You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

783 lines
31 KiB

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY signcrypt "&lt;signcrypt/&gt;">
<!ENTITY sign "&lt;sign/&gt;">
<!ENTITY crypt "&lt;crypt/&gt;">
<!ENTITY openpgp "&lt;openpgp/&gt;">
<!ENTITY payload "&lt;payload/&gt;">
<!ENTITY % ents SYSTEM 'xep.ent'>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<title>OpenPGP for XMPP</title>
<abstract>Specifies end-to-end encryption and authentication of data with the help of
OpenPGP, announcement, discovery and retrieval of public keys and a
mechanism to synchronize secret keys over multiple
<type>Standards Track</type>
<spec>XMPP Core</spec>
<initials>XEP Editor (jwi)</initials>
<remark>Defer due to lack of activity.</remark>
<initials>fs (XEP Editor: ssw)</initials>
<remark><p>Update acknowledgements.</p></remark>
<initials>bjc (XEP Editor: ssw)</initials>
<remark><p>Minior editorial fixes.</p></remark>
<remark><p>Minior editorial fixes.</p></remark>
<initials>XEP Editor (ssw)</initials>
<remark><p>Initial published version approved by the XMPP Council.</p></remark>
<remark><p>First draft.</p></remark>
<section1 topic='Introduction' anchor='intro'>
<p>This XMPP extension protocol specifies the foundations of
end-to-end encryption and authentication, based on digital
signatures, of data with the help of OpenPGP. Additional XEPs will
use this extension protocol as building block when specifying their
own OpenPGP profile suiting their use case. One such profile is the
Instant Messaging Profile specified in &xep0374;.</p>
<p>XMPP provides the mechanisms to solve a lot of issues that come
with modern day OpenPGP usage. For example, based on &xep0163; this
specification describes a standardized way to discover OpenPGP
public keys of other entities. But unlike the OpenPGP keyservers,
this process establishes a strong relation between the key and the
key's owning entity (usually a human user). A similar mechanism
described herein allows to synchronize the secret key(s) across
multiple devices.</p>
<p>OpenPGP in return allows for end-to-end encrypted data to be
exchanged between one, two or even multiple entities
(multi-end-to-multi-end encryption). Therefore this XEP can be used
for example to implement end-to-end encrypted &xep0045;.</p>
<section1 topic='Glossary' anchor='glossary'>
<di><dt>OpenPGP element</dt><dd>An XMPP extension element: &openpgp; qualified by the 'urn:xmpp:openpgp:0' namespace</dd></di>
<di><dt>OpenPGP content element</dt><dd>An element embedded via OpenPGP in a &openpgp; element. Either one of &signcrypt;, &sign; or &crypt;, qualified by the 'urn:xmpp:openpgp:0' namespace.</dd></di>
<di><dt>PEP</dt><dd>Personal Eventing Protocol (<cite>XEP-0163</cite>)</dd></di>
<di><dt>Public key PEP node</dt><dd>A PEP node containing an entity's public OpenPGP key.</dd></di>
<di><dt>Secret key PEP node</dt><dd>A PEP node containing an entity's encrypted secret OpenPGP key.</dd></di>
<section1 topic='OpenPGP Encrypted and Signed Data' anchor='signcrypt'>
<section2 topic='Exchanging OpenPGP Encrypted and Signed Data' anchor='exchange'>
<p>The &openpgp; extension element qualified by the
'urn:xmpp:openpgp:0' namespace is used in order to exchange
encrypted and signed data.</p>
<example caption='The &openpgp; extension within a message.'><![CDATA[
<message to=''>
<openpgp xmlns='urn:xmpp:openpgp:0'>
<p>The text content of &openpgp; ("BASE64_OPENPGP_MESSAGE") is a
Base64 encoded (&rfc4648; <link
url=''>§ 4</link>)
OpenPGP message as specified in &rfc4880; which contains an
encrypted and/or signed UTF-8 (&rfc3629;) encoded string. This
string MUST correspond to exactly one OpenPGP content element,
that is, it represents either a &signcrypt;, a &sign; or a &crypt;
extension element qualified by the 'urn:xmpp:openpgp:0'
namespace. Note that OpenPGP's ASCII Armor is not used, instead
the XMPP client MUST encode the raw bytes of OpenPGP message using
<p>In case of a &signcrypt; element, the OpenPGP message embedded
in the &openpgp; element MUST be encrypted and signed, and SHOULD
also be encrypted to self. In case of a &sign; element, the
OpenPGP message MUST be signed and MUST NOT be encrypted. In case
of &crypt; the OpenPGP message MUST NOT be signed, but MUST be
<example caption='The &signcrypt; extension element.'><![CDATA[
<signcrypt xmlns='urn:xmpp:openpgp:0'>
<to jid=''/>
<time stamp='2014-07-10T17:06:00+02:00'/>
<body xmlns='jabber:client'>
This is a secret message.
