Prosodical Thoughts

News, announcements and thoughts from the Prosody IM team

Bringing FASTer authentication to Prosody and XMPP

by The Prosody Team

As our work continues on modernizing XMPP authentication, we have some more new milestones to share with you. Until now our work has mostly been focused on internal Prosody improvements, such as the new roles and permissions framework. Now we are starting to extend our work to the actual client-to-server protocol in XMPP.

Prosody and Snikket are both regularly used from mobile devices, which have intermittent connectivity. Even if it’s only a change between networks, or when driving through a tunnel for a few minutes, these things can temporarily break your connection - requiring a new one to be established.

We’ve had solutions and optimizations in the XMPP protocol for this situation for years (really… the first version of XEP-0198 was published in 2004!). XEP-0198 allows a client to reconnect to the server as soon as the network comes back, easily discover if anything failed to be sent/received due to the network interruption, and then resync any lost packets in either direction.

This effectively allows resuming and repairing the session as if no disconnect occurred, while skipping a bunch of traffic that would usually be exchanged when establishing a new session (instead, everything is simply cached from the old session).

However, there is one important thing we don’t allow the client to skip. To keep this resumption step secure, we require authentication. It’s a new connection, and we need to prove it’s from who it claims to be from.

Authentication in XMPP today

The most common authentication method for XMPP connections today is SCRAM. This is a neat password-based authentication mechanism that has many nice properties, such as allowing both the client and the server to store only a hash of the password. It also allows the client to determine that the server really knows the user’s password, and supports channel binding. These features allow the client to detect various kinds of attack.

Even though we have been using SCRAM in XMPP for many years now, it still offers more protective features today than the vast majority of online services you use - which generally all send your password to the server in plain text, albeit within TLS or HTTPS.

A new SCRAM alternative is currently being developed, known as OPAQUE, which adds even more nice properties. But that’s for future blog post… :)

However, there are some drawbacks of SCRAM (and similar mechanisms, including OPAQUE) that can’t realistically be solved. To adequately protect your password, it requires some back-and-forth negotiation with the server. In protocol speak, we refer to such situations as “round trips” - every time the client sends something to the server and has to wait for a response before it can proceed. On a very slow network, round trips can add a bunch of latency, and as anyone who has used audio/video calls or gaming online knows, latency can be frustrating and hard to eliminate from a connection.

Simpler authentication methods just have the client say “here are my credentials”, and the server say “your credentials look great, you’re authenticated!“. That’s how HTTP and most websites work today. Such approaches are quick and easy, but they don’t protect your credentials as well as SCRAM does.

Passwords are the problem

SCRAM’s protections are important for passwords. Passwords are (unfortunately) often chosen by users to be the same or similar across multiple services, and even if they are strong and unique they can be vulnerable to phishing. If leaked, many memorable passwords contain private information about the user.

We don’t want to drop any of our important password security features just to improve connection speed. So instead we found a better solution: drop passwords!

Our new solution allows the client to log in initially using a password (or any other method the XMPP server supports). After that, it can upgrade to a strong unique authentication token provided by the server, which it can use to quickly re-authenticate on future connections.

Tokens are the answer

Tokens have many advantages compared to passwords:

  • They are unique to the service that generated them, so cross-service attacks like credential stuffing are useless against tokens.
  • Tokens don’t need to be memorable, so they can be very long and random (both desirable properties for increasing account security!).
  • As they are not memorized by the user, they can be rotated frequently without any inconvenience.
  • Different tokens can be generated for each of a user’s devices, instead of sharing the user’s password across all of them. This also allows selectively removing a device’s access from the user’s account, e.g. if it gets lost or stolen.

With these security advantages, we suddenly unlock the ability to use simpler authentication mechanisms without risking the security of the user’s account or password.

Still, we can do a bit better than just sending the token to the server as plain text. Fortunately, just the kind of modern token authentication method we need has already been in development by Florian Schmaus: the SASL HT mechanism family.

HT mechanisms have the following properties:

  • The actual token itself is not exchanged over the connection during authentication.
  • And yet, the server receives proof that the client has the full correct token.
  • The client also receives proof that the server has the full correct token (and isn’t just impersonating the real server).
  • Finally, if channel binding is used, both sides receive proof that no MITM or relay attack being performed.

And… all this can be completed within a single round trip!

The protocol to achieve this has been submitted to the XSF as “Fast Authentication Streamlining Tokens”. It is in the acceptance queue, so doesn’t have a XEP number assigned yet.

