-
H3rnand3zzz
Hi. Is there any file exchange ways/protocols that use encrypted channels, such as PGP?
-
Zash
Hello H3rnand3zzz. The currently common HTTP upload method should work just fine with PGP, same way it does with OMEMO.
-
Zash
https://xmpp.org/extensions/xep-0454.html
-
H3rnand3zzz
Omemo is great. But is there something for PGP?
-
Zash
Nothing about it should be specific to OMEMO
-
H3rnand3zzz
But the title os "XEP-0454: OMEMO Media sharing"✎ -
H3rnand3zzz
But the title is "XEP-0454: OMEMO Media sharing" ✏
-
Zash
The method itself has nothing to do with OMEMO, but of course you must respect the title. :)
-
Zash
Mostly it's done that way because of the old version of OMEMO that is used, that can only transport plain text messages.
-
Zash
No idea what is the state of methods involving full stanza encryption
-
H3rnand3zzz
But if I want to implement some kind of PGP transfer algorithm, how can I do it according to standard? Would it require developing of the proposal?
-
H3rnand3zzz
Full stanza encryption would probably require server-side support
-
Zash
No
-
H3rnand3zzz
What would be the most appropriate way to send PGP-encrypted file over XMPP protocol? Ideally, the recipient's client should automatically decrypt the file.
-
moparisthebest
H3rnand3zzz: Conversations just http uploads .pgp files
-
lovetox
Peter Waher, seems your client which is unknown to me uses sha-256 as hash algo for entity caps
-
lovetox
are you the developer of this client?
-
Peter Waher
yes
-
lovetox
any particular reason why you decided on sha-256, when its not mandatory for any client to implement?
-
Peter Waher
It is not prohibited, so we chose to use something else than sha-1 (which we consider should be phased out everywhere, if possible, as should md-algorithms). We interpret “MUST implement” in XEP-0115 to mean must support (as recipient of information), not MUST be used when publishing your hash (i.e. the words “An implementation MAY support other algorithms”). Clients should be encouraged to support more modern algorithms in our eyes.
-
MSavoritias (fae,ve)
0390 says for sha256
-
MSavoritias (fae,ve)
Or we dont follow that?
-
MSavoritias (fae,ve)
Mildly interested in whats the current thing here too
-
Link Mauve
Peter Waher, I would recommend you to go for it in XEP-0390 (or use an even better algorithm, for instance the faster blake3), but play safe with compatibility in XEP-0115 support.
-
jonas’
strictly speaking, https://xmpp.org/extensions/xep-0414.html is the reference for which hash functions to use within XMPP
-
MSavoritias (fae,ve)
Thanks 👍
-
jonas’
(and XEP-0300 has a common wire format for transporting hashes and announcing support for hashes, fwiw)
-
Peter Waher
XEP-0414 states SHA-1 SHOULD NOT be used, and SHA-256 MUST be supported… But XEP-0414 is also deferred, so I don’t know how much weight it has…
-
Link Mauve
jonas’, oh, XEP-0414 still hasn’t been updated for blake3.
-
MSavoritias (fae,ve)
Ah yeah 115 says only sha 1
-
pep.
Peter Waher, deferred is a lie, it's just that the spec is experimental :)
-
MSavoritias (fae,ve)
Which granted thats 390 exists✎ -
MSavoritias (fae,ve)
Which granted thats why 390 exists ✏
-
lovetox
Peter Waher, you are right that you are allowed to use anything you want when publishing, its just a weird decision for a protocol extension that is aimed at communicating capabilities to *other* clients, personally i would have chosen something that secures that as many clients as possible can deal with it. Especially as there is no gain in using something like sha256.
-
MSavoritias (fae,ve)
Yeah deffered means basically ask to implement imo
-
pep.
lovetox, "other clients" can include yourself too
-
jonas’
Link Mauve, as they say, patches welcome
-
Link Mauve
Sure, will do, I’m just writing other patches for other projects atm.
-
jonas’
MSavoritias (fae,ve), no, 390 exists because of collision attacks inherent to '115, the lack of hash agility could've been addressed in a much more simple manner
-
Peter Waher
Anyway: What algorithm you support shouldn’t really matter. I guess other clients just match (algorhm, hash) as string comparisons, to be one the safe side (i.e. support new algorithms as they arise), and do not try to decode or regenerate the digests.
-
Peter Waher
(before they decide to do a service discovery on an entity)
-
MSavoritias (fae,ve)
> MSavoritias (fae,ve), no, 390 exists because of collision attacks inherent to '115, the lack of hash agility could've been addressed in a much more simple manner Ah i thought it was the has agility ↺
-
MSavoritias (fae,ve)
Noted
-
pep.
What's the thing about 300 and 414, is one redundant?
-
jonas’
(the agility was part of it, granted, looking back at the motivation section)
-
jonas’
pep., no, one is wire format, one is recommendations for which things to actually use
-
pep.
