forked from xsf/xeps
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathxep-0440.xml
258 lines (223 loc) · 9.8 KB
/
xep-0440.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY rfc5056 "<span class='ref'><link url='http://tools.ietf.org/html/rfc5056'>RFC 5056</link></span> <note>RFC 5056: On the Use of Channel Bindings to Secure Channels <<link url='http://tools.ietf.org/html/rfc5056'>http://tools.ietf.org/html/rfc5056</link>>.</note>" >
<!ENTITY iana-cb-types "<span class='ref'><link url='https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml'>IANA Channel-Binding Types Registry</link></span> <note>IANA Channel-Binding Types Registry <<link url='https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml'>https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml</link>>.</note>" >
<!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
<title>SASL Channel-Binding Type Capability</title>
<abstract>This specification allows servers to annouce their supported SASL channel-binding types to clients.</abstract>
&LEGALNOTICE;
<number>0440</number>
<status>Experimental</status>
<lastcall>2024-05-20</lastcall>
<type>Standards Track</type>
<sig>Standards</sig>
<approver>Council</approver>
<dependencies>
<spec>XMPP Core</spec>
</dependencies>
<supersedes/>
<supersededby/>
<shortname>sasl-cb-types</shortname>
&flow;
<revision>
<version>0.4.2</version>
<date>2024-07-02</date>
<initials>egp</initials>
<remark>
<ul>
<li>Add an XML schema.</li>
<li>Mention that this specification does add a new namespace that should go to the registrar.</li>
<li>Fix indentation, typos, misuse of '' vs. </> for elements, etc.</li>
</ul>
</remark>
</revision>
<revision>
<version>0.4.1</version>
<date>2024-01-30</date>
<initials>fs</initials>
<remark>
Recommend the usage of tls-exporter over tls-server-end-point
</remark>
</revision>
<revision>
<version>0.4.0</version>
<date>2022-09-21</date>
<initials>dg</initials>
<remark>
Make sasl-channel-binding element a top level stream feature
</remark>
</revision>
<revision>
<version>0.3.0</version>
<date>2022-08-29</date>
<initials>tm</initials>
<remark>
Make implementation of tls-server-end-point a MUST for servers.
</remark>
</revision>
<revision>
<version>0.2.0</version>
<date>2020-08-04</date>
<initials>fs</initials>
<remark>
Discuss interaction with SASL mechanism and add security considerations.
Recommend implementation of tls-server-end-point.
</remark>
</revision>
<revision>
<version>0.1.0</version>
<date>2020-06-14</date>
<initials>XEP Editor (jsc)</initials>
<remark>Accepted by vote of Council on 2020-05-27.</remark>
</revision>
<revision>
<version>0.0.1</version>
<date>2020-05-20</date>
<initials>fs</initials>
<remark><p>First draft.</p></remark>
</revision>
</header>
<section1 topic='Introduction' anchor='intro'>
<p>SASL channel-binding is a technique to increase the security of
connections (&rfc5056;). Unfortunately, the SASL profile specified
in &rfc6120; lacks a method for the server to announce its supported
channel-binding types. This hinders the adoption of channel-binding,
especially since the error protocol to execute after a client
requested a channel-binding type unsupported by the server is
basically unspecified.</p>
<p>The extension defined herein fills the gap left by &rfc6120;, by
allowing the server the announce its supported channel-binding
types.</p>
</section1>
<section1 topic='Announcing the SASL Channel-Binding Type Capability' anchor='sasl-cb-type'>
<p>This protocol consists of a stream feature named <sasl-channel-binding/>
qualified by the 'urn:xmpp:sasl-cb:0' namespace.
