<div dir="auto">While based on the old eSessions specification, it might well be worth looking at XEP-0200 for full-stanza encryption. ISTR it was implemented by Gajim back in the day, but I may be wrong - this specification was last updated just over a decade ago.#, and my memory really isn't *that* good...</div><div class="gmail_extra"><br><div class="gmail_quote">On 4 Jun 2017 16:47, "Fabian Beutel" <<a href="mailto:fabian.beutel@gmx.de">fabian.beutel@gmx.de</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hey,<br>
<br>
I very much like the idea of having the option to encrypt complete<br>
stanzas! I think this could be implemented transparently and would allow<br>
all kind of jingle session meta data to be secret.<br>
<br>
I wrote about this on this list on two occasions already:<br>
<a href="https://mail.jabber.org/pipermail/standards/2016-October/031475.html" rel="noreferrer" target="_blank">https://mail.jabber.org/<wbr>pipermail/standards/2016-<wbr>October/031475.html</a><br>
<a href="https://mail.jabber.org/pipermail/standards/2016-September/031440.html" rel="noreferrer" target="_blank">https://mail.jabber.org/<wbr>pipermail/standards/2016-<wbr>September/031440.html</a><br>
<br>
<br>
Basically, I would love to see a specification which describes how to<br>
transparently encrypt arbitrary stanzas (or parts of stanzas).<br>
This should be kept in a separate XEP from encrypted<br>
Jingle-Filetransfer, however, the latter could then refer to the<br>
stanza-encryption-XEP for not leaking meta data etc.<br>
<br>
Best regards,<br>
Fabian<br>
<br>
<br>
On 04.06.2017 15:31, Remko Tronçon wrote:<br>
> Hi Vanitasvitae!<br>
><br>
> I wonder if it would make sense to use something like xmlenc to have a<br>
> 'generic' way to encrypt (parts of) stanzas. This way, you can decouple<br>
> the encryption key info etc. from the things you want to encrypt, and<br>
> you can choose to encrypt entire elements, or just parts of elements.<br>
><br>
> For example, if you want to encrypt the entire <file> metadata:<br>
><br>
> <iq><br>
>   <encrypted xmlns='urn:xmpp:omemo:0'><br>
>     <header sid='27183'><br>
>       <key rid='31415'>BASE64ENCODED...</<wbr>key><br>
>       <key rid='12321'>BASE64ENCODED...</<wbr>key><br>
>       ...<br>
>     </header><br>
>   </encrypted><br>
>   <jingle xmlns='urn:xmpp:jingle:1'<br>
>        action='session-initiate'<br>
>        initiator='romeo@montague.<wbr>example/dr4hcr0st3lup4c'<br>
>        sid='851ba2'><br>
>   <content creator='initiator' name='a-file-offer' senders='initiator'><br>
>     <description xmlns='urn:xmpp:jingle:apps:<wbr>encrypted:file-transfer:0'><br>
>       <!-- Encrypt entire file Element (#Element) --><br>
>       <EncryptedData xmlns="<a href="http://www.w3.org/2001/04/xmlenc#" rel="noreferrer" target="_blank">http://www.w3.org/2001/<wbr>04/xmlenc#</a>"<br>
> Type="<a href="http://www.w3.org/2001/04/xmlenc#Element" rel="noreferrer" target="_blank">http://www.w3.org/2001/<wbr>04/xmlenc#Element</a>"><br>
>         <EncryptionMethod<br>
> Algorithm="<a href="http://www.w3.org/2001/04/xmlenc#aes256-cbc" rel="noreferrer" target="_blank">http://www.w3.org/<wbr>2001/04/xmlenc#aes256-cbc</a>"/><br>
>         <KeyInfo xmlns="<a href="http://www.w3.org/2000/09/xmldsig#" rel="noreferrer" target="_blank">http://www.w3.org/2000/<wbr>09/xmldsig#</a>"><br>
>           <KeyName>omemo</KeyName><br>
>         </KeyInfo><br>
>         <CipherData><br>
><br>
> <CipherValue>/<wbr>7VSyS4tbcfsq7JYhZRgQE8bNkiyUJK<wbr>i68FdmdoA2PIRjGumbfI35X2om/<wbr>4mbfHteCAEBATpsr/l/<wbr>HvQf7GERGtvmuupNFh7reGeSWl8waj<wbr>wwYyfQi9BM6MfjZKi8D9Q94FhWz2p0<wbr>LMVEjduI9svzKOf/<wbr>uLI3JolK39nH70ezvyYebybpasDxC5<wbr>1SypmVU1p</CipherValue><br>
