Movatterモバイル変換

[0]ホーム
URL:


Internet-DraftMLS ArchitectureDecember 2022
Beurdouche, et al.Expires 19 June 2023[Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-ietf-mls-architecture-10
Published:
Intended Status:
Informational
Expires:
Authors:
B. Beurdouche
Inria & Mozilla
E. Rescorla
Mozilla
E. Omara
Google
S. Inguva
Twitter
A. Duric
Wire

The Messaging Layer Security (MLS) Architecture

Abstract

The Messaging Layer Security (MLS) protocol (I-D.ietf-mls-protocol)specification has the role of defining a Group Key Agreement protocol, includingall the cryptographic operations and serialization/deserialization functionsnecessary for scalable and secure group messaging. The MLS protocol is meant toprotect against eavesdropping, tampering, message forgery, and provide furtherproperties such as Forward Secrecy (FS) and Post-Compromise Security (PCS) inthe case of past or future device compromises.

This document describes a general secure group messaging infrastructure and itssecurity goals. It provides guidance on building a group messaging system anddiscusses security and privacy tradeoffs offered by multiple security mechanismsthat are part of the MLS protocol (e.g., frequency of public encryption keyrotation).

The document also provides guidance for parts of the infrastructure that are notstandardized by the MLS Protocol document and left to the application or theinfrastructure architects to design.

While the recommendations of this document are not mandatory to follow in orderto interoperate at the protocol level, they affect the overall securityguarantees that are achieved by a messaging application. This is especially truein case of active adversaries that are able to compromise clients, the deliveryservice, or the authentication service.

Discussion Venues

This note is to be removed before publishing as an RFC.

Discussion of this document takes place on the MLS Working Group mailing list (mls@ietf.org), which is archived athttps://mailarchive.ietf.org/arch/browse/mls/.

Source for this draft and an issue tracker can be found athttps://github.com/mlswg/mls-architecture.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is athttps://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 19 June 2023.

Copyright Notice

Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

1.Introduction

RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH

The source for this draft is maintained in GitHub. Suggested changes shouldbe submitted as pull requests at https://github.com/mlswg/mls-architecture.Instructions are on that page as well. Editorial changes can bemanaged in GitHub, but any substantive change should be discussed onthe MLS mailing list.

End-to-end security is a requirement for instant messaging systems and iscommonly deployed in many such systems. In this context, "end-to-end" capturesthe notion that users of the system enjoy some level of security -- with theprecise level depending on the system design -- even in the face of maliciousactions by the operator of the messaging system.

Messaging Layer Security (MLS) specifies an architecture (this document) and aprotocol[I-D.ietf-mls-protocol] for providing end-to-end security in thissetting. MLS is not intended as a full instant messaging protocol but rather isintended to be embedded in concrete protocols, such as XMPP[RFC6120].Implementations of the MLS protocol will interoperate at the cryptographiclevel, though they may have incompatibilities in terms of how protected messagesare delivered, contents of protected messages, and identity/authenticationinfrastructures.The MLS protocol has been designed to provide the same security guarantees toall users, for all group sizes, even when it reduces to only two users.

2.General Setting

MLS provides a way forclients to formgroups within which they cancommunicate securely. For example, a set of users might use clients on theirphones or laptops to join a group and communicate with each other. A group maybe as small as two clients (e.g., for simple person to person messaging) or aslarge as thousands. A client that is part of a group is amember of thatgroup.

In order to communicate securely, users initially interact with services attheir disposal to establish the necessary values and credentials required forencryption and authentication.

The Service Provider presents two abstract functionalities that allow clients toprepare for sending and receiving messages securely:

  • An Authentication Service (AS) functionality which is responsible forattesting to bindings between application-meaningful identifiers and thepublic key material used for authentication in the MLS protocol. Thisfunctionality must also be able to generate credentials that encode thesebindings and validate credentials provided by MLS clients.
  • A Delivery Service (DS) functionality which can receive and distributemessages between group members. In the case of group messaging, the deliveryservice may also be responsible for acting as a "broadcaster" where the sendersends a single message which is then forwarded to each recipient in the groupby the DS. The DS is also responsible for storing and delivering initialpublic key material required by MLS clients in order to proceed with the groupsecret key establishment that is part of the MLS protocol.

For convenience, this document adopts the representation of these services beingstandalone servers, however the MLS protocol design is made so that this is notnecessarily the case. These services may reside on the same server or differentservers, they may be distributed between server and client components, and theymay even involve some action by users. For example:

  • Several secure messaging services today provide a centralized DS, and rely onmanual comparison of clients' public keys as the AS.
  • MLS clients connected to a peer-to-peer network could instantiate adecentralized DS by transmitting MLS messages over that network.
  • In an MLS group using a PKI for authentication, the AS would comprise thecertificate issuance and validation processes, both of which involve logicinside MLS clients as well as various servers.

It is important to note that the Authentication Service functionality can becompletely abstract in the case of a Service Provider which allows MLS clientsto generate, distribute, and validate credentials themselves. As with the AS,the Delivery Service can be completely abstract if users are able to distributecredentials and messages without relying on a central Delivery Service. Note,though, that in such scenarios, clients will need to implement logic thatassures the delivery properties required of the DS (seeSection 4.2).

AuthenticationDeliveryService(AS)Service(DS)Group....................................Client1.Client2Client3....Member1Member2.....................................

According to this architecture design, a typical group messaging scenario mightlook like this:

  1. Alice, Bob and Charlie create accounts with a service provider and obtaincredentials from the AS.
  2. Alice, Bob and Charlie authenticate to the DS and store some initial keyingmaterial which can be used to send encrypted messages to them for the firsttime. This keying material is authenticated with their long-term credentials.
  3. When Alice wants to send a message to Bob and Charlie, she contacts the DSand looks up their initial keying material. She uses these keys to establisha new set of keys which she can use to send encrypted messages to Bob andCharlie. She then sends the encrypted message(s) to the DS, which forwardsthem to the recipients.
  4. Bob and/or Charlie respond to Alice's message. In addition, they might chooseto update their key material which provides post-compromise security (seeSection 7.2.2). As a consequence of that change, the group secrets areupdated.

