Browse Source

Add 01 archives

master
Hernâni Marques 4 years ago
parent
commit
b93a522124
3 changed files with 2443 additions and 0 deletions
  1. +853
    -0
      pep-handshake/archive/draft-marques-pep-handshake-01.html
  2. +672
    -0
      pep-handshake/archive/draft-marques-pep-handshake-01.txt
  3. +918
    -0
      pep-handshake/archive/draft-marques-pep-handshake-01.xml

+ 853
- 0
pep-handshake/archive/draft-marques-pep-handshake-01.html View File

@ -0,0 +1,853 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<title>pretty Easy privacy (pEp): Contact and Channel Authentication through Handshake</title>
<style type="text/css" title="Xml2Rfc (sans serif)">
/*<![CDATA[*/
a {
text-decoration: none;
}
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a.smpl {
color: black;
}
a:hover {
text-decoration: underline;
}
a:active {
text-decoration: underline;
}
address {
margin-top: 1em;
margin-left: 2em;
font-style: normal;
}
body {
color: black;
font-family: verdana, helvetica, arial, sans-serif;
font-size: 10pt;
max-width: 55em;
}
cite {
font-style: normal;
}
dd {
margin-right: 2em;
}
dl {
margin-left: 2em;
}
ul.empty {
list-style-type: none;
}
ul.empty li {
margin-top: .5em;
}
dl p {
margin-left: 0em;
}
dt {
margin-top: .5em;
}
h1 {
font-size: 14pt;
line-height: 21pt;
page-break-after: avoid;
}
h1.np {
page-break-before: always;
}
h1 a {
color: #333333;
}
h2 {
font-size: 12pt;
line-height: 15pt;
page-break-after: avoid;
}
h3, h4, h5, h6 {
font-size: 10pt;
page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
color: black;
}
img {
margin-left: 3em;
}
li {
margin-left: 2em;
margin-right: 2em;
}
ol {
margin-left: 2em;
margin-right: 2em;
}
ol p {
margin-left: 0em;
}
p {
margin-left: 2em;
margin-right: 2em;
}
pre {
margin-left: 3em;
background-color: lightyellow;
padding: .25em;
}
pre.text2 {
border-style: dotted;
border-width: 1px;
background-color: #f0f0f0;
width: 69em;
}
pre.inline {
background-color: white;
padding: 0em;
}
pre.text {
border-style: dotted;
border-width: 1px;
background-color: #f8f8f8;
width: 69em;
}
pre.drawing {
border-style: solid;
border-width: 1px;
background-color: #f8f8f8;
padding: 2em;
}
table {
margin-left: 2em;
}
table.tt {
vertical-align: top;
}
table.full {
border-style: outset;
border-width: 1px;
}
table.headers {
border-style: outset;
border-width: 1px;
}
table.tt td {
vertical-align: top;
}
table.full td {
border-style: inset;
border-width: 1px;
}
table.tt th {
vertical-align: top;
}
table.full th {
border-style: inset;
border-width: 1px;
}
table.headers th {
border-style: none none inset none;
border-width: 1px;
}
table.left {
margin-right: auto;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
caption {
caption-side: bottom;
font-weight: bold;
font-size: 9pt;
margin-top: .5em;
}
table.header {
border-spacing: 1px;
width: 95%;
font-size: 10pt;
color: white;
}
td.top {
vertical-align: top;
}
td.topnowrap {
vertical-align: top;
white-space: nowrap;
}
table.header td {
background-color: gray;
width: 50%;
}
table.header a {
color: white;
}
td.reference {
vertical-align: top;
white-space: nowrap;
padding-right: 1em;
}
thead {
display:table-header-group;
}
ul.toc, ul.toc ul {
list-style: none;
margin-left: 1.5em;
margin-right: 0em;
padding-left: 0em;
}
ul.toc li {
line-height: 150%;
font-weight: bold;
font-size: 10pt;
margin-left: 0em;
margin-right: 0em;
}
ul.toc li li {
line-height: normal;
font-weight: normal;
font-size: 9pt;
margin-left: 0em;
margin-right: 0em;
}
li.excluded {
font-size: 0pt;
}
ul p {
margin-left: 0em;
}
.comment {
background-color: yellow;
}
.center {
text-align: center;
}
.error {
color: red;
font-style: italic;
font-weight: bold;
}
.figure {
font-weight: bold;
text-align: center;
font-size: 9pt;
}
.filename {
color: #333333;
font-weight: bold;
font-size: 12pt;
line-height: 21pt;
text-align: center;
}
.fn {
font-weight: bold;
}
.hidden {
display: none;
}
.left {
text-align: left;
}
.right {
text-align: right;
}
.title {
color: #990000;
font-size: 18pt;
line-height: 18pt;
font-weight: bold;
text-align: center;
margin-top: 36pt;
}
.vcardline {
display: block;
}
.warning {
font-size: 14pt;
background-color: yellow;
}
@media print {
.noprint {
display: none;
}
a {
color: black;
text-decoration: none;
}
table.header {
width: 90%;
}
td.header {
width: 50%;
color: black;
background-color: white;
vertical-align: top;
font-size: 12pt;
}
ul.toc a::after {
content: leader('.') target-counter(attr(href), page);
}
ul.ind li li a {
content: target-counter(attr(href), page);
}
.print2col {
column-count: 2;
-moz-column-count: 2;
column-fill: auto;
}
}
@page {
@top-left {
content: "Internet-Draft";
}
@top-right {
content: "December 2010";
}
@top-center {
content: "Abbreviated Title";
}
@bottom-left {
content: "Doe";
}
@bottom-center {
content: "Expires June 2011";
}
@bottom-right {
content: "[Page " counter(page) "]";
}
}
@page:first {
@top-left {
content: normal;
}
@top-right {
content: normal;
}
@top-center {
content: normal;
}
}
/*]]>*/
</style>
<link href="#rfc.toc" rel="Contents">
<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
<link href="#rfc.section.2" rel="Chapter" title="2 Terms">
<link href="#rfc.section.3" rel="Chapter" title="3 Problem Statement">
<link href="#rfc.section.3.1" rel="Chapter" title="3.1 Use Cases">
<link href="#rfc.section.3.2" rel="Chapter" title="3.2 Existing Solutions">
<link href="#rfc.section.4" rel="Chapter" title="4 The pEp Handshake Proposal">
<link href="#rfc.section.4.1" rel="Chapter" title="4.1 Verification Process">
<link href="#rfc.section.4.1.1" rel="Chapter" title="4.1.1 Short, Long and Full Trustword Mapping">
<link href="#rfc.section.4.1.2" rel="Chapter" title="4.1.2 Display Modes">
<link href="#rfc.section.5" rel="Chapter" title="5 Security Considerations">
<link href="#rfc.section.6" rel="Chapter" title="6 Implementation Status">
<link href="#rfc.section.6.1" rel="Chapter" title="6.1 Introduction">
<link href="#rfc.section.6.2" rel="Chapter" title="6.2 Running Code">
<link href="#rfc.section.7" rel="Chapter" title="7 Acknowledgements">
<link href="#rfc.references" rel="Chapter" title="8 References">
<link href="#rfc.references.1" rel="Chapter" title="8.1 Normative References">
