March 2006 Lemonade Internet Draft: XENCRYPTED S. H. Maes Document: draft-maes-lemonade-xencrypted-01 R. Cromwell (Editors) Expires: September 2006 March 2006 XENCRYPTED Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (2006). Abstract Some deployment models for Lemonade [LEMONADEPROFILE] may require a non-pass-through proxy to fit OMA requirements. The proxy sits between the client and the backend Lemonade server and executes commands on behalf of the client, and rewriting some of the responses. XENCRYPT introduces a new encrypted literal type that allows the backend Lemonade server to end-to-end encrypt sensitive Maes Expires – September 2006 [Page 1]  March 2006 data returned from the mail store, such as message bodies and headers. Conventions used in this document In examples, "C:" and "S:" indicate lines sent by the client and server respectively. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. An implementation is not compliant if it fails to satisfy one or more of the MUST or REQUIRED level requirements for the protocol(s) it implements. An implementation that satisfies all the MUST or REQUIRED level and all the SHOULD level requirements for a protocol is said to be "unconditionally compliant" to that protocol; one that satisfies all the MUST level requirements but not all the SHOULD level requirements is said to be "conditionally compliant." When describing the general syntax, some definitions are omitted as they are defined in [RFC3501]. Table of Contents Status of this Memo...............................................1 Copyright Notice..................................................1 Abstract..........................................................1 Conventions used in this document.................................2 Table of Contents.................................................2 1. Introduction...................................................2 2. The CAPABILITY Command.........................................3 3. XENCRYPTED literal.............................................3 4. Key Management / Provisioning..................................4 5. Formal Syntax..................................................4 Security Considerations...........................................4 References........................................................6 Future Work.......................................................7 Version History...................................................7 Acknowledgments...................................................7 Authors Addresses.................................................8 Intellectual Property Statement...................................8 Disclaimer of Validity............................................8 Copyright Statement...............................................9 Acknowledgement...................................................9 1. Introduction Maes Expires – September 2006 [Page 2]  March 2006 XENCRYPTED introduces a new encrypted literal type which allows a Lemonade IMAP server to perform end-to-end encryption on selected message attributes such as headers and body parts, as well as allowing the client to encrypt selected literals. XENCRYPTED is designed to lower some of the security risks inherent in a proxy deployment model that are required by OMA and desired by mobile operators. [MEMAIL][OMA-ME-RD] 2. The CAPABILITY Command Servers which support XENCRYPTED MUST return ‘XENCRYPTED’ in the response list to a capability command followed ‘=’ and the algorithm used. Example: A LEMONADE server that implements XENCRYPTED C: a001 CAPABILITY S: * CAPABILITY IMAP4rev1 AUTH=LOGIN IDLE XENCRYPTED=3DES S: a001 OK CAPABILITY completed 3. XENCRYPTED literal To support selective encryption of any value returned in the response, a new encrypted literal is introduced that parallels the techniques used by IMAP [BINARY] literal and [LITERAL+] and is designed to work in conjunction with them. It is expected that untrusted users such as operator proxies will log in on behalf of the user with separate credentials. A server which recognizes an untrusted proxy user SHOULD encrypt all message envelope data as well as body parts with encrypted literals. The server must apply this rule even to [URLAUTH]/[BURL] requests. Upon recognizing and encrypted literal, the client decodes the literal according to content transfer encoding used, followed by decryption decoding according to the algorithm specified in the capability response. If the client wishes to