<p>OpenPGP content elements MUST possess exactly one 'time'
element as direct child elements. The &signcrypt; and &crypt;
content elements MUST contain at least one 'to' element(s), which
MUST have a 'jid' attribute containing the intended recipient's
XMPP address of the signed and/or encrypted data to prevent
Surreptitious Forward Attacks<note>Jee Hea An, Yevgeniy Dodis, and
Tal Rabin. 2002. On the Security of Joint Signature and
Encryption. In Proceedings of the International Conference on the
Theory and Applications of Cryptographic Techniques: Advances in
Cryptology (EUROCRYPT '02), Lars R. Knudsen
(Ed.). Springer-Verlag, London, UK, UK, 83-107. &lt;<link
The XMPP address found in the 'to' element's 'jid' attribute
SHOULD be without Resourcepart (i.e., a bare JID). A &sign; content
element may not carry a 'to' attribute. The 'time' element MUST
have a 'stamp' attribute which contains the timestamp when the
OpenPGP content element was signed and/or encrypted in the
DateTime format as specified in &xep0082; § 3.2. The &signcrypt;
and &crypt; elements SHOULD furthermore contain a 'rpad' element
which text content is a random-length random-content padding.</p>
<table caption='OpenPGP Content Element Properties'>
<th>Content Element</th>
<th>'to' Element</th>
<th>'time' Element</th>
<th>&lt;rpad/&gt; Element</th>
<th>&lt;payload/&gt; Element</th>
<td>MUST have at least one</td>
<td>MUST have exactly one</td>
<td>SHOULD have exaclty one</td>
<td>MUST have exactly one</td>
<td>MAY NOT contain one</td>
<td>MUST have exaclty one</td>
<td>MUST have exactly one</td>
<td>MUST have at least one</td>
<td>MUST have exaclty one</td>
<td>SHOULD have exaclty one</td>
<td>MUST have exactly one</td>
<p>OpenPGP content elements MUST possess exactly one &payload;
element. The child elements of &payload; can be seen as OpenPGP
secured Stanza extension elements which are encrypted and/or
signed. After the &openpgp; element and the including &signcrypt;,
&sign; or &crypt; element was verified, they are processed
according to the specification of the relevant OpenPGP for XMPP
profile (see for example &xep0374;).</p>
<section2 topic='Verification of &openpgp; Content' anchor='openpgp-verification'>
<p>Recipients MUST verify that the signature is valid, that the
signature's key corresponds to the sender's key, and that the
sender's key has a User ID containing the sender's XMPP
address in the form "" (for details see
<link url='#openpgp-user-ids'>"OpenPGP User IDs"</link>). Thus,
the recipient may
need to retrieve the key from the Personal Eventing Protocol node
as described above. At least one of the XMPP addresses found in
the 'to' elements contained in OpenPGP content element MUST
correspond to the outer 'to' of the XMPP &MESSAGE;. Furthermore,
recipients are RECOMMENDED to verify the 'time' element for
plausibility or to display it to a user for verification.</p>
<section1 topic='Announcing and Discovering the Public Key via PEP' anchor='announcing-discover-pubkey'>
<p>Parties interested in exchanging encrypted data between each
other via OpenPGP need to know the public key(s) of the
recipients. The following section specifies a mechanism to announce
and discover public keys.</p>