<link href="#rfc.references.2" rel="Chapter" title="8.2 Informative References">
<link href="#rfc.appendix.A" rel="Chapter" title="A Document Changelog">
<link href="#rfc.appendix.B" rel="Chapter" title="B Open Issues">
<link href="#rfc.authors" rel="Chapter">
<meta name="generator" content="xml2rfc version 2.9.8 - https://tools.ietf.org/tools/xml2rfc" />
<link rel="schema.dct" href="http://purl.org/dc/terms/" />
<meta name="dct.creator" content="Marques, H. and B. Hoeneisen" />
<meta name="dct.identifier" content="urn:ietf:id:draft-marques-pep-handshake-01" />
<meta name="dct.issued" scheme="ISO8601" content="2018-10-24" />
<meta name="dct.abstract" content="In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed; the latter to prevent man-in-the-middle (MITM) attacks." />
<meta name="description" content="In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed; the latter to prevent man-in-the-middle (MITM) attacks." />
</head>
<body>
<table class="header">
<tbody>
<tr>
<td class="left">Network Working Group</td>
<td class="right">H. Marques</td>
</tr>
<tr>
<td class="left">Internet-Draft</td>
<td class="right">pEp Foundation</td>
</tr>
<tr>
<td class="left">Intended status: Informational</td>
<td class="right">B. Hoeneisen</td>
</tr>
<tr>
<td class="left">Expires: April 27, 2019</td>
<td class="right">Ucom.ch</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">October 24, 2018</td>
</tr>
</tbody>
</table>
<p class="title">pretty Easy privacy (pEp): Contact and Channel Authentication through Handshake<br />
<span class="filename">draft-marques-pep-handshake-01</span></p>
<h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
<p>In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed; the latter to prevent man-in-the-middle (MITM) attacks.</p>
<p>This document proposes a new method to easily verify a public key is authentic by a Handshake process that allows users to easily authenticate their communication channel. The new method is targeted to Opportunistic Security scenarios and is already implemented in several applications of pretty Easy privacy (pEp).</p>
<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
<p>This Internet-Draft will expire on April 27, 2019.</p>
<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
<p>Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
<hr class="noprint" />
<h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
<ul class="toc">
<li>1. <a href="#rfc.section.1">Introduction</a>
</li>
<li>2. <a href="#rfc.section.2">Terms</a>
</li>
<li>3. <a href="#rfc.section.3">Problem Statement</a>
</li>
<ul><li>3.1. <a href="#rfc.section.3.1">Use Cases</a>
</li>
<li>3.2. <a href="#rfc.section.3.2">Existing Solutions</a>
</li>
</ul><li>4. <a href="#rfc.section.4">The pEp Handshake Proposal</a>
</li>
<ul><li>4.1. <a href="#rfc.section.4.1">Verification Process</a>
</li>
<ul><li>4.1.1. <a href="#rfc.section.4.1.1">Short, Long and Full Trustword Mapping</a>
</li>
<li>4.1.2. <a href="#rfc.section.4.1.2">Display Modes</a>
</li>
</ul></ul><li>5. <a href="#rfc.section.5">Security Considerations</a>
</li>
<li>6. <a href="#rfc.section.6">Implementation Status</a>
</li>
<ul><li>6.1. <a href="#rfc.section.6.1">Introduction</a>
</li>
<li>6.2. <a href="#rfc.section.6.2">Running Code</a>
</li>
</ul><li>7. <a href="#rfc.section.7">Acknowledgements</a>
</li>
<li>8. <a href="#rfc.references">References</a>
</li>
<ul><li>8.1. <a href="#rfc.references.1">Normative References</a>
</li>
<li>8.2. <a href="#rfc.references.2">Informative References</a>
</li>
</ul><li>Appendix A. <a href="#rfc.appendix.A">Document Changelog</a>
</li>
<li>Appendix B. <a href="#rfc.appendix.B">Open Issues</a>
</li>
<li><a href="#rfc.authors">Authors' Addresses</a>
</li>
</ul>
<h1 id="rfc.section.1">
<a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a>
</h1>
<p id="rfc.section.1.p.1">In interpersonal messaging end-to-end encryption means for public key distribution and verification of its authenticity are needed.</p>
<p id="rfc.section.1.p.2">Examples for key distribution include:</p>
<p></p>
<ul>
<li>Exchange public keys out-of-band before encrypted communication</li>
<li>Use of centralized public key stores (e.g., OpenPGP Key Servers)</li>
<li>Ship public keys in-band when communicating</li>
</ul>
<p id="rfc.section.1.p.4">To prevent man-in-the-middle (MITM) attacks, additionally the authenticity of a public key needs to be verified. Methods to authenticate public keys of peers include, e.g., to verify digital signatures of public keys (which may be signed in a hierarchical or flat manner, e.g., by a Web of Trust (WoT)), to compare the public key&#8217;s fingerprints via a suitable independent channel, or to scan a QR mapping of the fingerprint (cf. <a href="#problem-statement" class="xref">Section 3</a>).</p>
<p id="rfc.section.1.p.5">This document proposes a new method to verify the authenticity of public keys by a Handshake process that allows users to easily verify their communication channel. Fingerprints of the involved peers are combined and mapped to (common) Trustwords <a href="#I-D.birk-pep-trustwords" class="xref">[I-D.birk-pep-trustwords]</a>. The successful manual comparison of these Trustwords is used to consider the communication channel as trusted.</p>
<p id="rfc.section.1.p.6">The proposed method is already implemented and used in applications of pretty Easy privacy (pEp) <a href="#I-D.birk-pep" class="xref">[I-D.birk-pep]</a>. This document is targeted to applications based on the pEp framework and Opportunistic Security <a href="#RFC7435" class="xref">[RFC7435]</a>. However, it may be also used in other applications as suitable.</p>
<p id="rfc.section.1.p.7">Note: The pEp framework <a href="#I-D.birk-pep" class="xref">[I-D.birk-pep]</a> proposes to automatize the use of end-to-end encryption for Internet users of email and other messaging applications and introduces methods to easily allow authentication.</p>
<h1 id="rfc.section.2">
<a href="#rfc.section.2">2.</a> <a href="#terms" id="terms">Terms</a>
</h1>
<pre>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in {{RFC2119}}.