MLS allows clients to perform several actions in this setting:

  • create a group by inviting a set of other clients;
  • add one or more clients to an existing group;
  • remove one or more members from an existing group;
  • update their own key material
  • join an existing group;
  • leave a group (by asking to be removed);
  • send a message to everyone in the group;
  • receive a message from someone in the group.

At the cryptographic level, clients (and by extension members in groups) haveequal permissions. For instance, any member can add or remove another member ina group. This is in contrast to some designs in which there is a single groupcontroller who can modify the group. MLS is compatible with having groupadministration restricted to certain users, but we assume that thoserestrictions are enforced by the application layer.

2.1.Group Members and Clients

While informally, a group can be considered to be a set of users possibly usingmultiple endpoint devices to interact with the Service Provider, this definitionis too simplistic.

Formally, a client is a set of cryptographic objects composed of public valuessuch as a name (an identity), a public encryption key, and a public signaturekey. Ownership of a client by a user is determined by the fact that the user hasknowledge of the associated secret values. When a client is part of a Group, itis called a Member.In some messaging systems, clients belonging to the same user must all share thesame signature key pair, but MLS does not assume this.

Users will often use multiple devices, e.g., a phone as well as a laptop.Different devices may be represented as different clients, with independentcryptographic state.The formal definition of a Group in MLS is the set of clients that haveknowledge of the shared group secret established in the group key establishmentphase of the protocol and have contributed to it.Until a Member has been added to the group and contributed to the group secretin a manner verifiable by other members of the group, other members cannotassume that the Member is a member of the group.Different devices are represented as different clients with independentcryptographic state.

3.Authentication Service

The Authentication Service (AS) has to provide three functionalities:

  1. Issue credentials to clients that attest to bindings between identities andsignature key pairs
  2. Enable a client to verify that a credential presented by another client isvalid with respect to a reference identifier
  3. Enable a group member to verify that a credential represents the same clientas another credential

A member with a valid credential authenticates its MLS messages by signing themwith the private key corresponding to the public key bound by its credential.

The AS is considered an abstract layer by the MLS specification and part of thisservice could be, for instance, running on the members' devices, while anotherpart is a separate entity entirely. The following examples illustrate thebreadth of this concept:

  • A PKI could be used as an AS[RFC5280]. The issuance function would beprovided by the certificate authorities in the PKI, and the verificationfunction would correspond to certificate verification by clients.
  • Several current messaging applications rely on users verifying each others'key fingerprints for authentication. In this scenario, the issuance functionis simply the generation of a key pair (i.e., a credential is just anidentifier and public key, with no information to assist in verification).The verification function is the application functionality that enables usersto verify keys.
  • In a system based on Key Transparency (KT)[KeyTransparency], the issuancefunction would correspond to the insertion of a key in a KT log under a user'sidentity. The verification function would correspond to verifying a key'sinclusion in the log for a claimed identity, together with the KT log'smechanisms for a user to monitor and control which keys are associated withtheir identity.

By the nature of its roles in MLS authentication, the AS is invested with alarge amount of trust and the compromise of one of its functionalities couldallow an adversary to, among other things, impersonate group members. We discusssecurity considerations regarding the compromise of the different ASfunctionalities in detail inSection 7.4.3.

The association between members' identities and signature keys is fairlyflexible in MLS. As noted above, there is no requirement that all clientsbelonging to a given user use the same key pair (in fact, such key reuse isforbidden to ensure clients have independent cryptographic state). A member canalso rotate the signature key they use within a group. These mechanisms allowclients to use different signature keys in different contexts and at differentpoints in time, providing unlinkability and post-compromise security benefits.Some security trade-offs related to this flexibility are discussed in thesecurity considerations.

In many applications, there are multiple MLS clients that represent a singleentity, for example a human user with a mobile and desktop version of anapplication. Often the same set of clients is represented in exactly the samelist of groups. In applications where this is the intended situation, otherclients can check that a user is consistently represented by the same set ofclients. This would make it more difficult for a malicious AS to issue fakecredentials for a particular user because clients would expect the credential toappear in all groups of which the user is a member. If a client credential doesnot appear in all groups after some relatively short period of time, clientshave an indication that the credential might have been created without theuser's knowledge. Due to the asynchronous nature of MLS, however, there may betransient inconsistencies in a user's client set, so correlating users' clientsacross groups is more of a detection mechanism than a prevention mechanism.

4.Delivery Service

The Delivery Service (DS) is expected to play multiple roles in the ServiceProvider architecture:

  • Acting as a directory service providing the initial keying material forclients to use. This allows a client to establish a shared key and sendencrypted messages to other clients even if they're offline.
  • Routing MLS messages among clients.

Depending on the level of trust given by the group to the Delivery Service, thefunctional and privacy guarantees provided by MLS may differ but theauthentication and confidentiality guarantees remain the same.

Unlike the Authentication Service which is trusted for authentication andsecrecy, the Delivery Service is completely untrusted regarding thisproperty. While privacy of group membership might be a problem in the case of aDelivery Service server fanout, the Delivery Service can be considered as anactive, adaptive network attacker for the purpose of security analysis.

4.1.Key Storage and Retrieval

Upon joining the system, each client stores its initial cryptographic keymaterial with the Delivery Service. Clients then continue adding and removingkeying material on a regular basis. This key material, called a KeyPackage,advertises the functional abilities of the client such as supported protocolversions, supported extensions, and the following cryptographic information:

  • A credential from the Authentication Service attesting to the binding betweenthe identity and the client's signature key.
  • The client's asymmetric encryption public key.

All the parameters in the KeyPackage are signed with the signature private keycorresponding to the credential.

