[Standards] Proposed XMPP Extension: Instant Stream Resumption
flo@geekplace.eu
Fri Feb 19 20:12:03 UTC 2016
On 18.02.2016 09:45, Thijs Alkemade wrote:
> Of course, there are situations where a certificate legitimately changes, but
> quick resumption failing once every 3 months and having to fall back to a
> normal XEP-0198 resume sounds fine to me. I'd assume the possibility of
> specifying the IP address + port on which to resume makes it easy to always
> redirect the client to the same server in the cluster.
Exactly my thought: it's not really an issue if ISR fails once every few
months because of a changed cert.
> The YAP draft Dave linked looks interesting, though it only offers channel
> binding and not mutual authentication, but I think that can be easily fixed by
> something like:
> S: <enabled
> Resumption uses SASL with:
> C: id || HMAC(key, "Client" || ChannelBinding)
> S: HMAC(key, "Server" || ChannelBinding)
> Where the id is only necessary so the server can find the key efficiently (it
> could be made stateless by making the id an encrypted token containing key, or
> by deriving key from id using HMAC).
I'd like to take on this approach and modify it a bit:
- Instead of xsr:id we simply use the stream ID that's in <enabled/> if
resume=true. I'd assume that ISR supporting servers will always also
support (very likely) xep198 stream resumption.
- I'd like to fix ChannelBinding to tls-server-end-point. Mostly because
the situation hasn't much improved since Tobias asked in 2011: you
can't implement tls-unique in Java SE or Android without resorting to a
custom TLS stack.
- Don't use SASL for ISR. The XMPP session state after SASL <success/>
is a fundamentally different one than after <inst-resumed/>.
So basically we have now:
* Client receives <enabled/> with ISR key
* Client performs ISR with HMAC(isr:key, "Initiator" || cb)
    from='juliet@im.example.com'
    <hash xmlns='urn:xmpp:hashes:1' algo='sha-256'>initiator-hmac</hash>
* Server acknowledges ISR with HMAC(isr:key, "Responder" || cb)
    to='juliet@im.example.com'
    <hash xmlns='urn:xmpp:hashes:1' algo='sha-256'>responder-hmac</hash>

initiator-hmac = Base64(HMAC(key, "Initiator" || cb-tls-server-end-point))
responder-hmac = Base64(HMAC(key, "Responder" || cb-tls-server-end-point))
I'm not even sure if we need to verify the server cert against the one at
the time of <enabled/>. I don't see a point, since the server is
authenticated by responder-hmac.
Or am I missing something? If not, then I'm going to change the ISR
ProtoXEP to this.
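The mutual-authentication exchange sketched in the message above, worked through as an added example (it is not code from the message, the ProtoXEP, or any XMPP implementation). It assumes HMAC-SHA-256 (the message only fixes algo='sha-256' on the <hash/> element), the role string "Initiator"/"Responder" as ASCII bytes concatenated directly in front of the channel binding, and a tls-server-end-point binding computed per RFC 5929 as the hash of the server certificate's DER encoding. The certificate bytes and the ISR key are constructed stand-ins, and the certificate's signature hash algorithm is passed in as a parameter rather than parsed out of the certificate.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for DER-encoded server certificates. A real client
# takes these bytes from the TLS handshake of the connection it is resuming on.
SERVER_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-cert-A"
ROTATED_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-cert-B-after-rotation"

# Constructed ISR key, as handed out in <enabled/>.
ISR_KEY = bytes(range(32))


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point channel binding.

    The binding is the hash of the server certificate's DER encoding using the
    hash from the certificate's signature algorithm, except that MD5 and SHA-1
    are replaced by SHA-256. Extracting that algorithm from the certificate is
    left out here; the caller passes it in (assumption for this example).
    """
    if sig_hash.lower() in ("md5", "sha1", "sha-1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()


def isr_hmac(key: bytes, role: str, cb: bytes) -> str:
    """Base64(HMAC-SHA-256(key, role || cb)) as in the message's formula."""
    mac = hmac.new(key, role.encode("ascii") + cb, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def initiator_hmac(key: bytes, cb: bytes) -> str:
    return isr_hmac(key, "Initiator", cb)


def responder_hmac(key: bytes, cb: bytes) -> str:
    return isr_hmac(key, "Responder", cb)


def verify(expected: str, received: str) -> bool:
    # Constant-time comparison so a forged value cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("ascii"))


def run_isr(client_key: bytes, server_key: bytes,
            client_sees_cert: bytes, server_presents_cert: bytes):
    """Simulate the two-message exchange and return (server_accepts, client_accepts).

    client_key / server_key are the ISR key as each side stores it; a server that
    cannot find the stream ID ends up with a key that does not match.
    client_sees_cert is the certificate on the client's TLS connection and
    server_presents_cert the one the server knows it is presenting. They differ
    only if something else (e.g. a TLS interceptor) terminates the connection.
    """
    cb_client = tls_server_end_point(client_sees_cert)
    cb_server = tls_server_end_point(server_presents_cert)

    # Client -> Server: the initiator-hmac inside the ISR request.
    c_msg = initiator_hmac(client_key, cb_client)
    server_accepts = verify(initiator_hmac(server_key, cb_server), c_msg)
    if not server_accepts:
        return False, False          # server answers with a failure, no responder-hmac

    # Server -> Client: the responder-hmac inside the acknowledgement.
    s_msg = responder_hmac(server_key, cb_server)
    client_accepts = verify(responder_hmac(client_key, cb_client), s_msg)
    return server_accepts, client_accepts


if __name__ == "__main__":
    print("same cert, same key      :", run_isr(ISR_KEY, ISR_KEY, SERVER_CERT_DER, SERVER_CERT_DER))
    print("cert rotated since enable:", run_isr(ISR_KEY, ISR_KEY, ROTATED_CERT_DER, ROTATED_CERT_DER))
    print("interposed TLS endpoint  :", run_isr(ISR_KEY, ISR_KEY, ROTATED_CERT_DER, SERVER_CERT_DER))
    print("unknown key              :", run_isr(ISR_KEY, b"\x00" * 32, SERVER_CERT_DER, SERVER_CERT_DER))
```

The second case shows why the message sees no need to compare the certificate with the one from the time of <enabled/>: both sides compute the binding from the certificate on the current connection, so a rotated certificate still yields matching HMACs as long as the key matches. The third case is what the channel binding buys: a party terminating TLS with a different certificate cannot pass the client's HMAC on to the real server. Note that tls-server-end-point changes only when the certificate changes, not per connection, so the HMACs are identical on every connection to the same certificate; their secrecy rests on the TLS channel carrying them.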