MLS (Messaging Layer Security) - a single encryption protocol for all applications

Man


The Internet Engineering Task Force (IETF) has officially adopted the Messaging Layer Security (MLS) standard, a new end-to-end encrypted messaging protocol on top of TLS. It is an additional layer of cryptography that can cover all existing applications and ensure interoperability between them. That is, it will ideally become a universal protocol for all messengers.

MLS provides end-to-end encryption between different applications and devices in such a way that cloud services and the infrastructure through which traffic passes have no way to decrypt these messages.

Before MLS, there was no open, interoperable specification for this additional layer of cryptography. The new protocol fills this gap. It provides a system that is fully specified, formally verified, and easy to use for developers.

The idea of creating such a universal encryption protocol was discussed in 2016 at an informal IETF 96 meeting in Berlin with representatives of Wire, Mozilla and Cisco. Jumping ahead: in 2023, the Wire messenger became one of the first to officially implement MLS support.

In 2017, the paper "On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees" was published. It formulated the main ideas for building encryption and key management schemes that are more efficient than the double ratchet algorithm:

Comparison of the efficiency of the double ratchet algorithm (DH ratcheting) and a new key management scheme proposed in a scientific paper

The double ratchet algorithm has already been discussed on Habr more than once. It is a self-healing algorithm for renewing and maintaining short-lived session keys that are constantly updated for each user. Accordingly, key material has to be re-exchanged continuously in real time. The key generation scheme based on this algorithm is reliable and proven, and it is used in several end-to-end encrypted instant messaging apps, including Signal.

MLS builds on the current generation of security protocols and takes the best from them. In particular, the mechanism for generating ephemeral keys is taken from the aforementioned double ratchet algorithm. Thanks to this, MLS allows for asynchronous operation and provides advanced security features, such as protection after compromise.

The principle of key generation using the double ratchet algorithm
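
As an added illustration (not code from the original post, from Signal, or from any MLS implementation), the sketch below shows the self-healing property described above: a copied chain key exposes later keys in the same chain, but not keys derived after a DH ratchet step with a fresh ephemeral key. The toy DH group, the KDF labels and all function names are assumptions made for this example.

```python
import hashlib, hmac, secrets

# Toy finite-field DH group (assumption for this example, NOT secure);
# real ratchets use an elliptic-curve group such as X25519.
P, G = 2**255 - 19, 2

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(32, "big")

def dh_ratchet(root: bytes, dh_out: bytes):
    """Mix a fresh DH output into the root key: (new_root, new_chain_key)."""
    return kdf(root, b"root" + dh_out), kdf(root, b"chain" + dh_out)

def chain_step(chain_key: bytes):
    """Symmetric ratchet: (message_key, next_chain_key), one-way via HMAC."""
    return kdf(chain_key, b"msg"), kdf(chain_key, b"next")

def simulate() -> dict:
    root = secrets.token_bytes(32)  # constructed initial shared secret
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    root, ck = dh_ratchet(root, dh(a_priv, b_pub))
    _, ck = chain_step(ck)  # message 1 sent
    # Constructed compromise: sender state is copied after message 1.
    stolen_root, stolen_ck, stolen_priv = root, ck, a_priv
    mk2, ck = chain_step(ck)
    same_chain_exposed = chain_step(stolen_ck)[0] == mk2
    # Healing: the sender picks a fresh ephemeral key and does a DH ratchet step.
    a_priv2, a_pub2 = keypair()
    peer_root = root  # the peer holds the same root key
    root, ck = dh_ratchet(root, dh(a_priv2, b_pub))
    mk3, _ = chain_step(ck)
    # The peer derives the same key from its private key and the new public key.
    peer_mk3 = chain_step(dh_ratchet(peer_root, dh(b_priv, a_pub2))[1])[0]
    # The copied state holds only the stale private key, so its DH output is old.
    stale_mk = chain_step(dh_ratchet(stolen_root, dh(stolen_priv, b_pub))[1])[0]
    return {"same_chain_exposed": same_chain_exposed,
            "peer_agrees": peer_mk3 == mk3,
            "exposed_after_dh_ratchet": stale_mk == mk3}

if __name__ == "__main__":
    print(simulate())
```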

Like TLS 1.3, MLS provides strong authentication, and its security characteristics have been confirmed by formal analysis (an independent protocol evaluation).

Overall, the new protocol combines the best features of its predecessors and adds efficient scaling for group conversations with thousands of devices without compromising security.

The IETF reports that draft versions of MLS have been tested in production for encrypting real-time conversations in Webex and RingCentral communications products. These tests confirmed the ability of MLS to work well in real-world scenarios at large scale with thousands and millions of users.

Components of an MLS test setup, source

Other apps like Wickr and Matrix are planning to migrate to MLS soon, and the IETF MIMI working group has selected MLS as the end-to-end encryption standard for its system for interoperable messaging.

MLS encryption. Web client with an ongoing video call and chat message, source

MLS Architecture Requirements


In addition to the protocol specifications, the IETF has also published the MLS Architecture Requirements, a description of a secure multicast messaging infrastructure.

It provides guidance on how to build the infrastructure and describes some of the security/privacy tradeoffs that must be taken into account in the many MLS security mechanisms (e.g., how often the public encryption key is rotated).

The document also provides recommendations for parts of the infrastructure that are not standardized in the MLS protocol and are left to the discretion of applications and infrastructure architects.

Although the recommendations in this document are not mandatory at the protocol level, they affect the overall security guarantees of messaging applications. This is especially important for applications where there is a real threat of attacks that can compromise the client module, the delivery service, or authentication.

This is just the beginning of a long journey for MLS. Several MLS implementations have been created to date, including two open source implementations:
  • OpenMLS, language: Rust, license: MIT
  • MLS++, language: C++, license: BSD-2

The more implementations there are, the more widely MLS will spread across applications and services. Likewise, more implementations will give developers valuable lessons on how to improve future versions of the protocol and libraries. And while MLS is an important part of the end-to-end security story, other important pieces still need to be written. One example, according to the IETF, is creating a strong identity system that can integrate with MLS’s authentication system and secrets management systems.
