Date posted: 08-Jan-2018
An Analysis of XMPP Security
Team "Vision": Chris Nelson, Ashwin Kulkarni, Nitin Khatri, Taulant Haka, Yong Chen
CMPE 209 Spring 2009
AGENDA
• History of XMPP
• Introduction to XMPP
• Security in XMPP
  • Use of TLS (Transport Layer Security)
  • Use of SASL (Simple Authentication and Security Layer)
• Security concerns in XMPP
• Conclusion
HISTORY OF XMPP
• 1998 - Core technology was invented by Jeremie Miller
• 1999 - The Jabber open-source community began developing the protocol
• 2000 - The Instant Messaging and Presence Protocol (IMPP) Working Group published the result
• 2002 and 2003 - The XMPP protocol was formalized by the IETF
• 2004 - The XMPP RFCs were published
• 2007 - The Jabber Software Foundation was renamed the XMPP Standards Foundation
APPLICATIONS USING XMPP
• Instant messaging
• Presence
• Media session management
• Shared editing
• Whiteboarding
• Collaboration
• Lightweight middleware
• Content syndication
• Generalized XML routing
THE CORE PROTOCOLS OF THE EXTENSIBLE MESSAGING AND PRESENCE PROTOCOL
• Jabber Client
• Jabber Server
• Presence and IM Session Establishment
• Resource Binding
• Server Dialback
• Simple Authentication and Security Layer
• S/MIME Encryption
• Stanza Errors
• Stream Errors
• Transport Layer Security
• XML Streams
XMPP COMMUNICATION
XMPP uses XML to communicate between two nodes:
• a client and a server
• a server and a server
• a client and another client, via one or more servers
XMPP COMMUNICATION (cont.)
A simplistic view of one-way communication using XMPP:
• <stream> opens the connection; </stream> closes it
• <presence> and </presence> indicate the start and end of the stanza
• <iq> and </iq> carry information/query (iq) requests and responses
SECURITY IN XMPP
XMPP is built on four layers:
• TCP as the reliable transport protocol
• TLS for encryption of data sent over the TCP connection
• SASL for authentication of nodes communicating over TLS and TCP
• XMPP as an application communicating over the reliable, authenticated, and encrypted channel
SECURITY IN XMPP - USE OF TLS
• The initiating entity opens a TCP connection and sends a stream header that includes the 'version' attribute
• The receiving entity responds by opening a TCP connection and sending a stream header that includes the 'version' attribute
• The receiving entity offers the STARTTLS extension, including a <required/> element as a child of the <starttls/> element
SECURITY IN XMPP - USE OF TLS (cont.)
• The initiating entity issues the STARTTLS command
• The receiving entity MUST reply with either a <proceed/> element or a <failure/> element
• The initiating entity and receiving entity attempt to complete a TLS negotiation
• If the TLS negotiation is unsuccessful, the receiving entity MUST terminate the TCP connection
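The STARTTLS exchange from the two slides above, written out as an added example (not code from the slides): both entities are simulated in one process, the namespaces are the ones defined in RFC 3920, and the JIDs, domain and the handshake outcome flags are constructed inputs.

```python
import xml.etree.ElementTree as ET

# Namespaces from RFC 3920; the JIDs and domain used below are constructed sample values.
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_STREAM = "http://etherx.jabber.org/streams"

def stream_header(to, sender):
    """Either entity opens its half of the stream; version='1.0' signals TLS/SASL support."""
    return (f"<stream:stream xmlns='jabber:client' xmlns:stream='{NS_STREAM}' "
            f"to='{to}' from='{sender}' version='1.0'>")

def offer_starttls(required=True):
    """Receiving entity's <stream:features/>; <required/> means it refuses an unencrypted stream."""
    child = "<required/>" if required else ""
    return (f"<stream:features xmlns:stream='{NS_STREAM}'>"
            f"<starttls xmlns='{NS_TLS}'>{child}</starttls></stream:features>")

def tls_offer(features_xml):
    """Initiating entity checks whether STARTTLS was offered and whether it is mandatory."""
    starttls = ET.fromstring(features_xml).find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        return None
    return {"required": starttls.find(f"{{{NS_TLS}}}required") is not None}

def answer_starttls(command_xml, tls_available):
    """Receiving entity MUST answer the STARTTLS command with <proceed/> or <failure/>."""
    if ET.fromstring(command_xml).tag != f"{{{NS_TLS}}}starttls":
        raise ValueError("expected a <starttls/> command")
    return f"<{'proceed' if tls_available else 'failure'} xmlns='{NS_TLS}'/>"

def negotiate(tls_available=True, handshake_ok=True):
    """Drive the exchange; returns (transcript, tcp_still_open, tls_established)."""
    log = [("C", stream_header("example.org", "juliet@example.org")),
           ("S", stream_header("juliet@example.org", "example.org"))]
    features = offer_starttls(required=True)
    log.append(("S", features))
    if tls_offer(features) is None:
        return log, True, False            # no offer at all: stream would stay in plaintext
    cmd = f"<starttls xmlns='{NS_TLS}'/>"
    log.append(("C", cmd))
    reply = answer_starttls(cmd, tls_available)
    log.append(("S", reply))
    proceed = ET.fromstring(reply).tag == f"{{{NS_TLS}}}proceed"
    if not proceed or not handshake_ok:
        log.append(("S", "</stream:stream>"))  # unsuccessful: receiving entity tears down TCP
        return log, False, False
    return log, True, True                 # handshake done: both sides reopen the stream over TLS
```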
SECURITY IN XMPP - USE OF SASL
• The initiating entity requests SASL authentication by including the 'version' attribute in its stream header
• The receiving entity advertises a list of available SASL authentication mechanisms
• The initiating entity selects a mechanism by sending an <auth/> element
• The receiving entity challenges the initiating entity by sending a <challenge/> element
• The initiating entity responds to the challenge by sending a <response/> element
SECURITY IN XMPP - USE OF SASL (cont.)
If necessary, the receiving entity sends more challenges and the initiating entity sends more responses, until:
• the initiating entity aborts the handshake by sending an <abort/> element
• the receiving entity reports failure of the handshake by sending a <failure/> element
• the receiving entity reports success of the handshake by sending a <success/> element
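The SASL exchange from the two slides above, as an added example rather than code from the slides: the slides name no mechanism, so CRAM-MD5 (RFC 2195) is assumed because its single challenge/response round fits the page's <auth/>, <challenge/>, <response/>, <success/>, <failure/> and <abort/> elements; the account store and the server nonce are constructed values.

```python
import base64, hmac, hashlib
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
# Constructed credential store; a real receiving entity would not keep cleartext passwords.
ACCOUNTS = {"juliet": "s3cret"}

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def unb64(element) -> bytes:
    return base64.b64decode(element.text or "")

def mechanisms_offer():
    # CRAM-MD5 is obsolete (modern servers offer SCRAM); it is used here only for its one-round shape.
    return f"<mechanisms xmlns='{NS_SASL}'><mechanism>CRAM-MD5</mechanism></mechanisms>"

def client_auth(mechanisms_xml, wanted="CRAM-MD5"):
    """Initiating entity picks a mechanism with <auth/>, or sends <abort/> if none it accepts is offered."""
    offered = [m.text for m in ET.fromstring(mechanisms_xml)]
    if wanted not in offered:
        return f"<abort xmlns='{NS_SASL}'/>"
    return f"<auth xmlns='{NS_SASL}' mechanism='{wanted}'/>"

def server_challenge(auth_xml, nonce: bytes):
    """Receiving entity answers <auth/> with a base64-encoded <challenge/> carrying a fresh nonce."""
    el = ET.fromstring(auth_xml)
    if el.tag != f"{{{NS_SASL}}}auth" or el.get("mechanism") != "CRAM-MD5":
        return f"<failure xmlns='{NS_SASL}'><invalid-mechanism/></failure>"
    return f"<challenge xmlns='{NS_SASL}'>{b64(nonce)}</challenge>"

def client_response(challenge_xml, user, password):
    """CRAM-MD5 response is 'user HEX(HMAC-MD5(password, challenge))', base64-encoded in <response/>."""
    digest = hmac.new(password.encode(), unb64(ET.fromstring(challenge_xml)), hashlib.md5).hexdigest()
    return f"<response xmlns='{NS_SASL}'>{b64(f'{user} {digest}'.encode())}</response>"

def server_verify(response_xml, nonce: bytes):
    """Receiving entity recomputes the digest in constant time and reports <success/> or <failure/>."""
    user, _, digest = unb64(ET.fromstring(response_xml)).decode().partition(" ")
    expected = hmac.new(ACCOUNTS.get(user, "").encode(), nonce, hashlib.md5).hexdigest()
    if user in ACCOUNTS and hmac.compare_digest(expected, digest):
        return f"<success xmlns='{NS_SASL}'/>"
    return f"<failure xmlns='{NS_SASL}'><not-authorized/></failure>"

def run_sasl(user, password, nonce=b"<1896.697170952@example.org>"):
    """One full round; returns the name of the final element: success, failure or abort."""
    auth = client_auth(mechanisms_offer())
    if auth.startswith("<abort"):
        return "abort"
    chal = server_challenge(auth, nonce)
    if chal.startswith("<failure"):
        return "failure"
    result = server_verify(client_response(chal, user, password), nonce)
    return ET.fromstring(result).tag.split("}")[1]
```

Mechanisms that need several rounds simply repeat the server_challenge / client_response pair until one side emits <success/>, <failure/> or <abort/>.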
XMPP EXTENSIONS
• Instant Messaging and Presence -- base XMPP extensions for instant messaging, contact lists, presence, and privacy blocking (RFC 3921)
• End-to-End Signing and Object Encryption (RFC 3923)
• XMPP extensions with additional features, including XML-RPC and SOAP bindings, in-band registration, extended presence, geolocation, and reliable message delivery (XEP series)
XMPP EXTENSIONS (XEP series)
• Service Discovery -- a robust protocol for determining the features supported by other entities on an XMPP network (XEP-0030)
• Data Forms -- a flexible protocol for forms handling via XMPP, mainly used in workflow applications and for dynamic configuration (XEP-0004)
• File Transfer -- a protocol for transferring files from one XMPP entity to another (XEP-0096)
• HTTP Binding -- a binding of XMPP to HTTP rather than TCP, mainly used for devices that cannot maintain persistent TCP connections to a server (XEP-0124)
SECURITY CONCERNS IN XMPP
Security depends on the user
• The user trusts a certificate from an unknown source
and/or on the implementation
• Performing SASL negotiation before securing the channel with TLS
• Sending message, presence, or iq data before completing the TLS or SASL negotiations
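An added example (not from the slides) that checks a stream for the two implementation concerns just listed: SASL started over a plaintext stream, and stanzas sent before TLS and SASL have both completed. The event traces are constructed; a real checker would derive them from a server's stream log or a packet capture.

```python
# Constructed top-level stream events: (sender, element) in wire order.
# 'C' = initiating entity, 'S' = receiving entity, '-' = out-of-band milestone.
TLS_DONE, SASL_DONE = "tls-handshake-complete", "sasl-success"
STANZAS = {"message", "presence", "iq"}

def audit_stream(events):
    """Flag negotiation-order violations from the slide; returns a list of human-readable findings."""
    tls_done = sasl_done = False
    findings = []
    for n, (who, element) in enumerate(events, 1):
        if element == TLS_DONE:
            tls_done = True
        elif element == SASL_DONE:
            sasl_done = True
        elif element == "auth" and not tls_done:
            findings.append(f"event {n}: SASL <auth/> sent before TLS secured the channel")
        elif element in STANZAS and not (tls_done and sasl_done):
            missing = "TLS" if not tls_done else "SASL"
            findings.append(f"event {n}: <{element}/> from {who} before {missing} negotiation completed")
    return findings

# A well-ordered stream: TLS, then SASL, then the first stanza (constructed).
GOOD_STREAM = [("C", "stream"), ("S", "stream"), ("S", "features"), ("C", "starttls"),
               ("S", "proceed"), ("-", TLS_DONE), ("C", "stream"), ("S", "stream"),
               ("S", "features"), ("C", "auth"), ("S", "challenge"), ("C", "response"),
               ("S", SASL_DONE), ("C", "stream"), ("S", "stream"), ("C", "presence")]

# A stream with both ordering mistakes from the slide (constructed).
BAD_STREAM = [("C", "stream"), ("S", "stream"), ("S", "features"),
              ("C", "auth"), ("S", "challenge"), ("C", "response"),   # SASL over plaintext
              ("S", SASL_DONE), ("C", "message"),                      # stanza before any TLS
              ("C", "starttls"), ("S", "proceed"), ("-", TLS_DONE)]

if __name__ == "__main__":
    for name, stream in (("good", GOOD_STREAM), ("bad", BAD_STREAM)):
        print(name, audit_stream(stream) or ["no violations"])
```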
CONCLUSION
• XMPP was designed with security in mind
• Its architecture is solid
• The implementation is secure
• Susceptible to careless users
REFERENCES
Summary of XMPP. (2007, January 16). Retrieved March 8, 2008, from http://www.xmpp.org/about/summary.shtml
Extensible Messaging and Presence Protocol. Retrieved March 8, 2008, from http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol
Extensible Messaging and Presence Protocol (XMPP): Core. (2004, October). Retrieved March 8, 2008, from http://tools.ietf.org/html/rfc3920
Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence. (2004, October). Retrieved March 8, 2008, from http://tools.ietf.org/html/rfc3921
End-to-End Signing and Object Encryption for the Extensible Messaging and Presence Protocol (XMPP). (2004, October). Retrieved March 8, 2008, from http://tools.ietf.org/html/rfc3923
The XMPP Federation. Retrieved March 8, 2008, from https://www.xmpp.net
Simple Authentication and Security Layer (SASL). (2006, June). Retrieved March 8, 2008, from http://tools.ietf.org/html/rfc4422
QUESTIONS AND ANSWERS
Thank You!