Google has announced that it intends to add support for Message Layer Security (MLS) to its Messages service for Android and open source implementation of the specification.
“Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform,” Giles Hogben, privacy engineering director at Google, said. “This is why Google is strongly supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms.”
Some of the other major companies that have thrown their weight behind the protocol are Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Notably missing from the list is Apple, which offers iMessage.
MLS, as the name implies, is a security layer for end-to-end encryption that facilitates interoperability across messaging services and platforms. It was approved for publication as a standard by IETF in March 2023.
“MLS builds on the best lessons of the current generation of security protocols,” IETF noted at the time. “Like the widely used Double Ratchet protocol, MLS allows for asynchronous operation and provides advanced security features such as post-compromise security. And, like TLS 1.3, MLS provides robust authentication.”
Central to MLS is an approach known as Continuous Group Key Agreement (CGKA) that allows multiple messaging clients to agree on a shared key that caters to groups in size ranging from two to thousands in a manner that offers forward secrecy guarantees regardless of the individuals who join and leave the group conversation.
“The core functionality of MLS is continuous group authenticated key exchange (AKE),” the standard document reads. “As with other authenticated key exchange protocols (such as TLS), the participants in the protocol agree on a common secret value, and each participant can verify the identity of the other participants.”
“That secret can then be used to protect messages sent from one participant in the group to the other participants using the MLS framing layer or can be exported for use with other protocols. MLS provides group AKE in the sense that there can be more than two participants in the protocol, and continuous group AKE in the sense that the set of participants in the protocol can change over time.”
This evolving membership is realized by means of a data structure called an asynchronous ratcheting tree, which is used to derive shared secrets among a group of clients. The goal is to be able to efficiently remove any member, achieving post-compromise security by preventing group messages from being intercepted even if one member was breached at some point in the past.
On the other hand, forward secrecy, which enables messages sent at a certain point in time to be secured in the face of later compromise of a group member, is provided by deleting private keys from past versions of the ratchet tree, thereby averting old group secrets from being re-derived.
Mozilla, which is hoping to see a standardization of a Web API to leverage the protocol directly via web browsers, said MLS is designed such that “the legitimacy of new members entering a group is checked by everyone: there is nowhere to hide.”