send an encrypted literal, such as during an APPEND, it first encrypts the payload according to the encryption method, and sends the literal with content transfer encoding of its choice (8-bit or base64) Example: logged in as authorization identity (user john.smith+proxy), XENCRYPTED=3DES returned in CAPABILITY response C: a1 FETCH 2 BINARY[1] Maes Expires – September 2006 [Page 3]  March 2006 S: * 2 FETCH (BINARY[1] ~{X123} S: …binary and encrypted with 3DES data… S: ) C: a1 FETCH completed 4. Key Management / Provisioning The key used to encrypt data using algorithms such as 3DES or AES, must be computed or provisioned into the device. If the client uses SASL [RFC2222] to authenticate, then a session key should be computed according to Section 2.4 of [RFC2831]. Otherwise, a key must be provisioned via a mechanism which is out-of-band with respect to the proxy server, either through an alternate TCP or HTTP mechanism, such as a TLS or HTTPS connection, a secure SMS, or manually by user entry of a shared secret. The user’s password or shared secret with the server may also be used to derive this key. 5. Formal Syntax The following syntax specification uses the Augmented Backus-Naur Form (ABNF) notation. Elements not defined here can be found in the formal syntax of the [ABNF], [RFC3501], and [ABNFEXTEND]. The create ABNF grammar in [RFC3501] is hereby modified to the grammar defined in [ABNFEXTEND] literalx = “~{X“ number [“+”] “}“ CRLF *BINCHAR / “{X” number [“+”] “}” CRLF base64 string =/ literalx BINCHAR = <0x00 – 0xFF> ; encrypted data payload ; subject to RFC2630 Section 6.3 padding before encrypting Security Considerations In some proxy deployments, the client may connect to a proxy that sits in an operator network, but the backend email storage server sits in a separate network (e.g. enterprise). The enterprise network is assumed to be secure, but the operator network may not be trusted. If unencrypted information lies in the operator network, that information is vulnerable to attacks. Maes Expires – September 2006 [Page 4]  March 2006 If no operator specific enhancements are being added by an operator proxy, then an SSL pass-through proxy with SASL authentication is a far lower risk. If a server is implemented with additional command processing done on the proxy, there are more complex security issues. This proxy must be able to send commands to the backend email server to accomplish its tasks, as well as read information coming from the backend server. An attacker who compromises the proxy thus can send commands to the backend to change the state of the mail storage, possibly corrupting it. In addition, it can read responses from the mail server that might contain confidential email information. This proxy may also send bogus responses back to the client. Clearly, this setup is not ideal and exposes numerous risks. In addition, if an SMTP proxy is used, the SMTP proxy may, in collusion with the IMAP proxy, create a URLAUTH for any message it wishes to steal, and then use BURL+SMTP to forward messages to an outside mailbox of its choice. XENCRYPTED is not intended to solve all of these problems, it is only intended to solve the problem of information confidentiality for the message store. Untagged XENCRYPTED literals should be used in FETCH responses, which contain encrypted message information to be passed through the Lemonade proxy on the operator network. The key exchange for encryption should not occur through the proxy using any mechanism subject to man-in-the-middle attacks. If necessarily, it can be done through another channel such as manually entered by user (e.g. password), or via an out of band protocol, such as an HTTP SSL request to the enterprise server or the key exchange mechanism via outband notifications as proposed in [NOTIFICATIONS]. Any other additional server responses containing sensitive information (passwords, etc.) should be XENCRYPTED. Currently, the encrypted literals are subject to replay attacks against the client, wherein the proxy may substitute actual server returned encrypted literals with previously returned encrypted literals, allowing the proxy to mix-and-match IMAP data, such as attaching envelope parameters from one message onto body parts from another, effectively spoofing and manipulating authorship. The risk from this is deemed low, but future drafts may include protection against replay, but incorporating more of SASL’s confidentiality and integrity