* Handshake: The process when Alice -- e.g. in-person or via phone --
contacts Bob to verify Trustwords (or by fallback: fingerprints) is
called Handshake. {{I-D.marques-pep-handshake}}
* Trustwords: A scalar-to-word representation of 16-bit numbers (0 to
65535) to natural language words. When doing a Handshake, peers are
shown combined Trustwords of both public keys involved to ease the
comparison. {{I-D.birk-pep-trustwords}}
* Trust on First Use (TOFU): cf. {{RFC7435}}
* Man-in-the-middle attack (MITM): cf. {{RFC4949}}
</pre>
<h1 id="rfc.section.3">
<a href="#rfc.section.3">3.</a> <a href="#problem-statement" id="problem-statement">Problem Statement</a>
</h1>
<p id="rfc.section.3.p.1">To secure a communication channel, in public key cryptography each involved peer needs a key pair. Its public key needs to be shared to other peers by some means. However, the key obtained by the receiver may have been substituted or tampered with to allow for re-encryption attacks. To prevent such man-in-the-middle (MITM) attacks, an important step is to verify the authenticity of a public key obtained.</p>
<h1 id="rfc.section.3.1">
<a href="#rfc.section.3.1">3.1.</a> <a href="#use-cases" id="use-cases">Use Cases</a>
</h1>
<p id="rfc.section.3.1.p.1">Such a verification process is useful in at least two scenarios:</p>
<p></p>
<ul>
<li>Verify channels to peers, e.g., to make sure opportunistically exchanged keys for end-to-end encryption are authentic.</li>
<li>Verify channels between own devices (in multi-device contexts), e.g., for the purpose of importing and synchronizing keys among different devices belonging to the same user (cf. <a href="#E-D.birk-pep-keysync" class="xref">[E-D.birk-pep-keysync]</a>). This scenario is comparable to Bluetooth pairing before starting data transfers.</li>
</ul>
<h1 id="rfc.section.3.2">
<a href="#rfc.section.3.2">3.2.</a> <a href="#existing-solutions" id="existing-solutions">Existing Solutions</a>
</h1>
<p id="rfc.section.3.2.p.1">Current methods to authenticate public keys of peers include:</p>
<p></p>
<ul>
<li>Digitally signed public keys are verified by a chain of trust. Two trust models are common in today&#8217;s implementations. <ul>
<li>Signing is carried out hierarchically, e.g. in a Public Key Infrastructure (PKI) <a href="#RFC5280" class="xref">[RFC5280]</a>, in which case the verification is based on a chain of trust with a Trust Anchor (TA) at the root.</li>
<li>Signing of public keys is done in a flat manner (by a Web of Trust), e.g., key signing in OpenPGP <a href="#RFC4880" class="xref">[RFC4880]</a>, where users sign the public keys of other users. Verification may be based on transitive trust.</li>
</ul>
</li>
<li>Peers are expected to directly compare the public key&#8217;s fingerprints by any suitable independent channel &#8211; e.g, by phone or with a face-to-face meeting. This method is often used in OpenPGP <a href="#RFC4880" class="xref">[RFC4880]</a> contexts.</li>
<li>The public keys&#8217; fingerprints are mapped into a QR code, which is expected to be scanned between the peers when they happen to meet face-to-face. This method is e.g. used in the chat application Threema <a href="#threema" class="xref">[threema]</a>.</li>
<li>The public keys&#8217; fingerprints are mapped into numerical codes which decimal digits only (so-called &#8220;safety numbers&#8221;), which makes the strings the humans need to compare easier in respect to hexacodes, but longer and thus nevertheless cumbersome. This method is e.g. used in the chat application Signal <a href="#signal" class="xref">[signal]</a>.</li>
</ul>
<p id="rfc.section.3.2.p.3">Some of the methods can even be used in conjunction with Trustwords <a href="#I-D.birk-pep-trustwords" class="xref">[I-D.birk-pep-trustwords]</a> or the PGP Word list <a href="#PGP.wl" class="xref">[PGP.wl]</a>.</p>
<p id="rfc.section.3.2.p.4">None of the existing solutions meets all requirements set up by pEp <a href="#I-D.birk-pep" class="xref">[I-D.birk-pep]</a>, e.g.:</p>
<p></p>
<ul>
<li>Easy solution that can be handled easily by ordinary users</li>
<li>In case privacy and security contradict each other, privacy is always preferred over security (e.g., the Web of Trust contradicts privacy)</li>
<li>No central entities</li>
</ul>
<p id="rfc.section.3.2.p.6">Most of today&#8217;s systems lack easy ways for users to authenticate their communication channel. Some methods leak private data (e.g., their social graph) or depend on central entities. Thus, none of today&#8217;s systems fulfills all of the pEp requirements (cf. above).</p>
<h1 id="rfc.section.4">
<a href="#rfc.section.4">4.</a> <a href="#the-pep-handshake-proposal" id="the-pep-handshake-proposal">The pEp Handshake Proposal</a>
</h1>
<p id="rfc.section.4.p.1">In pretty Easy privacy (pEp), the proposed approach for peers to authenticate each other is to engage in the pEp Handshake.</p>
<p id="rfc.section.4.p.2">In current pEp implementations (cf. <a href="#running-code" class="xref">Section 6.2</a>), the same kinds of keys as in OpenPGP are used. Such keys include a fingerprint as cryptographic hash over the public key. This fingerprint is normally represented in a hexadecimal form, consisting of ten 4-digit hexadecimal blocks, e.g.:</p>
<p></p>
<ul class="empty"><li>8E31 EF52 1D47 5183 3E9D EADC 0FFE E7A5 7E5B AD19</li></ul>
<p id="rfc.section.4.p.4">Each block may also be represented in decimal numbers from 0 to 65535 or in other numerical forms, e.g.</p>
<p></p>
<ul>
<li>Hexadecimal: 8E31</li>
<li>Decimal: 36401</li>
<li>Binary: 1000111000110001</li>
</ul>
<h1 id="rfc.section.4.1">
<a href="#rfc.section.4.1">4.1.</a> <a href="#verification-process" id="verification-process">Verification Process</a>
</h1>
<p id="rfc.section.4.1.p.1">In the pEp Handshake the fingerprints of any two peers involved are combined and displayed in form of Trustwords <a href="#I-D.birk-pep-trustwords" class="xref">[I-D.birk-pep-trustwords]</a> for easy comparison by the involved parties.</p>
<p id="rfc.section.4.1.p.2">The default verification process involves three steps:</p>
<p></p>
<ol>
<li>Combining fingerprints by XOR function <br><br> Any two peers&#8217; fingerprints are combined bit-by-bit using the Exclusive-OR (XOR) function resulting in the Combined Fingerprint (CFP).</li>
<li>Mapping result to Trustwords: <br><br> The CFP is then mapped to 16-bit Trustwords (i.e., every 4-digit hexadecimal block is mapped to a given Trustword) resulting in the Trustword Mapping (TWM).</li>
<li>Verify Trustwords over independent channel <br><br> The resulting Trustwords (TWM) are compared and verified over an independent channel, e.g., a phone line. If this step was successful, the channel can be marked as authenticated.</li>
</ol>
<p id="rfc.section.4.1.p.4">Note: In prior implementations of pEp the fingerprints of any two peers were concatenated. While this has the advantage that the own identity&#8217;s Trustwords can be printed on a business card (like with fingerprints) or on contact sites or in signature texts of emails, this at the same time has the drawback that users might not carefully compare the words as they start to remember and recognize their Trustwords in the concatenated mapping. The avoid to train users in doing so, Trustwords for any peer-to-peer combination shall very probably differ.</p>
<h1 id="rfc.section.4.1.1">
<a href="#rfc.section.4.1.1">4.1.1.</a> <a href="#short-long-and-full-trustword-mapping" id="short-long-and-full-trustword-mapping">Short, Long and Full Trustword Mapping</a>
</h1>
<p id="rfc.section.4.1.1.p.1">The more an ordinary user needs to contribute to a process, the less likely a user will carry out all steps carefully. In particular, it was observed that a simple (manual) comparison of OpenPGP fingerprints is rarely carried out to the full extent, i.e., mostly only parts of the fingerprint are compared, if at all.</p>
<p id="rfc.section.4.1.1.p.2">For usability reasons and to create incentives for people to actually carry out a Handshake (while maintaining an certain level of entropy), pEp allows for different entropy levels, i.e.:</p>
