XEP-0188: Cryptographic Design of Encrypted Sessions

This document describes the requirements and cryptographic design that underpin the XMPP protocol extensions Encrypted Session Negotiation, Offline Encrypted Sessions and Stanza Encryption.


WARNING: This Informational document is Experimental. Publication as an XMPP Extension Protocol does not imply approval of this proposal by the XMPP Standards Foundation. Implementation of the best practice or protocol profile described herein is encouraged in exploratory implementations, although production systems should not deploy implementations of this protocol until it advances to a status of Draft.


Document Information

Series: XEP
Number: 0188
Publisher: XMPP Standards Foundation
Status: Experimental
Type: Informational
Version: 0.3
Last Updated: 2006-11-27
Approving Body: XMPP Council
Dependencies: XMPP Core, XMPP IM, RFC 2104
Supersedes: None
Superseded By: None
Short Name: cryptoesession
Wiki Page: <http://wiki.jabber.org/index.php/Cryptographic Design of Encrypted Sessions (XEP-0188)>

Author Information

Ian Paterson

Email: ian.paterson@clientside.co.uk
JabberID: ian@zoofy.com

Legal Notice

This XMPP Extension Protocol is copyright 1999 - 2007 by the XMPP Standards Foundation (XSF) and is in full conformance with the XSF's Intellectual Property Rights Policy <http://www.xmpp.org/extensions/ipr-policy.shtml>. This material may be distributed only subject to the terms and conditions set forth in the Creative Commons Attribution License (<http://creativecommons.org/licenses/by/2.5/>).

Discussion Venue

The preferred venue for discussion of this document is the Standards discussion list: <http://mail.jabber.org/mailman/listinfo/standards>.

Given that this XMPP Extension Protocol normatively references IETF technologies, discussion on the XSF-IETF list may also be appropriate (see <http://mail.jabber.org/mailman/listinfo/jsf-ietf> for details).

Relation to XMPP

The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 3920) and XMPP IM (RFC 3921) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.

Conformance Terms

The following keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".


Table of Contents


1. Introduction
2. Scope
3. The Session Approach
4. Dramatis Personae
5. Requirements
    5.1. Security Requirements
       5.1.1. Confidentiality
       5.1.2. Integrity
       5.1.3. Replay Protection
       5.1.4. Perfect Forward Secrecy
       5.1.5. PKI Independence
       5.1.6. Authentication
       5.1.7. Identity Protection
       5.1.8. Repudiability
       5.1.9. Robustness
       5.1.10. Upgradability
    5.2. Application Requirements
       5.2.1. Generality
       5.2.2. Implementability
       5.2.3. Usability
       5.2.4. Efficiency
       5.2.5. Flexibility
       5.2.6. Interoperability
       5.2.7. Offline Sessions
       5.2.8. Object Encryption
6. Cryptographic Origins
    6.1. Introduction
    6.2. SIGMA Parameter Descriptions
    6.3. SIGMA-I Overview
    6.4. SAS-Only Overview
    6.5. SIGMA-R with SAS Overview
    6.6. SIGMA-I Key Exchange
    6.7. SIGMA-R with SAS Key Exchange
7. Cryptographic Design
    7.1. ESession Parameter Descriptions
    7.2. Online ESession-I Negotiation
    7.3. Online ESession-R Negotiation
    7.4. Offline ESession Negotiation
8. Security Considerations
9. IANA Considerations
10. XMPP Registrar Considerations
11. Acknowledgments
Notes
Revision History


1. Introduction

Note: The protocols developed according to the requirements and cryptographic design described in this document are described in Encrypted Session Negotiation [1], Offline Encrypted Sessions [2] and Stanza Encryption [3]. The information in those documents should be sufficient for implementors. This purely informative document is primarily for people interested in the design and analysis of those protocols.

As specified in RFC 3920 [4], XMPP is an XML streaming protocol that enables the near-real-time exchange of XML fragments between any two (or more) network endpoints. To date, the main application built on top of the core XML streaming layer is instant messaging (IM) and presence, the base extensions for which are specified in RFC 3921 [5]. There are three first-level elements of XML streams (<message/>, <presence/>, and <iq/>); each of these "XML stanza" types has different semantics, which can complicate the task of defining a generalized approach to end-to-end encryption for XMPP. In addition, XML stanzas can be extended (via properly-namespaced child elements) for a wide variety of functionality.

XMPP is a session-oriented communication technology: normally, a client authenticates with a server and maintains a long-lived connection that defines the client's XMPP session. Such stream-level sessions may be secured via channel encryption using Transport Level Security (RFC 2246 [6]), as specified in Section 5 of RFC 3920. However, there is no guarantee that all hops will implement or enforce channel encryption (or that intermediate servers are trustworthy), which makes end-to-end encryption desirable.

The encrypted stanzas should be understood by an intermediate server only to the extent required to route them. (One complicating factor is that routing information may include not only the stanza's 'to', 'from', 'type, and 'id' attributes, but also Advanced Message Processing [7] extensions.)

The session metaphor also applies to communication between endpoints: for instance, in IM applications, most instant messaging exchanges occur in bursts within limited time periods (e.g., two people may send a fairly large number of messages during a five-minute chat and then not exchange messages again for hours or even days). The XML stanzas exchanged during such a session may not be limited to <message/> stanzas; for instance, the session may be triggered by a change in one of the parties' presence status (e.g., changing from away to available) and the session may involve the exchange of <iq/> stanzas (e.g., to transfer a file as specified in File Transfer [8]).

The foregoing XMPP communications exist in the context of a one-to-one communication session between two entities. However, several forms of XMPP communication exist outside the context of one-to-one communication sessions:

2. Scope

Ideally, any technology for end-to-end encryption in XMPP could be extended to cover all the scenarios above as well as one-to-one communication sessions. However, both many-to-many sessions and one-to-many broadcast are deemed out of scope for this document.