protection, only at the object level of literals, as opposed to the entire stream. Maes Expires – September 2006 [Page 5]  March 2006 It is beyond the scope of this document to define the implementation of transcoding services. In general, it is recommended that they reside within the same domain as the IMAP server, and are not performed by third party services, which may compromise the privacy of the data being transcoded. A proxy implementation of transcoding cannot be secured by XENCRYPTED, but it may be feasible in the future to define an extension to allow the client to selectively choose parts of the message that can be decrypted. References [BURL] Newman, C., "Message Composition", draft-ietf-lemonade-burl-xx (work in progress). [LEMONADEPROFILE] Maes, S.H. and Melnikov A., "Lemonade Profile", draft-ietf-lemonade-profile-XX.txt, (work in progress). [LITERAL+] Myers, J., "IMAP4 non-synchronizing literals", RFC 2088, January 1997. [MEMAIL] Maes, S.H., “Lemonade and Mobile e-mail", draft-maes- lemonade-mobile-email-xx.txt, (work in progress). [NOTIFICATIONS] Maes, S.H. , "Lemonade notifications and filters", draft-ietf-lemonade-notifications-0x (work in progress). [OMA-ME-RD] Open Mobile Alliance Mobile Email Requirement Document, (Work in progress). http://www.openmobilealliance.org/ [P-IMAP] Maes, S.H., Lima R., Kuang, C., Cromwell, R., Ha, V. and Chiu, E., Day, J., Ahad R., Jeong W-H., Rosell G., Sini, J., Sohn S-M., Xiaohui F. and Lijun Z., "Push Extensions to the IMAP Protocol (P-IMAP)", draft-maes-lemonade-p-imap-xx.txt, (work in progress). [RFC2119] Brader, S. "Keywords for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. http://www.ietf.org/rfc/rfc2119 [RFC2222] Myers, J. "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997. http://www.ietf.org/rfc/rfc2222 [RFC2831] Leach, P., and Newman, C. "Using Digest Authentication as a SASL Mechanism", RFC 2831, May 2000. http://www.ietf.org/rfc/rfc2831 Maes Expires – September 2006 [Page 6]  March 2006 [RFC3501] Crispin, M. "IMAP4, Internet Message Access Protocol Version 4 rev1", RFC 3501, March 2003. http://www.ietf.org/rfc/rfc3501 [BINARY] Nerenberg, L. “IMAP4 Binary Content Extension”, RFC3516, April 2003. http://www.ietf.org/rfc/rfc3516 [URLAUTH] Crispin, M., "Internet Message Access Protocol (IMAP) - URLAUTH Extension", draft-ietf-lemonade-urlauth-08 (work in progress), October 2005. Future Work - Rationalize integrity and confidentiality mechanism with SASL mechanism - More rigorous enumeration and definition of out-of-band key exchange mechanisms - Mechanism to prohibit proxy from obtaining URLAUTHs except as those specifically requested by client - Client Selective reveal of data for transcoding - Allow multiple encryption schemes? (CAPABILITY XENCRYPTED=3DES,RC4,AES etc) - Allow client to select preferred algorithm - Enhanced security concerns section, dealing with proxy hiding stronger encryption schemes - MUST implements (3DES?) Version History Release 01 Add reference to block cipher padding mechanism used Add initial key management recommendations Release 00 Initial release published in February 2006 Acknowledgments The following contributed to the authoring of XENCRYPTED. The authors want to thank all who have contributed key insight and extensively reviewed and discussed the concepts of LPSEARCH and its early introduction P-IMAP [P-IMAP]. In particular, this includes the authors of the P-IMAP draft: Rafiul Ahad – Oracle Corporation, Eugene Chiu – Oracle Corporation, Ray Cromwell – Oracle Corporation, Jia-der Day – Oracle Corporation, Vi Ha – Oracle Corporation, Wook-Hyun Jeong – Samsung Electronics Co. LTF, Chang Kuang – Oracle Corporation, Rodrigo Lima – Oracle Corporation, Stephane H. Maes – Oracle Maes Expires – September 2006 [Page 7]  March 2006 Corporation, Gustaf Rosell - Sony Ericsson, Jean Sini – Symbol Technologies, Sung-Mu Son – LG Electronics, Fan Xiaohui - CHINA MOBILE COMMUNICATIONS CORPORATION (CMCC), Zhao Lijun - CHINA MOBILE COMMUNICATIONS CORPORATION (CMCC). Authors Addresses Stephane H. Maes Oracle Corporation 500 Oracle Parkway M/S 4op634 Redwood Shores, CA 94065 USA Phone: +1-650-607-6296 Email: stephane.maes@oracle.com Ray Cromwell Oracle Corporation 500 Oracle Parkway Redwood Shores, CA 94065 USA Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Disclaimer of Validity Maes Expires – September 2006 [Page 8]  March 2006 This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Maes Expires – September 2006 [Page 9]