The Delivery Service is responsible for ensuring that each KeyPackage is onlyused to add its client to a single group, with the possible exception of a "lastresort" KeyPackage that's specially designated by the client to be used multipletimes. As noted in the previous section, users may own multiple clients, eachwith their own keying material. Each KeyPackage is specific to an MLS versionand ciphersuite, but a client may want to offer support for multiple protocolversions and ciphersuites. As such, there may be multiple KeyPackages stored byeach user for a mix of protocol versions, ciphersuites, and end-user devices --in addition to the multiplicity required to support single-use.

When a client wishes to establish a group or add clients to a group, it firstcontacts the Delivery Service to request KeyPackages for each other client,authenticates the KeyPackages using the signature keys, and then uses those toadd the other clients to the group.

When a client requests a KeyPackage in order to add a user to a group, theDelivery Service should provide the minimum number of KeyPackages necessary tosatisfy the request. For example, if the request specifies the MLS version, theDS might provide one KeyPackage per supported ciphersuite, even if it hasmultiple such KeyPackages to enable the corresponding client to be added tomultiple groups before needing to upload more fresh KeyPackages.

4.2.Delivery of Messages

The main responsibility of the Delivery Service is to ensure delivery ofmessages. Some MLS messages need only be delivered to specific clients (e.g., aWelcome message initializing a new member's state), while others need to bedelivered to all the members of a group. The Delivery Service may enable thelatter delivery pattern via unicast channels (sometimes known as "clientfanout"), broadcast channels ("server fanout"), or a mix of both.

For the most part, MLS does not require the Delivery Service to deliver messagesin any particular order. Applications can set policies that control theirtolerance for out-of-order messages (seeSection 6), andmessages that arrive significantly out-of-order can be dropped without otherwiseaffecting the protocol. There are two exceptions to this. First, Proposalmessages should all arrive before the Commit that references them. Second,because an MLS group has a linear history of epochs, the members of the groupmust agree on the order in which changes are applied. Concretely, the groupmust agree on a single MLS Commit message that ends each epoch and begins thenext one.

In practice, there's a realistic risk of two members generating Commit messagesat the same time, based on the same counter, and both attempting to send them tothe group at the same time. The extent to which this is a problem, and theappropriate solution, depends on the design of the Delivery Service. Per the CAPtheorem[CAPBR], there are two general classes of distributed system that theDelivery Service might fall into:

  • Consistent and Partition-tolerant, or Strongly Consistent, systems can providea globally consistent view of data but may stop working if there are networkissues;
  • Available and Partition-tolerant, or Eventually Consistent, systems continueworking despite network issues but may return different views of data todifferent users.

Strategies for sequencing messages in strongly and eventually consistent systemsare described in the next two subsections.

However, note that a malicious Delivery Service could also reorder messages orprovide an inconsistent view to different users. The "generation" counter inMLS messages provides per-sender loss detection and ordering that cannot bemanipulated by the DS. A mechanism for more robust protections is discussed in[I-D.ietf-mls-extensions]. A DS can cause a partition in the group bypartitioning key exchange messages; this can be detected only by out of bandcomparison (e.g., confirming that all clients have the sameepoch_authenticator value`).

Other forms of Delivery Service misbehavior are still possible that are not easyto detect. For instance, a Delivery Service can simply refuse to relay messagesto and from a given client. Without some sort of side information, other clientscannot generally detect this form of Denial of Service (DoS) attack.

4.2.1.Strongly Consistent

With this approach, the Delivery Service ensures that some types of incomingmessages have a linear order and all members agree on that order. The DeliveryService is trusted to break ties when two members send a Commit message at thesame time.

As an example, there could be an "ordering server" Delivery Service thatbroadcasts all messages received to all users and ensures that all clients seehandshake messages in the same order. Clients that send a Commit would then waitto apply it until it's broadcast back to them by the Delivery Service, assumingthey don't receive another Commit first.

The Delivery Service can rely on theepoch andcontent_type fields of anMLSMessage for providing an order only to handshake messages, and possibly evenfilter or reject redundant Commit messages proactively to prevent them frombeing broadcast. Alternatively, the Delivery Service could simply apply an orderto all messages and rely on clients to ignore redundant Commits.

4.2.2.Eventually Consistent

With this approach, the Delivery Service is built in a way that may besignificantly more available or performant than a strongly consistent system,but offers weaker consistency guarantees. Messages may arrive to differentclients in different orders and with varying amounts of latency, which meansclients are responsible for reconciliation.

This type of Delivery Service might arise, for example, when group members aresending each message to each other member individually, or when a distributedpeer-to-peer network is used to broadcast messages.

Upon receiving a Commit from the Delivery Service, clients can either:

  1. Pause sending new messages for a short amount of time to account for areasonable degree of network latency and see if any other Commits arereceived for the same epoch. If multiple Commits are received, the clientscan use a deterministic tie-breaking policy to decide which to accept, andthen resume sending messages as normal.
  2. Accept the Commit immediately but keep a copy of the previous group state fora short period of time. If another Commit for a past epoch is received,clients use a deterministic tie-breaking policy to decide if they shouldcontinue using the Commit they originally accepted or revert and use thelater one. Note that any copies of previous or forked group states must bedeleted within a reasonable amount of time to ensure the protocol providesforward-secrecy.

In the event of a network partition, a subset of members may be isolated fromthe rest of the group long enough that the mechanisms above no longer work. Thiscan only be solved by sending a ReInit proposal to both groups, possibly with anexternal sender type, and recreating the group to contain all members again.

If the Commit references an unknown proposal, group members may need to solicitthe Delivery Service or other group members individually for the contents of theproposal.

5.Functional Requirements

MLS is designed as a large-scale group messaging protocol and hence aims toprovide both performance and safety to its users. Messaging systems thatimplement MLS provide support for conversations involving two or more members,and aim to scale to groups with tens of thousands of members, typicallyincluding many users using multiple devices.

5.1.Membership Changes

MLS aims to provide agreement on group membership, meaning that all groupmembers have agreed on the list of current group members.

Some applications may wish to enforce ACLs to limit addition or removal of groupmembers, to privileged clients or users. Others may wish to requireauthorization from the current group members or a subset thereof. Such policiescan be implemented at the application layer, on top of MLS. Regardless, MLS doesnot allow for or support addition or removal of group members without informingall other members.

