
OMEMO encrypt and decrypt HTTP-Upload #1182

Open
genofire opened this issue Sep 8, 2018 · 5 comments

Comments

@genofire
Contributor

commented Sep 8, 2018

[screenshot from 2018-09-08 13-18-16]

@jcbrand

Member

commented Sep 10, 2018

It's not clear to me what the problem is here... is this due to an OOB URL not being encrypted?

https://xmpp.org/extensions/xep-0066.html#x-oob

@jcbrand jcbrand added the question label Sep 10, 2018

@genofire

Contributor Author

commented Sep 10, 2018

I do not know if the URL is also encrypted; the file/image is encrypted with OMEMO/AES:

You have to download the files by just replacing aesgcm:// with https://.
Afterwards you have to decrypt the file.

Here is the implementation in gajim/python:
get crypto attributes (key, iv from the URL part after #): https://dev.gajim.org/gajim/gajim-plugins/blob/master/omemo/file_crypto.py#L124-139
decrypt with it: https://dev.gajim.org/gajim/gajim-plugins/blob/master/omemo/file_crypto.py#L243-252

Hope it helps a little bit.
Maybe you should just try it with another client like PixArt, Conversations or Gajim itself.

@jcbrand

Member

commented Sep 10, 2018

Thanks for the info, I'll look into it.

@jcbrand jcbrand added bug and removed question labels Sep 10, 2018

@jcbrand jcbrand added Feature and removed bug labels Oct 6, 2018

@knoy


commented Feb 7, 2019

Without this OMEMO is really crippled to just text messages.

The OMEMO HTTP-upload is covered in https://xmpp.org/extensions/inbox/omemo-media-sharing.html:

An entity wishing to share an end-to-end encrypted file first generates a 32 byte random key and a 12 byte random IV. After successfully requesting a slot for HTTP upload the file can be encrypted with AES-256 in Galois/Counter Mode (GCM) on the fly while uploading it via HTTP. The authentication tag MUST be appended to the end of the file.

To share the file the entity converts the HTTPS URL, the key and the IV to an aesgcm:// URL. Both IV and key are converted to their hex representation of 24 characters and 64 characters respectively and concatenated for a total of 88 characters (44 bytes). The IV comes first followed by the key. The resulting string is put in the anchor part of the aesgcm URL.

@knoy


commented Feb 22, 2019

I think this may be a security issue... if the lock icon is set to "locked" and OMEMO encryption is enabled, then user goes to attach a file, the file is sent unencrypted.

Perhaps file attachments should be disabled during an OMEMO-encrypted chat (or at least heavily warned about) until this is fixed?
