Re: [xmpp] New(ish) draft: Secure Messaging in XMPP
Andreas Straub <andy@strb.org> Thu, 29 October 2015 18:05 UTC
Return-Path: <andy@strb.org>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93A881B30E1 for <xmpp@ietfa.amsl.com>; Thu, 29 Oct 2015 11:05:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id If6vMIA3epaG for <xmpp@ietfa.amsl.com>; Thu, 29 Oct 2015 11:05:56 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D45651B30E0 for <xmpp@ietf.org>; Thu, 29 Oct 2015 11:05:55 -0700 (PDT)
Received: by wicll6 with SMTP id ll6so50064663wic.1 for <xmpp@ietf.org>; Thu, 29 Oct 2015 11:05:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strb.org; s=google; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=S8eWLMUyaDgoz2SsYvbUFlz4QtLx9MDregCqSHZTGOo=; b=iv0JJ5FNpdYQzeeUPNCZUeO4Apa8f+Utfi3Ec2wwCRN59Lyd7gHRL3cafgpD6BXqGM McYFCm+VfGN1BR3xguI5BDF7TB4bhAop86nx0EgQ2SJCOQZWlYhnQnSJP0QXQ4/iGE5k WGgmxf7XAXgGYLG7G0okg9q9e5Oj2tpK8+WA8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=S8eWLMUyaDgoz2SsYvbUFlz4QtLx9MDregCqSHZTGOo=; b=Ofju54HrxGe8lG0RoFhpTBh9KZrrQOOrJCRmhGy4OkPZ+yvZwSKykfwioTMWjxlgP9 rZe9Ic1qBLEMtgnO2uh6lOiRWxm/d0vhiV0QWhALugrpVdN/Y67+2WiVKZQjbYVOvO88 m/nRLh71jUCjHmgiKw8KcUIqgiPz+SVM3Om2ISTVMk35hRUrPAzQs0Dmgc/oe68GS/mh OHScRYterVbKuJcV+ISeY92+jh1dfL5guXoFinjVPN/R2MwqfvDV7/GEFfepVrJtlZSB gORDLwLa256GtYK4sjzIA0z3tOHZgYqZGcbHdfDJKPPaf9+InJ0nQj7jgvZfxgstigh1 JcXg==
X-Gm-Message-State: ALoCoQn+ksvwJRb+ZAMEn8bu9ZseeB/exu0AUPUyGmT6aqIolRe9F36EL4JkdTIak7TsCnCDecmU
X-Received: by 10.28.92.16 with SMTP id q16mr9242775wmb.94.1446141954334; Thu, 29 Oct 2015 11:05:54 -0700 (PDT)
Received: from [137.226.109.174] (ip2-174.halifax.rwth-aachen.de. [137.226.109.174]) by smtp.googlemail.com with ESMTPSA id 20sm10343176wmh.8.2015.10.29.11.05.53 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 29 Oct 2015 11:05:53 -0700 (PDT)
Message-ID: <56326001.1010300@strb.org>
Date: Thu, 29 Oct 2015 19:05:53 +0100
From: Andreas Straub <andy@strb.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Martin Thomson <martin.thomson@gmail.com>, XMPP Group <xmpp@ietf.org>
References: <562AA40E.40407@nostrum.com> <562E5F53.9060104@geekplace.eu> <CABkgnnXHLAdMwA9V_7U-5Yh=8rYtvZw-KatcJc3gVQwzzuFK0w@mail.gmail.com> <5630C2C7.6030907@geekplace.eu> <CABkgnnWb3Hyjh1RX3L_6eE-+zo-Q99dCjPxN5L08RDg9PUNYNg@mail.gmail.com> <CABkgnnUPWA0fr95PeqCoEpVHXzzvJNBXXCN++tGF9V+06_Nyww@mail.gmail.com>
In-Reply-To: <CABkgnnUPWA0fr95PeqCoEpVHXzzvJNBXXCN++tGF9V+06_Nyww@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/xmpp/CtRZ7c2aW_waD2mxcMRUQohDGk8>
Subject: Re: [xmpp] New(ish) draft: Secure Messaging in XMPP
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2015 18:06:56 -0000
Hi, I'm the person behind the OMEMO spec, so I'm obviously a bit biased, but I thought I would weigh in on this specific point. > For a system where the messages are stored, this is largely a > pointless exercise. Destroying the messages is also necessary to > ensure that they cannot be recovered. I feel strongly that there's nevertheless a significant benefit to be gained from some form of forward secrecy. It's still the difference between an attacker having to break one secret and being able to decrypt the entire history, versus having to break one secret per message (or sub-chain in the axolotl world). I would actually argue that in a stored-messages scenario, frequent key update is *even more important*, because the impact of a broken secret can be so much higher. > (Other systems address this in part by provisioning a > public store with shares ahead of any need for others to use them, but > these systems work poorly in multi-party scenarios.) Are there any specific problems with multi-party scenarios you could elaborate on? We've been using just this approach with OMEMO (and I'd argue it's been pretty successful so far), so I'd be very interested if there is something that we've neglected to consider here. > In the case where there are multiple agents in a chat - a scenario we > consider to be critical for usability reasons - if any one user agent > is offline, any message encrypted for that agent has to use a key that > can only be unilaterally updated. Messages destined for the offline > agent will necessarily depend on the private keying material on that > agent, which cannot be updated. You make a good point here, in that conversations that involve a device that is offline for long periods of time must necessarily degrade their forward secrecy accordingly. However, this is not necessarily the average use-case. In fact, its a rare edge case. I would argue that a protocol which always provides the highest level of forward secrecy that is possible in any situation is preferable, even if in certain pathological cases, the security will degrade to a fixed-secret equivalent level. > We value function over perfect security and consider logging to be a > critical part of a functional chat system. I agree wholeheartedly. People have come to expect such features from a modern instant messaging service, and rightfully so. But OMEMO actually achieves these while also providing forward secrecy. I don't think that we should give up on forward secrecy altogether just because we can't achieve *perfect* forward secrecy in every situation. Cheers, Andy
- [xmpp] New(ish) draft: Secure Messaging in XMPP Adam Roach
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Thijs Alkemade
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Philipp Hancke
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Florian Schmaus
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Florian Schmaus
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Andreas Straub
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Simon Josefsson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Bartosz Małkowski
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Dave Cridland
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Bartosz Małkowski
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Dave Cridland