Offline communications are handled via a simple extension to the protocol for one-to-one sessions between two entities that are online simultaneously (see below).

3. The Session Approach

Existing approaches to encryption of Internet communications have generally assumed that the "thing" to be encrypted has a stable identity or is best understood as a standalone object (e.g., a file or email message); the term "object encryption" well captures this assumption. Both Current Jabber OpenPGP Usage [11] and RFC 3923 [12] assume that XMPP communications are more like the exchange of email messages than they are like an interactive session -- while Current Jabber OpenPGP Usage uses "old-style" PGP object encryption and RFC 3923 uses "new-style" S/MIME object encryption, both specify the use of object encryption.

However, because XMPP is a session-oriented communication technology, encryption schemes that are appropriate for other Internet technologies may not be appropriate for XMPP. XMPP, with its in-order delivery of XML stanzas, is able to take advantage of much more secure approaches to encryption (including Perfect Forward Secrecy) that are not feasible for less dynamic technologies (like email).

The session-oriented nature of XMPP implies that the focus should be on "session encryption" rather than "object encryption". The paradigm for XMPP encryption should be something closer to the widely-deployed Secure Shell technology (see RFC 4301 [13] and RFC 4253 [14]) or ZRTP [15] (an acclaimed RFC 3711 [16] key agreement protocol) than to traditional encryption of files and standalone email messages.

Therefore, this document specifies a method for encrypted sessions ("ESessions") that takes advantage of the inherent possibilities and strengths of session encryption as opposed to object encryption. The conceptual model for this approach was inspired by "off-the-record" (OTR) communication, as implemented in the Gaim encryption plugin and described in Off-the-Record Communication [17]. The basic concept is that of an encrypted session which acts as a secure tunnel between two endpoints. Once the tunnel is established, the content of all one-to-one XML stanzas exchanged between the endpoints will be encrypted and then transmitted within a "wrapper" protocol element.

Note: In order to gain a thorough understanding of this document, it is recommended that the Off-the-Record Communication paper and the ZRTP Internet-Draft are read first.

4. Dramatis Personae

This document introduces two characters to help the reader follow the necessary exchanges:

  1. "Alice" is the name of the initiator of the ESession.
  2. "Bob" is the name of the other participant in the ESession started by Alice.

While Alice and Bob are introduced as "end users", they are simply meant to be examples of XMPP entities. Any directly addressable XMPP entity may participate in an ESession.

5. Requirements

5.1 Security Requirements

This document stipulates the following security requirements for end-to-end encryption of XMPP communications:

Each of these requirements is explained in greater depth below.

5.1.1 Confidentiality

The one-to-one XML stanzas exchanged between two entities MUST NOT be understandable to any other entity that might intercept the communications.

5.1.2 Integrity

Alice and Bob MUST be sure that no other entity may change the content of the XML stanzas they exchange, or remove or insert stanzas into the ESession undetected.

5.1.3 Replay Protection

Alice or Bob MUST be able to identify and reject any communications that are copies of their previous communications resent by another entity.

5.1.4 Perfect Forward Secrecy

The encrypted communication MUST NOT be revealed even if long-lived keys are compromised in the future (e.g., Steve steals Bob's computer). [18]

5.1.5 PKI Independence

The protocol must not rely on any public key infrastructure (PKI), certification authority, web of trust, or any other trust model that is external to the trust established between Alice and Bob. However, if external authentication or trust models are available then Alice and Bob must be able to use them to enhance any trust that exists between them.

5.1.6 Authentication

Each party to a conversation MUST know that the other party is who they want to communicate with (Alice must be able to know that Bob really is Bob, and vice versa). [19]

5.1.7 Identity Protection

No other entity should be able to identify Alice or Bob. The JIDs they use to route their stanzas are unavoidably vulnerable to interception. However, the public keys they use SHOULD NOT be revealed to other entities using a passive attack. Bob SHOULD also be able to choose between protecting either his public key or Alice's public key from disclosure through active ("man-in-the-middle") attacks.

5.1.8 Repudiability

Alice and Bob MUST be able to repudiate any stanza that occurs within an ESession. After an ESession has finished, it SHOULD NOT be possible to prove cryptographically that any transcript has not been modified by a third party. [20]

5.1.9 Robustness

The protocol must provide more than one difficult challenge that must be overcome before an attack can succeed (for example, by generating encryption keys using as many shared secrets as possible - like retained secrets or optional passwords).

5.1.10 Upgradability

The protocol must be upgradable so that, if a vulnerability is discovered, a new version can fix it. Alice MUST tell Bob which versions of the protocol she is prepared to support. Then Bob MUST either choose one or reject the ESession. [21]

5.2 Application Requirements

In addition to the foregoing security profile, this document also stipulates the following application-specific requirements for encrypted communication in the context of Jabber/XMPP technologies:

Each of these is explained in greater depth below.

5.2.1 Generality

The solution should be generally applicable to the full content of any XML stanza type (<message/>, <presence/>, <iq/>) sent between two entities. It is deemed acceptable for now if the solution does not apply to many-to-many stanzas (e.g., groupchat messages sent within the context of multi-user chat) or one-to-many stanzas (e.g., presence "broadcasts" and pubsub notifications); end-to-end encryption of such stanzas may require separate solutions or extensions to the one-to-one session solution.

5.2.2 Implementability

The only good security technology is an implemented security technology. The solution should be one that typical client developers can implement in a relatively straightforward and interoperable fashion.

