Messaging Layer Security: Towards a New Era of Secure Group Messaging

Conference:  BlackHat USA 2019



The presentation discusses the design of a secure group messaging protocol called MLS, which focuses on forward secrecy and post-compromise security.
  • MLS is a secure group messaging protocol that focuses on forward secrecy and post-compromise security
  • MLS uses key rotations to achieve forward secrecy and new keys for post-compromise security
  • MLS utilizes binary trees to efficiently manage group membership and key distribution
  • MLS does not address resyncing clients and retrying, but the current approach is to remove and add clients as new devices or members
The speaker explains that MLS assumes that some entrants in a group messaging session will be compromised, even infants. MLS aims to ensure that past messages remain secure even if an attacker has collected all encrypted messages on the network. MLS also aims to recover from situations where a group member loses their phone or is briefly compromised. The speaker emphasizes the importance of forward secrecy and post-compromise security in MLS, achieved through key rotations and new keys. The speaker also mentions the concept of init keys, which are used to initiate end-to-end encryption with group members. Finally, the speaker notes that MLS is still in the process of being stabilized and expects it to be finalized in 2020.


The world is moving towards end-to-end encryption (E2EE) for person-to-person messaging, as more services now wish to reduce the amount of sensitive data that they must store. However, the protocols used for encryption are still being developed and only a few of them, such as the Signal protocol, have seen serious security analysis. Signal is the first E2EE protocol to achieve global deployment, via WhatsApp's billion+ users, and achieves strong security guarantees, such as forward-secrecy and post-compromise-security (recovery from key-compromise).This talk will provide an introduction to message encryption protocols and describe the current ecosystem, including why it's still not a solved problem in the corporate setting. While personal messaging systems have been adopting Signal, corporate messaging has not massively moved in that direction due to significant technical challenges such as scalability.To support groups, WhatsApp uses a protocol called Sender-Keys. However, this protocol does not provide post-compromise-security, meaning that in a simple deployment an employee losing a device or leaving the company might retain the ability to read messages. To prevent this, all employees' cryptographic keys must be rotated whenever a device is removed; this is just about feasible for small groups but is entirely impractical for whole-company groups.To remedy these issues, the IETF is building the "Messaging Layer Security'' (MLS) group messaging protocol. MLS goals significantly differ from pairwise protocols: it aims to cover multiple industry use-cases including federation and web-browser support, to have sub-linear complexities allowing practical groups up to 50000 clients, and to provide formal security guarantees.What kinds of security, privacy and implementation bugs have been exploited by adversaries in the past? What guarantees can MLS provide in the context of powerful attackers and how does it differ from current solutions? What is the cutting edge research used? These are the questions that we will try to answer throughout the presentation.