An Analysis of XMPP Security Team “Vision” Chris Nelson Ashwin Kulkarni Nitin Khatri Taulant Haka Yong Chen CMPE 209 Spring 2009
Agenda • HISTORY OF XMPP • INTRODUCTION TO XMPP • SECURITY IN XMPP • Use of TLS (Transport Layer Security) • Use of SASL (Simple Authentication and Security Layer) • SECURITY CONCERNS IN XMPP • Conclusion
HISTORY OF XMPP • 1998: the core technology was invented by Jeremie Miller • 1999: the Jabber open-source community began developing the protocol • 2000: the protocol was submitted to the IETF's Instant Messaging and Presence Protocol (IMPP) Working Group • 2002 and 2003: the protocol was formalized by the IETF as XMPP • 2004: the XMPP RFCs (RFC 3920 and RFC 3921) were published • 2007: the Jabber Software Foundation was renamed the XMPP Standards Foundation
Applications using XMPP • Instant messaging • Presence • Media session management • Shared editing • Whiteboarding • Collaboration • Lightweight middleware • Content syndication • Generalized XML routing
Core concepts of the Extensible Messaging and Presence Protocol • Jabber Client • Jabber Server • Presence and IM Session Establishment • Resource Binding • Server Dialback • Simple Authentication and Security Layer • S/MIME Encryption • Stanza Errors • Stream Errors • Transport Layer Security • XML Streams
XMPP Communication • XMPP uses XML to communicate between two nodes • A client and a server • A server and a server • A client and another client via one or more servers
XMPP Communication (cont.) • A simplified view of one-way communication using XMPP • <stream> opens the connection and </stream> closes it; everything sent in between is one continuous XML document • <presence> and </presence> mark the start and end of a presence stanza • <iq> and </iq> mark the start and end of an info/query (iq) request or response • <message> and </message> likewise delimit a message stanza
SECURITY IN XMPP • XMPP is built on four layers • TCP as the reliable transport protocol • TLS for encryption (and server authentication) of data sent over the TCP connection • SASL for authentication of the entities communicating over the TLS-protected TCP connection • XMPP as the application communicating over the reliable, authenticated and encrypted channel
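Because the stream is one XML document that is never complete while the connection is alive, a client or server cannot hand the bytes to an ordinary one-shot XML parser. The following incremental stanza reader is an added example, not code from the original slides; the StanzaReader class, its MAX_DEPTH limit and the sample traffic in demo() are this example's own constructions. It returns each direct child of the stream as soon as its end tag has arrived, and rejects comments and processing instructions, which RFC 3920 prohibits in an XMPP stream.

```python
"""Incremental parser for an XMPP XML stream (added example, not from the
original slides).  The <stream:stream> root opens when the connection starts
and closes only when it ends, so the reader feeds bytes as they arrive to
XMLPullParser and returns each top-level child (message, presence, iq) as
soon as its end tag is in.
"""
from xml.etree import ElementTree as ET

MAX_DEPTH = 32   # policy limit on nesting, to bound parser memory and recursion


class StanzaReader:
    def __init__(self):
        # Comment and PI events are requested only so they can be rejected:
        # RFC 3920 §11.1 forbids them (as well as DTDs and entity references)
        # in an XMPP stream.  DTD handling is left to the XML parser itself.
        self._parser = ET.XMLPullParser(events=("start", "end", "comment", "pi"))
        self._depth = 0
        self.stream_open = False
        self.stream_closed = False

    def feed(self, data):
        """Feed raw bytes; return the list of stanzas completed by them."""
        stanzas = []
        self._parser.feed(data)
        for event, elem in self._parser.read_events():
            if event in ("comment", "pi"):
                raise ValueError(f"prohibited XML construct in stream: {event}")
            if event == "start":
                self._depth += 1
                if self._depth > MAX_DEPTH:
                    raise ValueError("stanza nested too deeply")
                if self._depth == 1:
                    self.stream_open = True         # root <stream:stream>
            else:  # "end"
                self._depth -= 1
                if self._depth == 1:
                    stanzas.append(elem)            # direct child of the stream
                elif self._depth == 0:
                    self.stream_closed = True       # </stream:stream>
        return stanzas


def local_name(elem):
    """'{jabber:client}message' -> 'message'."""
    return elem.tag.rsplit("}", 1)[-1]


def demo():
    """Constructed sample traffic, split at arbitrary byte boundaries the
    way successive TCP reads would deliver it."""
    chunks = [
        b"<stream:stream xmlns='jabber:client' "
        b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>",
        b"<presence><show>chat</sh",
        b"ow></presence><iq type='get' id='r1'><query xmlns='jabber:iq:roster'/></iq>",
        b"<message to='bob@example.com'><body>hi</body></message></stream:stream>",
    ]
    reader, stanzas = StanzaReader(), []
    for chunk in chunks:
        stanzas.extend(reader.feed(chunk))
    return reader, [local_name(s) for s in stanzas]


if __name__ == "__main__":
    print(demo()[1])
```

On a long-lived connection the pull parser keeps every returned stanza attached to the root element; a real reader should drop each stanza from the tree once it has been dispatched, or memory grows for the life of the session.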
SECURITY IN XMPP Use of TLS • The initiating entity opens a TCP connection and sends a stream header whose 'version' attribute is set to '1.0' • The receiving entity responds with its own stream header, also carrying the 'version' attribute • The receiving entity then offers the STARTTLS extension in its stream features, including a <required/> element as a child of <starttls/> if it will not proceed without TLS
SECURITY IN XMPP Use of TLS (Cont) • The initiating entity issues the STARTTLS command • The receiving entity MUST reply with either a <proceed/> element or a <failure/> element • The initiating entity and receiving entity attempt to complete a TLS negotiation over the TCP connection • If the TLS negotiation is unsuccessful, the receiving entity MUST terminate the TCP connection • If it succeeds, the initiating entity restarts the stream over the encrypted connection by sending a fresh stream header; nothing exchanged before that point was protected
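The STARTTLS exchange just described, carried through with both sides' messages as an added example that is not part of the original slides. The two classes simulate the initiating and receiving entities in process and exchange the XML they would put on the wire; the TLS handshake itself is replaced by a flag on the server so the <proceed/> and <failure/> branches can both be exercised offline. The host name example.com, the stream id and the local policy that the client never continues without TLS are this example's assumptions.

```python
"""STARTTLS negotiation between an XMPP initiating entity (client) and a
receiving entity (server).  Added example, not from the original slides.
"""
from xml.etree import ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAMS_NS = "http://etherx.jabber.org/streams"
CLIENT_HEADER = ("<stream:stream xmlns='jabber:client' "
                 f"xmlns:stream='{STREAMS_NS}' to='example.com' version='1.0'>")


class ReceivingEntity:
    def __init__(self, offer_tls=True, tls_required=True, handshake_ok=True):
        self.offer_tls, self.tls_required, self.handshake_ok = offer_tls, tls_required, handshake_ok
        self.tcp_open, self.tls_active = True, False

    def on_stream_header(self, header):
        """Answer the client's header with our own plus <stream:features/>."""
        if self.offer_tls:
            required = "<required/>" if self.tls_required else ""
            features = f"<starttls xmlns='{TLS_NS}'>{required}</starttls>"
        else:
            features = ""   # a server that never offers STARTTLS
        return ("<stream:stream xmlns='jabber:client' "
                f"xmlns:stream='{STREAMS_NS}' from='example.com' id='c2s-1' version='1.0'>"
                f"<stream:features>{features}</stream:features>")

    def on_starttls(self, xml):
        """Reply <proceed/> or <failure/>; on failure the TCP connection goes down."""
        if ET.fromstring(xml).tag != f"{{{TLS_NS}}}starttls":
            raise ValueError("expected <starttls/>")
        if not self.handshake_ok:
            self.tcp_open = False
            return f"<failure xmlns='{TLS_NS}'/>"
        self.tls_active = True
        return f"<proceed xmlns='{TLS_NS}'/>"


class InitiatingEntity:
    def __init__(self):
        self.tls_active, self.aborted, self.server_requires_tls = False, None, False

    def on_features(self, xml):
        # The server header is an unterminated <stream:stream>; close it so the
        # fragment parses as a document (a parsing convenience, not protocol).
        root = ET.fromstring(xml + "</stream:stream>")
        features = root.find(f"{{{STREAMS_NS}}}features")
        starttls = None if features is None else features.find(f"{{{TLS_NS}}}starttls")
        if starttls is None:
            # Local policy: never continue in the clear, even if the server
            # would allow it.  Close our side of the stream instead.
            self.aborted = "server did not offer STARTTLS"
            return "</stream:stream>"
        self.server_requires_tls = starttls.find(f"{{{TLS_NS}}}required") is not None
        return f"<starttls xmlns='{TLS_NS}'/>"

    def on_tls_reply(self, xml):
        if ET.fromstring(xml).tag == f"{{{TLS_NS}}}proceed":
            self.tls_active = True          # the TLS handshake would run here
            return CLIENT_HEADER            # stream restart over the secured channel
        self.aborted = "server refused TLS"
        return None


def negotiate(server):
    """Drive one negotiation; return (client, server, transcript)."""
    client, transcript = InitiatingEntity(), [("C", CLIENT_HEADER)]
    reply = server.on_stream_header(CLIENT_HEADER)
    transcript.append(("S", reply))
    request = client.on_features(reply)
    transcript.append(("C", request))
    if client.aborted is None:
        reply = server.on_starttls(request)
        transcript.append(("S", reply))
        restart = client.on_tls_reply(reply)
        if restart:
            transcript.append(("C", restart))
    return client, server, transcript


if __name__ == "__main__":
    for who, xml in negotiate(ReceivingEntity())[2]:
        print(who, xml)
```

The client's refusal to continue when STARTTLS is absent is a local policy choice, not something the protocol forces; a client that silently continues in the clear when the server omits <starttls/> is exactly the downgrade a network attacker who strips the feature would want.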
SECURITY IN XMPP Use of SASL • The initiating entity requests SASL authentication by sending a stream header with the 'version' attribute set to '1.0' over the TLS-protected stream • The receiving entity advertises the SASL mechanisms it supports in its stream features • The initiating entity selects a mechanism by sending an <auth/> element • The receiving entity challenges the initiating entity by sending a <challenge/> element • The initiating entity responds to the challenge by sending a <response/> element (the mechanism data in each element is base64-encoded)
SECURITY IN XMPP Use of SASL (cont.) • If necessary, the receiving entity sends further challenges and the initiating entity sends further responses, until one of the following happens: • The initiating entity aborts the handshake by sending an <abort/> element • The receiving entity reports failure of the handshake by sending a <failure/> element • The receiving entity reports success of the handshake by sending a <success/> element
XMPP Extensions • Instant Messaging and Presence: base XMPP extensions for instant messaging, contact lists, presence and privacy lists (blocking) (RFC 3921) • End-to-End Signing and Object Encryption (RFC 3923) • XMPP extensions with additional features including XML-RPC and SOAP bindings, in-band registration, extended presence, geolocation and reliable message delivery (XEP series)
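The challenge/response exchange above, carried through in working code as an added example that is not part of the original slides. The mechanism chosen is SCRAM-SHA-1 (RFC 5802), which the slides do not name; it is a good illustration because the server stores only a salted verifier rather than the password, and the client can in turn check a proof from the server (mutual authentication). The user name, password, salt and both nonces are the RFC 5802 §5 test vector, fixed so the run is reproducible, and the server's final data is carried inside <success/> as RFC 6120 permits (under RFC 3920 it would travel in one more <challenge/>). The Server and Client classes are this example's own.

```python
"""SASL SCRAM-SHA-1 exchange carried in XMPP <auth/>, <challenge/>,
<response/> and <success/> elements.  Added example, not from the original
slides.  Nonces and salt are fixed to the RFC 5802 §5 test vector; real
code draws them from os.urandom.
"""
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(tag, payload, attrs=""):
    """Base64-encode SASL data into the XMPP element that carries it."""
    return f"<{tag} xmlns='{SASL_NS}'{attrs}>{base64.b64encode(payload).decode()}</{tag}>"


def unwrap(xml):
    return base64.b64decode(ET.fromstring(xml).text or "")


def _fields(msg):
    return dict(part.split(b"=", 1) for part in msg.split(b","))


class Server:
    def __init__(self, username, password, salt, iterations=4096):
        # Enrolment: derive the verifier once; the password itself is not kept.
        salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
        self.username, self.salt, self.iterations = username, salt, iterations
        self.stored_key = hashlib.sha1(_hmac(salted, b"Client Key")).digest()
        self.server_key = _hmac(salted, b"Server Key")
        self.snonce = b"3rfcNHYJY1ZVvWVs7j"     # constructed (RFC 5802 §5 vector)

    def challenge(self, auth_xml):
        self.client_first_bare = unwrap(auth_xml)[3:]      # strip GS2 header "n,,"
        fields = _fields(self.client_first_bare)
        if fields.get(b"n") != self.username:
            raise ValueError("unknown user")
        self.nonce = fields[b"r"] + self.snonce            # server extends client nonce
        self.server_first = (b"r=" + self.nonce + b",s=" + base64.b64encode(self.salt)
                             + b",i=" + str(self.iterations).encode())
        return wrap("challenge", self.server_first)

    def verify(self, response_xml):
        without_proof, proof = unwrap(response_xml).rsplit(b",p=", 1)
        if _fields(without_proof).get(b"r") != self.nonce:
            return f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"
        auth_message = b",".join([self.client_first_bare, self.server_first, without_proof])
        # ClientKey = ClientProof XOR ClientSignature; H(ClientKey) must match StoredKey
        client_key = _xor(base64.b64decode(proof), _hmac(self.stored_key, auth_message))
        if not hmac.compare_digest(hashlib.sha1(client_key).digest(), self.stored_key):
            return f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"
        server_sig = _hmac(self.server_key, auth_message)
        return wrap("success", b"v=" + base64.b64encode(server_sig))   # RFC 6120 style


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.cnonce = b"fyko+d2lbbFgONRv9qkxdawL"         # constructed (RFC 5802 §5 vector)

    def auth(self):
        self.client_first_bare = b"n=" + self.username + b",r=" + self.cnonce
        return wrap("auth", b"n,," + self.client_first_bare, " mechanism='SCRAM-SHA-1'")

    def respond(self, challenge_xml):
        self.server_first = unwrap(challenge_xml)
        fields = _fields(self.server_first)
        nonce, salt, iters = fields[b"r"], base64.b64decode(fields[b"s"]), int(fields[b"i"])
        if not nonce.startswith(self.cnonce):
            raise ValueError("server nonce does not extend ours")
        salted = hashlib.pbkdf2_hmac("sha1", self.password, salt, iters)
        client_key = _hmac(salted, b"Client Key")
        without_proof = b"c=biws,r=" + nonce                # "biws" = base64("n,,")
        auth_message = b",".join([self.client_first_bare, self.server_first, without_proof])
        proof = _xor(client_key, _hmac(hashlib.sha1(client_key).digest(), auth_message))
        self.expected = b"v=" + base64.b64encode(_hmac(_hmac(salted, b"Server Key"), auth_message))
        return wrap("response", without_proof + b",p=" + base64.b64encode(proof))

    def finish(self, final_xml):
        """True only if the server sent <success/> carrying a valid ServerSignature."""
        if not final_xml.startswith("<success"):
            return False
        return hmac.compare_digest(unwrap(final_xml), self.expected)


def run_exchange(password=b"pencil"):
    """Drive the four-message exchange; return (response_xml, final_xml, mutual_ok)."""
    server = Server(b"user", b"pencil", base64.b64decode("QSXCR+Q6sek8bf92"))
    client = Client(b"user", password)
    challenge = server.challenge(client.auth())
    response = client.respond(challenge)
    final = server.verify(response)
    return response, final, client.finish(final)
```

A wrong password produces a <failure/> with <not-authorized/>, and a server that does not know ServerKey cannot produce the v= value the client expects, so a man-in-the-middle who merely relays <success/> is caught by finish(). Note that none of this protects the exchange from a passive observer if it runs before TLS; SCRAM resists offline guessing better than PLAIN or DIGEST-MD5, but the ordering rule still applies.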
XMPP Extensions (XEP series ) • Service Discovery -- a robust protocol for determining the features supported by other entities on an XMPP network (XEP-0030) • Data Forms -- a flexible protocol for forms-handling via XMPP, mainly used in workflow applications and for dynamic configuration (XEP-0004 ) • File Transfer -- a protocol for transferring files from one XMPP entity to another (XEP-0096) • HTTP Binding -- a binding of XMPP to HTTP rather than TCP, mainly used for devices that cannot maintain persistent TCP connections to a server (XEP-0124 )
SECURITY CONCERNS IN XMPP • Security depends on the user • A user who accepts a certificate from an unknown or unverified source defeats the server authentication TLS was meant to provide • And/or on the implementation • Performing SASL negotiation before securing the channel with TLS exposes the credentials or the challenge/response data to anyone on the path • Sending message, presence or iq data before the TLS and SASL negotiations are complete sends it unencrypted and/or unauthenticated
Conclusion • XMPP was designed with security in mind • Its architecture is solid • An implementation that follows the specification's negotiation order is secure • Deployments remain susceptible to careless users (and careless implementations)
References • Summary of XMPP. (2007, January 16). Retrieved March 8, 2008, from http://www.xmpp.org/about/summary.shtml • Extensible Messaging and Presence Protocol. Retrieved March 8, 2008, from http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol • Extensible Messaging and Presence Protocol (XMPP): Core, RFC 3920. (2004, October). Retrieved March 8, 2008, from http://tools.ietf.org/html/rfc3920 • Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence, RFC 3921. (2004, October). Retrieved March 8, 2008, from http://tools.ietf.org/html/rfc3921 • End-to-End Signing and Object Encryption for the Extensible Messaging and Presence Protocol (XMPP), RFC 3923. (2004, October). Retrieved March 8, 2008, from http://tools.ietf.org/html/rfc3923 • The XMPP Federation. Retrieved March 8, 2008, from https://www.xmpp.net • Simple Authentication and Security Layer (SASL), RFC 4422. (2006, June). Retrieved March 8, 2008, from http://tools.ietf.org/html/rfc4422
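Two client-side guards matching the concerns on this slide, as an added example that is not part of the original slides. tls_context() contrasts the careless TLS settings (any certificate from any issuer for any name is accepted, which is what "trusting a certificate from an unknown source" amounts to in code) with the verifying ones; OutboundStream is a hypothetical state tracker for a client connection, with the socket code left out, that refuses to send <auth/> before TLS is up and refuses stanzas before TLS, SASL and resource binding are all complete. The state names and the replay() harness are this example's own.

```python
"""Client-side guards for the two failure modes on the slide: trusting an
unverified certificate, and sending SASL or stanza traffic before the
channel is secured.  Added example, not from the original slides.
"""
import ssl


def tls_context(strict=True):
    """Client TLS context.  strict=False reproduces the careless configuration:
    no certificate chain check and no host name check."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED against the system trust store
    if strict:
        ctx.check_hostname = True
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # "trust a certificate from an unknown source"
    return ctx


class NegotiationOrderError(Exception):
    pass


class OutboundStream:
    """Tracks where the client is in the RFC 3920 negotiation and refuses
    traffic that would run ahead of it.  States: tcp -> tls -> sasl -> bind -> ready."""

    def __init__(self, require_tls=True):
        self.state = "tcp"
        self.require_tls = require_tls
        self.sent = []

    def tls_established(self):
        self.state = "tls"

    def send_auth(self, xml):
        # SASL before TLS hands the credentials (PLAIN) or the challenge/response
        # pair (DIGEST-MD5) to anyone on the path.
        if self.require_tls and self.state == "tcp":
            raise NegotiationOrderError("SASL <auth/> before TLS")
        self.sent.append(xml)
        self.state = "sasl"

    def authenticated(self):
        self.state = "bind"

    def bound(self):
        self.state = "ready"

    def send_stanza(self, xml):
        # message/presence/iq are only meaningful on a fully negotiated stream.
        if self.state != "ready":
            raise NegotiationOrderError(f"stanza sent in state {self.state!r}")
        self.sent.append(xml)


def replay(events, require_tls=True):
    """Replay named client actions; return the names the guard rejected."""
    stream, rejected = OutboundStream(require_tls), []
    for name, action in events:
        try:
            action(stream)
        except NegotiationOrderError:
            rejected.append(name)
    return rejected


# Constructed action sequences: a careless client and a correct one.
CARELESS = [
    ("auth-before-tls", lambda s: s.send_auth("<auth mechanism='PLAIN'/>")),
    ("presence-before-auth", lambda s: s.send_stanza("<presence/>")),
]
CORRECT = [
    ("starttls", lambda s: s.tls_established()),
    ("auth", lambda s: s.send_auth("<auth mechanism='SCRAM-SHA-1'/>")),
    ("bind", lambda s: (s.authenticated(), s.bound())),
    ("presence", lambda s: s.send_stanza("<presence/>")),
]

if __name__ == "__main__":
    print("careless client, rejected:", replay(CARELESS))
    print("correct client, rejected:", replay(CORRECT))
```

The certificate half of the problem is not solved by code alone: a client that verifies the chain but then offers the user an "accept anyway" button for an unknown certificate is back to the careless configuration, so the prompt should be the exception, not the default path.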
Questions and Answers Thank You!