<section2 topic='Announcing the Public Key via PEP' anchor='annoucning-pubkey'>
<p>In order to announce the public key, the client needs to store
it in a PEP node. The public key data, as specified in <cite>RFC
4880</cite>, is stored within a &lt;pubkey/&gt; element which is a
child element of the &lt;pubkeys/&gt; element qualified by the
'urn:xmpp:openpgp:0' namespace. Note that OpenPGP's ASCII Armor is
not used, instead the XMPP client MUST encode the public key using
Base64. Client SHOULD only try to store the public key if the
Personal Eventing Protocol service supports persistent-items, thus
it SHOULD check if the service reports the
'' feature.</p>
<example caption='Saving the public key in the PEP node.'><![CDATA[
<iq from='' type='set' id='1'>
<pubsub xmlns=''>
<publish node='urn:xmpp:openpgp:0'>
<pubkeys xmlns='urn:xmpp:openpgp:0'>
<section2 topic='Discovering the Public Key via PEP' anchor='discover-pubkey'>
<p>In order to discover the public key of an XMPP entity, clients
send a PubSub &IQ; request to the entity's bare JID of which it
wants to know the public key.</p>
<example caption='Requesting a OpenPGP public key from an XMPP entity.'><![CDATA[
<iq from=''
<pubsub xmlns=''>
<items node='urn:xmpp:openpgp:0'
<example caption='Personal Eventing Protocol result containing the requested public key.'><![CDATA[
<iq from=''
<pubsub xmlns=''>
<items node='urn:xmpp:openpgp:0'>
<pubkeys xmlns='urn:xmpp:openpgp:0'>
<p>Note that the result may contain multiple pubkey elements. Only
the public keys found in the most recent MUST be used. Requesters
may want to limit the results to the most recent item using the
'max_items' attribute set to '1'. Clients could alternatively use
&xep0059; as an alternative to 'max_items' but accoding to
<cite>XEP-0060</cite> RSM is not (yet) mandatory for PubSub
<p>Some XMPP services may not provide the Personal Eventing
Protocol feature required to provide the mechanism described
here. If so, they will return an &IQ; error of type
<section1 topic='Synchronizing the Secret Key with a Private PEP Node' anchor='synchro-pep'>
<p>A private PEP node is used to allow XMPP clients to synchronize
the user's secret OpenPGP key. Where private PEP node is defined: A
PEP node in whitelist mode where only the bare JID of the key
owner is whitelisted as described in &xep0223;. The secret key is
additionally encrypted.</p>
<section2 topic='Required PEP features'>
<p>The used PEP server MUST support PEP and the whitelist access
model. It SHOULD also support persistent items.</p>
<section3 topic='Discovering support'>
<example caption='Account owner queries server regarding protocol support'><![CDATA[
<iq from='juliet@capulet.lit/balcony'
<query xmlns=''/>
<p>The service discovery result must contain a PEP identity
'&lt;identity category='pubsub' type='pep'/&gt;, and the
feature. Ideally it also contains the
<example caption='Server communicates protocol support'><![CDATA[
<iq from='juliet@capulet.lit'
<query xmlns=''>
<identity category='account' type='registered'/>
<identity category='pubsub' type='pep'/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<feature var=''/>
<section2 topic='Requesting Information About the Secret Key PEP Node' anchor='req-info-secret-pep-node'>