Or one updating the other?
-
pep.
Ok
-
jonas’
pep., they were split from one another so that 300 could advance to Standards Track Stable, while 414 could become Informational Active
-
pep.
Ok cool 300 references 414
-
jonas’
(and all things can just refer to '414 for hash function recommendations even if they don't or cannot use the '300 wire format for whatever reason)
-
Link Mauve
Peter Waher, if a specification hardcodes a single hash in its examples, you can be sure many implementations will only ever support that one hash mechanism.
-
Peter Waher
You cannot consider all possible ways developers create bugs on the other hand…
-
Link Mauve
This one is a constant.
-
Peter Waher
where is it defined as a constant?
-
lovetox
im not sure what you mean by > and do not try to decode or regenerate the digests. I only except a hash into the cache if i verified that it was correctly computed, and thats why i need to compute it myself from the disco info, this means it depends on the language and ecosystem what hash algos are easily available✎ -
lovetox
im not sure what you mean by > and do not try to decode or regenerate the digests. I only accept a hash into the cache if i verified that it was correctly computed, and thats why i need to compute it myself from the disco info, this means it depends on the language and ecosystem what hash algos are easily available ✏
-
Link Mauve
Peter Waher, in human developers I guess.
-
moparisthebest
> These recommendations ought to be reviewed yearly by the XMPP Council
-
moparisthebest
https://burtrum.org/up/0e49768e-8b47-4c78-bf16-cebbd9b2c0d6/2zo1ki.jpg
-
jonas’
moparisthebest, it's not active yet!
-
pep.
What are you all waiting for! go make it active :P
-
Peter Waher
> i verified that it was correctly computed You cannot determine if it is correctly computed, unless you have the discovery information already (which you try to avoid to get). You can check if it has the correct length, but that would require you to recognize the algorithm used. But remember: The digest is not used to protect the information, just avoid performing a service discovery, similar to ETAG in HTTP, meaning, you perform the service discovery if you don’t recognize the digest from earlier. If it is “correct” or not, is really meaningless, from the receiving end. The point is to perform a new service discovery, only if the digest changes.
-
jonas’
Peter Waher, that is one way to use it, but I don't know of any client which implements it that way.
-
Peter Waher
(Also, if a client computes it “incorrectly”, but “consistently”, this method would still work.)
-
jonas’
The implementations I know have two maps: `jid -> digest` and `digest -> disco#info`. And they only accept entries in the second map after verifying that the digest matches the disco#info.
-
jonas’
(and they may persist the second map to disk, even)
-
Peter Waher
If you perform a validation of the digest as you say, you should support modern algorithms, btw.
-
jonas’
not for '115
-
jonas’
where the sha1 is the least of your problems, really
-
Peter Waher
anyway, let me know if I do anything incorrectly, that breaks any of the specifications. As I understand it, the use of SHA-256 does not break the specifications. Thanks for the input, good to know how others use the attribute.
-
lovetox
Peter Waher, if you dont verify that the hash was computed correctly it would be trivial to poisen your cache
-
Peter Waher
lovetox: Not if the cache was implemented as a cache (i.e. limiting number of digests / JID), as a cache should.
-
moparisthebest
Only if you share the cache across clients
-
Peter Waher
It is allowed to change hash often
-
jonas’
moparisthebest, across remote JIDs even
-
moparisthebest
Yes sorry that's what I meant
-
lovetox
Hm maybe i understand this wrong, you cache a hash per jid? would that make the cache less efficient?
-
Peter Waher
Also: You can only introduce new hash values from a JID, if you have access to that account. So a malicious actor injecting hash digests for a JID would have access to the credentials of those accounts. In such cases there are bigger problems.
-
Peter Waher
A client can change supported features often, and thus their digests
-
Peter Waher
If your cache is implemented to remember all digests over time, it will grow obviously
-
lovetox
i dont see how changing your hash because you change caps is of any relevance to the discussion
-
Peter Waher
Needlessly, btw
-
lovetox
so did i understand you correctly you save a hash per jid?
-
Peter Waher
no
-
Peter Waher
I do not save hashes per jid
-
Peter Waher
my caches work differently
-
Peter Waher
And include time and space considerations
-
Peter Waher
Unused elements are purged
-
lovetox
so if you query my disco info and i answer with almost no caps, but include the hash of your client, how will your client react to if it receives that hash from another user of your client?
-
Peter Waher
I don’t query disco, I receive presence with hash. If hash is not recognized from sender, I perform discovery. I consider every sender as its own universe, and do not assume digests mean the same thing from different senders, for the reasons mentioned above. I treat it as an ETAG basically.