Updating and integrating with SASL2

If FAST authentication was the only thing we had been working on recently, we would be happy enough. But there’s more…

In collaboration with Thilo Molitor from the Monal project, a new version of XEP-0388 (SASL 2) has been submitted. SASL 2 was originally proposed back in 2017, and it defines a new authentication protocol for XMPP (still based on SASL, so we can reuse all the existing mechanisms we already have in place).

Several features of SASL 2 are very relevant to our work. For example, it allows negotiation of session features in parallel with the authentication process. The old way required the client to authenticate, and then proceed to negotiate whatever features and parameters it wanted for the new session. With SASL2 the client can provide this information at the same time it provides its credentials. This saves yet more round trips.

As well as SASL 2, we’ve also updated a related proposal from around the same time, XEP-0386 (Bind 2). This is also a critical piece of session establishment that integrates with SASL 2.

With the work we’ve done across these three specifications - XEP-0388, XEP-0386 and FAST - we’ve essentially overhauled the entire authentication and session establishment protocol of XMPP. Even with all our additional authentication security features, it’s now possible for a client to connect, authenticate, and resume or create a session in a single request and response.

This post shouldn’t be taken as being entirely about performance improvements. It’s nice to be able to (re)connect to the server in the blink of an eye. But there are other reasons to be working on this.

As anyone who used XMPP in 2012 and 2022 knows, XMPP has been continuously evolving as both the internet and the way people use it has changed. Over time we have “bolted on” various features to the connection process to achieve this evolution.

Now, with these new changes, we are bringing all these enhancements together into a single framework that was designed for them to fit neatly into. Not only are we reducing round trips, we are also simplifying connection establishment for the next generation of XMPP developers.

When can I use all this?

Even though this is all cutting edge stuff, you’ll be able to use it much sooner than you might think!

Prosody has support for the new SASL 2, Bind 2 and FAST protocols. They are all available as community modules right now, though we intend for them to become part of the main Prosody distribution eventually.

To get started, you’ll need a Prosody trunk nightly build, and simply enable the following community modules:

To take advantage of the new features, you’ll need a compatible client. FAST is already implemented in multiple clients, and will be available from Conversations 2.11 for Android, as well as the next major versions of Monal, Siskin and Beagle for iOS and MacOS.

Gajim already has SASL 2 implemented, and other client developers have also already expressed an interest in support.

If you’re a client or library developer interested in supporting any of this, we have a test server available that you are welcome to use. Just let us know!

Do remember that all this is still very new and experimental. The relevant protocol specifications are still working their way through the XSF standards process and there may be changes to come in the future. There may also be undiscovered bugs. We encourage brave souls to help test it all in real world deployments, but if your priority is keeping a stable setup, you should probably wait a little longer before deploying any of this.

TCP Fast Open

While this post is not just about performance improvements, we’ve talked a lot about performance improvements. Therefore it’s worth noting an extra little side feature at this point.

Prosody trunk builds, when used with the new LuaSocket 3.1.0, support something known as TCP Fast Open. This is a low-level TCP extension that allows new connections to skip a round trip, by exchanging initial data packets while the connection is being established.

It’s disabled for servers by default on Linux, but you can enable it on most modern systems by creating the file /etc/sysctl.d/tcp-fastopen.conf with the contents:

net.ipv4.tcp_fastopen=3

Run systemctl restart systemd-sysctl.service to apply the changes. More information on the sysctl configuration can be found in the Linux kernel documentation.

In Prosody’s config, add the following in the global section:

network_settings = {
    tcp_fastopen = 256;
}

Restart Prosody to apply these changes. Be aware that some networks and routers have been reported to be incompatible with TCP Fast Open (support was removed from Firefox for this reason). Although Linux has built-in recovery mechanisms that should work around such issues, if you experience trouble connecting to your server from certain networks, you may want to try turning this off again.

We’re also looking at support for TLS 1.3’s 0-RTT mode, which can be combined with FAST authentication and TCP Fast Open to achieve full connection establishment within a single round-trip. Pretty impressive!

Next steps

These protocol changes are yet another step on our XMPP authentication modernization journey. With the new protocols now written and implemented, we can start looking forward to the next milestones for the project.

In the coming months, we’ll be working on the ability to sign in to your XMPP account from third-party clients and services without sharing your password with them. Subscribe to our blog or Mastodon account and keep an eye out for that future post!