<p>In order to synchronize the secret key over a private PEP node,
clients first need to discover and verify the node for the correct
<section3 topic='Client Sends Request'>
<example caption='Requesting the user&apos;s secret key.'><![CDATA[
<iq from=''
<pubsub xmlns=''>
<items node='urn:xmpp:openpgp:secret-key:0'
<section3 topic='PEP Service Success Response'>
<example caption='Personal Eventing Protocol result containing the requested secret key.'><![CDATA[
<iq from=''
<pubsub xmlns=''>
<items node='urn:xmpp:openpgp:secret-key:0'>
<secretkey xmlns='urn:xmpp:openpgp:0'>
<section3 topic='PEP Node Does Not Exist Response'>
<p>If the node does not exist the service will return an &IQ;
error indicating the item-not-found error condition. The
client MUST then create it with an whitelist access model.</p>
<example caption='Node does not exist'><![CDATA[
<iq from=''
<error type='cancel'>
<item-not-found xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<section3 topic='PEP Not Supported'>
<p>The service will return a service-unavailable error &IQ; if
it does not support PEP.</p>
<example caption='Node does not exist'><![CDATA[
<iq from=''
<error type='cancel'>
<service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<section2 topic='Creating the Secret Key PEP Node'>
<example caption='Client creates secret key PEP node'><![CDATA[
<iq type='set'
<pubsub xmlns=''>
<create node='urn:xmpp:openpgp:secret-key:0'/>
<x xmlns='jabber:x:data' type='submit'>
<field var='FORM_TYPE' type='hidden'>
<field var='pubsub#access_model'>
<example caption='Service informs requesting entity of success'><![CDATA[
<iq type='result'
<p>The node is now created and the only affiliated entity is the
bare JID of the user, who created the node, with an affiliation as
<p>In order to set a new secret key, clients store the encrypted
secret key as Base64 encoded raw OpenPGP message within an
&lt;secretkey/&gt; element qualified by the 'urn:xmpp:openpgp:0'
namespace. These secret key backups are created as follows:</p>
<li>All secret keys that should be included in the backup MUST
be concatenated in their transferable key format (<cite>RFC
4880</cite> <link
<li>A backup code is generated from secure random: The backup
code consists of 24 upper case characters from the Latin
alphabet and numbers without 'O' ("LATIN CAPITAL LETTER O")
and '0' ("DIGIT ZERO") (alphabet:
<tt>123456789ABCDEFGHIJKLMNPQRSTUVWXYZ</tt>) grouped into
4-character chunks, e.g.,
<tt>TWNK-KD5Y-MT3T-E1GS-DRDB-KVTW</tt>. The characters MUST be
generated from cryptographically secure random. For example
or <tt>/dev/urandom</tt>. More information about the
randomness requirements for security can be found in &rfc4086;
<li>The whole backup code including the dashes is directly
used as a string to encrypt the concatenated transferable keys
as an OpenPGP message. More precisely: It is used as the
symmetric-key for a Symmetric-Key Encrypted Session Key Packet
according to <cite>RFC 4880</cite> <link
5.3</link>; the symmetric-key is thus 29 characters long
including the dashes. The encryption algorithm MUST be one of
the standardized OpenPGP symmetric algorithms, e.g, AES-128.