Membership of an MLS group is managed at the level of individual clients. Inmost cases, a client corresponds to a specific device used by a user. If a userhas multiple devices, the user will be represented in a group by multipleclients. If an application wishes to implement operations at the level ofusers, it is up to the application to track which clients belong to a given userand ensure that they are added / removed consistently.

MLS provides two mechanisms for changing the membership of a group. The primarymechanism is for an authorized member of the group to send a Commit that adds orremoves other members. The second mechanism is an "external join": A member ofthe group publishes certain information about the group, which a new member canuse to construct an "external" Commit message that adds the new member to thegroup. (There is no similarly unilateral way for a member to leave the group;they must be removed by a remaining member.)

With both mechanisms, changes to the membership are initiated from inside thegroup. When members perform changes directly, this is clearly the case.External joins are authorized indirectly, in the sense that a member publishinga GroupInfo object authorizes anyone to join who has access to the GroupInfoobject. Both types of joins are done via a Commit message, which could beblocked by the DS or rejected by clients if the join is not authorized. Theformer approach requires that Commits be visible to the DS; the latter approachrequires that clients all share a consistent policy. In the unfortunate eventthat an unauthorized member is able to join, MLS enables any member to removethem.

Application setup may also determine other criteria for membership validity. Forexample, per-device signature keys can be signed by an identity key recognizedby other participants. If a certificate chain is used to sign off on devicesignature keys, then revocation by the owner adds an alternative flag to promptmembership removal.

An MLS group's secrets change on every change of membership, so each client onlyhas access to the secrets used by the group while they are a member. Messagessent before a client joins or after they are removed are protected with keysthat are not accessible to the client. Compromise of a member removed from agroup does not affect the security of messages sent after their removal.Messages sent during the client's membership are also secure as long as theclient has properly implemented the MLS deletion schedule, which calls for thesecrets used to encrypt or decrypt a message to be deleted after use, along withany secrets that could be used to derive them.

5.2.Parallel Groups

Any user or client may have membership in several groups simultaneously. Theset of members of any group may or may not form a subset of the members ofanother group. MLS guarantees that the FS and PCS goals within a given group aremaintained and not weakened by user membership in multiple groups. However,actions in other groups likewise do not strengthen the FS and PCS guaranteeswithin a given group, e.g. key updates within a given group following a devicecompromise does not provide PCS healing in other groups; each group must beupdated separately to achieve internal goals. This also applies to futuregroups that a member has yet to join, that are likewise unaffected by updatesperformed in current groups.

Applications may strengthen connectivity among parallel groups by requiringperiodic key updates from a user across all groups in which they havemembership.

Applications may use the PSK mechanism to link healing properties among parallelgroups. For example, suppose a common member M of two groups A and B hasperformed a key update in group A but not in group B. The key update providesPCS with regard to M in group A. If a PSK is exported from group A and injectedinto group B, then some of these PCS properties carry over to group B, since thePSK and secrets derived from it are only known to the new, updated version of M,not to the old, possibly compromised version of M.

5.3.Asynchronous Usage

No operation in MLS requires two distinct clients or members to be onlinesimultaneously. In particular, members participating in conversations protectedusing MLS can update the group's keys, add or remove new members, and sendmessages without waiting for another user's reply.

Messaging systems that implement MLS have to provide a transport layer fordelivering messages asynchronously and reliably.

5.4.Access Control

The MLS protocol allows each member of the messaging group to perform operationsequally. This is because all clients within a group (members) have access to theshared cryptographic material. However every service/infrastructure has controlover policies applied to its own clients. Applications managing MLS clients canbe configured to allow for specific group operations. On the one hand, anapplication could decide that a group administrator will be the only member toperform add and remove operations. On the other hand, in many settings such asopen discussion forums, joining can be allowed for anyone.

The MLS protocol can, in certain modes, exchange unencrypted group operationmessages. This flexibility is to allow services to perform access control taskson behalf of the group.

While the Application messages will always be encrypted, having the handshakemessages in plaintext has inconveniences in terms of privacy as someone couldcollect the signatures on the handshake messages and use them for tracking.

  • RECOMMENDATION: Prefer using encrypted group operation messages to avoidprivacy issues related to non-encrypted signatures.

Note that in the default case of encrypted handshake messages, any accesscontrol policies will be applied at the client, so the application must ensurethat the access control policies are consistent across all clients to make surethat they remain in sync. If two different policies were applied, the clientsmight not accept or reject a group operation and end-up in differentcryptographic states, breaking their ability to communicate.

  • RECOMMENDATION: Avoid using inconsistent access control policies in thecase of encrypted group operations.

MLS allows actors outside the group to influence the group in two ways: Externalsigners can submit proposals for changes to the group, and new joiners can usean external join to add themselves to the group. Theexternal_sendersextension ensures that all members agree on which signers are allowed to sendproposals, but any other policies must be assured to be consistent as above.

  • RECOMMENDATION: Have an explicit group policy setting the conditions underwhich external joins are allowed.

5.5.Handling Authentication Failures

Within an MLS group, every member is authenticated to other member by means ofcredentials issued and verified by the Authentication Service. MLS does notprescribe what actions, if any, an application should take in the event that agroup member presents an invalid credential. For example, an application mayrequire such a member to be immediately evicted, or may allow some grace periodfor the problem to be remediated. To avoid operational problems, it is importantfor all clients in a group to have a consistent view of which credentials in agroup are valid, and how to respond to invalid credentials.

  • RECOMMENDATION: Have a uniform credential validation process to ensurethat all group members evaluate other members' credentials in the same way.

  • RECOMMENDATION: Have a uniform policy for how invalid credentials arehandled.

In some authentication systems, it is possible for a previously-valid credentialto become invalid over time. For example, in a system based on X.509certificates, credentials can expire or be revoked. The MLS update mechanismsallow a client to replace an old credential with a new one. This is best donebefore the old credential becomes invalid.

