Year of the OX

XMPP-Meetup Berlin, 10.2.2021, 18:00 CET
Online - https://meet.in-berlin.de/YearOfTheOX (Please don't post on public social media - save us from jitsi bombing)

Buffalo Bull Ruminant

Topic: OpenPGP for XMPP (OX)

Agenda

18:00 - Welcome chat
18:15 - Talk: OpenPGP for XMPP [slides] (Holger)
18:30 - Panel: Introduction of panelists, comments and additions
18:45 - Panel: Initial questions
19:00 - Panel: Questions from the audience
19:30 - Open discussion

Panelists

DebXWoody - implementor of OX in Profanity
defanor - implementor of OX in rexmpp
Florian - co-author of the OX standards
lovetox - implementor of OX for Gajim
Paul - implementor of OX in Smack

Questions

Initial questions (moderator)

Please introduce yourself and tell us about your relationship with XMPP.
Do you have any comments or additions to Holger's talk?
Why did you implement OX and what is your use case?
What makes OX interesting for you compared to other encryption protocols, like OMEMO?
Do you have any security concerns related to this specification?

Questions from the audience

OX uses only one key pair per account not per device: Will it be easier to access old messages from archive on a new device? (debacle)
- Answer: Yes.
In company context or similar, will a key escrow scheme is probably easier to implement than with OMEMO? (debacle)
- Answer: It is probably easy, esp. by just storing the primary key somewhere.
Depending on implementation it might be possible to use a crypto token, such as Nitrokey or Yubikey? (debacle)
- Answer: Possible, but very difficult for client design (lovetox), i.e. how should the client behave when the key is not available. Also not well usable with mobile phones (DebXWoody).
With the evolution of computers, especially quantum computers these days, do you think OpenPGP and OX is the way to go and a solid solution for end-to-end encryption in the future? (Jeybe)
- if quantum computers become a thing, we have bigger problems -> rabbit hole
- quantum computing can solve specific currently unsolvable problems, but not all
- there is ongoing research for algorithms that are resistant to quantum computer attacks, also encryption algorithms based on quantum computing
- OpenPGP is agnostic to the algorithms it uses: new algorithms added to OpenPGP may mitigate the problem and can be added without reimplemeting everything
- both clients need to support the new algorithm
- elliptic curves are not resistant to quantum computing wiki pdf
- potential (minimal) advantage of OX: symmetric encryption might be less affected by quantum computers; while OMEMO and asymmetric encryption is f** anyway
What has to be done to implement group encryption? (marek)
- needs to be specified and implemented - ideally by the same person/group
- smaller group chats are easier to implement
- MLS (message layer security) IETF standard seems better for bigger group chats
- for bigger groups message encryption is most likely not as important as for smaller groups
What is the primary goal of OX: To be an E2EE solution for those who prefer it for whatever reason (Nerds ;-)) or is the intention to actually bring OpenPGP for instant messaging to the masses? (Jeybe)
- Multiple goals: IoT as well as bridge between nerds and normal users
- Also: To be compatible to the different clients
- one fingerprint is an advantage over multiple - easier for the masses
- why divide the user base into nerds and normal users? You can use your own key if you want or a generated one if you don't care
- OX can be even easier than OMEMO for the user (in theory)
- OpenPGP/OX may be used in conjunction with OMEMO to enable easier fingerprint verification on the latter? -> See Keyoxide, with which you can sign your JID and the corresponding OMEMO fingerprints (paul)
Maybe OX can be used to sign public messages or posts in Movim or Libervia or other XMPP based social networks? (debacle)
- https://keyoxide.org/guides/xmpp
- Might be tricky (Flow), because of XML normalization or lack thereof. But there is a middle ground: if the use case is known, specify how the to-be-signed bytes are calculated
- If you know the structure of the data, you can know what parts to sign
- Many social networks are web-based so you basically have to trust the application server, too; so another option would be to leave the verfication up to the provider
Anyone knows any good GPG Python libraries? (lovetox)
- https://sequoia-pgp.org/projects/
- GPGME has a Python binding
Daniel, are you (already) considering to add OX to Conversations? (felix)
- Yes, but no high priority at the moment
- Autocrypt for lttrs is similar to OX - maybe it is going to be implemented as a library reusable for Conversations
- OX is not considered as a replacement for OMEMO but for XEP-0027
  - There is usage/need for forward secrecy
OpenKeychain as a manager for keys might not be needed once Autocrypt is implemented (Daniel)
- centralized manager might be handy though
- PEP is like a Web Key Directory for uploading the keys (DebXwoody)
If I understand OMEMO correctly, then the keys are changed whereas OpenPGP keys are static. So, it would be possible to keep OpenPGP keys in a TPM, but it is not possible to store OMEMO keys there. Is that correct? That seems like a significant security advantage (neal)
- OMEMO messages are en- and decrypted using the ratchet, which always changes. Identity key is not needed for every rachet move and might be placed in TPM, but not sure what that brings to the table - so OX is more suitable for TPM
How can a normal user transfer a private (generated) key from one device (device lost or broken) to another device? (Holger)
- if PEP is used - key should not be stored there for a long time (DebXwoody)
- Either you trust or don't trust the backup password (Paul)
- Maybe ask the Delta Chat developers how they do it

