Planet Jabber News

March 10, 2019

Paul Schaub

A look at Matrix.org’s OLM | MEGOLM encryption protocol

Everyone who knows and uses XMPP is probably aware of a new player in the game. Matrix.org is often recommended as a young, arising alternative to the aging protocol behind the Jabber ecosystem. However, the founders do not see their product as a direct competitor to XMPP, as their approach to the problem of message exchange is quite different.

During his talk at FOSDEM in Brussels, matrix.org founder Matthew Hodgson roughly compared the concept of matrix to how git works. Instead of passing single messages between devices and servers, matrix is all about synchronization of a shared state. A chat room can be seen as a repository which is shared between all servers of the participants. As a consequence, communication in a chat room can go on even when the server on which the room was created goes down, as the room simultaneously exists on all the other servers. Once the failed server comes back online, it synchronizes its state with the others and retrieves missed messages.

Olm, Megolm – What’s the deal?

Matrix introduced two different crypto protocols for end-to-end encryption. One is named Olm, which is used in one-to-one chats between two chat partners (this is not quite correct, see Updates for clarifying remarks). It can very well be compared to OMEMO, as it too is an adaptation of the Signal Protocol by Open Whisper Systems. However, due to some differences in the implementation, Olm is not compatible with OMEMO, although it shares the same cryptographic properties.

The other protocol goes by the name of Megolm and is used in group chats. Conceptually it deviates quite a bit from Olm and OMEMO, as it contains some modifications that make it more suitable for the multi-device use-case. However, those modifications alter its cryptographic properties.

Comparing Cryptographic Building Blocks

Protocol                      Olm                            OMEMO (Signal)
IdentityKey                   Curve25519                     X25519
FingerprintKey⁽¹⁾             Ed25519                        none
PreKeys                       Curve25519                     X25519
SignedPreKeys⁽²⁾              none                           X25519
Key Exchange Algorithm⁽³⁾     Triple Diffie-Hellman (3DH)    Extended Triple Diffie-Hellman (X3DH)
Ratcheting Algorithm          Double Ratchet                 Double Ratchet
  1. Signal uses a Curve X25519 IdentityKey, which is capable of both encrypting and creating signatures using the XEdDSA signature scheme. Therefore no separate FingerprintKey is needed; instead the fingerprint is derived from the IdentityKey. This is mostly a cosmetic difference, as one fewer key pair is required.
  2. Olm does not distinguish between the concepts of signed and unsigned PreKeys like the Signal protocol does. Instead it only uses one type of PreKey. However, those may be signed with the FingerprintKey upon upload to the server.
  3. OMEMO includes the SignedPreKey as well as an unsigned PreKey in the handshake, while Olm only uses one PreKey. As a consequence, if the sender's Olm IdentityKey gets compromised at some point, the very first few messages that were sent could possibly be decrypted.

In the end Olm and OMEMO are pretty comparable, apart from some simplifications made in the Olm protocol. Those only marginally affect its security, though (as far as I can tell as a layman).

Megolm

The similarities between OMEMO and Matrix’ encryption solution end when it comes to group chat encryption.

OMEMO does not treat chats with more than two parties any differently from one-to-one chats. The sender simply has to manage a lot more keys, and the number of required trust decisions grows by a factor roughly equal to the number of chat participants.

Yep, this is a mess but luckily XMPP isn’t a very popular chat protocol so there are no large encrypted group chats ;P

So how does Matrix solve the issue?

When a user joins a group chat, they generate a session for that chat. This session consists of an Ed25519 SigningKey and a single ratchet which gets initialized randomly.

The public part of the signing key and the state of the ratchet are then shared with each participant of the group chat. This is done via an encrypted channel (using Olm encryption). Note that this session is also shared between the devices of the user. Contrary to Olm, where every device has its own Olm session, there is only one Megolm session per user per group chat.

Whenever the user sends a message, the encryption key is generated by forwarding the ratchet and deriving a symmetric encryption key for the message from the ratchet's output. Signing is done using the SigningKey.

Recipients of the message can decrypt it by forwarding their copy of the sender's ratchet the same way the sender did, in order to retrieve the same encryption key. The signature is verified using the public SigningKey of the sender.

There are some pros and cons to this approach, which I briefly want to address.

First of all, you may find that this protocol is way less elegant compared to Olm/OMEMO/Signal. It poses some obvious limitations and security issues. Most importantly, if an attacker gets access to the ratchet state of a user, they could decrypt any message that is sent from that point in time on. As no new randomness is introduced, as is the case in the other protocols, the attacker can gain access by simply forwarding the ratchet, thereby generating any decryption keys they need. The protocol defends against this by requiring the user to generate a new random session whenever a user joins/leaves the room and/or a certain number of messages have been sent, whereby the window of possibly compromised messages gets limited to a smaller number. Still, this is equivalent to having a single key that decrypts multiple messages at once.

The Megolm specification lists a number of other caveats.

On the pro side of things, trust management has been simplified, as the user basically just has to decide whether or not to trust each group member instead of each participating device – reducing the complexity from a multiple of n down to just n. Also, since no new randomness is introduced during ratchet forwarding, messages can be decrypted multiple times. As a consequence, devices do not need to store the decrypted messages. Knowledge of the session state(s) is sufficient to retrieve the message contents over and over again.

By sharing older session states with own devices it is also possible to read older messages on new devices. This is a feature that many users are missing badly from OMEMO.

On the other hand, if you really need true future secrecy on a message-by-message basis and you cannot risk that an attacker may get access to more than one message at a time, you are probably better off taking the bitter pill, going through the fingerprint mess and sticking to normal Olm/OMEMO (see Updates for remarks on this statement).

Note: End-to-end encryption does not really make sense in big, especially public chat rooms, since an attacker could just simply join the room in order to get access to ongoing communication. Thanks to Florian Schmaus for pointing that out.
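The Megolm session mechanics described above (a randomly initialized ratchet shared once with the group, forwarding it to derive one key per message, the exposure that follows from a leaked ratchet state, rotation after a fixed number of messages, and the fact that a recipient can re-derive any key and decrypt a message again) are shown here in an added toy model. This is illustration code written for this post, not libolm or any Matrix implementation: the real Megolm ratchet has four parts advanced at different rates and uses HKDF with AES-CBC and HMAC, while this model collapses it to a single HMAC-SHA256 hash chain, replaces AES with an HMAC counter-mode keystream (not for real use), and leaves out the Ed25519 signing key entirely. `ROTATE_AFTER`, the session id, the sample plaintexts and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed value: the sender starts a fresh session after this many messages,
# standing in for Megolm's configurable message-count rotation rule.
ROTATE_AFTER = 3


def advance(state: bytes) -> bytes:
    """One-way ratchet step. HMAC cannot be inverted, so a holder of R(i)
    can compute R(i+1) but not R(i-1)."""
    return hmac.new(state, b"advance", hashlib.sha256).digest()


def message_key(state: bytes) -> bytes:
    """Symmetric key for the message sent at this ratchet position."""
    return hmac.new(state, b"message-key", hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC in counter mode) standing in for AES; symmetric,
    so the same call encrypts and decrypts. Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def new_session() -> dict:
    """Fresh session: random ratchet start plus a session id (the Ed25519
    signing key Megolm also generates here is omitted from this model)."""
    return {"id": os.urandom(4).hex(), "state": os.urandom(32), "index": 0}


def export_state(session: dict) -> dict:
    """Snapshot a group member receives (over Olm) when the session is shared."""
    return dict(session)


def encrypt(session: dict, plaintext: bytes) -> dict:
    """Sender: derive the key at the current position, encrypt, then advance."""
    msg = {"session": session["id"], "index": session["index"],
           "ciphertext": keystream_xor(message_key(session["state"]), plaintext)}
    session["state"] = advance(session["state"])
    session["index"] += 1
    return msg


def decrypt(snapshot: dict, msg: dict) -> bytes:
    """Recipient: forward a *copy* of the shared ratchet to the message index.
    The snapshot itself is never mutated, so any message can be decrypted again."""
    if msg["session"] != snapshot["id"]:
        raise ValueError("no ratchet state for this session")
    if msg["index"] < snapshot["index"]:
        raise ValueError("message predates the shared ratchet state")
    state = snapshot["state"]
    for _ in range(msg["index"] - snapshot["index"]):
        state = advance(state)
    return keystream_xor(message_key(state), msg["ciphertext"])


def simulate(plaintexts, rotate_after=ROTATE_AFTER):
    """Sender loop with rotation. Returns (messages, snapshots), where
    snapshots[k] is what members received for the k-th session."""
    session = new_session()
    snapshots = [export_state(session)]
    messages = []
    for pt in plaintexts:
        if session["index"] >= rotate_after:
            session = new_session()
            snapshots.append(export_state(session))
        messages.append(encrypt(session, pt))
    return messages, snapshots


def decrypt_all(messages, snapshots):
    by_id = {s["id"]: s for s in snapshots}
    return [decrypt(by_id[m["session"]], m) for m in messages]


def leaked_copy(snapshot: dict, steps: int) -> dict:
    """Ratchet state an attacker obtains `steps` messages after the snapshot."""
    state = snapshot["state"]
    for _ in range(steps):
        state = advance(state)
    return {"id": snapshot["id"], "state": state, "index": snapshot["index"] + steps}


def readable_with(snapshot: dict, messages) -> list:
    """Positions (in send order) decryptable from one leaked ratchet state:
    everything later in the same session, nothing earlier, nothing after rotation."""
    readable = []
    for pos, m in enumerate(messages):
        try:
            decrypt(snapshot, m)
        except ValueError:
            continue
        readable.append(pos)
    return readable


if __name__ == "__main__":
    # Constructed sample traffic: seven messages, rotating every three.
    pts = [b"msg%d" % i for i in range(7)]
    msgs, snaps = simulate(pts)
    print(decrypt_all(msgs, snaps) == pts)                 # True, and again on re-run
    print(readable_with(leaked_copy(snaps[1], 1), msgs))   # [4, 5]
```

Two things to read off the run: decrypting twice with the same snapshot gives the same plaintexts, which is the property that lets a client avoid storing decrypted history, and a ratchet state leaked one message into the second session exposes exactly the rest of that session (positions 4 and 5) but nothing before it and nothing from the rotated session that follows, which is the bounded window the rotation rule buys.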

I hope I could give a good overview of the different encryption mechanisms in XMPP and Matrix. Hopefully I did not make any errors, but if you find mistakes, please let me know, so I can correct them asap 🙂

Happy Hacking!

Sources

Updates:

Thanks to Matthew Hodgson for pointing out that Olm/OMEMO is also effectively using a symmetric ratchet when multiple consecutive messages are sent without the receiving device sending an answer. This can lead to loss of future secrecy, as discussed in the OMEMO protocol audit.

Also thanks to Hubert Chathi for noting that Megolm is also used in one-to-one chats, as Matrix doesn't have the same distinction between group and single chats. He also pointed out that the security level of Megolm (the criteria for regenerating the session) can be configured on a per-chat basis.

by vanitasvitae at March 10, 2019 03:31

February 05, 2019

Ignite Realtime Blog

Dele's FOSDEM presentation on Pàdé!

@guus wrote:

Last weekend, a number of Ignite Realtime community members attended FOSDEM (in Brussels, Belgium), the yearly free event for software developers to meet, share ideas and collaborate.

@Dele_Olajide prepared a presentation for the Real Time Communications devroom, in which he elaborated on Pade, and focused on how the plugin architecture of the Chromium web browser, ConverseJs and Openfire made it possible to quickly integrate HTTP and SIP with XMPP and create a feature-rich and very extensible unified communications solution for small and medium businesses.

For your convenience, a recording of his rather entertaining presentation:


by @guus Guus der Kinderen at February 05, 2019 09:06

December 09, 2015

Daniel Pocock

Is WebRTC one of your goals for 2016?

WebRTC continues to gather momentum around the world. Over the next week, Paris will host a TADHack event on WebRTC (12-13 December) followed by Europe's most well known meeting of the WebRTC community, the annual WebRTC Conference and Expo, 16-18 December.

2015 has been a busy year for WebRTC developers, in the browser, on the server-side and even in documentation, with the online publication of The RTC Quick Start Guide. These efforts have all come together to create a stable foundation for many implementations in 2016.

Demo

The JSCommunicator demo video shows just how convenient WebRTC can be, looking at the first customer-facing WebRTC deployment on Wall Street, a project I put together back in 2014:

This solution was implemented entirely with free, open source software integrated with a traditional corporate PBX. The project involved significant innovation to bring together a new technology like WebRTC with a very established corporate telephony infrastructure. For example, the solution makes use of the reSIProcate Python scripting to add the Avaya UUI headers to the SIP signaling, so it can integrate seamlessly with all existing Avaya customizations and desktop CRM software.

Is this something you can imagine on your organization's web site or as part of your web-based product or service?

DruCall module for Drupal - WebRTC without coding

If you run a Drupal CMS or if you would like to, the DruCall module provides a very quick way to get started with WebRTC.

On a Debian or Ubuntu server, you can automatically deploy the entire Drupal stack, Apache, MySQL and all module dependencies with

$ sudo apt-get install -t jessie-backports drupal7-mod-drucall

JSCommunicator, the generic SIP phone for web pages

If you don't want to do any JavaScript development, JSCommunicator may be the way to go.

JSCommunicator is a completely generic solution that can be completely re-branded just by tweaking the HTML and CSS. All phone features can be enabled and disabled using the configuration file.

WebRTC plugins for CRM solutions

As part of Google Summer of Code 2014, Juliana Louback created a WebRTC plugin for the xTuple enterprise CRM and ERP suite.

The source code of the DruCall and xTuple plugins provide an excellent point of reference for developing similar plugins for other web applications. Both of them are based on JSCommunicator which is designed to embed easily into any existing HTML page or templating system.

Get involved

To find out more and discuss RTC using free software and open standards, please join us on the Free-RTC mailing list.

by Daniel.Pocock at December 09, 2015 22:19

December 17, 2014

ejabberd

ejabberd 14.12

We're pleased to announce the last release of ejabberd for 2014! Thanks to contributors, this release includes great improvements and opens the road to 2015.

ejabberd Community 14.12 includes many bugfixes, and a few new features:

  • New module mod_client_state implements XEP-0352: Client State Indication
  • New module mod_fail2ban to ban IPs that show malicious signs
  • New option store_empty_body in mod_offline

read more

by mfoss at December 17, 2014 14:36

May 13, 2014

ejabberd

ejabberd 14.05

Full announcement: ejabberd Community 14.05: the culmination of a year of change

ejabberd Community 14.05 has great new features, several improvements and many bugfixes over the previous 13.12 release:

ejabberd now includes support for:
- XEP-0198: Stream Management (EJAB-532)

by mfoss at May 13, 2014 14:36

April 08, 2014

Jabber.org Notices

OpenSSL Upgrade

In response to the Heartbleed bug, we upgraded the version of OpenSSL used at jabber.org to help prevent information leakage.

April 08, 2014 00:00

March 19, 2014

Jabber.org Notices

February 06, 2014

Jabber.org Notices

January 03, 2014

Jabber.org Notices

December 18, 2013

Jabber.org Notices

December 16, 2013

ejabberd

ejabberd 13.12

We are pleased to announce a new stable release of ejabberd, ejabberd Community 13.12.

It has several bugfixes over the previous 13.10 release, and a few new features:

  • New OpenSSL ciphers option in c2s, s2s and s2s_out
  • mod_roster: new access rule to restrict roster modification
  • mod_pubsub: support for data migration from mnesia to odbc
  • ejabberd_xmlrpc included

As usual, the release is tagged in the Git source code repository on github

by mfoss at December 16, 2013 16:32

October 09, 2013

ejabberd

ejabberd 13.10

We are pleased to announce a new stable release of ejabberd, ejabberd Community 13.10.

It has some changes, several improvements and many bugfixes over the previous (not officially announced) 13.06. It is also the first official stable release of ejabberd Community after ejabberd 2.1.13. You can now use ejabberd Community, from the master branch, as the reference for stable releases of ejabberd. ejabberd 2.1.x support is discontinued.

The most noticeable changes since 13.03-beta and 13.06 are:

by mfoss at October 09, 2013 20:44

September 24, 2013

Jabber.org Notices

August 20, 2013

Jabber.org Notices

August 18, 2013

Jabber.org Notices

July 03, 2013

ejabberd

ejabberd 2.1.13 and 13.06

We are pleased to announce the bugfix release ejabberd 2.1.13.
It includes a few bugfixes over 2.1.12:

  • Compilation: Detect correctly newer Darwin versions (EJAB-1594)
  • Guide: ejabberd_service expects a shaper_rule, not a shaper
  • MUC: Handle multiple < and > in mod_muc_log plaintext mode (EJAB-1640)
  • MUC: Handle ~ control sequence in text of mod_muc_log (EJAB-1639)
  • MUC: list_to_integer/2 only works in OTP R14 and newer
  • Pubsub: access_createnode acl also applies to auto created nodes
  • Web: Normalize HTTP path

by mfoss at July 03, 2013 08:49

June 25, 2013

Movim Blog

PSES2013: Podcast of the conference

Vincent gave another conference in French this weekend, on 22 June.

It seems that Firefox is not able to play this WebM video; tell us if it works for you.

by movim at June 25, 2013 22:40

Jabber.org Notices

June 24, 2013

Jabber.org Notices

June 09, 2013

Movim Blog

Ubuntu Party Paris 13.04: Podcast of the conference

Vincent gave a conference in French last week, on 2 June.

Vincent at the conference

We are also pleased to announce that PSES2013 (Pas Sage en Seine 2013, in Paris) has invited us to present Movim at the event!
=> You can meet us on Saturday 22 June from 6.30 PM to 7.30 PM

by movim at June 09, 2013 10:11

March 05, 2013

Jabber.org Notices

February 26, 2013

Jack Moffitt

Digital Audio and Sampling Explained

Xiph.org has just posted the second in its series of videos on digital media concepts and techniques. It’s packed with information and demonstrations, and you’re sure to learn a huge amount. As an added bonus, it’s hosted by Monty, the creator of Ogg Vorbis (and many other amazing things). You couldn’t ask for a more qualified teacher.

Watch below, or on Xiph.org.

There is also a detailed write up.

by Jack Moffitt (jack@metajack.im) at February 26, 2013 00:00

January 15, 2013

Jabber.org Notices

October 09, 2012

Jabber.org Notices

September 25, 2012

Jabber.org Notices

September 10, 2012

Movim Blog

LSM 2012: Podcast of the conference

Timothée Jaussoin (Edhelas) and Guillaume Pasquet (Etenil) gave a conference in French on Tuesday, 10 July.

We want to offer a transcript of the conference for the visually impaired, and its translation to English. To do this we need volunteers, as this work is incredibly long and tedious; it is impossible for a single person to achieve this goal.

Here is the full transcript produced by Clement, and here is the beginning of the timing of the transcription in SRT format. I advise you to open the video in Audacity, where you can listen to the soundtrack and note the time very precisely. Each sentence should be cut to match the sound.

The SRT file will be translated afterwards. You can find all the other podcasts on the Wiki.

by movim at September 10, 2012 00:00

August 22, 2012

Jabber.org Notices

August 21, 2012

Jabber.org Notices

August 20, 2012

Jabber.org Notices

August 15, 2012

Jabber.org Notices

August 12, 2012

Jabber.org Notices

December 27, 2011

ejabberd

ejabberd 2.1.10, 3.0.0-alpha-5 and exmpp 0.9.9

ejabberd 2.1.10, 3.0.0-alpha-5 and exmpp 0.9.9 have been released, after several months of development. They contain a few bugfixes.

ejabberd 2.1.10

These are the major bugfixes:

  • Erlang/OTP compatibility
    • Support Erlang/OTP R15B regexp and drivers (EJAB-1521)
    • Fix modules update in R14B04 and higher
    • Fix modules update of stripped beams (EJAB-1520)
  • XMPP Core

by mfoss at December 27, 2011 19:38

October 03, 2011

ejabberd

ejabberd 2.1.9, 3.0.0-alpha-4 and exmpp 0.9.8

ejabberd 2.1.9, ejabberd 3.0.0-alpha-4, and exmpp 0.9.8 have been released, after several months of development. They contain a lot of bugfixes, improvements and some new features.

ejabberd 2.1.9

This release includes a lot of bugfixes and improvements. This is just a short list of them:

  • New SASL SCRAM-SHA-1 authentication mechanism (EJAB-1196)
  • New option: resource_conflict (EJAB-650)

by mfoss at October 03, 2011 16:04

December 14, 2010

ejabberd

ejabberd 2.1.6 - CAPTCHA support, Shared Rosters LDAP

ejabberd 2.1.6 has been released, after four months of development. It contains a lot of bugfixes, improvements and some new features.

This is a small list of changes:

  • BOSH: Fix rare loop, support vhosts, allow module restart
  • Config: Default configuration allows registrations only from localhost
  • Config: Support to change loglevel per module at runtime
  • Erlang/OTP: Fix compatibility from R10B-9 to R14B01
  • ODBC: Compatibility with PostgreSQL 9.0
  • Privacy lists: Fix to allow block by group and subscription again

by mfoss at December 14, 2010 11:56

November 16, 2010

ejabberd

Happy 8th birthday, ejabberd!

ejabberd turns 8 years old. But no party yet: Yozhik is bugfixing 2.1.6 and testing 3.0.0-alpha-2.

The source and more photographs of pet hedgehogs.

by mfoss at November 16, 2010 16:34

July 13, 2010

Tobias Markmann

GSoC '10: Mid-term approaching

Here comes another short update on my Google Summer of Code project.

Stanza acknowledgement is finally done, including representation in the GUI. You can see a short demonstration of the feature in the video below, where I'm chatting with Matthew Wild, one of Prosody's main developers. He developed a module for Prosody that implements parts of Stream Management. This made my client-side implementation much easier to test.

The idea is simple: the status icon in the top left corner is replaced with a throbber animation, known to users from recent OSes and browsers, as long as there are messages that haven't been acked by the server.
Psi will request an ack after half a minute at the latest, but only if there is something for the server to acknowledge.

This week is mid-term evaluation of the Google Summer of Code projects. SCRAM support and stanza acknowledgement, which is the most important part of the Stream Management XEP, are both finished including GUI.

by Tobias Markmann at July 13, 2010 11:10
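The client-side bookkeeping behind the stanza acknowledgement feature described in the post (count what was sent, keep it until the server's ack covers it, show the throbber while anything is outstanding, and request an ack on a timer only when there is something to acknowledge) is sketched below as an added example. It is written for this page and is not Psi's or Swift's code; it uses the XEP-0198 `<r/>` and `<a h='N'/>` elements under the namespace of the current XEP-0198 revision, and the class name, the injected clock, the 30-second interval constant and the sample stanzas are assumptions made for the example. Counter wraparound at 2^32, which the XEP requires, is noted but not handled.

```python
import time
import xml.etree.ElementTree as ET

SM_NS = "urn:xmpp:sm:3"         # XEP-0198 Stream Management namespace
ACK_REQUEST_INTERVAL = 30.0     # seconds: "half a minute", as in the post
WRAP = 2 ** 32                  # XEP-0198 counters wrap at 2^32


class StreamManagementClient:
    """Client-side stanza acknowledgement tracker (added illustration).

    `now` is injected so the timing rule can be exercised without sleeping."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.sent = 0            # stanzas we have sent on this stream
        self.handled = 0         # stanzas we have received and handled
        self.unacked = []        # (sequence, stanza) awaiting an <a/> from the server
        self.last_request = None

    def send(self, stanza_xml: str) -> str:
        """Count an outbound stanza and queue it until the server acks it."""
        self.sent = (self.sent + 1) % WRAP
        self.unacked.append((self.sent, stanza_xml))
        return stanza_xml

    def handle_incoming(self, stanza_xml: str) -> None:
        """Count an inbound stanza once the client has handled it."""
        self.handled = (self.handled + 1) % WRAP

    def ack_pending(self) -> bool:
        """Drives the throbber: is anything sent but not yet acked?"""
        return bool(self.unacked)

    def request_due(self):
        """Return an <r/> to send when unacked stanzas exist and the interval
        has elapsed since the last request; otherwise None, so no request is
        made when there is nothing for the server to acknowledge."""
        if not self.unacked:
            return None
        t = self.now()
        if self.last_request is not None and t - self.last_request < ACK_REQUEST_INTERVAL:
            return None
        self.last_request = t
        return f'<r xmlns="{SM_NS}"/>'

    def handle_ack(self, ack_xml: str) -> int:
        """Process the server's <a h='N'/>: N is how many of our stanzas it
        has handled, so drop those from the queue. Returns the number acked."""
        el = ET.fromstring(ack_xml)
        if el.tag != f"{{{SM_NS}}}a":
            raise ValueError("not a stream management ack")
        h = int(el.get("h"))
        # Wraparound is ignored here; a real client compares modulo 2^32.
        if h > self.sent:
            raise ValueError("server acknowledged more stanzas than were sent")
        before = len(self.unacked)
        self.unacked = [(seq, stanza) for seq, stanza in self.unacked if seq > h]
        return before - len(self.unacked)

    def answer_request(self) -> str:
        """Reply to a server <r/> with how many stanzas we have handled."""
        return f'<a xmlns="{SM_NS}" h="{self.handled}"/>'

    def pending_resend(self) -> list:
        """Stanzas to retransmit after stream resumption, once the h value
        from the server's <resumed/> has been applied via handle_ack()."""
        return [stanza for _, stanza in self.unacked]


if __name__ == "__main__":
    # Constructed sample session driven by a fake clock.
    clock = [0.0]
    c = StreamManagementClient(now=lambda: clock[0])
    c.send('<message to="romeo@example.org"><body>hi</body></message>')
    print(c.ack_pending(), c.request_due())           # True <r xmlns="urn:xmpp:sm:3"/>
    clock[0] = 10.0
    print(c.request_due())                            # None: too soon to ask again
    print(c.handle_ack('<a xmlns="urn:xmpp:sm:3" h="1"/>'), c.ack_pending())  # 1 False
```

The check that `h` never exceeds the number of stanzas sent is the one a client should not skip: an ack claiming more than was sent is a protocol error, and silently trusting it would drop queued stanzas that were never delivered.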

February 09, 2010

ejabberd

ejabberd and exmpp source code are moved from SVN to Git

After many months of planning, ejabberd and exmpp have been fully migrated to Git.

During the last 7 years, ejabberd source code was hosted at:

  • CVS at Jabber.Ru
  • CVS at JabberStudio.org
  • SVN at ProcessOne
  • Git, preliminarily built with git-svn, at GitHub

Starting now, ejabberd source code is natively in Git, and hosted at:

The minimal instructions to start using it are mentioned in:
http://www.process-one.net/en/ejabberd/downloads

by mfoss at February 09, 2010 16:15

November 16, 2009

ejabberd

Happy 7th birthday, ejabberd!

Yes, ejabberd is already 7 years old.

Let's celebrate with a timeline of ejabberd, Erlang/OTP, XMPP/Jabber protocol, and Tkabber:

If you find any mistake, please comment. I built the graph using EasyTimeLine.pl, if you want the datafile, please comment.

by mfoss at November 16, 2009 20:32

November 16, 2008

ejabberd

Video: 6 years of ejabberd code in 3 minutes

To celebrate that ejabberd turns 6 years old, I've prepared a video that shows the history of ejabberd trunk SVN during those years: authors, acknowledgments, types of files, dates and releases. The video was built with code_swarm.

Download ejabberd-6-years-code.avi (12.5 MB) from: Notes:

by mfoss at November 16, 2008 12:10