  • RECOMMENDATION: Proactively rotate credentials, especially if a credentialis about to become invalid.

5.6.Recovery After State Loss

Group members whose local MLS state is lost or corrupted can reinitialize theirstate by re-joining the group as a new member and removing the memberrepresenting their earlier state. An application can require that a clientperforming such a reinitialization prove its prior membership with a PSK.

There are a few practical challenges to this approach. For example, theapplication will need to ensure that all members have the required PSK,including any new members that have joined the group since the epoch in whichthe PSK was issued. And of course, if the PSK is lost or corrupted along withthe member's other state, then it cannot be used to recover.

Reinitializing in this way does not provide the member with access to groupmessages from during the state loss window, but enables proof of priormembership in the group. Applications may choose various configurations forproviding lost messages to valid group members that are able to prove priormembership.

5.7.Support for Multiple Devices

It is typically expected for users within a group to own various devices. A newdevice can be added to a group and be considered as a new client by theprotocol. This client will not gain access to the history even if it is owned bysomeone who owns another member of the group.Restoring history is typically not allowed at the protocol level butapplications can elect to provide such a mechanism outside of MLS. Suchmechanisms, if used, may reduce the FS and PCS guarantees provided by MLS.

5.8.Extensibility

The MLS protocol provides several extension points where additional informationcan be provided. Extensions to KeyPackages allow clients to disclose additionalinformation about their capabilities. Groups can also have extension dataassociated with them, and the group agreement properties of MLS will confirmthat all members of the group agree on the content of these extensions.

5.9.Application Data Framing and Type Advertisements

Application messages carried by MLS are opaque to the protocol; they can containarbitrary data. Each application which uses MLS needs to define the format ofitsapplication_data and any mechanism necessary to determine the format ofthat content over the lifetime of an MLS group. In many applications this meansmanaging format migrations for groups with multiple members who may each beoffline at unpredictable times.

  • RECOMMENDATION: Use the default content mechanism defined in[I-D.mahy-mls-content-adv], unless the specific application defines anothermechanism which more appropriately addresses the same requirements for thatapplication of MLS.

The MLS framing for application messages also provides a field where clients cansend information that is authenticated but not encrypted. Such information canbe used by servers that handle the message, but group members are assured thatit has not been tampered with.

5.10.Federation

The protocol aims to be compatible with federated environments. While thisdocument does not specify all necessary mechanisms required for federation,multiple MLS implementations can interoperate to form federated systems if theyuse compatible authentication mechanisms, ciphersuites, application content, andinfrastructure functionalities. Federation is described in more detail in[I-D.ietf-mls-federation].

5.11.Compatibility with Future Versions of MLS

It is important that multiple versions of MLS be able to coexist in thefuture. Thus, MLS offers a version negotiation mechanism; this mechanismprevents version downgrade attacks where an attacker would actively rewritemessages with a lower protocol version than the ones originally offered by theendpoints. When multiple versions of MLS are available, the negotiation protocolguarantees that the version agreed upon will be the highest version supported incommon by the group.

In MLS 1.0, the creator of the group is responsible for selecting the bestciphersuite supported across clients. Each client is able to verify availabilityof protocol version, ciphersuites and extensions at all times once he has atleast received the first group operation message.

Each member of an MLS group advertises the protocol functionality they support.These capability advertisements can be updated over time, e.g., if clientsoftware is updated while the client is a member of a group. Thus, in additionto preventing downgrade attacks, the members of a group can also observe when itis safe to upgrade to a new ciphersuite or protocol version.

6.Operational Requirements

MLS is a security layer that needs to be integrated with an application. Afully-functional deployment of MLS will have to make a number of decisions abouthow MLS is configured and operated. Deployments that wish to interoperate willneed to make compatible decisions. This section lists all of the dependencies ofan MLS deployment that are external to the protocol specification, but wouldstill need to be aligned within a given MLS deployment, or for two deploymentsto potentially interoperate.

The protocol has a built-in ability to negotiate protocol versions,ciphersuites, extensions, credential types, and additional proposal types. Fortwo deployments to interoperate, they must have overlapping support in each ofthese categories. Arequired_capabilities extension can help maintaininteroperability with a wider set of clients by ensuring that certainfunctionality continues to be supported by a group, even if the clients in thegroup aren't currently relying on it.

MLS relies on the following network services. These network services would needto be compatible in order for two different deployments based on them tointeroperate.

  • AnAuthentication Service, described fully inSection 3,defines the types of credentials which may be used in a deployment andprovides methods for:

    1. Issuing new credentials with a relevant credential lifetime,
    2. Validating a credential against a reference identifier,
    3. Validating whether or not two credentials represent the same client, and
    4. Optionally revoking credentials which are no longer authorized.

  • ADelivery Service, described fully inSection 4, providesmethods for:

    1. Delivering messages sent to a group to all members in the group.
    2. Delivering Welcome messages to new members of a group.
    3. Uploading new KeyPackages for a user's own clients.
    4. Downloading KeyPackages for specific clients. Typically, KeyPackages areused once and consumed.

  • Additional services may or may not be required depending on the applicationdesign:

    • If assisted joining is desired (meaning that the ratchet tree is notprovided in Welcome messages), there must be a method to download theratchet tree corresponding to a group.
    • If assisted joining is desired and the Delivery Service is not able tocompute the ratchet tree itself (because some proposals or commits are sentencrypted), there must be a method for group members to publish the updatedratchet tree after each commit.
    • If external joiners are allowed, there must be a method to publish aserializedGroupInfo object (with anexternal_pub extension) thatcorresponds to a specific group and epoch, and keep that object in sync withthe state of the group.
    • If an application chooses not to allow assisted or external joining, it mayinstead provide a method for external users to solicit group members (or adesignated service) to add them to a group.
    • If the application uses external PSKs, or uses resumption PSKs that allmembers of a group may not have access to, there must be a method fordistributing these PSKs to group members.
    • If an application wishes to detect and possibly discipline members that sendmalformed commits with the intention of corrupting a group's state, theremust be a method for reporting and validating malformed commits.

