &lt;authnMethod&gt;
  1862. &lt;digSig alg='rsa'&gt;
  1863. &lt;certificate type='x509' encoding='base64'&gt;
  1864. ...
  1865. &lt;/certificate&gt;
  1866. &lt;/digSig&gt;
  1867. &lt;/authnMethod&gt;
  1868. &lt;/authnMethods&gt;
  1869. &lt;/session1&gt;
  1870. &lt;/x&gt;
  1871. &lt;/iq&gt;
  1872. &lt;iq from='responder@other.tld'
  1873. to='initiator@some.tld'
  1874. type='result'
  1875. id='whatever' &gt;
  1876. &lt;x xmlns='jabber:security:session&gt;
  1877. &lt;session2 version='1.0'
  1878. initiator='initiator@some.tld'
  1879. responder='responder@other.tld'
  1880. sessionId='session11223344556677@some.tld'
  1881. hmac='hmac-sha1'&gt;
  1882. &lt;nonce encoding='hex'&gt;
  1883. ...
  1884. &lt;/nonce&gt;
  1885. &lt;keyAgreement&gt;
  1886. &lt;dh group='modp4096'&gt;
  1887. &lt;publicKey encoding='base64'&gt;
  1888. ...
  1889. &lt;/publicKey&gt;
  1890. &lt;/dh&gt;
  1891. &lt;/keyAgreement&gt;
  1892. &lt;algorithm&gt;
  1893. &lt;confAlg cipher='3des-cbc'/&gt;
  1894. &lt;hmacAlg alg='hmac-sha1'/&gt;
  1895. &lt;/algorithm&gt;
  1896. &lt;authnMethod&gt;
  1897. &lt;digSig alg='rsa'&gt;
  1898. &lt;certificate type='x509' encoding='base64'&gt;
  1899. ...
  1900. &lt;/certificate&gt;
  1901. &lt;/digSig&gt;
  1902. &lt;/authnMethod&gt;
  1903. &lt;authenticator encoding='base64'&gt;
  1904. ...
  1905. &lt;/authenticator&gt;
  1906. &lt;/session2&gt;
  1907. &lt;/x&gt;
  1908. &lt;/iq&gt;
  1909. &lt;iq from='initiator@some.tld'
  1910. to='responder@other.tld'
  1911. type='result'
  1912. id='whatever' &gt;
  1913. &lt;x xmlns='jabber:security:session&gt;
  1914. &lt;session3 version='1.0'
  1915. initiator='initiator@some.tld'
  1916. responder='responder@other.tld'
  1917. sessionId='session11223344556677@some.tld'
  1918. hmac='hmac-sha1'&gt;
  1919. &lt;authenticator encoding='base64'&gt;
  1920. ...
  1921. &lt;/authenticator&gt;
  1922. &lt;/session3&gt;
  1923. &lt;/x&gt;
  1924. &lt;/iq&gt;
  1925. </example>
  1926. </section2>
  1927. <section2 topic="Key Transport">
  1928. <example>
  1929. &lt;iq type='set' &gt;
  1930. &lt;x xmlns='jabber:security:key&gt;
  1931. &lt;keyTransport version='1.0'
  1932. initiator='initiator@some.tld'
  1933. responder='responder@other.tld'
  1934. sessionId='session11223344556677@some.tld'&gt;
  1935. &lt;convId&gt;
  1936. 44d2d2d2d2@some.tld
  1937. &lt;/convId&gt;
  1938. &lt;EncryptedKey xmlns='http://www.w3.org/2001/04/xmlenc#'
  1939. Type='http://www.w3.org/2001/04/xmlenc#Content'&gt;
  1940. &lt;EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#kw-tripledes&gt;
  1941. &lt;/EncryptionMethod&gt;
  1942. &lt;CipherData&gt;
  1943. &lt;CipherValue&gt;
  1944. ...
  1945. &lt;/CipherValue&gt;
  1946. &lt;/CipherData&gt;
  1947. &lt;/EncryptedKey&gt;
  1948. &lt;EncryptedKey xmlns='http://www.w3.org/2001/04/xmlenc#'
  1949. Type='http://www.w3.org/2001/04/xmlenc#Content'&gt;
  1950. &lt;EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#kw-tripledes&gt;
  1951. &lt;/EncryptionMethod&gt;
  1952. &lt;CipherData&gt;
  1953. &lt;CipherValue&gt;
  1954. ...
  1955. &lt;/CipherValue&gt;
  1956. &lt;/CipherData&gt;
  1957. &lt;/EncryptedKey&gt;
  1958. &lt;hmac encoding='hex'&gt;
  1959. ...
  1960. &lt;/hmac&gt;
  1961. &lt;/keyTransport&gt;
  1962. &lt;/x&gt;
  1963. &lt;/iq&gt;
  1964. </example>
  1965. </section2>
  1966. <section2 topic="Message Protection">
  1967. <example>
  1968. &lt;message from='initiator@some.tld'
  1969. to='responder@other.tld'&gt;
  1970. &lt;body&gt;
  1971. The real body is protected.
  1972. &lt;/body&gt;
  1973. &lt;x xmlns='jabber:security:message'&gt;
  1974. &lt;protectedMessage version='1.0'
  1975. from='initiator@some.tld'
  1976. to='responder@other.tld'
  1977. convId='44d2d2d2d2@some.tld'
  1978. seqNum='1'&gt;
  1979. &lt;securityLabel&gt;
  1980. Confidential
  1981. &lt;/securityLabel&gt;
  1982. &lt;EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
  1983. Type='http://www.w3.org/2001/04/xmlenc#Element'&gt;
  1984. &lt;EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc&gt;
  1985. &lt;/EncryptionMethod&gt;
  1986. &lt;CipherData&gt;
  1987. &lt;CipherValue&gt;
  1988. ...
  1989. &lt;/CipherValue&gt;
  1990. &lt;/CipherData&gt;
  1991. &lt;/EncryptedData&gt;
  1992. &lt;hmac encoding='hex'&gt;
  1993. ...
  1994. &lt;/hmac&gt;
  1995. &lt;/protectedMessage&gt;
  1996. &lt;/x&gt;
  1997. &lt;/message&gt;
  1998. </example>
  1999. </section2>
  2000. </section1>
  2001. <section1 topic="References">
  2002. <p>
  2003. "XML Encryption Syntax and Processing"; http://www.w3.org/TR/xmlenc-core
  2004. </p>
  2005. <p>
  2006. more to be added
  2007. </p>
  2008. </section1>
  2009. </xep>