5.2.3 Usability

The requirement of usability takes implementability one step further by stipulating that the solution must be one that organizations may deploy and humans may use with 100% transparency (with the ease-of-use of https:). Experience has shown that: solutions requiring a full public key infrastructure do not get widely deployed, and solutions requiring any user action are not widely used. If the users are prepared to verify the integrity of their copies of each other's keys then the necessary actions should be limited to a one-time out-of-band verification of a string of up to 6 alphanumeric characters.

5.2.4 Efficiency

Cryptographic operations are highly CPU intensive, particularly public key and Diffie-Hellman operations. Cryptographic data structures can be relatively large especially public keys and certificates. The solution should perform efficiently even when CPU and network bandwidth are constrained. The number of stanzas required for ESession negotiation should be minimized.

5.2.5 Flexibility

The solution should be compatible with existing (and future) cryptographic algorithms and identity certification schemes (including X.509 and PGP). The protocol should also be able to evolve to correct the weaknesses that are inevitably discovered once any cryptographic protocol is in widespread use.

5.2.6 Interoperability

Ideally, it would be possible for an XMPP user to exchange encrypted messages (and, potentially, presence information) with users of non-XMPP messaging systems.

5.2.7 Offline Sessions

Ideally, it should be possible to encrypt one-to-one communications that are stored for later delivery instead of being delivered immediately, such as so-called "offline messages". However, any vulnerabilities introduced to enable offline communications must not make online communications more vulnerable.

5.2.8 Object Encryption

For cases where a session is not desired, it should be possible to encrypt, sign and send a single stanza in isolation, so-called "object encryption".

6. Cryptographic Origins

6.1 Introduction

Authenticated key-exchange is the most challenging part of the design of any secure communication protocol. The ESessions key exchange essentially translates the SIGMA [22] [23] key-exchange protocol into the syntax of XMPP. The SIGMA approach to Diffie-Hellman Key Agreement (see RFC 2631 [24]) underpins several standard key-exchange protocols including the Internet Key Exchange (IKE) protocol versions 1 and 2 (see RFC 2409 [25] and RFC 4306 [26]).

Note: Although this section provides an overview of SIGMA, it is strongly recommended that the SIGMA paper is read first in order to gain a thorough understanding of this document.

The 3-message SIGMA-I-based key exchange protects the identity of the initiator against active attacks. This SHOULD NOT be used to establish client to client sessions since the responder's identity is not protected against active attacks. However, it SHOULD be used to establish client to service (server) sessions, especially where the identity of the service is well known to third parties.

The two 4-message SIGMA-R-based key exchanges with hash commitment defend the responder's identity against active attacks and facilitate detection of a Man in the Middle attack. They SHOULD be used to establish client to client sessions.

Note: The block cipher function, cipher, uses CTR mode.

6.2 SIGMA Parameter Descriptions

Table 1: SIGMA and SAS Overview Parameters

Parameter Description
g Diffie-Hellman generator
x, y Alice and Bob's private Diffie-Hellman keys
gx, gy Alice and Bob's public Diffie-Hellman keys
Hgx Hash of Alice's public Diffie-Hellman key
KSA, KSB The MAC keys (derived from K) that Alice and Bob use to calculate macA and macB
pubKeyA, pubKeyB The public keys that represent the identity of Alice and Bob, and are used to verify their signatures
macA, macB The MAC values that associate the shared secret with the identity of Alice or Bob
signKeyA, signKeyB The private keys that Alice and Bob use to sign
signA, signB Alice's and Bob's signatures of the shared secret
KCA, KCB The cipher keys (derived from K) that Alice and Bob use to encrypt
IDA, IDB The encrypted parameters that identify Alice and Bob to each other
SAS Short Authentication string

Table 2: Key Exchange Parameters

Parameter Description
p Diffie-Hellman prime
e, d Alice and Bob's public Diffie-Hellman keys (the same as gx, gy)
He Hash of Alice's public Diffie-Hellman key
K Shared secret (derived by Alice from gy and x, or by Bob from gx and y)
HASH Selected hash algorithm
NA, NB Alice and Bob's session freshness nonces (ESession IDs)
CA, CB Block cipher initial counter value for blocks sent by Alice and Bob
n Block size of selected cipher algorithm in bits
KMA, KMB The MAC keys (derived from K) that Alice and Bob use to protect the integrity of encrypted data
MA, MB The MAC values that Alice and Bob use to confirm the integrity of encrypted data
SRS Shared retained secret (derived from K in previous session between the clients)
RS1A...RSZA Retained secrets Alice shares with Bob (one for each client he uses)
RS1B...RSZB Retained secrets Bob shares with Alice (one for each client she uses)
RSH1A...RSHZA HMACs of retained secrets Alice shares with Bob
SRSH Bob's HMAC of SRS
OSS Other shared secret of Alice and Bob (e.g. a shared password) defaults to "secret"
isPKA, isPKB Whether or not Alice and Bob prefer to receive a public key (booleans)

6.3 SIGMA-I Overview

The diagram below demonstrates the barest cryptographic skeleton of the SIGMA-I key exchange protocol. Here Bob allows Alice to protect her identity from active attacks, by allowing her to authenticate him before she communicates her identity. Note: The cipher keys (KCA and KCB) are different in each direction, making this exchange slightly more conservative than SIGMA.

ALICE                                                BOB 
                                            gx
                                      ------------>

                                                     macB = HMAC(KSB, {gx, gy, pubKeyB})
                                                     signB = sign(signKeyB, macB)
                                                     IDB = cipher(KCB, {pubKeyB, signB})
                                         gy, IDB 
                                      <------------

authenticate(IDB) 
macA = HMAC(KSA, {gy, gx, pubKeyA})
signA = sign(signKeyA, macA)
IDA = cipher(KCA, {pubKeyA, signA})
                                            IDA
                                      ------------>

                                                     authenticate(IDA)
    

6.4 SAS-Only Overview

The diagram below demonstrates the skeleton of the Diffie-Hellman key exchange that employs out-of-band SAS authentication. If Alice and Bob's public keys are not yet trusted, or if their private keys have been compromised, then the hash commitment sent in the first step enables Alice and Bob to verify their copies of each other's Diffie-Hellman (and public) keys and detect a Man in the Middle more easily.