<p></p>
<ol>
<li>Full Trustword Mapping (F-TWM) [aka Full Trustwords] MUST represent the maximum entropy achievable by the mapping. This means all Trustwords of a TWM MUST be displayed and compared. <br><br> E.g., the fingerprint <ul class="empty"><li>F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC 3F13</li></ul>
<p> is mapped to </p>
<ul class="empty"><li>dog house brother town fat bath school banana kite task</li></ul>
</li>
<li>Long Trustword Mapping (L-TWM) [aka Long Trustwords] requires a number of Trustwords that MUST retain at least 128 bits of entropy. This means that a usually larger part of the FWM is displayed, only a smaller fraction might be omitted. <br><br> E.g., the fingerprint <ul class="empty"><li>F482 E952 2F48 618B 01BC 31DC 5428 D7FA [ ACDC 3F13 ]</li></ul>
<p> is mapped to </p>
<ul class="empty"><li>dog house brother town fat bath school banana [ remaining Trustwords omitted ]</li></ul>
</li>
<li>Short Trustword Mapping (S-TWM) [aka Short Trustwords] requires a number of Trustwords that MUST retain at least 64 bits of entropy. This means that a part of the TWM is displayed and compared, the remaining Trustwords are omitted. <br><br> E.g., the fingerprint <ul class="empty"><li>F482 E952 2F48 618B 01BC [ 31DC 5428 D7FA ACDC 3F13 ]</li></ul>
<p> is mapped to </p>
<ul class="empty"><li>dog house brother town fat [ remaining Trustwords omitted ]</li></ul>
</li>
</ol>
<h1 id="rfc.section.4.1.2">
<a href="#rfc.section.4.1.2">4.1.2.</a> <a href="#display-modes" id="display-modes">Display Modes</a>
</h1>
<p id="rfc.section.4.1.2.p.1">The pEp Handshake has three display modes for the verification process. All of the following modes MUST be implemented:</p>
<p></p>
<ol>
<li>S-TWM mode (default) <br><br> By default the S-TWM SHOULD be displayed to the user for comparison and verification. An easy way to switch to F-TWM mode MUST be implemented and an easy way to switch to fingerprint mode SHOULD be implemented.</li>
<li>L-TWM mode <br><br> There are situations, where S-TWM is not sufficient (e.g., communication parties that are more likely under attack), in which the F-TWM MAY be displayed to the user by default. An easy way to switch to L-TWM mode MUST be implemented and a way to switch to fingerprint mode SHOULD be implemented, too.</li>
<li>F-TWM mode <br><br> A way to display the full Trustword mapping achievable SHOULD be provided, too.</li>
<li>Fingerprint mode (fallback) <br><br> To retain compatibility to existing OpenPGP users (that know nothing about Trustwords), the fingerprint mode, a fallback to compare the original fingerprints (usually in hexadecimal form) MAY be used. Easy ways to switch back to the TWM modes supported MUST be implemented.</li>
</ol>
<p id="rfc.section.4.1.2.p.3">If the verification process was successful, the user confirms it, e.g. by setting a check mark. Once the user has confirmed it, the Privacy Status <a href="#I-D.marques-pep-rating" class="xref">[I-D.marques-pep-rating]</a> for this channel MUST be updated accordingly.</p>
<h1 id="rfc.section.5">
<a href="#rfc.section.5">5.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
</h1>
<p id="rfc.section.5.p.1">A (global) adversary can pre-generate all Trustwords any two users expect to compare and try to engage in MITM attacks which fit &#8211; it MUST NOT be assumed public keys and thus fingerprints to be something to stay secret, especially as in pEp public keys are aggressively distributed to all peers. Also similar Trustwords can be generated, which spelled on the phone might sound very similar.</p>
<h1 id="rfc.section.6">
<a href="#rfc.section.6">6.</a> <a href="#implementation-status" id="implementation-status">Implementation Status</a>
</h1>
<h1 id="rfc.section.6.1">
<a href="#rfc.section.6.1">6.1.</a> <a href="#introduction-1" id="introduction-1">Introduction</a>
</h1>
<p id="rfc.section.6.1.p.1">This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in <a href="#RFC7942" class="xref">[RFC7942]</a>. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.</p>
<p id="rfc.section.6.1.p.2">According to <a href="#RFC7942" class="xref">[RFC7942]</a>, &#8220;[&#8230;] this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit.&#8221;</p>
<h1 id="rfc.section.6.2">
<a href="#rfc.section.6.2">6.2.</a> <a href="#running-code" id="running-code">Running Code</a>
</h1>
<p id="rfc.section.6.2.p.1">In pEp for email <a href="#I-D.marques-pep-email" class="xref">[I-D.marques-pep-email]</a> contexts, Handshakes are already implemented for the following platforms:</p>
<p></p>
<ul>
<li>Android, in pEp for Android &#8211; release <a href="#SRC.pepforandroid" class="xref">[SRC.pepforandroid]</a>
</li>
<li>Enigmail, in the Enigmail/pEp mode &#8211; release used for new Enigmail users of version 2.0 <a href="#SRC.enigmailpep" class="xref">[SRC.enigmailpep]</a>
</li>
<li>iOS, in pEp for iOS &#8211; not yet released <a href="#SRC.pepforios" class="xref">[SRC.pepforios]</a>
</li>
<li>Outlook, in pEp for Outlook &#8211; commercial release <a href="#SRC.pepforoutlook" class="xref">[SRC.pepforoutlook]</a>
</li>
</ul>
<p id="rfc.section.6.2.p.3">In pEp for Outlook also keys from other devices can be imported by the Handshake method.</p>
<h1 id="rfc.section.7">
<a href="#rfc.section.7">7.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
</h1>
<p id="rfc.section.7.p.1">Special thanks to Volker Birk and Leon Schumacher who developed the original concept of the pEp Handshake.</p>
<p id="rfc.section.7.p.2">This work was initially created by pEp Foundation, and then reviewed and extended with funding by the Internet Society&#8217;s Beyond the Net Programme on standardizing pEp. <a href="#ISOC.bnet" class="xref">[ISOC.bnet]</a></p>
<h1 id="rfc.references">
<a href="#rfc.references">8.</a> References</h1>
<h1 id="rfc.references.1">
<a href="#rfc.references.1">8.1.</a> Normative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="I-D.birk-pep">[I-D.birk-pep]</b></td>
<td class="top">
<a>Birk, V.</a>, <a>Marques, H.</a> and <a>S. Shelburn</a>, "<a href="https://tools.ietf.org/html/draft-birk-pep-02">pretty Easy privacy (pEp): Privacy by Default</a>", Internet-Draft draft-birk-pep-02, June 2018.</td>
</tr>
<tr>
<td class="reference"><b id="I-D.birk-pep-trustwords">[I-D.birk-pep-trustwords]</b></td>
<td class="top">
<a>Birk, V.</a>, <a>Marques, H.</a> and <a>B. Hoeneisen</a>, "<a href="https://tools.ietf.org/html/draft-birk-pep-trustwords-02">IANA Registration of Trustword Lists: Guide, Template and IANA Considerations</a>", Internet-Draft draft-birk-pep-trustwords-02, June 2018.</td>
</tr>
<tr>
<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
<td class="top">
<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
</tr>
<tr>
<td class="reference"><b id="RFC4949">[RFC4949]</b></td>
<td class="top">
<a>Shirey, R.</a>, "<a href="https://tools.ietf.org/html/rfc4949">Internet Security Glossary, Version 2</a>", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.</td>
</tr>
<tr>
<td class="reference"><b id="RFC7435">[RFC7435]</b></td>
<td class="top">
<a>Dukhovni, V.</a>, "<a href="https://tools.ietf.org/html/rfc7435">Opportunistic Security: Some Protection Most of the Time</a>", RFC 7435, DOI 10.17487/RFC7435, December 2014.</td>
</tr>
</tbody></table>
<h1 id="rfc.references.2">
<a href="#rfc.references.2">8.2.</a> Informative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="E-D.birk-pep-keysync">[E-D.birk-pep-keysync]</b></td>
<td class="top">
<a>Birk, V.</a> and <a>H. Marques</a>, "<a href="https://pep.foundation/dev/repos/internet-drafts/file/tip/pep-keysync/draft-birk-pep-keysync-NN.txt">pretty Easy privacy (pEp): Key Synchronization Protocol</a>", June 2018.<p>Early draft</p>
</td>
</tr>
<tr>
<td class="reference"><b id="I-D.marques-pep-email">[I-D.marques-pep-email]</b></td>
<td class="top">
<a>Marques, H.</a>, "<a href="https://tools.ietf.org/html/draft-marques-pep-email-01">pretty Easy privacy (pEp): Email Formats and Protocols</a>", Internet-Draft draft-marques-pep-email-01, July 2018.</td>
</tr>
<tr>