<section1 topic='Business Rules' anchor='rules'>
<section2 topic='OpenPGP Packet Format Version Restriction' anchor='openpgp-packet-format-version'>
<p>Implementations of this XEP MUST generate and accept only
version 4 (or higher) OpenPGP packets. Lower version OpenPGP
packets are insecure in many aspects (see for example <cite>RFC
4880</cite> <link
<section1 topic='Implementors Advice' anchor='implementors-advice'>
<section2 topic='Design Principles and Techniques' anchor='design-and-techniques'>
<p>OpenPGP implementations have a sad history of being not very
user-friendly which results in users either not using OpenPGP or in
users wrongly using OpenPGP. Implementors of this XEP, and
additional future XEPs based on this XEP, therefore should read
<span class='ref'><link
Werner, and Marcus Brinkman "STEED — Usable End-to-End
Encryption", White Paper, g10 GmbH, 2011-10-17. &lt;<link
and <span class='ref'><link
Johnny can't encrypt"</link></span><note>Whitten, Alma, and
J. Doug Tygar. "Why Johnny Can't Encrypt: A Usability Evaluation
of PGP 5.0." Usenix Security. Vol. 1999. 1999. &lt;<link
url=''></link>&gt;</note>. Implementors
of this XEP are encouraged to provide the concepts described in
<li>Automatic key generation</li>
<li>Automatic key distribution</li>
<li>Opportunistic encryption</li>
<li>Trust upon first contact</li>
<p>Furthermore implementors should design the user interface for
effective security by following the design principles and
techniques for security mentioned in "Why Johnny Can't
<section2 topic='Stanza Size' anchor='stanza-size'>
<p>Implementors should be aware that the size OpenPGP public and
secret keys is somewhere in the range of tens of
kilobytes. Applying Base64 encoding on keys, as it is described
herein, further increases the size. The formula to determine the
Base64 encoded size is: ceil(bytes / 3) * 4. Thus the lower bound
for the maximum stanza size of 10000 bytes, as specified in <cite>RFC
6120</cite> § 13.12. 4., is usually exceeded. However all XMPP server
implementations, the authors are aware of, follow the
recommendation of the RFC and do not blindly set the maximum
stanza size to such a low value, but use a much higher
threshold. Therefore, this should hardly be an issue for
implementations. Nevertheless, it is advised to keep the size of
OpenPGP keys small by removing all signatures except the most
recent self-signature on each User ID before exporting the key
(cf. GnuPG's <tt>--export-options export-minimal</tt>).
In addition, implementors are advised to handle
&lt;policy-violation/&gt; error responses when trying to
transmit Base64 encoded keys.</p>
<section2 topic='XMPP Address Normalization' anchor='xmpp-address-normalization'>
<!-- TODO s/6122/7622/ after -->
<p>The format of XMPP addresses, sometimes called JIDs, is well
defined. Thus they need to be normalized, as defined in
&rfc7622;. When implementations are required to compare XMPP
addresses for equality, as it is the case in <link
url='#openpgp-verification'>"Verification of &openpgp;
Content"</link>, then they also have to compare the normalized
versions of the addresses.</p>
<section1 topic='Rationale' anchor='rationale'>
<section2 topic='Key Handling' anchor='key-handling'>
<p>This specification intentionally does not specify if the used
OpenPGP key should be a primary key or a subkey. It is even
possible to announce multiple public keys in the Personal Eventing
Protocol node. Implementations MUST be prepared to find multiple
public keys. The authors however believe that for ease of use only
one OpenPGP key specially crafted for the XMPP use case should be
created, announced and used.</p>
<section2 topic='OpenPGP Element and Content Element Design' anchor='openpgp-element-design'>
<p>The &openpgp; and OpenPGP content elements are container
elements for arbitrary signed and encrypted data and can thus act
as building blocks for encrypted data included in Message, IQ and
Presence stanzas. For example, future specifications may use them
to implement encrypted versions of &xep0047; or &xep0261;.</p>
<p>Note that signed OpenPGP messages already contain a timestamp
as per the OpenPGP specification. OpenPGP content elements
nevertheless require the 'time' element because not every OpenPGP
API may provide access to the embedded OpenPGP timestamp.</p>
<p>The 'rpad' element of the OpenPGP content elements exists to
prevent length-based side channel attacks.</p>
<section2 topic='Addressing the Issues and Problems of XEP-0027' anchor='solving-xep0027-issues'>
<p>This specification addresses all relevant issues of &xep0027;
(<link url=''>§
4</link>, <link
5</link>). It mitigates replay attacks by including the
recipient's address and a timestamp in the OpenPGP content
element<note>Full Replay attack prevention would require a
counter based approach.</note>. It allows for both, signing and
encrypting of the element. The scope of the specification was
deliberately limited to OpenPGP.</p>
<p>Features like signed presences, which is provided by <cite>XEP-0027</cite>,
may be added later on as add-on XEP to this.</p>
<section2 topic='Not using OpenPGP ASCII Armor' anchor='openpgp-ascii-armor'>
<p>We decided against OpenPGP ASCII Armor (which contains an
additional checksum) and in favor for Base64, because
encoding should be part of the network application rather than the
crypto layer. Also XMPP, needs no additional error correction of payload.
