[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00 01

Network Working Group                                         H. Marques
Internet-Draft                                            pEp Foundation
Intended status: Informational                              B. Hoeneisen
Expires: January 1, 2019                                         Ucom.ch
                                                           June 30, 2018


 pretty Easy privacy (pEp): Contact and Channel Authentication through
                               Handshake
                     draft-marques-pep-handshake-00

Abstract

   In interpersonal messaging end-to-end encryption means for public key
   distribution and verification of its authenticity are needed; the
   latter to prevent man-in-the-middle (MITM) attacks.

   This document proposes a new method to easily verify a public key is
   authentic by a Handshake process that allows users to easily verify
   their communication channel.  The new method is targeted to
   Opportunistic Security scenarios and is already implemented in
   several applications of pretty Easy privacy (pEp).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 1, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of



Marques & Hoeneisen      Expires January 1, 2019                [Page 1]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Problem Statement . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  Existing Solutions  . . . . . . . . . . . . . . . . . . .   4
   4.  The pEp Handshake Proposal  . . . . . . . . . . . . . . . . .   5
     4.1.  Verification Process  . . . . . . . . . . . . . . . . . .   5
       4.1.1.  Partial and Full Trustword Mapping  . . . . . . . . .   6
       4.1.2.  Display Modes . . . . . . . . . . . . . . . . . . . .   7
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  Implementation Status . . . . . . . . . . . . . . . . . . . .   8
     6.1.  Introduction  . . . . . . . . . . . . . . . . . . . . . .   8
     6.2.  Running Code  . . . . . . . . . . . . . . . . . . . . . .   8
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Appendix A.  Open Issues  . . . . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   In interpersonal messaging end-to-end encryption means for public key
   distribution and verification of its authenticity are needed.

   Examples for key distribution include:

   o  Exchange keys out-of-band before encrypted communication

   o  Use of centralized public key stores (e.g., OpenPGP Key Servers)

   o  Ship the public key in-band when communicating

   To prevent man-in-the-middle (MITM) attacks, additionally the
   authenticity of a public key needs to be verified.  Methods to
   authenticate public keys of peers include, e.g., verify digital
   signatures of public keys (which may be signed in an hierarchical or
   flat manner, e.g., by a Web of Trust (WoT)), compare the public key's




Marques & Hoeneisen      Expires January 1, 2019                [Page 2]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


   fingerprints via a suitable independent channel, or scan a QR mapping
   of the fingerprint (cf.  Section 3).

   This document proposes a new method to verify the authenticity of
   public keys by a Handshake process that allows users to easily verify
   their communication channel.  Fingerprints of the involved peers are
   combined and mapped to (common) Trustwords [I-D.birk-pep-trustwords].
   The successful manual comparison of the these Trustwords is used to
   consider the communication channel as trusted.

   The proposed method is already implemented and used in applications
   of pretty Easy privacy (pEp) [I-D.birk-pep].  This document is
   targeted to applications based on the pEp framework and Opportunistic
   Security [RFC7435].  However, it may be also used in other
   applications as suitable.

2.  Terms

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   o  Handshake: The process when Alice - e.g. in-person or via phone -
      contacts Bob to verify Trustwords (or by fallback: fingerprints)
      is called Handshake.  In more detail, this is described in this
      draft.

   o  Trustwords: A scalar-to-word representation of 16-bit numbers (0
      to 65535) to natural language words.  When doing a Handshake,
      peers are shown combined Trustwords of both public keys involved
      to ease the comparison.  [I-D.birk-pep-trustwords]

   o  Trust on First Use (TOFU): cf. [RFC7435]

   o  Man-in-the-middle attack (MITM): cf. [RFC4949]

3.  Problem Statement

   To secure a communication channel, in public key cryptography the
   each involved peer needs a key pair.  Its public key needs to be
   shared to other peers by some means.  However, the key obtained by
   the receiver may have been substituted or tampered with to allow for
   re-encryption attacks.  To prevent such man-in-the-middle (MITM)
   attacks, an important step is to verify the authenticity of a public
   key obtained.






Marques & Hoeneisen      Expires January 1, 2019                [Page 3]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


3.1.  Use Cases

   Such a verification process is useful in at least two scenarios:

   o  Verify channels to peers, e.g., to make sure opportunistically
      exchanged keys for end-to-end encryption are authentic.

   o  Verify channels between own devices (in multi-device contexts),
      e.g., for the purpose of importing and synchronizing keys among
      different devices belonging to the same user (cf.
      [E-D.birk-pep-keysync]).  This scenario is comparable to Bluetooth
      pairing before starting data transfers.