<td class="reference"><b id="I-D.marques-pep-rating">[I-D.marques-pep-rating]</b></td>
<td class="top">
<a>Marques, H.</a> and <a>B. Hoeneisen</a>, "<a href="https://tools.ietf.org/html/draft-marques-pep-rating-00">pretty Easy privacy (pEp): Mapping of Privacy Rating</a>", Internet-Draft draft-marques-pep-rating-00, July 2018.</td>
</tr>
<tr>
<td class="reference"><b id="ISOC.bnet">[ISOC.bnet]</b></td>
<td class="top">
<a>Simao, I.</a>, "<a href="https://www.internetsociety.org/blog/2017/06/12-innovative-projects-selected-for-beyond-the-net-funding/">Beyond the Net. 12 Innovative Projects Selected for Beyond the Net Funding. Implementing Privacy via Mass Encryption: Standardizing pretty Easy privacy&#8217;s protocols</a>", June 2017.</td>
</tr>
<tr>
<td class="reference"><b id="PGP.wl">[PGP.wl]</b></td>
<td class="top">"<a href="https://en.wikipedia.org/w/index.php?title=PGP_word_list&amp;oldid=749481933">PGP word list</a>", November 2017.</td>
</tr>
<tr>
<td class="reference"><b id="RFC4880">[RFC4880]</b></td>
<td class="top">
<a>Callas, J.</a>, <a>Donnerhacke, L.</a>, <a>Finney, H.</a>, <a>Shaw, D.</a> and <a>R. Thayer</a>, "<a href="https://tools.ietf.org/html/rfc4880">OpenPGP Message Format</a>", RFC 4880, DOI 10.17487/RFC4880, November 2007.</td>
</tr>
<tr>
<td class="reference"><b id="RFC5280">[RFC5280]</b></td>
<td class="top">
<a>Cooper, D.</a>, <a>Santesson, S.</a>, <a>Farrell, S.</a>, <a>Boeyen, S.</a>, <a>Housley, R.</a> and <a>W. Polk</a>, "<a href="https://tools.ietf.org/html/rfc5280">Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</a>", RFC 5280, DOI 10.17487/RFC5280, May 2008.</td>
</tr>
<tr>
<td class="reference"><b id="RFC7942">[RFC7942]</b></td>
<td class="top">
<a>Sheffer, Y.</a> and <a>A. Farrel</a>, "<a href="https://tools.ietf.org/html/rfc7942">Improving Awareness of Running Code: The Implementation Status Section</a>", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016.</td>
</tr>
<tr>
<td class="reference"><b id="signal">[signal]</b></td>
<td class="top">"<a href="https://signal.org/">Signal</a>", n.d..</td>
</tr>
<tr>
<td class="reference"><b id="SRC.enigmailpep">[SRC.enigmailpep]</b></td>
<td class="top">"<a href="https://enigmail.net/index.php/en/download/source-code">Source code for Enigmail/pEp</a>", July 2018.</td>
</tr>
<tr>
<td class="reference"><b id="SRC.pepforandroid">[SRC.pepforandroid]</b></td>
<td class="top">"<a href="https://pep-security.lu/gitlab/android/pep">Source code for pEp for Android</a>", July 2018.</td>
</tr>
<tr>
<td class="reference"><b id="SRC.pepforios">[SRC.pepforios]</b></td>
<td class="top">"<a href="https://pep-security.ch/dev/repos/pEp_for_iOS/">Source code for pEp for iOS</a>", July 2018.</td>
</tr>
<tr>
<td class="reference"><b id="SRC.pepforoutlook">[SRC.pepforoutlook]</b></td>
<td class="top">"<a href="https://pep-security.lu/dev/repos/pEp_for_Outlook/">Source code for pEp for Outlook</a>", July 2018.</td>
</tr>
<tr>
<td class="reference"><b id="threema">[threema]</b></td>
<td class="top">"<a href="https://threema.ch">Threema - Seriously secure messaging</a>", n.d..</td>
</tr>
</tbody></table>
<h1 id="rfc.appendix.A">
<a href="#rfc.appendix.A">Appendix A.</a> <a href="#document-changelog" id="document-changelog">Document Changelog</a>
</h1>
<p id="rfc.section.A.p.1">[[ RFC Editor: This section is to be removed before publication ]]</p>
<p></p>
<ul>
<li>draft-marques-pep-handshake-01: <ul>
<li>Fix references</li>
<li>Minor editorial changes</li>
<li>Add reason why not to concatenate and map fingerprints instead</li>
</ul>
</li>
<li>draft-marques-pep-handshake-00: <ul><li>Initial version</li></ul>
</li>
</ul>
<h1 id="rfc.appendix.B">
<a href="#rfc.appendix.B">Appendix B.</a> <a href="#open-issues" id="open-issues">Open Issues</a>
</h1>
<p id="rfc.section.B.p.1">[[ RFC Editor: This section should be empty and is to be removed before publication ]]</p>
<p></p>
<ul><li>Add description for further processes to change the trust level, e.g., to remove trust or even mistrust a peer and alike.</li></ul>
<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
<div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Hernani Marques</span>
<span class="n hidden">
<span class="family-name">Marques</span>
</span>
</span>
<span class="org vcardline">pEp Foundation</span>
<span class="adr">
<span class="vcardline">Oberer Graben 4</span>
<span class="vcardline">
<span class="locality">CH-8400 Winterthur</span>,
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline">Switzerland</span>
</span>
<span class="vcardline">EMail: <a href="mailto:hernani.marques@pep.foundation">hernani.marques@pep.foundation</a></span>
<span class="vcardline">URI: <a href="https://pep.foundation/">https://pep.foundation/</a></span>
</address>
</div><div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Bernie Hoeneisen</span>
<span class="n hidden">
<span class="family-name">Hoeneisen</span>
</span>
</span>
<span class="org vcardline">Ucom Standards Track Solutions GmbH</span>
<span class="adr">
<span class="vcardline">
<span class="locality">CH-8046 Zuerich</span>,
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline">Switzerland</span>
</span>
<span class="vcardline">Phone: +41 44 500 52 44</span>
<span class="vcardline">EMail: <a href="mailto:bernie@ietf.hoeneisen.ch%20(bernhard.hoeneisen%20AT%20ucom.ch)">bernie@ietf.hoeneisen.ch (bernhard.hoeneisen AT ucom.ch)</a></span>
<span class="vcardline">URI: <a href="https://ucom.ch/">https://ucom.ch/</a></span>
</address>
</div>
</body>
</html>

+ 672
- 0
pep-handshake/archive/draft-marques-pep-handshake-01.txt View File

@ -0,0 +1,672 @@
Network Working Group H. Marques
Internet-Draft pEp Foundation
Intended status: Informational B. Hoeneisen
Expires: April 27, 2019 Ucom.ch
October 24, 2018
pretty Easy privacy (pEp): Contact and Channel Authentication through
Handshake
draft-marques-pep-handshake-01
Abstract
In interpersonal messaging end-to-end encryption means for public key
distribution and verification of its authenticity are needed; the
latter to prevent man-in-the-middle (MITM) attacks.
This document proposes a new method to easily verify a public key is
authentic by a Handshake process that allows users to easily
authenticate their communication channel. The new method is targeted
to Opportunistic Security scenarios and is already implemented in
several applications of pretty Easy privacy (pEp).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 27, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
Marques & Hoeneisen Expires April 27, 2019 [Page 1]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Existing Solutions . . . . . . . . . . . . . . . . . . . 4
4. The pEp Handshake Proposal . . . . . . . . . . . . . . . . . 5
4.1. Verification Process . . . . . . . . . . . . . . . . . . 5
4.1.1. Short, Long and Full Trustword Mapping . . . . . . . 6
4.1.2. Display Modes . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 8
6.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 8
6.2. Running Code . . . . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Document Changelog . . . . . . . . . . . . . . . . . 11
Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
In interpersonal messaging end-to-end encryption means for public key
distribution and verification of its authenticity are needed.
Examples for key distribution include:
o Exchange public keys out-of-band before encrypted communication
o Use of centralized public key stores (e.g., OpenPGP Key Servers)
o Ship public keys in-band when communicating
To prevent man-in-the-middle (MITM) attacks, additionally the
authenticity of a public key needs to be verified. Methods to
authenticate public keys of peers include, e.g., to verify digital
signatures of public keys (which may be signed in a hierarchical or
flat manner, e.g., by a Web of Trust (WoT)), to compare the public
Marques & Hoeneisen Expires April 27, 2019 [Page 2]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
key's fingerprints via a suitable independent channel, or to scan a
QR mapping of the fingerprint (cf. Section 3).
