Extensible Messaging and Presence Protocol (XMPP)

1. Extensible Messaging and
Presence Protocol (XMPP)
2016.3.1
1
Sean

2. Extensible Messaging and Presence
Protocol (XMPP)
• A communication protocol based on XML.
• Designed to be extensible.
• Jeremie Miller began working on the Jabber technology in 1998.
(Originally named Jabber)
2
1999~2000
RFC 3920
RFC 3921
2011
RFC 6120
RFC 6121
RFC 6122
2015
RFC 7622

3. XMPP的優點
• 因為使用xml，所以不限制訊息內容
• 支援的程式很多
• 很多 open source 可以使用
• 分散式
• 安全
3

4. XMPP的缺點
• IP 一換，整個連線需重連(驗證重做)
▫ 以手機而言，Wi-Fi/3G 轉換就會換 IP
• 不能傳二進位資訊 (但可透過base64編碼傳送)
4

5. XMPP RFCs
• RFC 3920 → RFC 6120
Extensible Messaging and Presence Protocol (XMPP): Core
• RFC 3921 → RFC 6121
Extensible Messaging and Presence Protocol (XMPP): Instant
Messaging and Presence
• RFC 6122 → RFC 7622
Extensible Messaging and Presence Protocol (XMPP): Address
Format
5

6. XMPP Architecture
• Distributed client-server architecture
6
cyberlink.co
m
google.co
m
sean@cyberlink.com bob@google.com
TC
P
TC
P
TC
P
TC
P

7. Jabber ID (JID)
• XMPP address
• Bare JID
▫ <localpart@domainpart>
▫ EX: sean@cyberlink.com
• Full JID
▫ <localpart@domainpart/resourcepart>
▫ EX: sean@cyberlink.com/123456789
7

8. XML Stanzas
• iq
▫ Info/query
• message
▫ Send a Message to a JID (a user or a group)
• presence
▫ Broadcast message
8

9. Open a Stream – Initial Stream
9
<?xml version=‘1.0’?>
<stream:stream
to='u.cyberlink.com'
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:client‘
xml:lang='en'
version='1.0'>
TC
P
sean@cyberlink.com cyberlink.co
m
Port:5222

10. 10
<?xml version >
<stream:stream
version="1.0"
from="u.cyberlink.com"
id="3053277074"
xml:lang="en“
xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client‘
>
TC
P
sean@cyberlink.com cyberlink.co
m
Open a Stream – Response Stream

11. Stream Negotiation - Presence
11
<presence ….>
<show/>
</presence>
TC
P
sean@cyberlink.com cyberlink.co
m

12. Stream Negotiation - iq
12
<iq id=“1” type=“get”>
…
</iq>
TC
P
sean@cyberlink.com cyberlink.co
m
<iq id=“1” type=“result”>
…
</iq>
type: get, set, result, error

13. Stream Negotiation - message
13
<message….>
Hello
</message>
TC
P
sean@cyberlink.com cyberlink.co
m

14. Stream Negotiation – Close Stream
14
</stream>
TC
P
sean@cyberlink.com cyberlink.co
m
</stream>

15. Client Server Communication Overview
15
<?xml version='1.0'?>
<stream
from=“samo@cyberlink.com”
to=“cyberlink.com”>
<presence
…>Online</presence>
<iq …>…</iq>
<message
…>Hello</message>
</stream>

16. Authentication for XMPP
• Transport Layer Security (TLS)
▫ Secure the stream from tampering and eavesdropping.
▫ MUST send a new initial stream header after finish.
• Simple Authentication and Security Layer (SASL)
▫ Authenticate a stream. (U: base64(id+token))
▫ MUST send a new initial stream header after finish.
16

17. Cryptography
• Symmetric
▫ Use the same key for encrypt/decrypt.
▫ Security: Poor
▫ Performance: Good
• Asymmetric
▫ Use public key for encryption and use private for decryption.
▫ Security: Good
▫ Performance: Poor
17