MLS requires the following parameters to be defined, which must be the same fortwo implementations to interoperate:

  • The maximum total lifetime that is acceptable for a KeyPackage.
  • How long to store the resumption secret for past epochs of a group.

  • The degree of tolerance that's allowed for out-of-order message delivery:

    • How long to keep unused nonce and key pairs for a sender
    • A maximum number of unused key pairs to keep.
    • A maximum number of steps that clients will move a secret tree ratchetforward in response to a single message before rejecting it.
    • Whether to buffer messages that aren't able to be understood yet due toother messages not arriving first, and if so, how many and for how long. Forexample, Commit messages that arrive before a proposal they reference, orapplication messages that arrive before the Commit starting an epoch.

MLS provides the following locations where an application may store arbitrarydata. The format and intention of any data in these locations must align for twodeployments to interoperate:

  • Application data, sent as the payload of an encrypted message.
  • Additional authenticated data, sent unencrypted in an otherwise encryptedmessage.
  • Group IDs, as decided by group creators and used to uniquely identify a group.
  • Theapplication_id extension of a LeafNode.

MLS requires the following policies to be defined, which restrict the set ofacceptable behavior in a group. These policies must be consistent betweendeployments for them to interoperate:

  • A policy on which ciphersuites are acceptable.
  • A policy on any mandatory or forbidden MLS extensions.
  • A policy on when to send proposals and commits in plaintext instead ofencrypted.

  • A policy for which proposals are valid to have in a commit, including but notlimited to:

    • When a member is allowed to add or remove other members of the group.
    • When, and under what circumstances, a reinitialization proposal is allowed.
    • When proposals from external senders are allowed and how to authorizethose proposals.
    • When external joiners are allowed and how to authorize those externalcommits.
    • Which other proposal types are allowed.
  • A policy of when members should commit pending proposals in a group.
  • A policy of how to protect and share the GroupInfo objects needed forexternal joins.
  • A policy for when two credentials represent the same client. Note that manycredentials may be issued authenticating the same identity but for differentsignature keys, because each credential corresponds to a different device(client) owned by the same application user. However, one device may controlmany signature keys but should still only be considered a single client.
  • A policy on how long to allow a member to stay in a group without updating itsleaf keys before removing them.

Finally, there are some additional application-defined behaviors that arepartially an individual application's decision but may overlap withinteroperability:

  • If there's any policy on how or when to pad messages.
  • If there is any policy for when to send a reinitialization proposal.
  • How often clients should update their leaf keys.
  • Whether to prefer sending full commits or partial/empty commits.
  • Whether there should be arequired_capabilities extension in groups.

7.Security and Privacy Considerations

MLS adopts the Internet threat model[RFC3552] and therefore assumes that theattacker has complete control of the network. It is intended to provide thesecurity services described in the face of such attackers.

  • The attacker can monitor the entire network.
  • The attacker can read unprotected messages.
  • The attacker can generate, inject and delete any message in the unprotectedtransport layer.

In addition, these guarantees are intended to degrade gracefully in the presenceof compromise of the transport security links as well as of both clients andelements of the messaging system, as described in the remainder of this section.

Generally, MLS is designed under the assumption that the transport layer ispresent to protect metadata and privacy in general, while the MLS protocol isproviding stronger guarantees such as confidentiality, integrity andauthentication guarantees. Stronger properties such as deniability can also beachieved in specific architecture designs.

7.1.Assumptions on Transport Security Links

As discussed above, MLS provides the highest level of security when its messagesare delivered over a secure transport. Any secure channel can be used as atransport layer to protect MLS messages, such as QUIC[RFC9000], TLS[RFC8446], IPsec[RFC6071], WireGuard[WireGuard], or TOR[TOR]. However, the MLS protocol is designed to consider the followingthreat-model:

  • The attacker can read, write, and delete arbitrary messages inside the securetransport channel.

This departs from most threat models where we consider that the secure channelused for transport always provides secrecy. The reason for this consideration isthat in the group setting, active malicious insiders or adversarial services areto be considered.

The main use of the secure transport layer for MLS is to protect the alreadylimited amount of metadata. Very little information is contained in theunencrypted header of the MLS protocol message format for group operationmessages, and application messages are always encrypted in MLS.

MLS avoids needing to send the full list of recipients to the server fordispatching messages because that list is potentially extremely large inMLS. Header metadata in MLS messages typically consists of an opaquegroup_id,a numerical value to determine the epoch of the group (the number of changesthat have been made to the group), and whether the message is an applicationmessage, a proposal, or a commit.

Even though some of this metadata information does not consist of secretpayloads, in correlation with other data a network observer might be able toreconstruct sensitive information. Using a secure channel to transfer thisinformation will prevent a network attacker from accessing this MLS protocolmetadata if it cannot compromise the secure channel.

7.1.1.Integrity and Authentication of Custom Metadata

The MLS protocol provides an authenticated "Additional Authenticated Data" fieldfor applications to make data available outside the MLSCiphertext.

  • RECOMMENDATION: Use the "Additional Authenticated Data" field of theMLSCiphertext message instead of using other unauthenticated means of sendingmetadata throughout the infrastructure. If the data is private, theinfrastructure should use encrypted Application messages instead.

7.1.2.Metadata Protection for Unencrypted Group Operations

Having no secure channel to exchange MLS messages can have a serious impact onprivacy when transmitting unencrypted group operation messages. Observing thecontents and signatures of the group operation messages may lead an adversary toextract information about the group membership.

  • RECOMMENDATION: Never use the unencrypted mode for group operationswithout using a secure channel for the transport layer.

7.1.3.DoS protection

In general we do not consider Denial of Service (DoS) resistance to be theresponsibility of the protocol. However, it should not be possible for anyoneaside from the Delivery Service to perform a trivial DoS attack from which it ishard to recover. This can be achieved through the secure transport layer.