If a Man in the Middle changes the public Diffie-Hellman keys that Alice and Bob receive, then he could potentially use his knowledge of the SAS that Bob will eventually calculate when choosing the key he will send to Alice in the second step. However, the fact that the value he received in the first step is only a hash means the Man in the Middle must choose the key he sends to Alice before he can predict the SAS that she will calculate with it. Therefore, even if the SAS is very short, he is unable to use his resources to choose a key that will (have a better than random chance to) result in a SAS that matches Bob's. So only a truncated version of the HASH of Alice and Bob's keys needs to be verified out-of-band in the final step.

ALICE                                                BOB 
                                            Hgx
                                      ------------>

                                            gy
                                      <------------
SAS = truncate(HASH(gx | gy))
                                            gx
                                      ------------>

                                                     assert Hgx = HASH(gx)
                                                     SAS = truncate(HASH(gx | gy))
                                           SAS
                                      <===========>
    

6.5 SIGMA-R with SAS Overview

The logic of the four-step SIGMA-R protocol is similar to the three-step SIGMA-I protocol. The difference being that Bob protects his identity from active attacks by by delaying communicating his identity to Alice until he has authenticated her. The diagram below demonstrates the skeleton of the key exchange. Note that it also takes advantage of the extra step required for SIGMA-R to incorporate a hash commitment, thus enabling optional out-of-band SAS authentication.

ALICE                                                BOB 
                                            Hgx
                                      ------------>

                                            gy
                                      <------------

macA = HMAC(KSA, {gy, gx, pubKeyA})
signA = sign(signKeyA, macA)
IDA = cipher(KCA, {pubKeyA, signA})
SAS = truncate(HASH(gx | gy))
                                         gx, IDA
                                      ------------>

                                                     assert Hgx = HASH(gx)
                                                     SAS = truncate(HASH(gx | gy))
                                           SAS
                                      <===========>

                                                     authenticate(IDA)
                                                     macB = HMAC(KSB, {gx, gy, pubKeyB})
                                                     signB = sign(signKeyB, macB)
                                                     IDB = cipher(KCB, {pubKeyB, signB})
                                           IDB
                                      <------------
authenticate(IDB)
    

6.6 SIGMA-I Key Exchange

The diagram below describes exactly the same SIGMA-I key exchange protocol as the SIGMA-I Overview above. It provides much more detail, without specifying any ESession-specific details. The differences between it and the SIGMA-R with SAS Key Exchange are highlighted.

ALICE                                        BOB 

NA = random()
x = random()
e = gx mod p
                                 e, NA
                             ------------>
                                             NB = random()
                                             CA = random()
                                             CB = CA XOR 2n-1 
                                             y = random()
                                             d = gy mod p
                                             assert 1 < e < p-1
                                             K = HASH(ey mod p)
                                             KCA = HMAC(HASH, K, "Initiator Cipher Key")
                                             KCB = HMAC(HASH, K, "Responder Cipher Key")
                                             KMA = HMAC(HASH, K, "Initiator MAC Key")
                                             KMB = HMAC(HASH, K, "Responder MAC Key")
                                             KSA = HMAC(HASH, K, "Initiator SIGMA Key")
                                             KSB = HMAC(HASH, K, "Responder SIGMA Key")
                                             macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, CA})
                                             signB = sign(signKeyB, macB)
                                             IDB = cipher(KCB, CB, {pubKeyB, signB})
                                             MB = HMAC(HASH, KMB, CB, IDB) 
                               d, CA, NB
                             <------------
                                IDB, MB 
CB = CA XOR 2n-1 
assert 1 < d < p-1
K = HASH(dx mod p)
KCA = HMAC(HASH, K, "Initiator Cipher Key")
KCB = HMAC(HASH, K, "Responder Cipher Key") 
KMA = HMAC(HASH, K, "Initiator MAC Key")
KMB = HMAC(HASH, K, "Responder MAC Key") 
KSA = HMAC(HASH, K, "Initiator SIGMA Key")
KSB = HMAC(HASH, K, "Responder SIGMA Key")
assert MB = HMAC(HASH, KMB, CB, IDB)
{pubKeyB, signB} = decipher(KCB, CB, IDB)
macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, CA})
verify(signB, pubKeyB, macB) 
macA = HMAC(HASH, KSA, {NB, NA, e, pubKeyA})
signA = sign(signKeyA, macA)
IDA = cipher(KCA, CA, {pubKeyA, signA})
MA = HMAC(HASH, KMA, CA, IDA)
                                  IDA
                             ------------>
                                   MA 
                                             assert MA = HMAC(HASH, KMA, CA, IDA)
                                             {pubKeyA, signA} = decipher(KCA, CA, IDA)
                                             macA = HMAC(HASH, KSA, {NB, NA, e, pubKeyA})
                                             verify(signA, pubKeyA, macA)
    

6.7 SIGMA-R with SAS Key Exchange

The Short Authentication String technique enables protection against a Man in the Middle without the need to generate, distribute or authenticate any public keys. As long as a hash commitment is used at the start of the key exchange then only a short human-friendly string needs to be verified out-of-band (e.g. by recognizable voice communication).

Furthermore, if retained secrets associated with a client/user combination are employed consistently during key exchanges, then the Man in the Middle would need to be present for every session, including the first, and the out-of-band verification would only need to be performed once to verify the absence of a Man in the Middle for all sessions between the parties (past, present and future). [27]

Public keys are optional in the diagram below. It describes the same SIGMA-R with SAS key exchange protocol as the SIGMA-R Overview. It provides much more detail including the use of retained secrets and other secrets. Note: These optional security enhancements are especially important when the protocol is being used without public keys.