The <sasl-channel-binding/> element MUST contain one or
more <channel-binding/> elements, of which each MUST have an
attribute with the name 'type'. The value of the 'type' attribute
SHOULD be the "Channel-binding unique prefix" of a channel-binding
type which was registered with the &iana-cb-types;.</p>
<p>A server declares that it supports particular channel-binding
types by listing the supported types via the <sasl-channel-binding/>
stream feature defined herein. The <sasl-channel-binding/> element could
appear next to the SASL <mechanisms/>
stream-feature element, qualified by the
'urn:ietf:params:xml:ns:xmpp-sasl' namespace, as specified in
&rfc6120;. Another potential appearance of
<sasl-channel-binding/> is next to the
<authentication/> stream-feature element as specified in the
&xep0388;.</p>
<example caption='Example <mechanisms/> stream feature with SASL Channel-Binding Type Capability.'><![CDATA[
<stream:features>
<sasl-channel-binding xmlns='urn:xmpp:sasl-cb:0'>
<channel-binding type='tls-server-end-point'/>
<channel-binding type='tls-exporter'/>
</sasl-channel-binding>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>EXTERNAL</mechanism>
<mechanism>SCRAM-SHA-1-PLUS</mechanism>
<mechanism>PLAIN</mechanism>
</mechanisms>
</stream:features>]]></example>
</section1>
<section1 topic='Interaction with SASL mechanisms' anchor='sasl-mech-interaction'>
<p>Some channel-binding enabled SASL mechanisms reflect the server's
presumed channel-binding abilities back to the server. This prevents
SASL mechanism stripping attacks, where a Man in the Middle (MITM)
removes certain SASL mechanisms in an attempt to downgrade the
mechanism choosen for authentication to a non-channel-binding enabled
one. An example of a SASL mechanism family with this feature is
&rfc5802;. This standard specifies the gs2-cbind-flag. The flag has a
tristate value of "I don't support channel-binding" (n), "I think you
do not support channel-binding, but I do" (y), or, "Let us use
channel-binding type X" (p).</p>
<p>Clients using the information provided
via <sasl-channel-binding/> MAY want to indicate to the server
that they do not support channel-binding (even if they do) if no
mutual supported channel-binding type was found. The only alternative
is, that the client signals the server that it believes that the server
does not support channel binding. But this may cause the server to
terminate the connection, because it indicates a potential ongoing
SASL mechanism stripping attack.</p>
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>If a client signals to the server that it does not support
channel binding, because it found no mutual supported
channel-binding types, another MITM attack
vector is introduced. An active attacker could replace the
<sasl-channel-binding;> list with channel bindings unlikely
(or impossible) to be supported by the client. If the client is
configured to use non-channel-binding SASL mechanisms as a fallback,
this could be used to downgrade the connection security. Note that
this attack is a different one than the SASL mechanism stripping one:
Here the attacker tempers with the announced channel-binding types,
i.e., the values within <sasl-channel-binding;></p>
<p>Depending on the application's security policy, clients may
refrain from falling back to non-channel-binding SASL mechanisms
if no mutual supported channel-binding type is available.
Alternatively, they may try channel-binding with a supported type
nevertheless. To mitigate the attack describe above, clients
could "pin" the announced channel bindings types by a service. In that
case, implementations may want to allow the set of pinned channel-binding
types to be extended to stronger ones.</p>
<p>As further mitigation, servers MUST and clients are RECOMMENDED to
at least implement the channel-binding type tls-server-end-point (&rfc5929;)
to increase the probability of a mutual supported channel-binding type. However,
due its improved security properties, the tls-exporter (&rfc9266;) channel-binding
type should be prefered over tls-server-end-point.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>This document requires no interaction with &IANA;.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<p>Add the 'urn:xmpp:sasl-cb:0' namespace to the registry:</p>
<code caption='Registry Submission'><![CDATA[
<var>
<name>urn:xmpp:sasl-cb:0</name>
<desc>Expose supported channel-binding types to clients</desc>
<doc>XEP-0440</doc>
</var>
]]></code>
</section1>
<section1 topic='XML Schema' anchor='schema'>
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
xmlns='urn:xmpp:sasl-cb:0'
targetNamespace='urn:xmpp:sasl-cb:0'
elementFormDefault='qualified'>
<xs:annotation>
<xs:documentation>
The protocol documented by this schema is defined in
XEP-0440: https://xmpp.org/extensions/xep-0440.html
</xs:documentation>
</xs:annotation>
<xs:element name='sasl-channel-binding'>
<xs:complexType>
<xs:sequence>
<xs:element ref='channel-binding' maxOccurs='unbounded'/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name='channel-binding'>
<xs:complexType>
<xs:attribute name='type' type='xs:string'/>
</xs:complexType>
</xs:element>
</xs:schema>
]]></code>
</section1>
<section1 topic='Acknowledgements' anchor='acknowledgements'>
<p>Thanks to Sam Whited for the discussion about the underlying
issue and incentivizing me to come up with this extension. Further
thanks goes to Ruslan N. Marchenko for pointing out the possible
MITM attack vector. Last but not least, Dave Cridland, Thilo Molitor,
and Simon Josefsson provided valuable feedback.</p>
</section1>
</xep>