In the centralized setting, DoS protection can typically be performed by usingtickets or cookies which identify users to a service for a certain number ofconnections. Such a system helps in preventing anonymous clients from sendingarbitrary numbers of group operation messages to the Delivery Service or the MLSclients.

  • RECOMMENDATION: Anonymous credentials can be used in order to help DoSattacks prevention, in a privacy preserving manner. Note that the privacy ofthese mechanisms has to be adjusted in accordance with the privacy expectedfrom the secure transport links. (See more discussion further down.)

7.1.4.Message Suppression and Error Correction

As noted above, MLS is designed to provide some robustness in the face oftampering within the secure transport, i.e., tampering by the Delivery Service.The confidentiality and authenticity properties of MLS prevent the DS reading orwriting messages. MLS also provides a few tools for detecting messagesuppression, with the caveat that message suppression cannot always bedistinguished from transport failure.

Each encrypted MLS message carries a "generation" number which is a per-senderincrementing counter. If a group member observes a gap in the generationsequence for a sender, then they know that they have missed a message from thatsender. MLS also provides a facility for group members to send authenticatedacknowledgments of application messages received within a group.

As discussed inSection 4, the Delivery Service is trusted to selectthe single Commit message that is applied in each epoch from among the ones sentby group members. Since only one Commit per epoch is meaningful, it's notuseful for the DS to transmit multiple Commits to clients. The risk remainsthat the DS will use the ability maliciously.

While it is difficult or impossible to prevent a network adversary fromsuppressing payloads in transit, in certain infrastructures such as banks orgovernments settings, unidirectional transports can be used and be enforced viaelectronic or physical devices such as diodes. This can lead to payloadcorruption which does not affect the security or privacy properties of the MLSprotocol but does affect the reliability of the service. In that case specificmeasures can be taken to ensure the appropriate level of redundancy and qualityof service for MLS.

  • RECOMMENDATION: If unidirectional transport is used for the securetransport channel, prefer using a transport protocol which provides ForwardError Correction.

7.2.Intended Security Guarantees

MLS aims to provide a number of security guarantees, covering authentication, aswell as confidentiality guarantees to different degrees in different scenarios.

7.2.1.Message Secrecy and Authentication

MLS enforces the encryption of application messages and thus generallyguarantees authentication and confidentiality of application messages sent in agroup.

In particular, this means that only other members of a given group can decryptthe payload of a given application message, which includes information about thesender of the message.

Similarly, group members receiving a message from another group member canauthenticate that group member as the sender of the message and verify themessage's integrity.

Message content can be deniable if the signature keys are exchanged over adeniable channel prior to signing messages.

Depending on the group settings, handshake messages can be encrypted as well. Ifthat is the case, the same security guarantees apply.

MLS optionally allows the addition of padding to messages, mitigating the amountof information leaked about the length of the plaintext to an observer on thenetwork.

7.2.2.Forward and Post-Compromise Security

MLS provides additional protection regarding secrecy of past messages and futuremessages. These cryptographic security properties are Forward Secrecy (FS) andPost-Compromise Security (PCS).

FS means that access to all encrypted traffic history combined with an access toall current keying material on clients will not defeat the secrecy properties ofmessages older than the oldest key of the compromised client. Note that thismeans that clients have the extremely important role of deleting appropriatekeys as soon as they have been used with the expected message, otherwise thesecrecy of the messages and the security for MLS is considerably weakened.

PCS means that if a group member's state is compromised at some time t1 but thegroup member subsequently performs an update at some time t2, then all MLSguarantees apply to messages sent by the member after time t2, and by othermembers after they have processed the update. For example, if an attacker learnsall secrets known to Alice at time t1, including both Alice's long-term secretkeys and all shared group keys, but Alice performs a key update at time t2, thenthe attacker is unable to violate any of the MLS security properties after theupdates have been processed.

Both of these properties are satisfied even against compromised DSs and ASs.

Confidentiality is mainly ensured on the client side. Because Forward Secrecy(FS) and Post-Compromise Security (PCS) rely on the active deletion andreplacement of keying material, any client which is persistently offline maystill be holding old keying material and thus be a threat to both FS and PCS ifit is later compromised.

MLS partially defends against this problem by active members includingfreshness, however not much can be done on the inactive side especially in thecase where the client has not processed messages.

  • RECOMMENDATION: Mandate key updates from clients that are not otherwisesending messages and evict clients which are idle for too long.

These recommendations will reduce the ability of idle compromised clients todecrypt a potentially long set of messages that might have followed the point ofthe compromise.

The precise details of such mechanisms are a matter of local policy and beyondthe scope of this document.

7.2.3.Non-Repudiation vs Deniability

MLS provides strong authentication within a group, such that a group membercannot send a message that appears to be from another group member.Additionally, some services require that a recipient be able to prove to theservice provider that a message was sent by a given client, in order to reportabuse. MLS supports both of these use cases. In some deployments, these servicesare provided by mechanisms which allow the receiver to prove a message's originto a third party. This is often called "non-repudiation".

Roughly speaking, "deniability" is the opposite of "non-repudiation", i.e., theproperty that it is impossible to prove to a third party that a message was sentby a given sender. MLS does not make any claims with regard to deniability. Itmay be possible to operate MLS in ways that provide certain deniabilityproperties, but defining the specific requirements and resulting notions ofdeniability requires further analysis.

7.2.4.Associating a User's Clients

When the same user uses multiple clients, it may be possible for other membersof a group to recognize all of those clients as belonging to the same user. Forexample, all of a user's clients might present credentials authenticating theuser's identity. This association among devices might be considered a leak ofprivate information. The remainder of this section describes several approachesfor addressing this.

This risk only arises when the leaf nodes for the clients in question providedata that can be used to correlate the clients. So one way to mitigate thisrisk is by only doing client-level authentication within MLS. If user-levelauthentication is still desirable, the application would have to be provide itthrough some other mechanism.

It is also possible to maintain user-level authentication while hidinginformation about the clients that a user owns. This can be done by having theclients share cryptographic state, so that they appear as a single client withinthe MLS group. The application would need to provide a synchronizationmechanism so that the clients' state remained consistent across changes to theMLS group.

