Lemonade
Internet Draft: LZIP                                         S. H. Maes
Document: draft-maes-lemonade-xencrypted-00                 R. Cromwell
                                                              (Editors)
Expires: August 2006                                      February 2006


                               XENCRYPTED

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   Some deployment models for Lemonade [LEMONADEPROFILE] may require a
   non-pass-through proxy to fit OMA requirements. The proxy sits
   between the client and the backend Lemonade server, executes
   commands on behalf of the client, and rewrites some of the
   responses. XENCRYPTED introduces a new encrypted literal type that
   allows the backend Lemonade server to end-to-end encrypt sensitive
   data returned from the mail store, such as message bodies and
   headers.

Conventions used in this document

   In examples, "C:" and "S:" indicate lines sent by the client and
   server respectively.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   An implementation is not compliant if it fails to satisfy one or
   more of the MUST or REQUIRED level requirements for the protocol(s)
   it implements. An implementation that satisfies all the MUST or
   REQUIRED level and all the SHOULD level requirements for a protocol
   is said to be "unconditionally compliant" to that protocol; one that
   satisfies all the MUST level requirements but not all the SHOULD
   level requirements is said to be "conditionally compliant."

   When describing the general syntax, some definitions are omitted as
   they are defined in [RFC3501].

Table of Contents

   Status of this Memo
   Copyright Notice
   Abstract
   Conventions used in this document
   Table of Contents
   1. Introduction
   2. The CAPABILITY Command
   3. XENCRYPTED literal
   4. Formal Syntax
   Security Considerations
   References
   Future Work
   Version History
   Acknowledgments
   Authors Addresses
   Intellectual Property Statement
   Disclaimer of Validity
   Copyright Statement

1. Introduction

   XENCRYPTED introduces a new encrypted literal type which allows a
   Lemonade IMAP server to perform end-to-end encryption on selected
   message attributes such as headers and body parts, as well as
   allowing the client to encrypt selected literals.

   XENCRYPTED is designed to lower some of the security risks inherent
   in a proxy deployment model that are required by OMA and desired by
   mobile operators. [MEMAIL][OMA-ME-RD]

2. The CAPABILITY Command

   Servers which support XENCRYPTED MUST return "XENCRYPTED" in the
   response list to a capability command, followed by "=" and the
   algorithm used.

   Example: A LEMONADE server that implements XENCRYPTED

      C: a001 CAPABILITY
      S: * CAPABILITY IMAP4rev1 AUTH=LOGIN IDLE XENCRYPTED=3DES
      S: a001 OK CAPABILITY completed

3. XENCRYPTED literal

   To support selective encryption of any value returned in the
   response, a new encrypted literal is introduced that parallels the
   techniques used by IMAP [BINARY] literal and [LITERAL+] and is
   designed to work in conjunction with them.

   It is expected that untrusted users such as operator proxies will
   log in on behalf of the user with separate credentials. A server
   which recognizes an untrusted proxy user SHOULD encrypt all message
   envelope data as well as body parts with encrypted literals. The
   server must apply this rule even to [URLAUTH]/[BURL] requests.

   Upon recognizing an encrypted literal, the client decodes the
   literal according to the content transfer encoding used, followed by
   decryption according to the algorithm specified in the capability
   response.
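
   The client-side handling described above, up to the point where
   decryption would start, as an added example that is not part of the
   draft: it reads the algorithm from the CAPABILITY response and
   parses both header forms of the literalx rule in Section 4. The
   function names and sample octets are constructed for illustration;
   decryption is omitted because the draft defines neither the key
   exchange nor the cipher mode.

```python
import base64
import re

# literalx headers from the draft: "~{X" number ["+"] "}" CRLF (raw octets
# follow) or "{X" number ["+"] "}" CRLF (base64 text follows).
HEADER = re.compile(rb"(~?)\{X(\d{1,10})(\+?)\}\r\n")


def xencrypted_algorithm(capability_line):
    """Return the algorithm advertised as XENCRYPTED=<alg>, or None."""
    for token in capability_line.split():
        name, sep, alg = token.partition("=")
        if name.upper() == "XENCRYPTED" and alg:
            return alg
    return None


def read_literalx(buf, offset=0):
    """Parse one encrypted literal at buf[offset:]; return (ciphertext, end).

    Assumption: `number` counts the octets on the wire after CRLF, as for
    ordinary IMAP literals; the draft does not state this.
    """
    m = HEADER.match(buf, offset)
    if m is None:
        raise ValueError("not an XENCRYPTED literal header")
    end = m.end() + int(m.group(2))
    if end > len(buf):
        raise ValueError("literal truncated")
    payload = buf[m.end():end]
    if m.group(1) != b"~":
        # Base64 form: strict decoding rejects non-alphabet bytes.
        payload = base64.b64decode(payload, validate=True)
    return payload, end


def extract(response):
    """Locate the first literalx header in a response and parse it."""
    m = HEADER.search(response)
    if m is None:
        raise ValueError("no XENCRYPTED literal in response")
    return read_literalx(response, m.start())


# Constructed sample data (not from the draft): stand-in ciphertext octets.
SAMPLE_CT = bytes.fromhex("8f3a11c0de55aa07")
BINARY_RESPONSE = b"* 2 FETCH (BINARY[1] ~{X8}\r\n" + SAMPLE_CT + b")\r\n"
BASE64_RESPONSE = (b"* 2 FETCH (BINARY[1] {X12}\r\n"
                   + base64.b64encode(SAMPLE_CT) + b")\r\n")
```

   Both sample responses yield the same ciphertext octets, which is all
   a proxy relaying them can observe; truncated literals and malformed
   base64 raise ValueError instead of being passed on to a decryptor.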

   If the client wishes to send an encrypted literal, such as during an
   APPEND, it first encrypts the payload and then sends the literal
   with the content transfer encoding of its choice (8-bit or base64).

   Example: logged in as user john.smith+proxy, XENCRYPTED=3DES
   returned in CAPABILITY response

      C: a1 FETCH 2 BINARY[1]
      S: * 2 FETCH (BINARY[1] ~{X123}
      S: ...binary and encrypted with 3DES data...
      S: )
      S: a1 OK FETCH completed

   The mechanism for key exchange is not defined in this document as of
   yet, but is discussed in the Security Considerations section.

4. Formal Syntax

   The following syntax specification uses the Augmented Backus-Naur
   Form (ABNF) notation. Elements not defined here can be found in the
   formal syntax of the [ABNF], [RFC3501], and [ABNFEXTEND].

   The create ABNF grammar in [RFC3501] is hereby modified to the
   grammar defined in [ABNFEXTEND]

      literalx = "~{X" number ["+"] "}" CRLF *BINCHAR
               / "{X" number ["+"] "}" CRLF base64

      string   =/ literalx

      BINCHAR  = <0x00 - 0xFF>

Security Considerations

   In some proxy deployments, the client may connect to a proxy that
   sits in an operator network, but the backend email storage server
   sits in a separate network (e.g. enterprise). The enterprise network
   is assumed to be secure, but the operator network may not be
   trusted. If unencrypted information lies in the operator network,
   that information is vulnerable to attacks.

   If no operator specific enhancements are being added by an operator
   proxy, then an SSL pass-through proxy with SASL authentication is a
   far lower risk.

   If a server is implemented with additional command processing done
   on the proxy, there are more complex security issues. This proxy
   must be able to send commands to the backend email server to
   accomplish its tasks, as well as read information coming from the
   backend server. An attacker who compromises the proxy thus can send
   commands to the backend to change the state of the mail storage,
   possibly corrupting it.
   In addition, it can read responses from the mail server that might
   contain confidential email information. This proxy may also send
   bogus responses back to the client. Clearly, this setup is not ideal
   and exposes numerous risks.

   XENCRYPTED is not intended to solve all of these problems; it is
   only intended to solve the problem of information confidentiality
   for the message store. Untagged XENCRYPTED literals should be used
   in FETCH responses which contain encrypted message information to be
   passed through the Lemonade proxy on the operator network.

   The key exchange for encryption should not occur through the proxy
   due to the risk of man-in-the-middle attacks. It has to be done
   through another channel, such as manual entry by the user (e.g.
   password), or via an out-of-band protocol, such as an HTTP SSL
   request to the enterprise server or the key exchange mechanism via
   outband notifications as proposed in [NOTIFICATIONS].

   Any other additional server responses containing sensitive
   information (passwords, etc.) should be XENCRYPTED.

   It is beyond the scope of this document to define the implementation
   of transcoding services. In general, it is recommended that they
   reside within the same domain as the IMAP server, and are not
   performed by third party services, which may compromise the privacy
   of the data being transcoded. A proxy implementation of transcoding
   cannot be secured by XENCRYPTED.

References

   [BURL] Newman, C., "Message Composition",
      draft-ietf-lemonade-burl-xx (work in progress).

   [LEMONADEPROFILE] Maes, S.H. and Melnikov A., "Lemonade Profile",
      draft-ietf-lemonade-profile-XX.txt, (work in progress).

   [MEMAIL] Maes, S.H., "Lemonade and Mobile e-mail",
      draft-maes-lemonade-mobile-email-xx.txt, (work in progress).

   [NOTIFICATIONS] Maes, S.H., "Lemonade notifications and filters",
      draft-ietf-lemonade-notifications-0x (work in progress).

   [OMA-ME-RD] Open Mobile Alliance Mobile Email Requirement Document,
      (Work in progress). http://www.openmobilealliance.org/

   [P-IMAP] Maes, S.H., Lima R., Kuang, C., Cromwell, R., Ha, V. and
      Chiu, E., Day, J., Ahad R., Jeong W-H., Rosell G., Sini, J.,
      Sohn S-M., Xiaohui F. and Lijun Z., "Push Extensions to the IMAP
      Protocol (P-IMAP)", draft-maes-lemonade-p-imap-xx.txt, (work in
      progress).

   [RFC2119] Bradner, S. "Keywords for use in RFCs to Indicate
      Requirement Levels", RFC 2119, March 1997.
      http://www.ietf.org/rfc/rfc2119

   [RFC3501] Crispin, M. "IMAP4, Internet Message Access Protocol
      Version 4 rev1", RFC 3501, March 2003.
      http://www.ietf.org/rfc/rfc3501

   [BINARY] Nerenberg, L. "IMAP4 Binary Content Extension", RFC3516,
      April 2003. http://www.ietf.org/rfc/rfc3516

   [URLAUTH] Crispin, M., "Internet Message Access Protocol (IMAP) -
      URLAUTH Extension", draft-ietf-lemonade-urlauth-08 (work in
      progress), October 2005.

Future Work

   - Allow multiple encryption schemes? (CAPABILITY
     XENCRYPTED=3DES,RC4,AES etc)
   - Allow client to select preferred algorithm
   - Enhanced security concerns section, dealing with proxy hiding
     stronger encryption schemes
   - MUST implements (3DES?)
   - Key Management, how to provision and revoke keys. MUST haves? Can
     SASL be leveraged to generate a session key which is not subject
     to man-in-the-middle?

Version History

   Release 00
      Initial release published in February 2006

Acknowledgments

   The following contributed to the authoring of XENCRYPTED.

   The authors want to thank all who have contributed key insight and
   extensively reviewed and discussed the concepts of LPSEARCH and its
   early introduction P-IMAP [P-IMAP]. In particular, this includes the
   authors of the P-IMAP draft: Rafiul Ahad - Oracle Corporation,
   Eugene Chiu - Oracle Corporation, Ray Cromwell - Oracle Corporation,
   Jia-der Day - Oracle Corporation, Vi Ha - Oracle Corporation,
   Wook-Hyun Jeong - Samsung Electronics Co. LTF, Chang Kuang - Oracle
   Corporation, Rodrigo Lima - Oracle Corporation, Stephane H. Maes -
   Oracle Corporation, Gustaf Rosell - Sony Ericsson, Jean Sini -
   Symbol Technologies, Sung-Mu Son - LG Electronics, Fan Xiaohui -
   CHINA MOBILE COMMUNICATIONS CORPORATION (CMCC), Zhao Lijun - CHINA
   MOBILE COMMUNICATIONS CORPORATION (CMCC).

Authors Addresses

   Stephane H. Maes
   Oracle Corporation
   500 Oracle Parkway
   M/S 4op634
   Redwood Shores, CA 94065
   USA
   Phone: +1-650-607-6296
   Email: stephane.maes@oracle.com

   Ray Cromwell
   Oracle Corporation
   500 Oracle Parkway
   Redwood Shores, CA 94065
   USA

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.