3.2.  Existing Solutions

   Current methods to authenticate public keys of peers include:

   o  Digitally signed public keys are verified by a chain of trust.
      Two trust models are common in today's implementations.

      *  Signing is carried out hierarchically, e.g. in a Public Key
         Infrastructure (PKI) [RFC5280], in which case the verification
         is based on a chain of trust with a Trust Anchor (TA) at the
         root.

      *  Signing of public keys is done in a flat manner (by a Web of
         Trust), e.g., key signing in OpenPGP [RFC4880], where users
         sign the public keys of other users.  Verification may be based
         on transitive trust.

   o  Peers are expected to directly compare the public key's
      fingerprints by any suitable independent channel - e.g, by phone
      or with a face-to-face meeting.  This method is often used in
      OpenPGP [RFC4880] contexts.

   o  The public keys' fingerprints are mapped into a QR code, which is
      expected to be scanned between the peers when they happen to meet
      face-to-face.  This method is e.g. used in the chat application
      Threema [threema].

   o  The public keys' fingerprints are mapped into numerical codes
      which decimal digits only, which makes the strings the humans need
      to compare longer and thus cumbersome.  This method is e.g. used
      in the chat application Signal [signal].

   Some of the methods can even be used in conjunction with Trustwords
   [I-D.birk-pep-trustwords] or the PGP Word list [PGP.wl].




Marques & Hoeneisen      Expires January 1, 2019                [Page 4]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


   None of the existing solutions meets all requirements set up by pEp
   [I-D.birk-pep], e.g.:

   o  Easy solution that can be handled easily by ordinary users

   o  In case privacy and security contradict each other, privacy is
      always preferred over security (e.g., the Web of Trust contradicts
      privacy)

   o  No central entities

   Most of today's systems lack easy ways for users to authenticate
   their communication channel.  Some methods leak private data (e.g.,
   their social graph) or depend on central entities.  Thus, none of
   today's systems fulfills all of the pEp requirements (cf. above).

4.  The pEp Handshake Proposal

   In pretty Easy privacy (pEp), the proposed approach for peers to
   authenticate each other is to engage in the pEp Handshake.

   In current pEp implementations (cf.  Section 6.2), the same kinds of
   keys as in OpenPGP are used.  Such keys include a fingerprint as
   cryptographic hash over the public key.  This fingerprint is normally
   represented in a hexadecimal form, consisting of ten 4-digit
   hexadecimal blocks, e.g.:

      8E31 EF52 1D47 5183 3E9D EADC 0FFE E7A5 7E5B AD19

   Each block may also be represented in decimal numbers from 0 to 65535
   or in other numerical forms, e.g.

   o  Hexadecimal: 8E31

   o  Decimal: 36401

   o  Binary: 1000111000110001

4.1.  Verification Process

   In the pEp Handshake the fingerprints of any two peers involved are
   combined and displayed in form of Trustwords
   [I-D.birk-pep-trustwords] for easy comparison by the involved
   parties.

   The default verification process involves three steps:

   1.  Combining fingerprints by XOR function



Marques & Hoeneisen      Expires January 1, 2019                [Page 5]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


       Any two peers' fingerprints are combined bit-by-bit using the
       Exclusive-OR (XOR) function resulting in the Combined Fingerprint
       (CFP).

   2.  Mapping result to Trustwords:

       The CFP is then mapped to 16-bit Trustwords (i.e., every 4-digit
       hexadecimal block is mapped to a given Trustword) resulting in
       the Trustword Mapping (TWM).

   3.  Verify Trustwords over independent channel

       The resulting Trustwords (TWM) are compared and verified over an
       independent channel, e.g., a phone line.  If this step was
       successful, the channel can be marked as authenticated.

4.1.1.  Partial and Full Trustword Mapping

   The more an ordinary user needs to contribute to a process, the less
   likely a user will carry out all steps carefully.  In particular, it
   was observed that a simple (manual) comparison of OpenPGP
   fingerprints is rarely carried out to the full extent, i.e., mostly
   only parts of the fingerprint are compared, if at all.