-
lovetox
sound to me like you store hash per sender
-
moparisthebest
That's the only secure way to do it if you don't validate
-
lovetox
of course, and it makes caching less efficient
-
moparisthebest
But it's a nice way to support new-shiny-hash-algorithm without even knowing it exists
-
lovetox
because it means you will query each and every member of a 1000 member room, even if they all have the same client with the same caps
-
moparisthebest
Trade-offs all the way down
-
moparisthebest
You could do a combo
-
moparisthebest
Validated shared cache for algorithms you understand, per jid for those you don't
-
Peter Waher
Good idea.
-
lovetox
i mean all this means nothing if you dont support any p2p stuff anyway
-
lovetox
nobody uses disco info for anything serious other than jingle
-
Peter Waher
we definitely use it for other things than jingle
-
lovetox
for example?
-
Peter Waher
IoT and E2EE, just to mention two
-
Peter Waher
oh, and social networking capabilities, digital identities, smart contracts, tokenization and monetization.
-
lovetox
and all these things dont need to work if someone is offline? Because then the disco info query will not work
-
moparisthebest
Even jingle shouldn't really use caps right? If I log into a client that doesn't support calls I still want to see my missed calls when my other clients come back online
-
lovetox
yes i think this was solved for jingle calls
-
lovetox
they send now some message which is stored in MAM
-
lovetox
dont know if this is available for filetransfer as well
-
moparisthebest
Yea kind of makes sense for jingle file transfer though
-
lovetox
but yeah, ... seems you dont even need disco info for that
-
lovetox
now its just for "which client does this user use"
-
lovetox
its kind of important for services though, server, MUC etc
-
Peter Waher
BTW: If you share hashes between clients, as mentioned above (in the MUC case), you actually have the possibility to inject/poison caches (if using SHA-1): Consider a malicious user knowing about a new set of disco info, before others on a server (perhaps taking it forom another server). It calculates the hash, reports it to a new server (or many servers) who then perform service discovery, where the malicious user responds with some fake service discovery (which results in the same digest, as is possible now it seems, with SHA-1). As the server takes this as the defacto-response, it will not ask again, when other non-malicious users ask, and services will stop working on the new server, if service discovery is an intrinsical part of the operation. Not sure why anyone would do this, but there always seems to be one…✎ -
Peter Waher
BTW: If you share hashes between clients, as mentioned above (in the MUC case), you actually have the possibility to inject/poison caches (if using SHA-1): Consider a malicious user knowing about a new set of disco info, before others on a server (perhaps taking it from another server, or guessing it). It calculates the hash, reports it to a new server (or many servers) who then perform service discovery, where the malicious user responds with some fake service discovery (which results in the same digest, as is possible now it seems, with SHA-1). As the server takes this as the defacto-response, it will not ask again, when other non-malicious users ask, and services will stop working on the new server, if service discovery is an intrinsical part of the operation. Not sure why anyone would do this, but there always seems to be one… ✏
-
moparisthebest
I didn't think generating sha1 collisions was cheap enough to worry about that yet
-
Peter Waher
surely it will get cheaper
-
moparisthebest
I mean, git is a way juicier target if so
-
Peter Waher
yes
-
moparisthebest
We shouldn't worry about XMPP until high profile git repos start getting attacked :)
-
Peter Waher
but attackers attack what they can get away with
-
Peter Waher
also, there's state-sponsored hacking✎ -
Peter Waher
also, there's state-sponsored "hacking" ✏
-
moparisthebest
I agree it's just going to get cheaper/easier though
-
lovetox
lot of work/money to poisen a single hash, of course could happen
-
Link Mauve
Peter Waher, XEP-0115 makes it much easier to generate collisions than breaking SHA-1, see http://web.archive.org/web/20230118035239/https://mail.jabber.org/pipermail/security/2009-July/000812.html
-
Link Mauve
Much easier.
-
lovetox
and with again almost no gain, as said almost nobody uses disco info for anything serious
-
lovetox
Does anyone know why the XEP says > Because of how the hash output is used in entity capabilities, the protocol will not be subject to collision attacks even if the hash function used is found to be vulnerable to collision attacks.
-
lovetox
great, Link Mauve, so basically to be save against collisions the sha algo does not matter and we would need to cache per jid
-
Link Mauve
Correct.
-
flow
no, we need ecaps2
-
Link Mauve
Or indeed, XEP-0390.
-
Peter Waher
It is allowed to note multiple vulnerabilities (plural), and not only consider the most severe vulnerability, one at a time, of course. Especially if discussing implementation.
-
Peter Waher
it was a side note, btw
-
flow
lovetox, regarding the statement in the xep: that is a good question
-
flow
that sentence was added with https://github.com/xsf/xeps/commit/df683bc14448c51796d2bd4c657ad5fab38b01c0#diff-7317d93667443a69e313bdffd7125c1213ad5d6b38c8a2bdf26237fa902737e7R449
-
flow
so maybe ask psa