The diagram does not specify any ESession-specific details. The differences between it and the SIGMA-I Key Exchange are highlighted.

ALICE                                        BOB 

NA = random()
x = random()
e = gx mod p
He = SHA256(e)
                               He, isPKA
                             ------------>
                                   NA 
                                             NB = random()
                                             CA = random()
                                             CB = CA XOR 2n-1 
                                             y = random()
                                             d = gy mod p
                               d, CA, NB
                             <------------
                                 isPKB 
CB = CA XOR 2n-1 
assert 1 < d < p-1
K = HASH(dx mod p)
KCA = HMAC(HASH, K, "Initiator Cipher Key")
KMA = HMAC(HASH, K, "Initiator MAC Key")
KSA = HMAC(HASH, K, "Initiator SIGMA Key")
SAS = truncate(HASH(e | d | "Short Authentication String"))
RSH1A...RSHZA = HMAC(HASH, NA, RS1A...RSZA)
if isPKB equals false then: 
    macA = HMAC(HASH, KSA, {NB, NA, e, RSH1A...RSHZA})
    IDA = cipher(KCA, CA, macA)
else: 
    macA = HMAC(HASH, KSA, {NB, NA, e, pubKeyA, RSH1A...RSHZA})
    signA = sign(signKeyA, macA)
    IDA = cipher(KCA, CA, {pubKeyA, signA})
MA = HMAC(HASH, KMA, CA, IDA)
                                IDA, MA
                             ------------>
                             e, RSH1A...RSHZA
                                             assert He = SHA256(e)
                                             SAS = truncate(HASH(e | d | "Short Authentication String") ))
                                  SAS
                             <===========>

                                             assert 1 < e < p-1
                                             K = HASH(ey mod p)
                                             KCA = HMAC(HASH, K, "Initiator Cipher Key")
                                             KMA = HMAC(HASH, K, "Initiator MAC Key")
                                             KSA = HMAC(HASH, K, "Initiator SIGMA Key") 
                                             assert MA = HMAC(HASH, KMA, CA, IDA)
                                             if isPKB equals false then: 
                                                 macA = decipher(KCA, CA, IDA)
                                                 assert macA = HMAC(HASH, KSA, {NB, NA, e, RSH1A...RSHZA})
                                             else: 
                                                 {pubKeyA, signA} = decipher(KCA, CA, IDA)
                                                 macA = HMAC(HASH, KSA, {NB, NA, e, pubKeyA, RSH1A...RSHZA})
                                                 verify(signA, pubKeyA, macA)
                                             SRS = choose(RS1B...RSZB, RSH1A...RSHZA, NA)
                                             K = HASH(K | SRS | OSS)
                                             KCA = HMAC(HASH, K, "Initiator Cipher Key")
                                             KCB = HMAC(HASH, K, "Responder Cipher Key")
                                             KMA = HMAC(HASH, K, "Initiator MAC Key")
                                             KMB = HMAC(HASH, K, "Responder MAC Key")
                                             KSB = HMAC(HASH, K, "Responder SIGMA Key")
                                             SRSH = HMAC(HASH, SRS, "Shared Retained Secret")
                                             retain(HMAC(HASH, K, "New Retained Secret"))
                                             if isPKA equals false then: 
                                                 macB = HMAC(HASH, KSB, {NA, NB, d, CA})
                                                 IDB = cipher(KCB, CB, macBelse: 
                                                 macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, CA})
                                                 signB = sign(signKeyB, macB)
                                                 IDB = cipher(KCB, CB, {pubKeyB, signB})
                                             MB = HMAC(HASH, KMB, CB, IDB)
                                   IDB
                             <------------
                                MB, SRSH 

SRS = choose(RS1A...RSZA, SRSH)
K = HASH(K | SRS | OSS)
KCA = HMAC(HASH, K, "Initiator Cipher Key")
KCB = HMAC(HASH, K, "Responder Cipher Key")
KMA = HMAC(HASH, K, "Initiator MAC Key")
KMB = HMAC(HASH, K, "Responder MAC Key")
KSB = HMAC(HASH, K, "Responder SIGMA Key")
retain(HMAC(HASH, K, "New Retained Secret"))
assert MB = HMAC(HASH, KMB, CB, IDB)
if isPKA equals false then: 
    macB = decipher(KCB, CB, IDB)
    assert macB = HMAC(HASH, KSB, {NA, NB, d, CA})
else: 
    {pubKeyB, signB} = decipher(KCB, CB, IDB)
    macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, CA})
    verify(signB, pubKeyB, macB)
    

7. Cryptographic Design

This section provides an overview of the full ESession key-exchange protocol from a cryptographic point of view. This protocol is based on the full fledge protocol, as described in Appendix B of the SIGMA paper. It also uses variant (ii), as described in Secion 5.4 of the same paper.

7.1 ESession Parameter Descriptions

The table below describes the parameters that are not found in the Parameter Descriptions tables above.

