XEP-xxxx: Automatic Trust Transfer (ATT)

Abstract: ATT specifies an automatic transfer of trust in public identity keys used by the end-to-end encryption protocol OMEMO.
Author:Melvin Keskin
Copyright:© 1999 – 2018 XMPP Standards Foundation. SEE LEGAL NOTICES.
Status:ProtoXEP
Type:Standards Track
Version:0.0.1
Last Updated:2019-03-22

WARNING: This document has not yet been accepted for consideration or approved in any official manner by the XMPP Standards Foundation, and this document is not yet an XMPP Extension Protocol (XEP). If this document is accepted as a XEP by the XMPP Council, it will be published at <http://xmpp.org/extensions/> and announced on the <standards@xmpp.org> mailing list.


Table of Contents


1. Introduction
2. Glossary
3. Advantages
4. General Procedure
    4.1. Authentication
    4.2. Revocation
5. Trust Message URI
6. Use Cases
    6.1. Authenticating the Key of a Contact's Device
       6.1.1. Sending
       6.1.2. Receiving
    6.2. Authenticating the Key of an Own Device
       6.2.1. Sending
       6.2.2. Receiving
    6.3. Revoking the Trust in a Key
7. Implementation Notes
    7.1. Storing Trust Message Information from Devices with Unauthenticated Keys
    7.2. Storing Trust Message Information for Unknown Keys
    7.3. Reducing The Number of Trust Messages
       7.3.1. Using URIs Containing Multiple Keys
       7.3.2. Using Message Carbons
    7.4. GUI Considerations
8. Security Considerations
    8.1. Notification
    8.2. Recommended Security Policy
9. IANA Considerations
10. XMPP Registrar Considerations
11. XML Schema

Appendices
    A: Document Information
    B: Author Information
    C: Legal Notices
    D: Relation to XMPP
    E: Discussion Venue
    F: Requirements Conformance
    G: Notes
    H: Revision History


1. Introduction

ATT is used in conjunction with OMEMO Encryption (XEP-0384) [1] for automatically establishing secure channels protected against active attacks between a new device and existing ones after a single mutual manual authentication between the new device and one of the existing ones. It preserves the security level as if all devices had authenticated their keys manually. A trusted third party is not required since an ordinary OMEMO message is used for transferring the information needed to authenticate a public identity key or revoke the trust in that key. Additionally, authentications and revocations stay confidential, since trust messages are only sent to devices with authenticated public identity keys. That means an attacker cannot learn whether an authentication or revocation took place.

End-to-end encryption without verifying the authenticity of the exchanged public identity keys only enables users to protect their communication against passive attacks. This means an attacker cannot read encrypted messages in transit without actively intervening in the key exchange. However, without any other precautions active attacks are still possible. If an attacker replaces the exchanged keys with malicious ones, the end-to-end encrypted messages can be read and manipulated by the attacker.

When using OMEMO, a public identity key is transmitted over a channel which is not protected against active attacks. That key has to be authenticated by the receiving device over a channel which is protected against active attacks in order to maintain the confidentiality of sent OMEMO messages and to ensure the authenticity and integrity of received OMEMO messages.

When using OMEMO, each device has a unique identity key. For that reason, a new device does not need a copy of an existing private identity key in order to use end-to-end encryption. Additionally, per-device keys make it possible to stop encrypting for a specific device. For example, that could be done automatically after a given number of messages have been sent to a device without any reply from it that would advance the double ratchet and thereby provide forward and backward secrecy.

However, the downside of that approach is that it increases the number of key authentications users need to do for each new device to be protected against active attacks. Without ATT, every new key has to be mutually authenticated manually with each existing device. With ATT though, only one mutual manual authentication per new key is required.

2. Glossary

OMEMO message
Message encrypted using OMEMO
Device
See Device in OMEMO glossary [2]
Key
Public part of IdentityKey in OMEMO glossary [2]
Key identifier
Identifier for a key (e.g., a fingerprint or the key itself)
Key authentication
Verification that a key received over an insecure channel is actually the one of the assumed device
Manual key authentication
Key authentication with user interaction (e.g., QR code scanning, fingerprint verification)
Automatic key authentication
Key authentication without user interaction (e.g., via ATT)
Mutual key authentication
Key authentication in which two devices authenticate each other's key
Key revocation
Revoking the trust in a key
Manual key revocation
Key revocation with user interaction (e.g., clicking a "Revoke" button)
Automatic key revocation
Key revocation without user interaction (e.g., via ATT)
Trust message
OMEMO message which indicates that specific keys can be trusted (authentication) or no longer trusted (revocation). A trust message for a device's key sent to another device is a trust message that contains the key identifier of the given key for authentication or revocation.
Authentication message
Trust message which only contains key identifiers for authentication. If a trust message contains authentication and revocation parts, the term authentication message is used for referring to the trust message without revocation parts.
Revocation message
Trust message which only contains key identifiers for revocation. If a trust message contains authentication and revocation parts, the term revocation message is used for referring to the trust message without authentication parts.

3. Advantages

The goal of key authentication is to create an end-to-end encrypted communication network exclusively of devices with authenticated keys. As a result every communication channel between those devices is resistant against active attacks.

The network of devices which authenticated each other's keys can be seen as a complete graph where each device is a node and each mutual authentication is an edge. The number of edges grows for each new device by the number of existing nodes. This is due to the fact that in order to sustain secure channels between all devices, a new key has to be authenticated by all n existing devices and vice versa.

One of those n mutual authentications requires user interaction like scanning each other's QR code or comparing each other's key identifier by hand. That is the initial mutual manual authentication. The remaining authentications can be automated relying on the secure channel established by the initial mutual manual authentication and the secure channels already created by the same procedure between the rest of the devices.

For creating the described complete graph with n nodes, a total of T(n) = (n*(n-1))/2 ∊ O(n²) mutual authentications are needed. When using ATT, only n-1 ∊ O(n) of them have to be made manually. All remaining authentications can be performed automatically. Thus, less user interaction is needed for authenticating all keys involved in the secure communication while preserving the same security level.

4. General Procedure

This section explains the basic procedure of automatically authenticating or revoking a key by a trust message. It does not specify the detailed behaviour, which can be found in the section Use Cases. Instead, this section shows the fundamental idea behind ATT.

4.1 Authentication

  1. Device 1 manually authenticates the key of device 2. Device 1 automatically sends an authentication message for device 2's key to devices whose keys it has already authenticated and another authentication message for the keys of those devices to device 2.

  2. Device 2 manually authenticates the key of device 1. Device 2 automatically sends an authentication message for device 1's key to devices whose keys it has already authenticated and another authentication message for the keys of those devices to device 1.

  3. Device 1 automatically authenticates the keys of the authentication message from device 2. Each device receiving an authentication message from device 1 automatically authenticates device 2's key, if device 1's key has already been authenticated by it. Each device receiving an authentication message from device 2 automatically authenticates the corresponding keys, if device 2's key has been authenticated by it.

  4. Device 2 automatically authenticates the keys of the authentication message from device 1. Each device receiving an authentication message from device 2 automatically authenticates device 1's key, if device 2's key has already been authenticated by it. Each device receiving an authentication message from device 1 automatically authenticates the corresponding keys, if device 1's key has been authenticated by it.

4.2 Revocation

Device 1 manually revokes the trust in the key of device 2. Device 1 automatically sends a revocation message for device 2's key to devices whose keys it has already authenticated. Each device receiving a revocation message from device 1 automatically revokes the trust in device 2's key, if device 1's key has already been authenticated by it.

5. Trust Message URI

A trust message contains an XMPP URI (see XMPP URI Query Components (XEP-0147) [3]) defined by the following scheme:

Example 1. Scheme of a Trust Message URI

xmpp:<bare-jid>?omemo-trust;<auth|revoke>=<key-identifier-1>;<auth|revoke>=<key-identifier-2>;<...>;<auth|revoke>=<key-identifier-n>

Example 2. Example of a Trust Message URI

xmpp:user@example.org?omemo-trust;auth=623548d3835c6d33ef5cb680f7944ef381cf712bf23a0119dabe5c4f252cd02f;auth=d9f849b6b828309c5f2c8df4f38fd891887da5aaa24a22c50d52f69b4a80817e;revoke=b423f5088de9a924d51b31581723d850c7cc67d0a4fe6b267c3d301ff56d2413
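Parsing and building a trust message URI of this scheme, as an added example that is not code from the ProtoXEP. The URI layout follows Example 1. The check that a key identifier is 64 lowercase hex characters (a hex-encoded 32-byte key, as in Example 2) is an assumption of this example, since the spec only says a key identifier is "a fingerprint or the key itself"; rejecting a key identifier that is listed twice is likewise a choice of this example.

```python
"""Parser and builder for ATT trust message URIs (section 5).

Added example, not code from the ProtoXEP. The 64-hex-character rule for key
identifiers and the rejection of duplicate identifiers are assumptions here.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import quote, unquote

QUERY_TYPE = "omemo-trust"
ACTIONS = ("auth", "revoke")
KEY_ID_RE = re.compile(r"^[0-9a-f]{64}$")

# Example 2 of the spec, reused as input for the demonstration below.
EXAMPLE_URI = (
    "xmpp:user@example.org?omemo-trust"
    ";auth=623548d3835c6d33ef5cb680f7944ef381cf712bf23a0119dabe5c4f252cd02f"
    ";auth=d9f849b6b828309c5f2c8df4f38fd891887da5aaa24a22c50d52f69b4a80817e"
    ";revoke=b423f5088de9a924d51b31581723d850c7cc67d0a4fe6b267c3d301ff56d2413"
)


@dataclass
class TrustMessage:
    jid: str                        # bare JID that owns the listed keys
    auth: list = field(default_factory=list)
    revoke: list = field(default_factory=list)


def parse_trust_uri(uri: str) -> TrustMessage:
    """Parse an omemo-trust URI; raise ValueError on anything malformed."""
    if not uri.startswith("xmpp:"):
        raise ValueError("not an xmpp: URI")
    address, sep, query = uri[len("xmpp:"):].partition("?")
    if not sep:
        raise ValueError("missing query component")
    jid = unquote(address)
    # Only a bare JID is allowed: exactly one '@', no resource part.
    if jid.count("@") != 1 or "/" in jid or jid.startswith("@") or jid.endswith("@"):
        raise ValueError(f"expected a bare JID, got {jid!r}")
    query_type, *pairs = query.split(";")
    if query_type != QUERY_TYPE:
        raise ValueError(f"unexpected query type {query_type!r}")
    msg = TrustMessage(jid=jid)
    seen = set()
    for pair in pairs:
        action, sep, key_id = pair.partition("=")
        if not sep or action not in ACTIONS:
            raise ValueError(f"malformed key-value pair {pair!r}")
        key_id = unquote(key_id).lower()
        if not KEY_ID_RE.match(key_id):
            raise ValueError(f"bad key identifier {key_id!r}")
        if key_id in seen:
            # The same key authenticated and revoked (or listed twice) is
            # ambiguous; refuse rather than pick an interpretation.
            raise ValueError(f"key identifier listed more than once: {key_id}")
        seen.add(key_id)
        getattr(msg, action).append(key_id)
    if not seen:
        raise ValueError("trust message carries no key identifiers")
    return msg


def build_trust_uri(jid: str, auth=(), revoke=()) -> str:
    """Build the URI for one trust message: authentications first, then revocations."""
    for key_id in (*auth, *revoke):
        if not KEY_ID_RE.match(key_id):
            raise ValueError(f"bad key identifier {key_id!r}")
    parts = [f"auth={k}" for k in auth] + [f"revoke={k}" for k in revoke]
    if not parts:
        raise ValueError("nothing to authenticate or revoke")
    return f"xmpp:{quote(jid, safe='@')}?{QUERY_TYPE};" + ";".join(parts)


if __name__ == "__main__":
    parsed = parse_trust_uri(EXAMPLE_URI)
    print(parsed.jid, len(parsed.auth), "to authenticate,", len(parsed.revoke), "to revoke")
    assert build_trust_uri(parsed.jid, parsed.auth, parsed.revoke) == EXAMPLE_URI
```

A receiving client should treat the bare JID in the URI as the owner of the listed keys and still apply the rules of section 6 before acting on it; the parser only establishes that the message is well formed.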

6. Use Cases

Alice would like to use OMEMO when communicating with Bob. Alice has the devices A1, A2 and A3. Bob has the device B1. A1 has already authenticated A2's key. The other devices have not authenticated each other's key.

Note that the examples in the following use cases are consecutive and therefore must be read chronologically to properly understand them.

6.1 Authenticating the Key of a Contact's Device

6.1.1 Sending

Example: A1 authenticates B1's key.

A device that manually authenticates the key of a contact's device MUST send an authentication message for

  1. the key that has been authenticated, to each own device with an already authenticated key.

    Example: A1 sends an authentication message for B1's key to A2.

  2. each already authenticated key of all own devices, to the device whose key has been authenticated.

    Example: A1 sends an authentication message for A2's key to B1.

6.1.2 Receiving

A device that receives an authentication message for a key of a contact's device from

  1. an own device

    Example: A2 authenticates B1's key by the authentication message from A1 as soon as A2 has authenticated A1's key.

  2. or another device of that contact

    Example: B1 authenticates A2's key by the authentication message from A1 as soon as B1 has authenticated A1's key.

MUST authenticate the key as soon as the receiving device has authenticated the key of the device which sent the authentication message.

6.2 Authenticating the Key of an Own Device

6.2.1 Sending

Example: A2 has already authenticated A1's and B1's key. A2 authenticates A3's key.

A device that manually authenticates the key of an own device MUST send an authentication message for

  1. the key that has been authenticated to each other device with an already authenticated key.

    Example: A2 sends an authentication message for A3's key to A1 and B1.

  2. each already authenticated key of all devices to the device whose key has been authenticated.

    Example: A2 sends an authentication message for A1's and B1's key to A3.

6.2.2 Receiving

A device that receives an authentication message for a key of an own device from another own device MUST authenticate the key as soon as the receiving device has authenticated the key of the device which sent the authentication message.

Example: A1 authenticates A3's key by the authentication message from A2 as soon as A1 has authenticated A2's key.

6.3 Revoking the Trust in a Key

A client MAY send a revocation message for a key that is no longer trusted by the sending client so that the key will no longer be trusted by the receiving client either. A client receiving a revocation message SHOULD revoke the trust in the corresponding key.

// TODO Further discussion has to take place before finalizing this section.

7. Implementation Notes

7.1 Storing Trust Message Information from Devices with Unauthenticated Keys

A client MUST save the information of a trust message until the key of the device which sent the trust message is authenticated, so that the keys listed in the trust message can then be authenticated or revoked. Storing data of a trust message from a device with an unauthenticated key is necessary because the receiving device can only use that data after authenticating the sending device's key and that data might not be received again. Afterwards the information of the trust message MAY be deleted.

Example: When Alice's device A1 authenticates the key of Bob's device B1, A1 sends a trust message containing the key of Alice's other device A2 to B1. If B1 has not already authenticated A1's key, B1 stores the information provided by the trust message. Once B1 authenticates A1's key, it is able to automatically authenticate A2's key.

7.2 Storing Trust Message Information for Unknown Keys

A client MUST save the information of a trust message until it has fetched the keys listed in the trust message, so that those keys can then be authenticated or revoked. Afterwards the information of the trust message can be deleted.

Example: Alice's device A1 receives an authentication message from Bob's device B1. That authentication message contains the key of Bob's other device B2. If A1 has not already fetched B2's key, A1 stores the information provided by the trust message. Once A1 fetches B2's key, it is able to automatically authenticate B2's key.
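The sending rules of 6.1.1 and 6.2.1, the receiving rules of 6.1.2 and 6.2.2, and the pending storage of 7.1 and 7.2, run together over the use-case narrative of section 6, as an added example that is not code from the ProtoXEP or from any OMEMO client. The devices, the key identifiers (`key-of-A1` and so on) and the in-memory "network" that delivers trust messages and answers key fetches are constructed for this example; a real client would send OMEMO messages and fetch keys from the contact's published device list. The acceptance rule in `replay_pending` (accept from an own device for any key, or from another device of the key's owner, and drop a contact's message vouching for a third party's key) is this example's reading of 6.1.2 and 6.2.2.

```python
"""Simulation of ATT trust propagation (sections 6.1, 6.2, 7.1 and 7.2).

Added example, not code from the ProtoXEP or any OMEMO client. Devices, key
identifiers and the in-memory "network" are constructed for the example.
"""


class Network:
    """Constructed stand-in for the server: delivers trust messages, serves keys."""

    def __init__(self):
        self.devices = {}   # key id -> Device (also answers key fetches)

    def deliver(self, sender, receiver, action, key_ids):
        # An OMEMO message carries the sender's identity key, so the receiver
        # knows which key the trust message came from.
        receiver.receive(sender.key, action, list(key_ids))


class Device:
    def __init__(self, net, owner, name):
        self.net, self.owner, self.name = net, owner, name
        self.key = f"key-of-{name}"        # constructed key identifier
        self.authenticated = set()          # key ids this device has authenticated
        self.known = {self.key: owner}      # fetched keys: key id -> owning bare JID
        self.pending = []                   # (sender_key, action, key_id); 7.1 and 7.2
        net.devices[self.key] = self

    def fetch(self, key_id):
        """Section 7.2: fetch a key not seen before; False if nobody published it."""
        if key_id not in self.known:
            dev = self.net.devices.get(key_id)   # stands in for fetching the key
            if dev is None:
                return False
            self.known[key_id] = dev.owner
        return True

    def authenticated_devices(self):
        return [self.net.devices[k] for k in sorted(self.authenticated)]

    def manually_authenticate(self, key_id):
        """Sections 6.1.1 and 6.2.1: only manual authentication triggers sending."""
        if not self.fetch(key_id):
            raise KeyError(key_id)
        self.authenticated.add(key_id)
        target = self.net.devices[key_id]
        others = [d for d in self.authenticated_devices() if d is not target]
        if target.owner != self.owner:
            # 6.1.1: a contact's key is announced to own devices only, and the
            # contact is told only about the keys of own devices.
            others = [d for d in others if d.owner == self.owner]
        for dev in others:
            self.net.deliver(self, dev, "auth", [key_id])
        if others:
            self.net.deliver(self, target, "auth", [d.key for d in others])
        self.replay_pending()   # 7.1: stored data from this device is usable now

    def revoke(self, key_id):
        """Sections 4.2 and 6.3: manual revocation, announced to authenticated devices."""
        self.authenticated.discard(key_id)
        for dev in self.authenticated_devices():
            self.net.deliver(self, dev, "revoke", [key_id])

    def receive(self, sender_key, action, key_ids):
        """Sections 6.1.2 and 6.2.2; whatever cannot be used yet is stored."""
        self.pending.extend((sender_key, action, k) for k in key_ids)
        self.replay_pending()

    def replay_pending(self):
        keep = []
        for sender_key, action, key_id in self.pending:
            if sender_key not in self.authenticated or not self.fetch(key_id):
                keep.append((sender_key, action, key_id))   # 7.1 / 7.2: wait
                continue
            sender_owner, key_owner = self.known[sender_key], self.known[key_id]
            # Accept from an own device (any key) or from another device of the
            # key's owner; a contact vouching for a third party's key is dropped.
            if sender_owner not in (self.owner, key_owner):
                continue
            if action == "auth":
                self.authenticated.add(key_id)
            else:
                self.authenticated.discard(key_id)
        self.pending = keep


def run_scenario():
    """The use-case narrative of section 6: Alice has A1, A2, A3; Bob has B1."""
    net = Network()
    alice, bob = "alice@example.org", "bob@example.org"
    a1, a2, a3 = (Device(net, alice, n) for n in ("A1", "A2", "A3"))
    b1 = Device(net, bob, "B1")
    a1.fetch(a2.key); a1.authenticated.add(a2.key)   # starting state: A1 trusts A2
    a1.manually_authenticate(b1.key)   # 6.1.1: A2 and B1 store the messages (7.1)
    b1.manually_authenticate(a1.key)   # 6.1.2: B1 now authenticates A2 automatically
    a2.manually_authenticate(a1.key)   # 6.1.2: A2 now authenticates B1 automatically
    a2.manually_authenticate(a3.key)   # 6.2.1: A1 and B1 authenticate A3; A3 stores
    a3.manually_authenticate(a2.key)   # 6.2.2: A3 authenticates A1 and B1
    return {d.name: sorted(d.authenticated) for d in (a1, a2, a3, b1)}
```

After `run_scenario()` every device has authenticated the keys of the three others, that is, the complete graph of section 3, although only three mutual manual authentications (A1 with A2, A1 with B1, A2 with A3) took place. Note that automatic authentication never triggers further trust messages; only a manual authentication or revocation sends anything, which is what keeps the procedure from looping.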

7.3 Reducing The Number of Trust Messages

7.3.1 Using URIs Containing Multiple Keys

For reducing the number of trust messages sent to a device, a client MAY use a URI containing multiple keys that have been authenticated shortly after one another.

Example: Alice's device A1 authenticates the keys of Bob's devices B1 and B2 after scanning Bob's QR code containing their key identifiers. A1 sends one authentication message for all of the authenticated keys.

7.3.2 Using Message Carbons

Furthermore, a client MAY use Message Carbons (XEP-0280) [4] for sending a trust message to all devices of a contact or to all own devices at once. Then, by sending a trust message to the contact, each device of the contact and each own device receives the same trust message from the server. Thus, a client needs to send the same trust message only once. If not all devices of the contact should receive the trust message, the trust message MAY be sent to specific devices of the contact while Message Carbons MAY still be used for all own devices, and vice versa. Even when a client does not have any contacts yet, the client MAY use Message Carbons for delivering a trust message to all own devices. If a client receives a trust message with its own full JID as the sender, it SHOULD discard that message.

Example: Alice's device A1 authenticates the key of her device A2. A1 sends the trust message for A2's key only once to all of Alice's and Bob's devices by using Message Carbons.

Attention: In that context, sending a trust message to all devices of a contact or to all own devices does not mean to encrypt it with the keys of all those devices. Instead, it only means that all of those devices should receive the trust message even if it is not encrypted for some of them and thereby not decryptable by those devices. Keep in mind that a trust message MUST only be encrypted for devices with authenticated keys.

The drawback of using Message Carbons is that clients may show a message to the user that an OMEMO message was received which was not encrypted for the corresponding device.

7.4 GUI Considerations

A client that receives a trust message SHOULD NOT display its bare content to the user. Instead, the trust message SHOULD be hidden and the automatic authentication or revocation SHOULD take place in the background.

8. Security Considerations

8.1 Notification

After a successful authentication or revocation, the user MAY be informed of that event. The client MAY offer an option for requesting the user's confirmation before any automatic authentication or automatic revocation is performed.

8.2 Recommended Security Policy

Being protected against passive attacks is better than using no encryption at all. If it is not possible to authenticate a key before encrypting with it but it is desired to communicate with the key's device, it is RECOMMENDED to blindly trust new keys until the first authentication has been made.

Even ATT cannot protect the user against an attacker with a blindly trusted and undetected malicious key. For this reason it is important to take special care of the following security aspects.

If keys are blindly trusted until the first authentication, keys which are not authenticated by then MUST NOT be used any longer for encryption until they have been authenticated too. New keys MUST also only be used for encryption after they have been authenticated. Without these two additional precautions it is not possible to protect the user against attackers who introduced malicious keys before or after the first authentication.
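The three rules of this section (blind trust until the first authentication, no further use of still-unauthenticated keys after it, and no use of new keys until they are authenticated) as a small per-contact trust store, added here as an example that is not code from the ProtoXEP. The spec does not say whether "the first authentication" is scoped per contact or per account; scoping it per bare JID, the state names, and the `TrustStore` API are assumptions of this example.

```python
"""Key-usage policy from section 8.2 (blind trust until the first authentication).

Added example, not code from the ProtoXEP. Per-contact scoping of "the first
authentication", the state names and this API are assumptions of the example.
"""
from enum import Enum


class Trust(Enum):
    BLIND = "blind"                  # used without authentication, before the first one
    AUTHENTICATED = "authenticated"  # manually, or automatically via a trust message
    UNTRUSTED = "untrusted"          # not authenticated once the first authentication exists
    REVOKED = "revoked"


class TrustStore:
    def __init__(self):
        self.state = {}               # (bare JID, key id) -> Trust
        self.authenticated_once = set()   # bare JIDs with at least one authentication

    def _keys_of(self, jid):
        return {k: t for (j, k), t in self.state.items() if j == jid}

    def observe(self, jid, key_id):
        """A key of the contact was fetched. Before the first authentication it is
        blindly trusted (protection against passive attacks only); afterwards a
        new key MUST NOT be used until it has been authenticated."""
        if (jid, key_id) not in self.state:
            first_done = jid in self.authenticated_once
            self.state[(jid, key_id)] = Trust.UNTRUSTED if first_done else Trust.BLIND

    def authenticate(self, jid, key_id):
        """Manual or automatic (ATT) authentication. Keys that were only blindly
        trusted MUST NOT be used any longer until they are authenticated too."""
        self.observe(jid, key_id)
        self.state[(jid, key_id)] = Trust.AUTHENTICATED
        self.authenticated_once.add(jid)
        for k, t in self._keys_of(jid).items():
            if t is Trust.BLIND:
                self.state[(jid, k)] = Trust.UNTRUSTED

    def revoke(self, jid, key_id):
        """Manual or automatic (ATT) revocation; a revoked key is never used."""
        self.state[(jid, key_id)] = Trust.REVOKED

    def encryption_targets(self, jid):
        """Key ids a message to this contact may be encrypted for under the policy."""
        usable = (Trust.BLIND, Trust.AUTHENTICATED)
        return sorted(k for k, t in self._keys_of(jid).items() if t in usable)


if __name__ == "__main__":
    store, bob = TrustStore(), "bob@example.org"
    store.observe(bob, "k1"); store.observe(bob, "k2")
    print("before first authentication:", store.encryption_targets(bob))
    store.authenticate(bob, "k1")
    store.observe(bob, "k3")
    print("after first authentication: ", store.encryption_targets(bob))
```

The effect is that an attacker's key injected before the first authentication is cut off by that authentication, and one injected afterwards is never encrypted for; what the policy cannot do is tell the user that a blindly trusted key was malicious, which is why the notification option of 8.1 matters.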

9. IANA Considerations

REQUIRED.

10. XMPP Registrar Considerations

REQUIRED.

11. XML Schema

REQUIRED for protocol specifications.


Appendices


Appendix A: Document Information

Series: XEP
Number: xxxx
Publisher: XMPP Standards Foundation
Status: ProtoXEP
Type: Standards Track
Version: 0.0.1
Last Updated: 2019-03-22
Approving Body: XMPP Council
Dependencies: XMPP Core, XEP-0001, XEP-0147, XEP-0384
Supersedes: None
Superseded By: None
Short Name: NOT_YET_ASSIGNED


Appendix B: Author Information

Melvin Keskin

Email: melvo@olomono.de
JabberID: melvo@olomono.de


Appendix C: Legal Notices

Copyright

This XMPP Extension Protocol is copyright © 1999 – 2018 by the XMPP Standards Foundation (XSF).

Permissions

Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the "Specification"), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.

Disclaimer of Warranty

## NOTE WELL: This Specification is provided on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. ##

Limitation of Liability

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.

IPR Conformance

This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which can be found at <https://xmpp.org/about/xsf/ipr-policy> or obtained by writing to XMPP Standards Foundation, P.O. Box 787, Parker, CO 80134 USA).

Appendix D: Relation to XMPP

The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 6120) and XMPP IM (RFC 6121) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.


Appendix E: Discussion Venue

The primary venue for discussion of XMPP Extension Protocols is the <standards@xmpp.org> discussion list.

Discussion on other xmpp.org discussion lists might also be appropriate; see <http://xmpp.org/about/discuss.shtml> for a complete list.

Errata can be sent to <editor@xmpp.org>.


Appendix F: Requirements Conformance

The following requirements keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".


Appendix G: Notes

1. XEP-0384: OMEMO Encryption <https://xmpp.org/extensions/xep-0384.html>.

2. OMEMO glossary <https://xmpp.org/extensions/xep-0384.html#glossary-general>.

3. XEP-0147: XMPP URI Query Components <https://xmpp.org/extensions/xep-0147.html>.

4. XEP-0280: Message Carbons <https://xmpp.org/extensions/xep-0280.html>.


Appendix H: Revision History

Note: Older versions of this specification might be available at http://xmpp.org/extensions/attic/

Version 0.0.1 (2019-03-22)

First draft.

(mk)

END