[Standards] Encrypted Jingle File Transfer

Remko Tronçon remko at el-tramo.be
Sun Jun 4 13:51:25 UTC 2017


On 4 June 2017 at 15:45, Vanitas Vitae <vanitasvitae at riseup.net> wrote:

> Thank you for your suggestion. I didn't knew about xmlenc, but it looks
> like it is (for now) only available for java, so restricting algorithms
> etc. definitely sounds like a good idea.
>
FYI, there's also XMLSec, the LibXML2-based C library, which has bindings
in many languages:

   https://www.aleksey.com/xmlsec/

I used that to play around with xmlsec recently.

Remko



>
> Am 04.06.2017 um 15:31 schrieb Remko Tronçon:
>
> Hi Vanitasvitae!
>
> I wonder if it would make sense to use something like xmlenc to have a
> 'generic' way to encrypt (parts of) stanzas. This way, you can decouple the
> encryption key info etc. from the things you want to encrypt, and you can
> choose to encrypt entire elements, or just parts of elements.
>
> For example, if you want to encrypt the entire <file> metadata:
>
> <iq>
>   <encrypted xmlns='urn:xmpp:omemo:0'>
>     <header sid='27183'>
>       <key rid='31415'>BASE64ENCODED...</key>
>       <key rid='12321'>BASE64ENCODED...</key>
>       ...
>     </header>
>   </encrypted>
>   <jingle xmlns='urn:xmpp:jingle:1'
>        action='session-initiate'
>        initiator='romeo at montague.example/dr4hcr0st3lup4c'
>        sid='851ba2'>
>   <content creator='initiator' name='a-file-offer' senders='initiator'>
>     <description xmlns='urn:xmpp:jingle:apps:encrypted:file-transfer:0'>
>       <!-- Encrypt entire file Element (#Element) -->
>       <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="
> http://www.w3.org/2001/04/xmlenc#Element">
>         <EncryptionMethod Algorithm="http://www.w3.org/
> 2001/04/xmlenc#aes256-cbc"/>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <KeyName>omemo</KeyName>
>         </KeyInfo>
>         <CipherData>
>           <CipherValue>/7VSyS4tbcfsq7JYhZRgQE8bNkiyUJK
> i68FdmdoA2PIRjGumbfI35X2om/4mbfHteCAEBATpsr/l/
> HvQf7GERGtvmuupNFh7reGeSWl8wajwwYyfQi9BM6MfjZKi8D9Q94FhWz2p0
> LMVEjduI9svzKOf/uLI3JolK39nH70ezvyYebybpasDxC51SypmVU1p</CipherValue>
>         </CipherData>
>       </EncryptedData>
>     </description>
>   </content>
>   </jingle>
> </iq>
>
> Or, if you just want to encrypt only parts of the <file> (e.g. not the
> hash)
>
> <iq>
>   <encrypted xmlns='urn:xmpp:omemo:0'>
>     <header sid='27183'>
>       <key rid='31415'>BASE64ENCODED...</key>
>       <key rid='12321'>BASE64ENCODED...</key>
>       ...
>     </header>
>   </encrypted>
>   <jingle xmlns='urn:xmpp:jingle:1'
>        action='session-initiate'
>        initiator='romeo at montague.example/dr4hcr0st3lup4c'
>        sid='851ba2'>
>   <content creator='initiator' name='a-file-offer' senders='initiator'>
>     <description xmlns='urn:xmpp:jingle:apps:encrypted:file-transfer:0'>
>       <file>
>         <hash xmlns='urn:xmpp:hashes:2' algo='sha-1'>w0mcJylzCn+
> AfvuGdqkty2+KP48=</hash>
>
>         <!-- Encrypt only part of file content (#Content) -->
>         <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="
> http://www.w3.org/2001/04/xmlenc#Content">
>           <EncryptionMethod Algorithm="http://www.w3.org/
> 2001/04/xmlenc#aes256-cbc"/>
>           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <KeyName>omemo</KeyName>
>           </KeyInfo>
>           <CipherData>
>
> <CipherValue>/7VSyS4tbcfsq7JYhZRgQE8bNkiyUJKi68FdmdoA2PIRjGumbfI35X2om/
> 4mbfHteCAEBATpsr/l/HvQf7GERGtvmuupNFh7reGeSWl8waj
> wwYyfQi9BM6MfjZKi8D9Q94FhWz2p0LMVEjduI9svzKOf/
> uLI3JolK39nH70ezvyYebybpasDxC51SypmVU1p</CipherValue>
>           </CipherData>
>         </EncryptedData>
>       </file>
>     </description>
>   </content>
>   </jingle>
> </iq>
>
> KeyInfo could be used to distinguish where the key material is coming from
> for encryption (e.g. OMEMO element at the top of the IQ).
>
> I'm not saying xmlenc is very elegant, and it's very broad, but it has the
> advantage that you may get an implementation for free in your language? It
> might need some restricting of possible algorithms/keys/... for clients
> that need to implement this themselves if they don't have xmlenc available.
>
> Remko
>
>
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: Standards-unsubscribe at xmpp.org
> _______________________________________________
>
>
>
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: Standards-unsubscribe at xmpp.org
> _______________________________________________
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20170604/2a997fab/attachment-0001.html>


More information about the Standards mailing list