Table 3: ESession Negotiation Parameters

Parameter Description
options Includes a set of possible values for each and every ESession parameter (see the ESession Request sub-section in Encrypted Session Negotiation), including sets of possible values for p, g, HASH, CIPHER, SIGN
chosen Includes a chosen value for each ESession parameter
CIPHER Selected CTR-mode block cipher algorithm
DECIPHER Selected CTR-mode block decipher algorithm (corresponds to CIPHER)
SIGN Selected signature algorithm
VERIFY The selected signature verification algorithm (corresponds to SIGN)
SASGEN The selected SAS generation algorithm
x1...xZ Alice's private Diffie-Hellman keys - each value corresponds to one of Z different DH groups
e1...eZ The choice of public Diffie-Hellman keys that Alice offers Bob - each value corresponds to one of Z different DH groups (and a different value of x)
He1...HeZ The list of hash commitments that Alice sends to Bob (hashes of e1...eZ)
*signKeysA All the private keys that Alice is able to use to create signatures
*signsB The set of signatures of formB (one for each of Bob's private keys)
*pubKeysA All of Alice's public keys that Bob has access to

* Offline negotiation only

7.2 Online ESession-I Negotiation

Alice uses this protocol when Bob is Online. In addition to the key exchange described in the SIGMA-I Key Exchange protocol above, she offers Bob a choice of Diffie-Hellman groups with her corresponding values of e, various algorithms and other parameters. The differences between this protocol and Online ESession-R Negotiation are highlighted.

ALICE                                    BOB 

NA = random()
for g,p ∈ options
    x = random()
    e = gx mod p
formA = {e1...eZ, options, NA}
                                formA
                             --------->

                                         chosen = {p,g,HASH,CIPHER,SIGN...} = choose(options)
                                         e = choose(e1...eZ, p)
                                         NB = random()
                                         CA = random()
                                         CB = CA XOR 2n-1 
                                         y = random()
                                         d = gy mod p
                                         formB = {CA, chosen, d, NA, NB}
                                         assert 1 < e < p-1
                                         K = HASH(ey mod p)
                                         KCA = HMAC(HASH, K, "Initiator Cipher Key")
                                         KCB = HMAC(HASH, K, "Responder Cipher Key")
                                         KMA = HMAC(HASH, K, "Initiator MAC Key")
                                         KMB = HMAC(HASH, K, "Responder MAC Key")
                                         KSA = HMAC(HASH, K, "Initiator SIGMA Key")
                                         KSB = HMAC(HASH, K, "Responder SIGMA Key")
                                         macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, formB})
                                         signB = SIGN(signKeyB, macB)
                                         IDB = CIPHER(KCB, CB, {pubKeyB, signB})
                                         MB = HMAC(HASH, KMB, CB, IDB) 
                                formB
                             <---------
                               IDB, MB 
assert chosen ∈ options
x = choose(x1...xZ, p)
e = gx mod p
CB = CA XOR 2n-1 
assert 1 < d < p-1
K = HASH(dx mod p)
KCA = HMAC(HASH, K, "Initiator Cipher Key")
KCB = HMAC(HASH, K, "Responder Cipher Key") 
KMA = HMAC(HASH, K, "Initiator MAC Key")
KMB = HMAC(HASH, K, "Responder MAC Key") 
KSA = HMAC(HASH, K, "Initiator SIGMA Key")
KSB = HMAC(HASH, K, "Responder SIGMA Key")
assert MB = HMAC(HASH, KMB, CB, IDB)
{pubKeyB, signB} = DECIPHER(KCB, CB, IDB)
macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, formB})
VERIFY(signB, pubKeyB, macB) 
macA = HMAC(HASH, KSA, {NB, NA, e, pubKeyA, formA})
signA = SIGN(signKeyA, macA)
IDA = CIPHER(KCA, CA, {pubKeyA, signA})
MA = HMAC(HASH, KMA, CA, IDA)
                                IDA
                             --------->
                               MA, NB 
                                         assert MA = HMAC(HASH, KMA, CA, IDA)
                                         {pubKeyA, signA} = DECIPHER(KCA, CA, IDA)
                                         macA = HMAC(HASH, KSA, {NB, NA, e, pubKeyA, formA})
                                         VERIFY(signA, pubKeyA, macA)
    

7.3 Online ESession-R Negotiation

This protocol is similar to the Online ESession-I Negotiation above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and Online ESession-I Negotiation are highlighted.

ALICE                                      BOB 

NA = random()
for g,p ∈ options
    x = random()
    e = gx mod p
    He = SHA256(e) 
formA = {He1...HeZ, options, NA, isPKA}

                                 formA
                             ------------>

                                           chosen = {p,g,HASH,CIPHER,SIGN,SASGEN...} = choose(options)
                                           He = choose(He1...HeZ, p)
                                           NB = random()
                                           CA = random()
                                           CB = CA XOR 2n-1 
                                           y = random()
                                           d = gy mod p
                                           formB = {CA, chosen, d, NA, NB, isPKB}
                                 formB
                             <------------
assert chosen ∈ options
x = choose(x1...xZ, p)
e = choose(e1...eZ, p)
CB = CA XOR 2n-1 
assert 1 < d < p-1
K = HASH(dx mod p)
KCA = HMAC(HASH, K, "Initiator Cipher Key")
KMA = HMAC(HASH, K, "Initiator MAC Key")
KSA = HMAC(HASH, K, "Initiator SIGMA Key")
SAS = SASGEN(e, d)
RSH1A...RSHZA = HMAC(HASH, NA, RS1A...RSZA)
formA2 = {RSH1A...RSHZA, e, NB}
if isPKB equals false then: 
    macA = HMAC(HASH, KSA, {NB, NA, e, formA, formA2})
    IDA = CIPHER(KCA, CA, macA)
else:  
    macA = HMAC(HASH, KSA, {NB, NA, e, pubKeyA, formA, formA2})
    signA = SIGN(signKeyA, macA)
    IDA = CIPHER(KCA, CA, {pubKeyA, signA})
MA = HMAC(HASH, KMA, CA, IDA)

                                IDA, MA
                             ------------>
                                 formA2 

                                           assert He = SHA256(e)
                                           SAS = SASGEN(e, d)
                                  SAS
                             <===========>