   For usability reasons and to create incentive for people to actually
   carry out Handshake (while maintaining an certain level of entropy),
   pEp allows for different entropy levels, i.e.:

   1.  Full Trustword Mapping (F-TWM) [aka Full Trustwords] MUST
       represent the maximum entropy achievable by the mapping.  This
       means all Trustwords of a TWM MUST be displayed and compared.

       e.g. the fingerprint

          F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC 3F13

       is mapped to:

          dog house brother town fat bath school banana kite task

   2.  Partial Trustword Mapping (P-TWM) [aka Short Trustwords] requires
       a number of Trustwords that MUST retain at least 64-bit of
       entropy.  This means while the first part of the TWM is displayed
       and compared, the remaining Trustwords are omitted.

       e.g. the fingerprint

          F482 E952 2F48 618B 01BC [ 31DC 5428 D7FA ACDC 3F13 ]



Marques & Hoeneisen      Expires January 1, 2019                [Page 6]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


       is mapped to:

          dog house brother town fat [ remaining Trustwords omitted ]

4.1.2.  Display Modes

   The pEp Handshake has three display modes for the verification
   process.  All of the following modes MUST be implemented:

   1.  P-TWM mode (default)

       By default the P-TWM SHOULD be displayed to the user for
       comparison and verification.  An easy way to switch to F-TWM mode
       MUST be implemented and an easy way to switch to fingerprint mode
       SHOULD be implemented.

   2.  F-TWM mode

       There are situations, where P-TWM is not sufficient (e.g.,
       communication parties that are more likely under attack), in
       which the F-TWM MAY be displayed to the user by default.  An easy
       way to switch to P-TWM mode MUST be implemented and an easy way
       to switch to fingerprint mode SHOULD be implemented.

   3.  Fingerprint mode (fallback)

       To retain compatibility to existing OpenPGP users (that know
       nothing about Trustwords), the fingerprint mode, a fallback to
       compare the original fingerprints (usually in hexadecimal form)
       MAY be used.  Easy ways to switch to P-TWM and F-TWM modes SHOULD
       be implemented.

   If the verification process was successful, the user confirms it,
   e.g. by setting a check mark.  Once the user has confirmed it, the
   trust level [E-D.birk-pep-trust-rating] for this channel MUST be
   updated accordingly.

5.  Security Considerations

   A (global) adversary can pre-generate all Trustwords any two users
   expect to compare and try to engage in MITM attacks which fit - it
   MUST NOT be assumed public keys and thus fingerprints to be something
   to stay secret, especially as in pEp public keys are aggressively
   distributed to all peers.  Also similar Trustwords can be generated,
   which spelled on the phone might sound very similar.






Marques & Hoeneisen      Expires January 1, 2019                [Page 7]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


6.  Implementation Status

6.1.  Introduction

   This section records the status of known implementations of the
   protocol defined by this specification at the time of posting of this
   Internet-Draft, and is based on a proposal described in [RFC7942].
   The description of implementations in this section is intended to
   assist the IETF in its decision processes in progressing drafts to
   RFCs.  Please note that the listing of any individual implementation
   here does not imply endorsement by the IETF.  Furthermore, no effort
   has been spent to verify the information presented here that was
   supplied by IETF contributors.  This is not intended as, and must not
   be construed to be, a catalog of available implementations or their
   features.  Readers are advised to note that other implementations may
   exist.

   According to [RFC7942], "[...] this will allow reviewers and working
   groups to assign due consideration to documents that have the benefit
   of running code, which may serve as evidence of valuable
   experimentation and feedback that have made the implemented protocols
   more mature.  It is up to the individual working groups to use this
   information as they see fit."

6.2.  Running Code

   In pEp for email [E-D.birk-pep-email] contexts, Handshakes are
   already implemented for the following platforms:

   o  Android, in pEp for Android - release [SRC.pepforandroid]

   o  Enigmail, in the Enigmail/pEp mode - release used for new Enigmail
      users of version 2.0 [SRC.enigmailpep]

   o  iOS, in pEp for iOS - not yet released [SRC.pepforios]

   o  Outlook, in pEp for Outlook - commercial release
      [SRC.pepforoutlook]

   In pEp for Outlook also keys from other devices can be imported by
   the Handshake method.

7.  Acknowledgements

   Special thanks to Volker Birk and Leon Schumacher who developed the
   original concept of the pEp Handshake.