This document proposes a new method to verify the authenticity of
public keys by a Handshake process that allows users to easily verify
their communication channel. Fingerprints of the involved peers are
combined and mapped to (common) Trustwords [I-D.birk-pep-trustwords].
The successful manual comparison of these Trustwords is used to
consider the communication channel as trusted.
The proposed method is already implemented and used in applications
of pretty Easy privacy (pEp) [I-D.birk-pep]. This document is
targeted to applications based on the pEp framework and Opportunistic
Security [RFC7435]. However, it may be also used in other
applications as suitable.
Note: The pEp framework [I-D.birk-pep] proposes to automatize the use
of end-to-end encryption for Internet users of email and other
messaging applications and introduces methods to easily allow
authentication.
2. Terms
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in {{RFC2119}}.
* Handshake: The process when Alice -- e.g. in-person or via phone --
contacts Bob to verify Trustwords (or by fallback: fingerprints) is
called Handshake. {{I-D.marques-pep-handshake}}
* Trustwords: A scalar-to-word representation of 16-bit numbers (0 to
65535) to natural language words. When doing a Handshake, peers are
shown combined Trustwords of both public keys involved to ease the
comparison. {{I-D.birk-pep-trustwords}}
* Trust on First Use (TOFU): cf. {{RFC7435}}
* Man-in-the-middle attack (MITM): cf. {{RFC4949}}
3. Problem Statement
To secure a communication channel, in public key cryptography each
involved peer needs a key pair. Its public key needs to be shared to
other peers by some means. However, the key obtained by the receiver
may have been substituted or tampered with to allow for re-encryption
attacks. To prevent such man-in-the-middle (MITM) attacks, an
Marques & Hoeneisen Expires April 27, 2019 [Page 3]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
important step is to verify the authenticity of a public key
obtained.
3.1. Use Cases
Such a verification process is useful in at least two scenarios:
o Verify channels to peers, e.g., to make sure opportunistically
exchanged keys for end-to-end encryption are authentic.
o Verify channels between own devices (in multi-device contexts),
e.g., for the purpose of importing and synchronizing keys among
different devices belonging to the same user (cf.
[E-D.birk-pep-keysync]). This scenario is comparable to Bluetooth
pairing before starting data transfers.
3.2. Existing Solutions
Current methods to authenticate public keys of peers include:
o Digitally signed public keys are verified by a chain of trust.
Two trust models are common in today's implementations.
* Signing is carried out hierarchically, e.g. in a Public Key
Infrastructure (PKI) [RFC5280], in which case the verification
is based on a chain of trust with a Trust Anchor (TA) at the
root.
* Signing of public keys is done in a flat manner (by a Web of
Trust), e.g., key signing in OpenPGP [RFC4880], where users
sign the public keys of other users. Verification may be based
on transitive trust.
o Peers are expected to directly compare the public key's
fingerprints by any suitable independent channel - e.g, by phone
or with a face-to-face meeting. This method is often used in
OpenPGP [RFC4880] contexts.
o The public keys' fingerprints are mapped into a QR code, which is
expected to be scanned between the peers when they happen to meet
face-to-face. This method is e.g. used in the chat application
Threema [threema].
o The public keys' fingerprints are mapped into numerical codes
which decimal digits only (so-called "safety numbers"), which
makes the strings the humans need to compare easier in respect to
hexacodes, but longer and thus nevertheless cumbersome. This
method is e.g. used in the chat application Signal [signal].
Marques & Hoeneisen Expires April 27, 2019 [Page 4]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
Some of the methods can even be used in conjunction with Trustwords
[I-D.birk-pep-trustwords] or the PGP Word list [PGP.wl].
None of the existing solutions meets all requirements set up by pEp
[I-D.birk-pep], e.g.:
o Easy solution that can be handled easily by ordinary users
o In case privacy and security contradict each other, privacy is
always preferred over security (e.g., the Web of Trust contradicts
privacy)
o No central entities
Most of today's systems lack easy ways for users to authenticate
their communication channel. Some methods leak private data (e.g.,
their social graph) or depend on central entities. Thus, none of
today's systems fulfills all of the pEp requirements (cf. above).
4. The pEp Handshake Proposal
In pretty Easy privacy (pEp), the proposed approach for peers to
authenticate each other is to engage in the pEp Handshake.
In current pEp implementations (cf. Section 6.2), the same kinds of
keys as in OpenPGP are used. Such keys include a fingerprint as
cryptographic hash over the public key. This fingerprint is normally
represented in a hexadecimal form, consisting of ten 4-digit
hexadecimal blocks, e.g.:
8E31 EF52 1D47 5183 3E9D EADC 0FFE E7A5 7E5B AD19
Each block may also be represented in decimal numbers from 0 to 65535
or in other numerical forms, e.g.
o Hexadecimal: 8E31
o Decimal: 36401
o Binary: 1000111000110001
4.1. Verification Process
In the pEp Handshake the fingerprints of any two peers involved are
combined and displayed in form of Trustwords
[I-D.birk-pep-trustwords] for easy comparison by the involved
parties.
Marques & Hoeneisen Expires April 27, 2019 [Page 5]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
The default verification process involves three steps:
1. Combining fingerprints by XOR function
Any two peers' fingerprints are combined bit-by-bit using the
Exclusive-OR (XOR) function resulting in the Combined Fingerprint
(CFP).
2. Mapping result to Trustwords:
The CFP is then mapped to 16-bit Trustwords (i.e., every 4-digit
hexadecimal block is mapped to a given Trustword) resulting in
the Trustword Mapping (TWM).
3. Verify Trustwords over independent channel
The resulting Trustwords (TWM) are compared and verified over an
independent channel, e.g., a phone line. If this step was
successful, the channel can be marked as authenticated.
Note: In prior implementations of pEp the fingerprints of any two
peers were concatenated. While this has the advantage that the own
identity's Trustwords can be printed on a business card (like with
fingerprints) or on contact sites or in signature texts of emails,
this at the same time has the drawback that users might not carefully
compare the words as they start to remember and recognize their
Trustwords in the concatenated mapping. The avoid to train users in
doing so, Trustwords for any peer-to-peer combination shall very
probably differ.
4.1.1. Short, Long and Full Trustword Mapping
The more an ordinary user needs to contribute to a process, the less
likely a user will carry out all steps carefully. In particular, it
was observed that a simple (manual) comparison of OpenPGP
fingerprints is rarely carried out to the full extent, i.e., mostly
only parts of the fingerprint are compared, if at all.
For usability reasons and to create incentives for people to actually
carry out a Handshake (while maintaining an certain level of
entropy), pEp allows for different entropy levels, i.e.:
1. Full Trustword Mapping (F-TWM) [aka Full Trustwords] MUST
represent the maximum entropy achievable by the mapping. This
means all Trustwords of a TWM MUST be displayed and compared.
E.g., the fingerprint
Marques & Hoeneisen Expires April 27, 2019 [Page 6]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC 3F13
is mapped to
dog house brother town fat bath school banana kite task
2. Long Trustword Mapping (L-TWM) [aka Long Trustwords] requires a
number of Trustwords that MUST retain at least 128 bits of
entropy. This means that a usually larger part of the FWM is
displayed, only a smaller fraction might be omitted.
E.g., the fingerprint
F482 E952 2F48 618B 01BC 31DC 5428 D7FA [ ACDC 3F13 ]
is mapped to
dog house brother town fat bath school banana [ remaining
Trustwords omitted ]
3. Short Trustword Mapping (S-TWM) [aka Short Trustwords] requires a
number of Trustwords that MUST retain at least 64 bits of
entropy. This means that a part of the TWM is displayed and
compared, the remaining Trustwords are omitted.
E.g., the fingerprint
F482 E952 2F48 618B 01BC [ 31DC 5428 D7FA ACDC 3F13 ]
is mapped to
dog house brother town fat [ remaining Trustwords omitted ]
4.1.2. Display Modes
The pEp Handshake has three display modes for the verification
process. All of the following modes MUST be implemented:
1. S-TWM mode (default)
By default the S-TWM SHOULD be displayed to the user for
comparison and verification. An easy way to switch to F-TWM mode
MUST be implemented and an easy way to switch to fingerprint mode
SHOULD be implemented.
