[Security] e2e feedback

Jakob Schroeter js at camaya.net
Wed Mar 21 10:00:58 CDT 2007


Hi all,

On Tue Mar 13 2007, Peter Saint-Andre wrote:
> We received some initial feedback from an IETF security guru regarding
> encrypted sessions (XEP-0116 etc.). He thinks that, based on our
> requirements, we could simply re-use TLS semantics in XMPP syntax rather
> than define a completely new security protocol (which is considered to
> be a bad idea). Essentially this would treat XMPP as the transport
> layer, so instead of doing TLS over TCP (as we do for channel
> encryption) we would do TLS over XMPP for encrypted sessions between
> endpoints, where we communicate TLS primitives in XML syntax.

I thought this was a very interesting idea when I first read this, especially 
since I had most of the necessary infrastructure already in place in gloox. 
So I sat down today and wrote a proof-of-concept of "XTLS".

Basically, what I do is base64() TLS handshake data and encrypted payload and 
wrap it into a <xtls/> element inside a <message/> stanza.

With some caching it is possible to reduce the TLS anonymous handshake to 4 
stanzas in total: 2 client --> server, 2 server --> client. Without caching 
it would be 4 more.
This is with GnuTLS.

Unfortunately, I didn't finish my XEP-0155 implementation for this, so this is 
currently hard-coded in unit tests and a simple ping-pong example.

This is in no way meant as a recommendation from a cryptographic point of 
view, I'll leave that to more knowledgable people.

Jakob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.jabber.org/pipermail/security/attachments/20070321/c5397ba2/attachment.pgp


More information about the Security mailing list