18. TLS
• TLS 1.0
• TLS 1.1
• TLS 1.2
• TLS 1.3 (draft)
• Employ a handshake using asymmetric cipher.
18

19. Stream Header
19
<?xml version='1.0'?>
<stream
from=“sean@cyberlink.com”
to=“cyberlink.com”>
<?xml version='1.0'?>
<stream
id=“++TR84Sm6A3hnt3Q065SnAbbk3Y=”
to=“sean@cyberlink.com”
from=“cyberlink.com”>
TC
P
sean@cyberlink.com cyberlink.co
m

20. TLS Negotiation
20
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
</stream:features>
TC
P
sean@cyberlink.com cyberlink.co
m

21. 21
<stream:features xmlns="http://etherx.jabber.org/streams">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>PLAIN</mechanism>
</mechanisms>
</stream:features>
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
<failure xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
</stream:stream>
or
I
R
TLS Handshake Protocol

22. TLS Handshake Protocol
22
Client_hello(client_version, session_id, cipher_
suites, compression_methods, )
TC
P
sean@cyberlink.com cyberlink.co
m
PKc PrKc
RNc
RNc
RNc

23. TLS Handshake Protocol
TC
P
sean@cyberlink.com cyberlink.co
m
Server_hello(client_version, session_id, cipher_ suites,
compression_methods, )
PKc PrKc PKs PrKs
RNsRNc
RNs
RNc RNs

24. TLS Handshake Protocol
24
TC
P
sean@cyberlink.com cyberlink.co
m
Server_Certificate(CA, )
PKc PrKc PKs PrKs
PKs
RNsRNc RNsRNc

25. TLS Handshake Protocol
25
TC
P
sean@cyberlink.com cyberlink.co
m
PKc PrKc PKs PrKsPKs
Check server certificate
RNsRNcRNsRNc

26. TLS Handshake Protocol
26
TC
P
sean@cyberlink.com cyberlink.co
m
PKc PrKc PKs PrKsPKs
Client_Certificate(CA, )
PKc
RNsRNcRNsRNc

27. TLS Handshake Protocol
27
TC
P
sean@cyberlink.com cyberlink.co
m
PKc PrKc PKs PrKsPKs PKc
RNsRNc RNsRNcPMS
Generate random
pre-master-secretPMS

28. TLS Handshake Protocol
28
TC
P
sean@cyberlink.com cyberlink.co
m
PKc PrKc PKs PrKsPKs
Encrypted with
PKs
PKc
RNsRNc RNsRNc
PMS
PMS PMS

29. TLS Handshake Protocol
29
TC
P
sean@cyberlink.com cyberlink.co
m
PKs PrKsPKc
Calculae Master-Secret fromMS RNsRNc
RNsRNc
PMS
PMS
MS

30. TLS Handshake Protocol
30
TC
P
sean@cyberlink.com cyberlink.co
m
MS MS
Calculae Master-Secret fromMS RNsRNc PMS

31. TLS Handshake Protocol
31
TC
P
sean@cyberlink.com cyberlink.co
m
1. Change cipher spec
2. Client finish
MS MS

32. TLS Handshake Protocol
32
TC
P
sean@cyberlink.com cyberlink.co
m
1. Change cipher spec
2. Server finish
MS MS

33. 33
<stream:features xmlns="http://etherx.jabber.org/streams">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>PLAIN</mechanism>
</mechanisms>
</stream:features>
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
<failure xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
</stream:stream>
or
I
R
TLS Handshake Protocol

34. Restarts stream
34
<stream
from=“samo@cyberlink.com”
to=“cyberlink.com”>
<stream
id=“++TR84Sm6A3hnt3Q065SnAbbk2Y=”
to=“samo@cyberlink.com”
from=“cyberlink.com”>
TC
P
sean@cyberlink.com cyberlink.co
m

35. Restarts
• On successful negotiation of a feature that necessitates a stream
restart, both parties MUST consider the previous stream to be
replaced but MUST NOT send a closing </stream> tag and MUST
NOT terminate the underlying TCP connection.
• The initiating entity then MUST send a new initial stream header.
35

36. 36

37. SASL Negotiation
37
<stream:features
xmlns:stream="http://etherx.jabber.org/streams">
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>SCRAM-SHA-1-PLUS</mechanism>
<mechanism>SCRAM-SHA-1</mechanism>
<mechanism>PLAIN</mechanism>
</mechanisms>
</stream:features>
TC
P
sean@cyberlink.com cyberlink.co
m