2. L-TWM mode
Marques & Hoeneisen Expires April 27, 2019 [Page 7]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
There are situations, where S-TWM is not sufficient (e.g.,
communication parties that are more likely under attack), in
which the F-TWM MAY be displayed to the user by default. An easy
way to switch to L-TWM mode MUST be implemented and a way to
switch to fingerprint mode SHOULD be implemented, too.
3. F-TWM mode
A way to display the full Trustword mapping achievable SHOULD be
provided, too.
4. Fingerprint mode (fallback)
To retain compatibility to existing OpenPGP users (that know
nothing about Trustwords), the fingerprint mode, a fallback to
compare the original fingerprints (usually in hexadecimal form)
MAY be used. Easy ways to switch back to the TWM modes supported
MUST be implemented.
If the verification process was successful, the user confirms it,
e.g. by setting a check mark. Once the user has confirmed it, the
Privacy Status [I-D.marques-pep-rating] for this channel MUST be
updated accordingly.
5. Security Considerations
A (global) adversary can pre-generate all Trustwords any two users
expect to compare and try to engage in MITM attacks which fit - it
MUST NOT be assumed public keys and thus fingerprints to be something
to stay secret, especially as in pEp public keys are aggressively
distributed to all peers. Also similar Trustwords can be generated,
which spelled on the phone might sound very similar.
6. Implementation Status
6.1. Introduction
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC7942].
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
Marques & Hoeneisen Expires April 27, 2019 [Page 8]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
features. Readers are advised to note that other implementations may
exist.
According to [RFC7942], "[...] this will allow reviewers and working
groups to assign due consideration to documents that have the benefit
of running code, which may serve as evidence of valuable
experimentation and feedback that have made the implemented protocols
more mature. It is up to the individual working groups to use this
information as they see fit."
6.2. Running Code
In pEp for email [I-D.marques-pep-email] contexts, Handshakes are
already implemented for the following platforms:
o Android, in pEp for Android - release [SRC.pepforandroid]
o Enigmail, in the Enigmail/pEp mode - release used for new Enigmail
users of version 2.0 [SRC.enigmailpep]
o iOS, in pEp for iOS - not yet released [SRC.pepforios]
o Outlook, in pEp for Outlook - commercial release
[SRC.pepforoutlook]
In pEp for Outlook also keys from other devices can be imported by
the Handshake method.
7. Acknowledgements
Special thanks to Volker Birk and Leon Schumacher who developed the
original concept of the pEp Handshake.
This work was initially created by pEp Foundation, and then reviewed
and extended with funding by the Internet Society's Beyond the Net
Programme on standardizing pEp. [ISOC.bnet]
8. References
8.1. Normative References
[I-D.birk-pep]
Birk, V., Marques, H., and S. Shelburn, "pretty Easy
privacy (pEp): Privacy by Default", draft-birk-pep-02
(work in progress), June 2018.
Marques & Hoeneisen Expires April 27, 2019 [Page 9]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
[I-D.birk-pep-trustwords]
Birk, V., Marques, H., and B. Hoeneisen, "IANA
Registration of Trustword Lists: Guide, Template and IANA
Considerations", draft-birk-pep-trustwords-02 (work in
progress), June 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>.
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
December 2014, <https://www.rfc-editor.org/info/rfc7435>.
8.2. Informative References
[E-D.birk-pep-keysync]
Birk, V. and H. Marques, "pretty Easy privacy (pEp): Key
Synchronization Protocol", June 2018,
<https://pep.foundation/dev/repos/internet-
drafts/file/tip/pep-keysync/
draft-birk-pep-keysync-NN.txt>.
Early draft
[I-D.marques-pep-email]
Marques, H., "pretty Easy privacy (pEp): Email Formats and
Protocols", draft-marques-pep-email-01 (work in progress),
July 2018.
[I-D.marques-pep-rating]
Marques, H. and B. Hoeneisen, "pretty Easy privacy (pEp):
Mapping of Privacy Rating", draft-marques-pep-rating-00
(work in progress), July 2018.
[ISOC.bnet]
Simao, I., "Beyond the Net. 12 Innovative Projects
Selected for Beyond the Net Funding. Implementing Privacy
via Mass Encryption: Standardizing pretty Easy privacy's
protocols", June 2017, <https://www.internetsociety.org/
blog/2017/06/12-innovative-projects-selected-for-beyond-
the-net-funding/>.
Marques & Hoeneisen Expires April 27, 2019 [Page 10]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
[PGP.wl] "PGP word list", November 2017,
<https://en.wikipedia.org/w/
index.php?title=PGP_word_list&oldid=749481933>.
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
Thayer, "OpenPGP Message Format", RFC 4880,
DOI 10.17487/RFC4880, November 2007,
<https://www.rfc-editor.org/info/rfc4880>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", BCP 205,
RFC 7942, DOI 10.17487/RFC7942, July 2016,
<https://www.rfc-editor.org/info/rfc7942>.
[signal] "Signal", n.d., <https://signal.org/>.
[SRC.enigmailpep]
"Source code for Enigmail/pEp", July 2018,
<https://enigmail.net/index.php/en/download/source-code>.
[SRC.pepforandroid]
"Source code for pEp for Android", July 2018,
<https://pep-security.lu/gitlab/android/pep>.
[SRC.pepforios]
"Source code for pEp for iOS", July 2018,
<https://pep-security.ch/dev/repos/pEp_for_iOS/>.
[SRC.pepforoutlook]
"Source code for pEp for Outlook", July 2018,
<https://pep-security.lu/dev/repos/pEp_for_Outlook/>.
[threema] "Threema - Seriously secure messaging", n.d.,
<https://threema.ch>.
Appendix A. Document Changelog
[[ RFC Editor: This section is to be removed before publication ]]
o draft-marques-pep-handshake-01:
* Fix references
Marques & Hoeneisen Expires April 27, 2019 [Page 11]
Internet-Draft pretty Easy privacy (pEp) Handshake October 2018
* Minor editorial changes
* Add reason why not to concatenate and map fingerprints instead
o draft-marques-pep-handshake-00:
* Initial version
Appendix B. Open Issues
[[ RFC Editor: This section should be empty and is to be removed
before publication ]]
o Add description for further processes to change the trust level,
e.g., to remove trust or even mistrust a peer and alike.