Minutes

30 people (this is crazy!) :-)
end-to-end-encryption (E2EE) is not a feature of "core" XMPP
there were multiple attempts to add it as an extension (XMPP is all about extensions)
modern: OMEMO, OX (our topic today)
PGP is from the 90s
used to be used extensively in e-mail communication
sign and encrypt
OMEMO is more modern, includes forward secrecy
trade-off: usability vs secrecy
legacy PGP doesn't do everything ~~you~~ Holger wants
OX solves (many or all of) these problems
- key exchange via PEP (publish and subscribe technology in XMPP)
- encryption + signing
- operates on all kinds of XML elements
- mitigates replay attacks by using address/timestamp
- …
https://wiki.xmpp.org/web/XMPP_E2E_Security
https://conversations.im/omemo
DebXWoody: PGP has advantages over OMEMO; you don't have tons of keys all over the place; using a device like a Nitrokey, you can quickly and effortlessly encrypt everywhere in a secure manner
defanor: (sorry, I had bad audio, add a sentence here…)
Flow: there was a gap between E2E encryption with forward secrecy and "no encryption at all"
- old XEP horrible ;-)
- we need to raise the floor for end-to-end encryption
- (some) encryption is better than no encryption
Paul: works on Smack
- Google summer of code OMEMO + OX
- OX is like "the older brother" of OMEMO
OMEMO vs OX
- Message history: with OMEMO it needs to be decrypted on the device, with PGP you can choose to have it either way
- OX allows for revocation
- OX allows for multiple algorithms
- the identity a key is assigned to can be within the key with OX
lovetox: current maintainer of Gajim
- OX has full stanza encryption (we need that)
- full archive on the server is possible
- OX is more complex
- people bring their existing PGP keys, you need to "pick them up" somehow
- application (?!)…
OX specification was build to serve many use cases
not every possibility needs to be exposed to the user/application
it is probably a good idea to make things (as) simple (as you can) for the user
possible solution for applications (like Gajim): let the "pros" upload/insert their key into the application, otherwise just generate a key out of thin air
keys can also be unencrypted PGP subkeys
on a compromised machine the unencrypted PGP key is easy to be stolen - nothing new
OpenPGP key ID cannot be extracted from an encrypted key
- XEP 0373
- if you use more than one key, you cannot distinguish them
Why is the Symmetric Key Encrypted Session Key Packet to backup the secret key chosen over the OpenPGP packet specified for this purpose?
More information about OX and further discussion in the XMPP wiki tech page
There's also a XEP remarks page
Flow: Experiences from implementation should flow back into the specifications. This is currently a problem with the XMPP community

In other news

cognitive project about communication with services to get answers to a search term. Answers might take a long time. (eevvoor)

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.