Marques & Hoeneisen      Expires January 1, 2019                [Page 8]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


   This work was initially created by pEp Foundation, and then reviewed
   and extended with funding by the Internet Society's Beyond the Net
   Programme on standardizing pEp.  [ISOC.bnet]

8.  References

8.1.  Normative References

   [I-D.birk-pep]
              Birk, V., Marques, H., and S. Shelburn, "pretty Easy
              privacy (pEp): Privacy by Default", draft-birk-pep-02
              (work in progress), June 2018.

   [I-D.birk-pep-trustwords]
              Birk, V., Marques, H., and B. Hoeneisen, "IANA
              Registration of Trustword Lists: Guide, Template and IANA
              Considerations", draft-birk-pep-trustwords-02 (work in
              progress), June 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC7435]  Dukhovni, V., "Opportunistic Security: Some Protection
              Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
              December 2014, <https://www.rfc-editor.org/info/rfc7435>.

8.2.  Informative References

   [E-D.birk-pep-email]
              Birk, V. and H. Marques, "pretty Easy privacy (pEp):
              Secure and Trusted Email Communication", June 2018,
              <https://pep.foundation/dev/repos/internet-
              drafts/file/tip/pep-email/draft-birk-pep-email-NN.txt>.

              Early draft

   [E-D.birk-pep-keysync]
              Birk, V. and H. Marques, "pretty Easy privacy (pEp): Key
              Synchronization Protocol", June 2018,
              <https://pep.foundation/dev/repos/internet-
              drafts/file/tip/pep-keysync/
              draft-birk-pep-keysync-NN.txt>.



Marques & Hoeneisen      Expires January 1, 2019                [Page 9]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


              Early draft

   [E-D.birk-pep-trust-rating]
              Birk, V. and H. Marques, "pretty Easy privacy (pEp): Trust
              Rating System", June 2018,
              <https://pep.foundation/trac/browser/internet-drafts/pep-
              rating/draft-marques-pep-rating-00.txt>.

              Early draft

   [ISOC.bnet]
              Simao, I., "Beyond the Net. 12 Innovative Projects
              Selected for Beyond the Net Funding. Implementing Privacy
              via Mass Encryption: Standardizing pretty Easy privacy's
              protocols", June 2017, <https://www.internetsociety.org/
              blog/2017/06/12-innovative-projects-selected-for-beyond-
              the-net-funding/>.

   [PGP.wl]   "PGP word list", November 2017,
              <https://en.wikipedia.org/w/
              index.php?title=PGP_word_list&oldid=749481933>.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007,
              <https://www.rfc-editor.org/info/rfc4880>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,
              <https://www.rfc-editor.org/info/rfc7942>.

   [signal]   "Signal", n.d., <https://signal.org/>.

   [SRC.enigmailpep]
              "Source code for Enigmail/pEp", June 2018,
              <https://enigmail.net/index.php/en/download/source-code>.

   [SRC.pepforandroid]
              "Source code for pEp for Android", June 2018,
              <https://pep-security.lu/gitlab/android/pep>.




Marques & Hoeneisen      Expires January 1, 2019               [Page 10]


Internet-Draft     pretty Easy privacy (pEp) Handshake         June 2018


   [SRC.pepforios]
              "Source code for pEp for iOS", June 2018,
              <https://pep-security.ch/dev/repos/pEp_for_iOS/>.

   [SRC.pepforoutlook]
              "Source code for pEp for Outlook", June 2018,
              <https://pep-security.lu/dev/repos/pEp_for_Outlook/>.

   [threema]  "Threema - Seriously secure messaging", n.d.,
              <https://threema.ch>.

Appendix A.  Open Issues

   [[ RFC Editor: This section should be empty and is to be removed
   before publication ]]

   o  Add description for further processes to change the trust level,
      e.g., to remove trust or even mistrust a peer and alike.

Authors' Addresses

   Hernani Marques
   pEp Foundation
   Oberer Graben 4
   CH-8400 Winterthur
   Switzerland

   Email: hernani.marques@pep.foundation
   URI:   https://pep.foundation/


   Bernie Hoeneisen
   Ucom Standards Track Solutions GmbH
   CH-8046 Zuerich
   Switzerland

   Phone: +41 44 500 52 44
   Email: bernie@ietf.hoeneisen.ch (bernhard.hoeneisen AT ucom.ch)
   URI:   https://ucom.ch/












Marques & Hoeneisen      Expires January 1, 2019               [Page 11]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/