[Standards] MUC E2E encryption
dave at cridland.net
Thu Jan 15 16:39:30 UTC 2009
On Thu Jan 15 15:35:57 2009, Okano, Stephen wrote:
> I have been following the forums on end-to-end encryption for a
> while as I am involved in a project developing group end-to-end
> encryption. It looks like the XEPs currently are focused on e2e
> encryption between two entities. Is there any framework for
> implementing encryption in a Multi-User Chat framework?

Not really, but various approaches have been tried in the field.

> If so which XEPs are most relevant? We have extended pidgin's
> implementation of XMPP to enable group e2e encryption using our own
> XMPP tags, but I can imagine there might already be a standardized
> way for specifying group e2e in XMPP. Thanks for any help!

Encryption in a MUC implies encrypting the message such that all
authorized occupants can see it.

There are essentially two approaches:

1) The sender encrypts for each occupant of the room. (i.e., the master
key is sent to each authorized occupant).

2) The sender encrypts for the room, the room encrypts for each

(2) can be achieved using e2e encryption with the room or MUC
service, of course, but requires the room itself be trusted - I think
it's the more sensible approach, however, for most circumstances,
although it needs special server support.

(1) could be done if each occupant sent, individually, the same
master key encrypted for each individual occupant, and then, using
their master key, encrypted each message prior to sending to the MUC,
signed with their public key. You could do this without server
support, or else you could combine both approaches.

I suspect that even for (2), you'd want to sign each stanza to avoid
at least forgery, and that's useful technology on its own, since we
can reuse that for authenticated retransmissions of various kinds,
such as PubSub. There are a few deployed sites doing
PKI-authenticated stanzas, I think.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
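Approach (1) from the message above, worked through as an added example (editor's illustration, not code from Dave Cridland, the thread, or any XEP): one occupant generates a master key and wraps it for every authorized occupant's public key; each message is then encrypted under that master key and signed by its sender, and receivers verify the signature against a roster of known signing keys before decrypting. The message names no primitives, so the choices here are assumptions: RSA-OAEP for wrapping the key, AES-256-GCM for the messages, Ed25519 for the per-stanza signatures, the occupant nicks, the "muc-room-key" OAEP label and the "hello room" text are all constructed. It goes one step past the text by also showing the two rejections a client needs: an outsider who verifies the signature but was never given the key, and a stanza whose ciphertext was altered in transit, which is the forgery case the message says signing is there to stop.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { // demo-only: panic instead of returning errors
	if err != nil {
		panic(err)
	}
	return v
}

// Occupant is one room member: RSA key to receive the wrapped master key, Ed25519 key to sign stanzas.
type Occupant struct {
	Nick    string
	encPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
	SigPub  ed25519.PublicKey
	roomKey []byte // the shared master key, nil until this occupant has unwrapped it
}

func NewOccupant(nick string) *Occupant {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Occupant{Nick: nick, encPriv: must(rsa.GenerateKey(rand.Reader, 2048)), sigPriv: priv, SigPub: pub}
}

// Stanza is the protected payload a groupchat message would carry.
type Stanza struct {
	From                         string
	Nonce, Ciphertext, Signature []byte
}

// signedInput is what the sender signs: nick, NUL separator, nonce, ciphertext.
func signedInput(s *Stanza) []byte {
	return append(append(append([]byte(s.From), 0), s.Nonce...), s.Ciphertext...)
}

func roomAEAD(key []byte) cipher.AEAD { // AES-256-GCM over the shared master key
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Send encrypts with the room key (sender nick as AAD), then signs with the sender's own key.
func (o *Occupant) Send(plaintext string) *Stanza {
	gcm := roomAEAD(o.roomKey)
	s := &Stanza{From: o.Nick, Nonce: make([]byte, gcm.NonceSize())}
	must(rand.Read(s.Nonce))
	s.Ciphertext = gcm.Seal(nil, s.Nonce, []byte(plaintext), []byte(o.Nick))
	s.Signature = ed25519.Sign(o.sigPriv, signedInput(s))
	return s
}

// Receive checks the signature against the roster's key for s.From, then decrypts.
func (o *Occupant) Receive(s *Stanza, roster map[string]ed25519.PublicKey) (string, error) {
	pub, ok := roster[s.From]
	if !ok || !ed25519.Verify(pub, signedInput(s), s.Signature) {
		return "", fmt.Errorf("%s: bad signature on stanza from %s", o.Nick, s.From)
	}
	if o.roomKey == nil {
		return "", fmt.Errorf("%s: never given the room key, cannot decrypt", o.Nick)
	}
	pt, err := roomAEAD(o.roomKey).Open(nil, s.Nonce, s.Ciphertext, []byte(s.From))
	return string(pt), err
}

// Demo: alice wraps one master key per authorized occupant, bob posts, carol reads; mallory (no key) and a tampered stanza are rejected.
func Demo() (received string, outsiderRejected, tamperRejected bool) {
	alice, bob, carol, mallory := NewOccupant("alice"), NewOccupant("bob"), NewOccupant("carol"), NewOccupant("mallory")
	roster := map[string]ed25519.PublicKey{"alice": alice.SigPub, "bob": bob.SigPub, "carol": carol.SigPub}
	roomKey := make([]byte, 32)
	must(rand.Read(roomKey))
	label := []byte("muc-room-key") // constructed OAEP label: ties the wrapped key to this use
	for _, o := range []*Occupant{alice, bob, carol} { // mallory is not an occupant
		wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &o.encPriv.PublicKey, roomKey, label))
		o.roomKey = must(rsa.DecryptOAEP(sha256.New(), nil, o.encPriv, wrapped, label)) // unwrapped on their side
	}
	msg := bob.Send("hello room")
	received = must(carol.Receive(msg, roster))
	_, err := mallory.Receive(msg, roster) // signature verifies, but she holds no key
	outsiderRejected = err != nil
	tampered := *msg // one flipped ciphertext byte: the signature no longer verifies
	tampered.Ciphertext = append([]byte{msg.Ciphertext[0] ^ 1}, msg.Ciphertext[1:]...)
	_, err = alice.Receive(&tampered, roster)
	tamperRejected = err != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Two design points the code makes explicit that the message leaves implicit: the sender's nick is bound into the AEAD as associated data and into the signed bytes, so a stanza cannot be re-posted under another occupant's name, and the roster of signing keys is what decides who counts as an authorized occupant, which is exactly the trust the message says approach (1) keeps away from the server.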