>         </CipherData><br>
>       </EncryptedData><br>
>     </description><br>
>   </content><br>
>   </jingle><br>
> </iq><br>
><br>
> Or, if you just want to encrypt only parts of the <file> (e.g. not the hash)<br>
><br>
> <iq><br>
>   <encrypted xmlns='urn:xmpp:omemo:0'><br>
>     <header sid='27183'><br>
>       <key rid='31415'>BASE64ENCODED...</<wbr>key><br>
>       <key rid='12321'>BASE64ENCODED...</<wbr>key><br>
>       ...<br>
>     </header><br>
>   </encrypted><br>
>   <jingle xmlns='urn:xmpp:jingle:1'<br>
>        action='session-initiate'<br>
>        initiator='romeo@montague.<wbr>example/dr4hcr0st3lup4c'<br>
>        sid='851ba2'><br>
>   <content creator='initiator' name='a-file-offer' senders='initiator'><br>
>     <description xmlns='urn:xmpp:jingle:apps:<wbr>encrypted:file-transfer:0'><br>
>       <file><br>
>         <hash xmlns='urn:xmpp:hashes:2'<br>
> algo='sha-1'>w0mcJylzCn+<wbr>AfvuGdqkty2+KP48=</hash><br>
><br>
>         <!-- Encrypt only part of file content (#Content) --><br>
>         <EncryptedData xmlns="<a href="http://www.w3.org/2001/04/xmlenc#" rel="noreferrer" target="_blank">http://www.w3.org/2001/<wbr>04/xmlenc#</a>"<br>
> Type="<a href="http://www.w3.org/2001/04/xmlenc#Content" rel="noreferrer" target="_blank">http://www.w3.org/2001/<wbr>04/xmlenc#Content</a>"><br>
>           <EncryptionMethod<br>
> Algorithm="<a href="http://www.w3.org/2001/04/xmlenc#aes256-cbc" rel="noreferrer" target="_blank">http://www.w3.org/<wbr>2001/04/xmlenc#aes256-cbc</a>"/><br>
>           <KeyInfo xmlns="<a href="http://www.w3.org/2000/09/xmldsig#" rel="noreferrer" target="_blank">http://www.w3.org/2000/<wbr>09/xmldsig#</a>"><br>
>             <KeyName>omemo</KeyName><br>
>           </KeyInfo><br>
>           <CipherData><br>
><br>
> <CipherValue>/<wbr>7VSyS4tbcfsq7JYhZRgQE8bNkiyUJK<wbr>i68FdmdoA2PIRjGumbfI35X2om/<wbr>4mbfHteCAEBATpsr/l/<wbr>HvQf7GERGtvmuupNFh7reGeSWl8waj<wbr>wwYyfQi9BM6MfjZKi8D9Q94FhWz2p0<wbr>LMVEjduI9svzKOf/<wbr>uLI3JolK39nH70ezvyYebybpasDxC5<wbr>1SypmVU1p</CipherValue><br>
>           </CipherData><br>
>         </EncryptedData><br>
>       </file><br>
>     </description><br>
>   </content><br>
>   </jingle><br>
> </iq><br>
><br>
> KeyInfo could be used to distinguish where the key material is coming<br>
> from for encryption (e.g. OMEMO element at the top of the IQ).<br>
><br>
> I'm not saying xmlenc is very elegant, and it's very broad, but it has<br>
> the advantage that you may get an implementation for free in your<br>
> language? It might need some restricting of possible algorithms/keys/...<br>
> for clients that need to implement this themselves if they don't have<br>
> xmlenc available.<br>
><br>
> Remko<br>
><br>
><br>
> ______________________________<wbr>_________________<br>
> Standards mailing list<br>
> Info: <a href="https://mail.jabber.org/mailman/listinfo/standards" rel="noreferrer" target="_blank">https://mail.jabber.org/<wbr>mailman/listinfo/standards</a><br>
> Unsubscribe: <a href="mailto:Standards-unsubscribe@xmpp.org">Standards-unsubscribe@xmpp.org</a><br>
> ______________________________<wbr>_________________<br>
><br>
<br>
______________________________<wbr>_________________<br>
Standards mailing list<br>
Info: <a href="https://mail.jabber.org/mailman/listinfo/standards" rel="noreferrer" target="_blank">https://mail.jabber.org/<wbr>mailman/listinfo/standards</a><br>
Unsubscribe: <a href="mailto:Standards-unsubscribe@xmpp.org">Standards-unsubscribe@xmpp.org</a><br>
______________________________<wbr>_________________<br>
</blockquote></div></div>