                                           assert 1 < e < p-1
                                           K = HASH(ey mod p)
                                           KCA = HMAC(HASH, K, "Initiator Cipher Key")
                                           KMA = HMAC(HASH, K, "Initiator MAC Key")
                                           KSA = HMAC(HASH, K, "Initiator SIGMA Key")
                                           assert MA = HMAC(HASH, KMA, CA, IDA)
                                           if isPKB equals false then: 
                                               macA = DECIPHER(KCA, CA, IDA)
                                               assert macA = HMAC(HASH, KSA, {NB, NA, e, formA, formA2})
                                           else: 
                                               {pubKeyA, signA} = DECIPHER(KCA, CA, IDA)
                                               macA = HMAC(HASH, KSA, {NB, NA, e, pubKeyA, formA, formA2})
                                               VERIFY(signA, pubKeyA, macA)
                                           SRS = choose(RS1B...RSZB, RSH1A...RSHZA, NA)
                                           K = HASH(K | SRS | OSS)
                                           KCA = HMAC(HASH, K, "Initiator Cipher Key")
                                           KCB = HMAC(HASH, K, "Responder Cipher Key")
                                           KMA = HMAC(HASH, K, "Initiator MAC Key")
                                           KMB = HMAC(HASH, K, "Responder MAC Key")
                                           KSB = HMAC(HASH, K, "Responder SIGMA Key")
                                           if SRS equals false then: 
                                               SRS = random()
                                           SRSH = HMAC(HASH, SRS, "Shared Retained Secret")
                                           retain(HMAC(HASH, K, "New Retained Secret"))
                                           formB2 = {NA, SRSH}
                                           if isPKA equals false then: 
                                               macB = HMAC(HASH, KSB, {NA, NB, d, formB, formB2})
                                               IDB = CIPHER(KCB, CB, macBelse: 
                                               macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, formB, formB2})
                                               signB = SIGN(signKeyB, macB)
                                               IDB = CIPHER(KCB, CB, {pubKeyB, signB})
                                           MB = HMAC(HASH, KMB, CB, IDB)

                                IDB, MB 
                             <------------
                                 formB2 

SRS = choose(RS1A...RSZA, SRSH)
K = HASH(K | SRS | OSS)
KCA = HMAC(HASH, K, "Initiator Cipher Key")
KCB = HMAC(HASH, K, "Responder Cipher Key")
KMA = HMAC(HASH, K, "Initiator MAC Key")
KMB = HMAC(HASH, K, "Responder MAC Key")
KSB = HMAC(HASH, K, "Responder SIGMA Key")
retain(HMAC(HASH, K, "New Retained Secret"))
assert MB = HMAC(HASH, KMB, CB, IDB)
if isPKA equals false then: 
    macB = DECIPHER(KCB, CB, IDB)
    assert macB = HMAC(HASH, KSB, {NA, NB, d, formB, formB2})
else: 
    {pubKeyB, signB} = DECIPHER(KCB, CB, IDB)
    macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, formB, formB2})
    VERIFY(signB, pubKeyB, macB)
    

7.4 Offline ESession Negotiation

Bob uses this protocol to send stanzas to Alice when she is Offline. Note: Since the full SIGMA protocol cannot be used if Alice is offline, her identity is not protected at all.

The diagram is split into three phases. First Alice publishes her ESession options before going offline. Later Bob completes the key exchange (and sends her encrypted stanzas that are not shown below) these are all stored by Alice's server. Finally when Alice comes online again she verifies and calculates the decryption key.

The differences between this offline protocol and the Online ESession-I Negotiation protocol above are highlighted in the diagram below.

ALICE                    ALICE'S SERVER              BOB 

NA = random()
for g,p ∈ options
    x = random()
    e = gx mod p
formA = {e1...eZ, options, NA}
signsA = multi_sign(signKeysA, formA)
retain(NA, x1...xZ, expireTime) 

                   formA
                 -------->
                   signsA 

                         retain(formA, signsA)
---------------------------------------------------------------------------------------------------------
                         retrieve(formA, signsA) 

                                             formA
                                           -------->
                                             signsA 

                                                     verify_one(signsA, pubKeysA, formA)
                                                     chosen = {p,g,HASH,CIPHER,SIGN...} = choose(options)
                                                     e = choose(e1...eZ, p)
                                                     CA = random()
                                                     y = random()
                                                     d = gy mod p
                                                     CB = CA XOR 2n-1 
                                                     NB = random()
                                                     formB = {CA, chosen, d, NA, NB}
                                                     assert 1 < e < p-1
                                                     K = HASH(ey mod p)
                                                     KCA = HMAC(HASH, K, "Initiator Cipher Key")
                                                     KCB = HMAC(HASH, K, "Responder Cipher Key")
                                                     KMA = HMAC(HASH, K, "Initiator MAC Key")
                                                     KMB = HMAC(HASH, K, "Responder MAC Key")
                                                     KSA = HMAC(HASH, K, "Initiator SIGMA Key")
                                                     KSB = HMAC(HASH, K, "Responder SIGMA Key")
                                                     macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, formB})
                                                     signB = SIGN(signKeyB, macB)
                                                     IDB = CIPHER(KCB, CB, {pubKeyB, signB})
                                                     MB = HMAC(HASH, KMB, CB, IDB)

                                             formB
                                           <--------
                                            IDB, MB 

                         retain(formB,IDB,MB)
---------------------------------------------------------------------------------------------------------
                         retrieve(formB,IDB,MB) 
                   formB
                 <--------
                  IDB, MB 

retrieve(NA, x1...xZ, expireTime)
assert now < expireTime 
assert chosen ∈ options
x = choose(x1...xZ, p)
e = gx mod p
CB = CA XOR 2n-1 
assert 1 < d < p-1
K = HASH(dx mod p)
KCA = HMAC(HASH, K, "Initiator Cipher Key")
KCB = HMAC(HASH, K, "Responder Cipher Key")
KMA = HMAC(HASH, K, "Initiator MAC Key")
KMB = HMAC(HASH, K, "Responder MAC Key")
KSA = HMAC(HASH, K, "Initiator SIGMA Key")
KSB = HMAC(HASH, K, "Responder SIGMA Key")
assert MB = HMAC(HASH, KMB, CB, IDB)
{pubKeyB, signB} = DECIPHER(KCB, CB, IDB)
macB = HMAC(HASH, KSB, {NA, NB, d, pubKeyB, formB})
VERIFY(signB, pubKeyB, macB)
    

Note: KMB is necessary only to allow Bob to terminate the ESession if he comes online before Alice terminates it. The calculation of KCB and KSB is not strictly necessary.

