Simple Encryption for XMPP (alt: Strawman Encrypted eXchange)

Goal: low-complexity minimal E2EE library for modern XMPP use cases

Design decisions:

• SEX follows KISS principle
• use of libsodium / NaCl wire format (low complexity and dependencies; excludes OMEMO, PGP)
• explicitly no Perfect Forward Secrecy (to allow easier device onboarding from MAM; excludes OMEMO, OTR)
• weak / no replay attack protection (display timestamps in the UI?)
• multi-device, but no per-device keys (excludes OMEMO)
• no frills
• no cryptowhores

Notation: [b64-xyz] is the url-safe base64 encoding of xyz

1:1 Message Encryption

Input:

• own keypair
• recipient’s public key (unverified from a PEP node, verified via “Key Exchange”)
• message payload XML, MUST have delay tag (msg)

<message from="bare" to="bare">
  <delay .../>
  <body>Look at my yak!</body>
  <oob url="...yakpic..."/>
</message>

Encryption:

1. Create nonce: nonce = randombytes_buf(sizeof nonce)
2. Encrypt message: box = crypto_box(msg, nonce, recipient_pk, my_sk)
3. Send

<message to="recipient">
  <box xmlns="urn:xmpp:sex:0" nonce="[b64-nonce]">
    [b64-box]
  </box>
</message>

Decryption:

1. Decrypt payload XML: msg = crypto_box_open(box,nonce,sender_pk,my_sk)

1:N Message Encryption

• own keypair
• list of [recipient, public key]
• message payload XML (msg)

Encryption:

1. Create nonce: nonce = randombytes_buf(sizeof nonce)
2. Create symmetric key: key = crypto_secretbox_keygen()
3. Encrypt message: sbox = crypto_secretbox_easy(msg, nonce, key)
4. Encrypt key for each recipient:
   • keynonce[i] = randombytes_buf(sizeof keynonce[i])
   • keybox[i] = crypto_box(key, keynonce[i], recipient_pk[i], my_sk)
5. Send

<message to="groupchat">
  <multibox xmlns="urn:xmpp:sex:0">
    <keybox nonce="[b64-keynonce[0]]">[b64-keybox[0]]</keybox>
    ...
    <keybox nonce="[b64-keynonce[N]]">[b64-keybox[N]]</keybox>
    <box nonce="[b64-nonce]">
      [b64-sbox]
    </box>
  </multibox>
</message>

Decryption:

TODO

Key Exchange (optional)

The key exchange is an optional protocol to reliably transmit a given secret token between two devices. A possible use case is “masturbation”: synchronize your private key from one of your devices to another (have SEX with yourself).

Goal:

• mutual authentication of two devices to transmit especially sensitive data
  • either user’s old device and user’s new device
  • or user’s device and friend’s device

There are two entities, “client” and “server” (in libsodium parlance):

• “server” is the device showing a QR code
• “client” is the device scanning it and requesting the key exchange

Protocol flow:

1. Server creates key pair: crypto_kx_keypair(server_pk, server_sk)
2. Client creates key pair: crypto_kx_keypair(client_pk, client_sk)
3. Server displays QR code: xmpp:serveruser@domain/resource;sex=[b64-server_pk]
4. Client scans QR code
5. Client performs handshake: crypto_kx_client_session_keys(client_rx, client_tx, client_pk, client_sk, server_pk)
6. Client encrypts own public key with symmetric secret key:
   • keynonce = randombytes_buf(sizeof keynonce)
   • keybox = crypto_secretbox_easy(user_pk, keynonce, client_tx)
7. Client sends SEX-KEX (key exchange) message:

<iq to="serveruser@domain/resource" id="f00">
  <sexkex xmlns="urn:xmpp:sex:0">
    <keybox nonce="[b64-keynonce]" pubkey="[b64-client_pk]">[b64-keybox]</keybox>
  </sexkex>
</iq>