
Google has announced that it is adding support for Messaging Layer Security (MLS) to its messaging service for Android and plans to add an open source implementation of this specification.
“Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but today’s users are limited to communicating with contacts who use the same platform,” said Giles Hogben, director of privacy engineering at Google. “This is why Google strongly supports regulatory efforts that require interoperability of end-to-end messaging platforms at scale.”
This development follows the Internet Engineering Task Force (IETF) releasing its Core Specification for Messaging Layer Security (MLS) Protocol as a Request for Comments (RFC 9420).
Other major companies committed to this protocol include Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Of particular note is Apple, which offers iMessage.
MLS, as the name suggests, is a security layer of end-to-end encryption that facilitates interoperability between messaging services and platforms. It was approved for publication as a standard by the IETF in March 2023.
“MLS builds on the best lessons of the current generation of security protocols,” the IETF noted at the time. “Like the widely used Double Ratchet protocol, MLS enables asynchronous operation and provides advanced security features such as post-compromise security. Also, like TLS 1.3, MLS offers robust authentication.”
Central to MLS is an approach known as Continuous Group Key Agreement (CGKA). This allows multiple messaging clients to agree on a shared key that accommodates groups ranging from two to thousands of people in a manner that ensures forward secrecy regardless of who joins or leaves the group conversation.
“The core feature of MLS is persistent group authenticated key exchange (AKE),” states the standards document. “Similar to other authenticated key exchange protocols (such as TLS), the participants in the protocol agree on a common secret value, allowing each participant to verify the identity of the other participant.”
“That secret can be used to protect messages sent from one participant to another in the group using the MLS framing layer. It can also be exported for use in other protocols. MLS offers group AKE in the sense that there can be more than two participants in the protocol, and continuous group AKE in the sense that the set of participants in the protocol can change over time.”
This evolving membership is achieved through a data structure called an asynchronous ratchet tree that is used to derive a shared secret among a group of clients. The goal is to effectively remove members and achieve post-compromise security by ensuring that the group's messages are not intercepted even if one member has been compromised at some point in the past.
Forward secrecy, on the other hand, allows messages sent at a given point in time to be protected against later compromise of group members, and is provided by removing private keys from past versions of the ratchet tree, thereby preventing old group secrets from being re-derived.
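As an added illustration of the ratchet-tree mechanics described above (a constructed toy, not code from Google, the IETF or any MLS implementation): each member holds secrets only for the nodes on its own direct path, an update re-derives that path from fresh randomness and hands each copath subtree the single node secret it needs, removal blanks the leaver's path before the remover commits a fresh one, and every epoch secret overwrites the previous one. It assumes a full binary tree with a power-of-two number of leaves and replaces MLS's HPKE encryption of path secrets and its labelled HKDF with direct delivery and plain SHA-256.

```python
import hashlib
import os

def kdf(label: bytes, *secrets: bytes) -> bytes:  # toy stand-in for MLS's labelled HKDF
    return hashlib.sha256(label + b"".join(secrets)).digest()

class Member:
    """One client's view: it only ever holds secrets for nodes on its own direct path."""
    def __init__(self):
        self.path_secrets, self.epoch_secret = {}, b"\x00" * 32
    def receive(self, node: int, secret: bytes) -> None:
        # MLS delivers this HPKE-encrypted to the subtree; the toy hands it over directly.
        while node != 0:  # re-derive everything from `node` up to the root, nothing below
            self.path_secrets[node] = secret
            node, secret = (node - 1) // 2, kdf(b"path", secret)
        self.path_secrets[0] = secret
    def advance_epoch(self) -> None:
        # Overwriting (not archiving) the old epoch secret is the forward-secrecy step.
        self.epoch_secret = kdf(b"epoch", self.epoch_secret, self.path_secrets[0])

class Group:
    def __init__(self, n_leaves: int):
        assert n_leaves & (n_leaves - 1) == 0, "toy tree is a full binary tree"
        self.n, self.members = n_leaves, [Member() for _ in range(n_leaves)]
    def leaves_under(self, node: int) -> list:  # leaf indices below an array-encoded node
        if node >= self.n - 1:
            return [node - (self.n - 1)]
        return self.leaves_under(2 * node + 1) + self.leaves_under(2 * node + 2)
    def commit(self, updater: int) -> bytes:
        """Updater draws a fresh leaf secret and re-derives its direct path (an UpdatePath)."""
        node, secret, me = self.n - 1 + updater, os.urandom(32), self.members[updater]
        me.path_secrets = {}  # nothing of the old path is kept
        while node != 0:
            me.path_secrets[node] = secret
            sibling = node + 1 if node % 2 else node - 1
            node, secret = (node - 1) // 2, kdf(b"path", secret)
            for m in filter(None, map(self.members.__getitem__, self.leaves_under(sibling))):
                m.receive(node, secret)  # the copath subtree learns this node and above only
        me.path_secrets[0] = secret
        for m in filter(None, self.members):
            m.advance_epoch()
        return me.epoch_secret
    def remove(self, remover: int, removed: int) -> bytes:
        """Blank the leaver's direct path in every view, then the remover commits afresh."""
        node, self.members[removed] = self.n - 1 + removed, None
        while node >= 0:  # root is 0 and (0 - 1) // 2 == -1 ends the walk
            for m in filter(None, self.members):
                m.path_secrets.pop(node, None)
            node = (node - 1) // 2
        return self.commit(remover)
```

A snapshot of one member's state taken before that member commits does not yield the next epoch secret (post-compromise security), and a removed member's copy of the old root secret no longer matches the group's after the remover's commit.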
Mozilla wants to standardize a web API that makes the protocol available directly through a web browser, but said MLS is designed so that “any new member joining the group is checked for legitimacy by everyone. There is nowhere to hide.”