8. Security Considerations

The security considerations are described in Encrypted Session Negotiation and Offline Encrypted Sessions.

9. IANA Considerations

This document requires no interaction with the Internet Assigned Numbers Authority (IANA) [28].

10. XMPP Registrar Considerations

This document requires no interaction with the XMPP Registrar [29].

11. Acknowledgments

The author would like to thank Ian Goldberg for the time he spent reviewing this protocol and for his invaluable suggestions and comments.


Notes

1. XEP-0116: Encrypted Session Negotiation <http://www.xmpp.org/extensions/xep-0116.html>.

2. XEP-0187: Offline Encrypted Sessions <http://www.xmpp.org/extensions/xep-0187.html>.

3. XEP-0200: Stanza Encryption <http://www.xmpp.org/extensions/xep-0200.html>.

4. RFC 3920: Extensible Messaging and Presence Protocol (XMPP): Core <http://tools.ietf.org/html/rfc3920>.

5. RFC 3921: Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence <http://tools.ietf.org/html/rfc3921>.

6. RFC 2246: The TLS Protocol Version 1.0 <http://tools.ietf.org/html/rfc2246>.

7. XEP-0079: Advanced Message Processing <http://www.xmpp.org/extensions/xep-0079.html>.

8. XEP-0096: File Transfer <http://www.xmpp.org/extensions/xep-0096.html>.

9. XEP-0045: Multi-User Chat <http://www.xmpp.org/extensions/xep-0045.html>.

10. XEP-0060: Publish-Subscribe <http://www.xmpp.org/extensions/xep-0060.html>.

11. XEP-0027: Current Jabber OpenPGP Usage <http://www.xmpp.org/extensions/xep-0027.html>.

12. RFC 3923: End-to-End Signing and Object Encryption for the Extensible Messaging and Presence Protocol (XMPP) <http://tools.ietf.org/html/rfc3923>.

13. RFC 4301: Security Architecture for the Internet Protocol <http://tools.ietf.org/html/rfc4301>.

14. RFC 4253: The Secure Shell (SSH) Transport Layer Protocol <http://tools.ietf.org/html/rfc4253>.

15. ZRTP: Extensions to RTP for Diffie-Hellman Key Agreement for SRTP <http://www.ietf.org/internet-drafts/draft-zimmermann-avt-zrtp-01.txt>. Work in progress.

16. RFC 3711: The Secure Real-time Transport Protocol (SRTP) <http://tools.ietf.org/html/rfc3711>.

17. Off-the-Record Communication, or, Why Not to Use PGP <http://www.isaac.cs.berkeley.edu/~iang/pubs/otr-wpes.pdf>.

18. Long-lived keys are typically used for a few years, whereas Offline ESession keys are destroyed as soon as the stanza is decrypted - they typically exist for just a few hours. So Perfect Forward Secrecy should significantly enhance the security even of Offline ESessions.

19. Authentication is not identification, authentication may be as simple as Alice confirming that Bob is the same Bob that she communicated with yesterday or that she talked to on the telephone. The reliable association between an entity and its public keys is "identification" and therefore beyond the scope of this document.

20. Naturally, it is possible that Alice or Bob may retain cleartext versions of the exchanged communications; however, that threat is out of scope for this document.

21. It is exceptionally difficult to design a truly secure authenticated key-exchange protocol. Weaknesses are often only discovered after years of expert cryptographic analysis. In many cases, only the widespread use of a protocol will motivate experts to undertake exhaustive analyses and recommend enhancements.

22. SIGMA: the 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols (Hugo Krawczyk, June 12 2003) <http://www.ee.technion.ac.il/~hugo/sigma.ps>.

23. Like RFC 2409, this protocol uses variant (ii), as described in Secion 5.4 of the SIGMA paper.

24. RFC 2631: Diffie-Hellman Key Agreement Method <http://tools.ietf.org/html/rfc2631>.

25. RFC 2409: The Internet Key Exchange (IKE) <http://tools.ietf.org/html/rfc2409>.

26. RFC 4306: Internet Key Exchange (IKEv2) Protocol <http://tools.ietf.org/html/rfc4306>.

27. This combination of techniques underpins the ZRTP key agreement protocol.

28. The Internet Assigned Numbers Authority (IANA) is the central coordinator for the assignment of unique parameter values for Internet protocols, such as port numbers and URI schemes. For further information, see <http://www.iana.org/>.

29. The XMPP Registrar maintains a list of reserved protocol namespaces as well as registries of parameters used in the context of XMPP extension protocols approved by the XMPP Standards Foundation. For further information, see <http://www.xmpp.org/registrar/>.


Revision History

Version 0.3 (2006-11-27)

Added PKI Independence and Robustness requirements; added optional public key independence, hash commitment, SAS authentication, retained secrets and other secrets to SIGMA-R key exchange

(ip)

Version 0.2 (2006-07-19)

Removed public key IDs from Offline options

(ip)

Version 0.1 (2006-07-18)

Initial version (extracted from XEP-0116 version 0.9).

(ip)

END