XMPP server encryption

From WIKI
Revision as of 12:48, 29 June 2020 by Support (talk | contribs) (Differences)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Illustration of how encryption is used within servers Public key encryption.

XMPP server encryption - is basic encryption. Server encryption is intended so that attackers or spies cannot intercept messages with an open text without e2e. Without reliable server-side encryption, your data can be intercepted via public WI-FI or saved by the ISP. Connection to 404.city is impossible without encryption TLS.

TLS

  • TLS (RSA or ECC) - Basic encryption protects against hackers and espionage of the governments of most countries. Example:
you <=TLS c2s (medium protected)=> server 404.city <=> TLS s2s (medium protected) <=> server example.com <=TLS c2s (medium protected) => your friend
  • StartTLS is also similar to TLS and does not have strong security differences if the certificate is trusted.

ECC vs RSA keys

  • RSA (Example: ECDHE-RSA-AES256-GCM-SHA384) is outdated encryption. Uses more server resources and uses less XMPP client resources and weaker encryption. By default RSA is weak, so it is strengthened by the ECC with the algoritm ECDHE
Equivalent bits keys AES vs RSA vs ECC
Simetric (AES) RSA (ECDHE-RSA) ECC (ECDHE-ECDSA)
112 2048 224
128 3072 256
192 7680 384
256 15360 524


  • ECC (Example:ECDHE-ECDSA-AES256-GCM-SHA384) modern encryption uses less XMPP server resources and uses less XMPP client resources. In 2021, it will be adopted as a standard for all TLS certificates (Even RSA certificates will use CA ECC)
«The small key sizes make ECC very appealing for devices with limited storage or processing power, which are becoming increasingly common in the IoT. In terms of more traditional web server use cases, the smaller key sizes can offer speedier SSL handshakes (which can translate to faster page load times) and stronger security» - ECC vs RSA "GlobalSing"


Perfomance RSA vs ECC
Type bit sign sign/s
RSA 2048 0.000561s 1783.1
ECC 224 0.000100s 12410.4

Security level RSA and ECC

RSA or ECC security depends on more trust from the CA (Let'Encrypt or other). Server encryption RSA or ECC is weak protected against shadowing the users from country where the server is located or countries where the CA (Let's encrypt / USA) is located. With all the flaws, server encryption is useful and increases security. Server encryption is high protected against hackers, interception of Wi-Fi, surveillance from third countries.To protect against espionage from the CA or the country of the server's location, you must use always e2e encryption.

Dialback (no support 404.city)

Dialback - At the time of the creation of XMPP certificates were paid. Many server owners have refused to pay for certificates. To solve the problem with paid certificates was coined dialback.Certificate verification is based on ip compliance. Encryption is used, but it is not secure. Example:

you <=TLS c2s (medium protected) => server trusted.com <=> Dialback s2s (low protected) <=> server untrusted.com <= self-signet serfiticate + public wi-fi (Danger! Bad protected) => your inexperienced friend

Dialback no support server 404.city

Differences

PGP is not server encryption, but is listed for an example, becase some administrators of XMPP servers confuse self-signed certificates with e2e encryption PGP. Server-based encryption is designed to provide basic protection for inexperienced users. Self-signed certificates give a connection error in browsers and XMPP clients.

PGP RSA (e2e) PGP ECC (e2e) TLS ECC TLS RSA Dualback RSA (Self-signet sertificate) No encryption
Defence from hack hackers free Wi-Fi Yes Yes Yes Yes Only if both interlocutors are experts No
Defence from malicious proxy, VPN, exit Tor node Yes Yes Yes Yes Only if both interlocutors are experts No



Protection against mitm backbone providers or local goverements Yes Yes Yes Yes Weak No
Speed encryption Low Fast Fast Low Low No


Long sing yes no do not use to manually sign messages do not use to manually sign messages do not use to manually sign messages -


Verification Method Manual Manual Automated Automated Manual (c2s). Manual verification does not protect against certificate spoofing CA Root. Weak automated verify server interconnection (s2s) No


Hacking protection government of the country where the server is located Yes (XMPP client encryption) Yes (XMPP client encryption) Physical access to the server Physical access to the server Physical access to the server No
Hacking NSA? Unknown Unknown, but the NSA had distributed a backdoor random number generator until 2014.[1] OS Root CA dependencies OS Root CA dependencies OS Root CA dependencies No encryption


DNSSEC

DNSsec encrypts DNS requests to the server. DNSsec is enabled on 404.city.

Links