[Security] [Standards] Proposed changes for ESessions
Peter Saint-Andre
stpeter at stpeter.im
Mon Aug 4 14:36:04 CDT 2008
Jonathan Schleifer wrote:
> Hi!
>
> I'm a Gajim developer and we have implemented ESessions. However, as
> we're currently the only XMPP client to my knowledge implementing it
> and the XEP is currently deferred, we plan to make a few changes and
> like to get them back in the XEP.
We talk some about end-to-end encryption at the XMPP Summit recently
(nothing formal -- just a dinner discussion among people who are
interested in the topic). The rough consensus was that we'll work to
implement and deploy end-to-end streams and upgrade using TLS. It's a
bit of a hack, but has some good features. I'll post about that in a
separate thread.
> 1.) While the Sessions XEP explicitly states that session should NOT be
> regarded as ended, we think that this is fine for normal sessions,
> but not for ESessions.
> The reason is quite simple: If a contact changed his status to
> unavailable, the reason might be that the connection was lost due
> to lost TCP packages. That also means that maybe messages we sent
> got lost. As ESessions don't work when a message was lost and thus
> decrypting of further messages is not possible, we would like to
> regard an ESession as terminated when a contact signs off and
> re-establish a new ESession as soon as that user becomes available
> again.
> We also thought about keeping the thread ID and sending
> unencrypted. However, I'm against that as it could be that the
> other client reconnected and still think it's in an ESession and
> gets problems with this. That's why I prefer to use a new thread ID
> then.
That is good input to the definition of a session (or chat session),
which is still a bit unclear.
> 2.) I'm not completely satisfied with the security of ESessions. They
> give an attacker pretty much possibilities for known plain-text and
> timing attacks.
> Thus, I propose the following changes:
>
> * Add a <random> tag to every stanza before encryption to make
> sure an attacker never knows the full plain-text. With the
> current version of the XEP, an attacker would know the full
> plain-text for example on typing notifications, which can be
> spotted very easily on their size (another issue I'll talk
> about later).
True.
> * Typing notifications make it easy for an attacker to do a
> timing attack. There are attacks that lets an attacker guess
> the content of a message by looking at how long was typed and
> the timing distance to the last message.
> The solution I'd propose is to send a bogus stanza from time to
> time, only including a <random> tag, but with a value a bit
> longer than proposed in the first point of 2.).
> Additionally, a XEP-0184 receipt request should be added to
> SOME of those bogus packets - whether or not that receipt is
> added is random. If the client does not support XEP-0184, a
> receipt is never requested, of course, therefore the bogus
> packets won't request it as well then.
> * XEP-0184 receipt requests are always answered instantly. So an
> attacker knows by just the timing that a packet is an answer to
> a XEP-0184 receipt request. That's why I propose to ALWAYS
> answer XEP-0184 receipt requests unencrypted, as the attacker
> would only get data for a known full-plain-text attack from
> this.
> Additionally, bogus XEP-0184 receipt requests should be sent
> from time to time - this would already be covered by the point
> before this one (bogus stanzas that randomly include a XEP-0184
> receipt request)
I don't we have that problem with an end-to-end stream, do we?
> * Add padding with a random length, so it's impossible to analyze
> the message on it's length. Without this, it's easy to guess
> from the length of a packet if it's for example a typing
> notification, allowing the before mentioned timing attack. Plus
> the size of an encrypted message already gives a clue about the
> possible content.
>
> 3.) This suggestion is optional and I personally would NOT implement it,
> as IMHO, this is against the idea of instant messaging:
>
> Add a random delay to packets, not a big one, only a small time.
> This would make timing attacks even harder.
>
> I would add that as an optional thing to the XEP, maybe something
> the clients can enable on demand when messaging doesn't need to be
> so instant.
What exactly is the timing attack?
> I'd be glad to hear some opinions to these proposals before we
> implement them. Maybe someone got even better ideas on how to solve the
> current deficiencies?
I've been doing some research on Short Authentication Strings (SAS), and
I think the usage of SAS in ESessions may be close to worthless. But
I'll post about that separately.
> However, we are very likely going to do something against these
> deficiencies and of course it would be nice if the XEP could be
> enhanced by fixes for these deficiencies, so we don't have to give up
> being XEP-complaint for ESessions.
Given that Ian Paterson seems to have disappeared, you could become a
maintainer for the ESessions specs.
> It's not that we're only going to implement it exactly in the way I
> described above, but we'd really like to see something similar to these
> proposals. Of course, we're open to better approaches then those I had
> in mind.
Sure, we can discuss other approaches, too. But it seems that not so
many people are interested on this list. Perhaps we'd get a more active
conversation going on the security at xmpp.org list (cc'd here)?
http://mail.jabber.org/mailman/listinfo/security
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20080804/f79fcf47/attachment.bin
More information about the Security
mailing list