In "MIME Security with OpenPGP" (&rfc3156;), ASCII Armor
has only been chosen to be backwards compatible with legacy applications
supporting non-MIME OpenPGP emails only.</p>
<section2 topic='OpenPGP User IDs' anchor='openpgp-user-ids'>
<p>OpenPGP User IDs normally consist of a name - email address pair, e.g.,
"Juliet &lt;;" (<cite>RFC 4880</cite> <link
url=''>§ 5.11</link>).
For this XEP, we require User IDs of the format "".
First, it is required to have at least one User ID indicating the use
of this OpenPGP key. When doing certification of keys (key signing),
the partner must know what User ID she actually certifies.
Second, this format uses the standardized URI from <cite>XEP-0147</cite> to indicate
that this User ID corresponds to a key that is used for XMPP.
Third, having the Real Name inside provides no additional security
or guideline if this key should be certified. The XMPP address
is the only trust anchor here.</p>
<section1 topic='Security Considerations' anchor='security'>
<p>The scope of this XEP is intentionally limited, so that the
specification just defines way for XMPP entities to discover,
announce and synchronize OpenPGP keys, and how to exchange signed
and encrypted data between two or more parties. Everything else is
outside its scope. For example, how 'secure' the key material is
protected on the endpoints is up to the implementation.</p>
<p>And while this XEP specifies a mechanism how to discover and
retrieve a public key, it does not define how the trust relation to
this key should be established. Even if key discovery and retrieval
over XMPP provides a stronger coupling between the possessing entity
(the XMPP address) and the key, as compared to the OpenPGP keyservers,
how a XMPP server authenticates a remote server is a server policy,
which does vary from server to server. Implementation MUST provide a
way for the user to establish and assign trust to a public key. For
example by using a QR code shown on the recipient's device screen.</p>
<p>Besides the protocol defined herein, OpenPGP implementations are
another big attack surface. Needless to say that the security of
encrypted data exchanged using this protocol depends on the security
of the used OpenPGP implementation. It is strongly RECOMMENED to use
existing implementations instead of writing your own. OpenPGP
implementations have suffered from various vulnerabilities in the past
which opened up DoS attack vectors. For example <link
and <link
<section1 topic='IANA Considerations' anchor='iana'>
<p>This document requires no interaction with &IANA;.</p>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<section2 topic='Protocol Namespaces' anchor='registrar-ns'>
<p>The &REGISTRAR; includes 'urn:xmpp:openpgp:0' in its registry of protocol namespaces (see &NAMESPACES;).</p>
<section1 topic='XML Schema' anchor='schema'>
<p>TODO: Add after the XEP leaves the 'experimental' state.</p>
<section1 topic='Acknowledgements' anchor='acknowledgements'>
<p>Thanks to Emmanuel Gil Peyrot, Sergei Golovan, Marc Laporte, Georg
Lukas, Adithya Abraham Philip and Brian Cully for their feedback.</p>
<p>The first draft of this specification was worked out and written
on the wall of the 'Kymera' room in one of Google's buildings by the
authors, consisting of members of the XMPP Standards Foundation and
the OpenKeychain project, at the GSOC Mentors Summit 2015. The
authors would like to thank Google for making it possible by
bringing the right people together.</p>