[Security] e2e feedback
js at camaya.net
Wed Mar 21 10:00:58 CDT 2007
On Tue Mar 13 2007, Peter Saint-Andre wrote:
> We received some initial feedback from an IETF security guru regarding
> encrypted sessions (XEP-0116 etc.). He thinks that, based on our
> requirements, we could simply re-use TLS semantics in XMPP syntax rather
> than define a completely new security protocol (which is considered to
> be a bad idea). Essentially this would treat XMPP as the transport
> layer, so instead of doing TLS over TCP (as we do for channel
> encryption) we would do TLS over XMPP for encrypted sessions between
> endpoints, where we communicate TLS primitives in XML syntax.
I thought this was a very interesting idea when I first read this, especially
since I had most of the necessary infrastructure already in place in gloox.
So I sat down today and wrote a proof-of-concept of "XTLS".

Basically, what I do is base64() TLS handshake data and encrypted payload and
wrap it into an <xtls/> element inside a <message/> stanza.

With some caching it is possible to reduce the TLS anonymous handshake to 4
stanzas in total: 2 client --> server, 2 server --> client. Without caching
it would be 4 more.
This is with GnuTLS.

Unfortunately, I didn't finish my XEP-0155 implementation for this, so this is
currently hard-coded in unit tests and a simple ping-pong example.

This is in no way meant as a recommendation from a cryptographic point of
view; I'll leave that to more knowledgeable people.
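The framing described in the post above, as an added example (not part of the original message and not the author's gloox code): TLS records are base64-encoded into an <xtls/> child of a <message/> stanza, and the receiver checks the payload before handing it to a TLS library. The namespace urn:example:xtls, the size cap and the function names are assumptions, and the sample flight is constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

XTLS_NS = "urn:example:xtls"   # hypothetical namespace, not from the post
MAX_B64_LEN = 64 * 1024        # assumed per-stanza cap on the encoded payload
MAX_RECORD_LEN = 2**14 + 2048  # TLSCiphertext length ceiling in TLS 1.0-1.2
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def wrap(tls_bytes: bytes, sender: str, recipient: str) -> str:
    """Carry one flight of raw TLS records in <message><xtls/></message>."""
    msg = ET.Element("message", {"from": sender, "to": recipient})
    xtls = ET.SubElement(msg, f"{{{XTLS_NS}}}xtls")
    xtls.text = base64.b64encode(tls_bytes).decode("ascii")
    return ET.tostring(msg, encoding="unicode")

def split_records(data: bytes) -> list[tuple[str, bytes]]:
    """Split a byte string into TLS records, rejecting malformed framing."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated TLS record header")
        ctype, major = data[pos], data[pos + 1]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        if ctype not in TLS_TYPES or major != 3 or length > MAX_RECORD_LEN:
            raise ValueError("not a plausible TLS record")
        if pos + 5 + length > len(data):
            raise ValueError("TLS record body truncated")
        records.append((TLS_TYPES[ctype], data[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records

def unwrap(stanza: str) -> list[tuple[str, bytes]]:
    """Extract and validate the TLS records carried by one stanza."""
    if "<!DOCTYPE" in stanza or "<!ENTITY" in stanza:
        raise ValueError("DTDs are not allowed in XMPP")
    xtls = ET.fromstring(stanza).find(f"{{{XTLS_NS}}}xtls")
    if xtls is None or not xtls.text or len(xtls.text) > MAX_B64_LEN:
        raise ValueError("missing or oversized <xtls/> payload")
    try:
        raw = base64.b64decode(xtls.text, validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not strict base64") from exc
    return split_records(raw)

# Constructed sample flight: a handshake record followed by an alert record.
SAMPLE_FLIGHT = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00" + b"\x15\x03\x01\x00\x02\x01\x00"
```

The record check only validates framing; authenticity and confidentiality still come entirely from the TLS session carried inside the stanzas.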