38. SASL Negotiation
38
<stream:features xmlns="http://etherx.jabber.org/streams">
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>PLAIN</mechanism>
</mechanisms>
</stream:features>
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl“
mechanism="PLAIN">
ADc2ODAwMQBkMGY2ZjllMi00YmRlLTQ2ZjItOGI2Yi1lNDM0OTk
2ZjczZGQ=
</auth>
<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl" />
R
R
I

39. SASL Negotiation
39
• Restart

40. Resource Binding
40
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
<bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/>
</stream:features>
TC
P
sean@cyberlink.com cyberlink.co
m

41. Resource Binding
41
<stream:features xmlns="http://etherx.jabber.org/streams">
<bind xmlns="urn:ietf:params:xml:ns:xmpp-bind" />
<session xmlns="urn:ietf:params:xml:ns:xmpp-session" />
</stream:features>
<iq type="set" id="97fe2b99-dfa6-4fa0-a963-f27e840b1adb-1">
<bind xmlns="urn:ietf:params:xml:ns:xmpp-bind">
<resource>mobile</resource>
</bind>
</iq>
<iq type="result" id="97fe2b99-dfa6-4fa0-a963-f27e840b1adb-1">
<bind xmlns="urn:ietf:params:xml:ns:xmpp-bind">
<jid>juliet@im.example.com/mobile</jid>
</bind>
</iq>
R
R
I

42. Currently Design for U
• Remove the mechanism of RESTART.
• Add <CLResumed/> for doing SASL and binding again after reconnecting.
42

43. CLResume: server give info
43
<clresumed xmlns="urn:xmpp:custom:resume"
status="success"
sessionid="g2gEbQAAAAYzMTgwMDFtAAAAD3UuY3liZXJsa
W5rLmNvbW0AAAAkRjg5MjlFMzctRTAwMi00QzdGLTlEOTgt
RjkxNTFGNUQ3NEI5aANiAAAFkmIACeRcYgAM3cE="
expiration="2592000"/>
TC
P
sean@cyberlink.com cyberlink.co
m

44. Begin Resume
44
<clresumed xmlns="urn:xmpp:custom:resume"
sessionid="g2gEbQAAAAYzMTgwMDFtAAAAD3UuY3liZX
JsaW5rLmNvbW0AAAAkRjg5MjlFMzctRTAwMi00QzdGL
TlEOTgtRjkxNTFGNUQ3NEI5aANiAAAFkmIACeRcYgAM3
cE=" />
TC
P
sean@cyberlink.com cyberlink.co
m

45. Resume success
45
<clresumed xmlns="urn:xmpp:custom:resume"
status="success"
sessionid="g2gEbQAAAAYzMTgwMDFtAAAAD3UuY3liZXJsa
W5rLmNvbW0AAAAkRjg5MjlFMzctRTAwMi00QzdGLTlEOTgt
RjkxNTFGNUQ3NEI5aANiAAAFkmIACeRcYgAM3cE="
expiration="2592000"/>
TC
P
sean@cyberlink.com cyberlink.co
m

46. XMPP Connection Steps w/o clresume
C -> S stream
C <- S stream / feature:starttls
C -> S starttls
C <- S proceed
C <> S tls handshake
C -> S stream
C <- S stream / feature:sasl
C -> S auth
C <- S auth
C -> S stream
C <- S stream / feature:bind
C -> S bind
C <- S bind

47. XMPP Connection Steps w/ clresume
(not resume case)
C -> S stream
C <- S stream / feature:starttls
C -> S starttls
C <- S proceed
C <> S tls handshake
C -> S stream
C <- S stream / feature:sasl
C -> S auth
C <- S auth
C -> S stream
C <- S stream / feature:bind
C -> S bind
C <- S bind
C <- S clresume

48. XMPP Connection Steps w/ CLResume
(resume case)
C -> S stream
C <- S stream / feature:starttls
C -> S starttls
C <- S proceed
C <> S tls handshake
C -> S stream
C <- S stream / feature:sasl
C -> S clresume
C <- S clresume

49. Q&A
49