Authors' Addresses
Hernani Marques
pEp Foundation
Oberer Graben 4
CH-8400 Winterthur
Switzerland
Email: hernani.marques@pep.foundation
URI: https://pep.foundation/
Bernie Hoeneisen
Ucom Standards Track Solutions GmbH
CH-8046 Zuerich
Switzerland
Phone: +41 44 500 52 44
Email: bernie@ietf.hoeneisen.ch (bernhard.hoeneisen AT ucom.ch)
URI: https://ucom.ch/
Marques & Hoeneisen Expires April 27, 2019 [Page 12]

+ 918
- 0
pep-handshake/archive/draft-marques-pep-handshake-01.xml View File

@ -0,0 +1,918 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
]>
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc comments="yes"?>
<rfc docName="draft-marques-pep-handshake-01" category="info">
<front>
<title abbrev="pretty Easy privacy (pEp) Handshake">pretty Easy privacy (pEp): Contact and Channel Authentication through Handshake</title>
<author initials="H." surname="Marques" fullname="Hernani Marques">
<organization>pEp Foundation</organization>
<address>
<postal>
<street>Oberer Graben 4</street>
<city>CH-8400 Winterthur</city>
<country>Switzerland</country>
</postal>
<email>hernani.marques@pep.foundation</email>
<uri>https://pep.foundation/</uri>
</address>
</author>
<author initials="B." surname="Hoeneisen" fullname="Bernie Hoeneisen">
<organization abbrev="Ucom.ch">Ucom Standards Track Solutions GmbH</organization>
<address>
<postal>
<street></street>
<city>CH-8046 Zuerich</city>
<country>Switzerland</country>
</postal>
<phone>+41 44 500 52 44</phone>
<email>bernie@ietf.hoeneisen.ch (bernhard.hoeneisen AT ucom.ch)</email>
<uri>https://ucom.ch/</uri>
</address>
</author>
<date year="2018" month="October" day="24"/>
<abstract>
<t>In interpersonal messaging end-to-end encryption means for public key
distribution and verification of its authenticity are needed; the latter
to prevent man-in-the-middle (MITM) attacks.</t>
<t>This document proposes a new method to easily verify a public key is
authentic by a Handshake process that allows users to easily
authenticate their communication channel. The new method is targeted to
Opportunistic Security scenarios and is already implemented in several
applications of pretty Easy privacy (pEp).</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>In interpersonal messaging end-to-end encryption means for public key
distribution and verification of its authenticity are needed.</t>
<t>Examples for key distribution include:</t>
<t><list style="symbols">
<t>Exchange public keys out-of-band before encrypted communication</t>
<t>Use of centralized public key stores (e.g., OpenPGP Key Servers)</t>
<t>Ship public keys in-band when communicating</t>
</list></t>
<t>To prevent man-in-the-middle (MITM) attacks, additionally the
authenticity of a public key needs to be verified. Methods to
authenticate public keys of peers include, e.g., to verify digital
signatures of public keys (which may be signed in a hierarchical or
flat manner, e.g., by a Web of Trust (WoT)), to compare the public
key’s fingerprints via a suitable independent channel, or to scan a QR
mapping of the fingerprint (cf. <xref target="problem-statement"/>).</t>
<t>This document proposes a new method to verify the authenticity of
public keys by a Handshake process that allows users to easily verify
their communication channel. Fingerprints of the involved peers are
combined and mapped to (common) Trustwords
<xref target="I-D.birk-pep-trustwords"/>. The successful manual comparison of
these Trustwords is used to consider the communication channel as
trusted.</t>
<t>The proposed method is already implemented and used in applications of
pretty Easy privacy (pEp) <xref target="I-D.birk-pep"/>. This document is targeted
to applications based on the pEp framework and Opportunistic Security
<xref target="RFC7435"/>. However, it may be also used in other applications as
suitable.</t>
<t>Note: The pEp framework <xref target="I-D.birk-pep"/> proposes to automatize the
use of end-to-end encryption for Internet users of email and other
messaging applications and introduces methods to easily allow
authentication.</t>
</section>
<section anchor="terms" title="Terms">
<figure><artwork><![CDATA[
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in {{RFC2119}}.
* Handshake: The process when Alice -- e.g. in-person or via phone --
contacts Bob to verify Trustwords (or by fallback: fingerprints) is
called Handshake. {{I-D.marques-pep-handshake}}
* Trustwords: A scalar-to-word representation of 16-bit numbers (0 to
65535) to natural language words. When doing a Handshake, peers are
shown combined Trustwords of both public keys involved to ease the
comparison. {{I-D.birk-pep-trustwords}}
* Trust on First Use (TOFU): cf. {{RFC7435}}
* Man-in-the-middle attack (MITM): cf. {{RFC4949}}
]]></artwork></figure>
</section>
<section anchor="problem-statement" title="Problem Statement">
<t>To secure a communication channel, in public key cryptography each
involved peer needs a key pair. Its public key needs to be shared to
other peers by some means. However, the key obtained by the receiver
may have been substituted or tampered with to allow for re-encryption
attacks. To prevent such man-in-the-middle (MITM) attacks, an
important step is to verify the authenticity of a public key obtained.</t>
<section anchor="use-cases" title="Use Cases">
<t>Such a verification process is useful in at least two scenarios:</t>
<t><list style="symbols">
<t>Verify channels to peers, e.g., to make sure opportunistically
exchanged keys for end-to-end encryption are authentic.</t>
<t>Verify channels between own devices (in multi-device contexts),
e.g., for the purpose of importing and synchronizing keys among
different devices belonging to the same user
(cf. <xref target="E-D.birk-pep-keysync"/>). This scenario is comparable to
Bluetooth pairing before starting data transfers.</t>
</list></t>
</section>
<section anchor="existing-solutions" title="Existing Solutions">
<t>Current methods to authenticate public keys of peers include:</t>
<t><list style="symbols">
<t>Digitally signed public keys are verified by a chain of trust. Two
trust models are common in today’s implementations. <list style="symbols">
<t>Signing is carried out hierarchically, e.g. in a Public Key
Infrastructure (PKI) <xref target="RFC5280"/>, in which case
the verification is based on a chain of trust with a Trust Anchor
(TA) at the root.</t>
<t>Signing of public keys is done in a flat manner (by a Web of
Trust), e.g., key signing in OpenPGP <xref target="RFC4880"/>, where users sign
the public keys of other users. Verification may be based on
transitive trust.</t>
</list></t>
<t>Peers are expected to directly compare the public key’s fingerprints
by any suitable independent channel – e.g, by phone or with a
face-to-face meeting. This method is often used in OpenPGP
<xref target="RFC4880"/> contexts.</t>
<t>The public keys’ fingerprints are mapped into a QR code, which is
expected to be scanned between the peers when they happen to meet
face-to-face. This method is e.g. used in the chat application
Threema <xref target="threema"/>.</t>
<t>The public keys’ fingerprints are mapped into numerical codes which
decimal digits only (so-called “safety numbers”), which makes the strings
the humans need to compare easier in respect to hexacodes, but longer and
thus nevertheless cumbersome. This method is e.g. used in the
chat application Signal <xref target="signal"/>.</t>
</list></t>
<t>Some of the methods can even be used in conjunction with Trustwords
<xref target="I-D.birk-pep-trustwords"/> or the PGP Word list <xref target="PGP.wl"/>.</t>
<t>None of the existing solutions meets all requirements set up by pEp
<xref target="I-D.birk-pep"/>, e.g.:</t>
<t><list style="symbols">
<t>Easy solution that can be handled easily by ordinary users</t>
<t>In case privacy and security contradict each other, privacy is
always preferred over security (e.g., the Web of Trust contradicts
privacy)</t>
<t>No central entities</t>
</list></t>
<t>Most of today’s systems lack easy ways for users to authenticate their
communication channel. Some methods leak private data (e.g., their
social graph) or depend on central entities. Thus, none of today’s
systems fulfills all of the pEp requirements (cf. above).</t>
</section>
</section>
<section anchor="the-pep-handshake-proposal" title="The pEp Handshake Proposal">
<t>In pretty Easy privacy (pEp), the proposed approach for peers to
authenticate each other is to engage in the pEp Handshake.</t>
<t>In current pEp implementations (cf. <xref target="running-code"/>), the same kinds
of keys as in OpenPGP are used. Such keys include a fingerprint as
cryptographic hash over the public key. This fingerprint is normally
represented in a hexadecimal form, consisting of ten 4-digit
hexadecimal blocks, e.g.:</t>
<t><list style='empty'>
<t>8E31 EF52 1D47 5183 3E9D EADC 0FFE E7A5 7E5B AD19</t>
</list></t>
<t>Each block may also be represented in decimal numbers from 0 to 65535
or in other numerical forms, e.g.</t>
<t><list style="symbols">
<t>Hexadecimal: 8E31</t>
<t>Decimal: 36401</t>
<t>Binary: 1000111000110001</t>
</list></t>
<section anchor="verification-process" title="Verification Process">
<t>In the pEp Handshake the fingerprints of any two peers involved are
combined and displayed in form of Trustwords <xref target="I-D.birk-pep-trustwords"/> for
easy comparison by the involved parties.</t>
<t>The default verification process involves three steps:</t>