  • RECOMMENDATION: Avoid sharing cryptographic state between clients toimprove resilience against compromises. An attacker could use one compromiseddevice to establish ownership of a state across other devices and reduce theability of the user to recover.

7.3.Endpoint Compromise

The MLS protocol adopts a threat model which includes multiple forms ofendpoint/client compromise. While adversaries are in a very strong position ifthey have compromised an MLS client, there are still situations where securityguarantees can be recovered thanks to the PCS properties achieved by the MLSprotocol.

In this section we will explore the consequences and recommendations regardingthe following compromise scenarios:

  • The attacker has access to a specific symmetric encryption key
  • The attacker has access to the group secrets for one group
  • The attacker has access to a signature oracle for any group
  • The attacker has access to the signature key for one group
  • The attacker has access to all secrets of a user for all groups (full statecompromise)

The MLS protocol provides per-sender chains of AEAD keys that are generated fromGroup Secrets. These keys are used to protect MLS Plaintext messages which canbe Group Operation or Application messages. The Group Operation messages offeran additional protection as the secret exchanged within the TreeKEM group keyagreement are public-key encrypted to subgroups with HPKE.

7.3.1.Compromise of AEAD key material

In some circumstances, adversaries may have access to specific AEAD keys andnonces which protect an Application or a Group Operation message. While this isa very weak kind of compromise, it can be realistic in cases of implementationvulnerabilities where only part of the memory leaks to the adversary.

When an AEAD key is compromised, the adversary has access to a set of AEAD keysfor the same chain and the same epoch, hence can decrypt messages sent usingkeys of this chain. An adversary cannot send a message to a group which appearsto be from any valid client since they cannot forge the signature.

The MLS protocol will ensure that an adversary cannot compute any previous AEADkeys for the same epoch, or any other epochs. Because of its Forward Secrecyguarantees, MLS will also retain secrecy of all other AEAD keys generated forother MLS clients, outside this dedicated chain of AEAD keys and nonces, evenwithin the epoch of the compromise. However the MLS protocol does not providePost Compromise Secrecy for AEAD encryption within an epoch. This means that ifthe AEAD key of a chain is compromised, the adversary can compute an arbitrarynumber of subsequent AEAD keys for that chain.

These guarantees are ensured by the structure of the MLS key schedule whichprovides Forward Secrecy for these AEAD encryptions, across the messages withinthe epoch and also across previous epochs. Those chains are completely disjointand compromising keys across the chains would mean that some Group Secrets havebeen compromised, which is not the case in this attack scenario (we explorestronger compromise scenarios as part of the following sections).

MLS provides Post-Compromise Secrecy against an active adaptive attacker acrossepochs for AEAD encryption, which means that as soon as the epoch is changed, ifthe attacker does not have access to more secret material they won't be able toaccess any protected messages from future epochs.

In the case of an Application message, an AEAD key compromise means that theencrypted application message will be leaked as well as the signature over thatmessage. This means that the compromise has both confidentiality and privacyimplications on the future AEAD encryptions of that chain. In the case of aGroup Operation message, only the privacy is affected, as the signature isrevealed, because the secrets themselves are protected by HPKE encryption.

Note that under that compromise scenario, authentication is not affected ineither of these cases. As every member of the group can compute the AEAD keysfor all the chains (they have access to the Group Secrets) in order to send andreceive messages, the authentication provided by the AEAD encryption layer ofthe common framing mechanism is very weak. Successful decryption of an AEADencrypted message only guarantees that a member of the group sent the message.

7.3.2.Compromise of the Group Secrets of a single group for one or more group epochs

The attack scenario considering an adversary gaining access to a set of Groupsecrets is significantly stronger. This can typically be the case when a memberof the group is compromised. For this scenario, we consider that the signaturekeys are not compromised. This can be the case for instance if the adversary hasaccess to part of the memory containing the group secrets but not to thesignature keys which might be stored in a secure enclave.

In this scenario, the adversary gains the ability to compute any number of AEADencryption keys for any AEAD chains and can encrypt and decrypt all messages forthe compromised epochs.

If the adversary is passive, it is expected from the PCS properties of the MLSprotocol that, as soon as the compromised party remediates the compromise andsends an honest Commit message, the next epochs will provide message secrecy.

If the adversary is active, the adversary can follow the protocol and performupdates on behalf of the compromised party with no ability for an honest groupto recover message secrecy. However, MLS provides PCS against active adaptiveattackers through its Remove group operation. This means that, as long as othermembers of the group are honest, the protocol will guarantee message secrecy forall messages exchanged in the epochs after the compromised party has beenremoved.

7.3.3.Compromise by an active adversary with the ability to sign messages

Under such a scenario, where an active adversary has compromised an MLS client,two different settings emerge. In the strongest compromise scenario, theattacker has access to the signing key and can forge authenticated messages. Ina weaker, yet realistic scenario, the attacker has compromised a client but theclient signature keys are protected with dedicated hardware features which donot allow direct access to the value of the private key and instead provide asignature API.

When considering an active adaptive attacker with access to a signature oracle,the compromise scenario implies a significant impact on both the secrecy andauthentication guarantees of the protocol, especially if the attacker also hasaccess to the group secrets. In that case both secrecy and authentication arebroken. The attacker can generate any message, for the current and futureepochs, until the compromise is remediated and the formerly compromised clientsends an honest update.

Note that under this compromise scenario, the attacker can perform alloperations which are available to a legitimate client even without access to theactual value of the signature key.

Without access to the group secrets, the adversary will not have the ability togenerate messages which look valid to other members of the group and to theinfrastructure as they need to have access to group secrets to compute theencryption keys or the membership tag.

7.3.4.Compromise of the authentication with access to a signature key

The difference between having access to the value of the signature key and onlyhaving access to a signing oracle is not about the ability of an active adaptivenetwork attacker to perform different operations during the time of thecompromise, the attacker can perform every operation available to a legitimateclient in both cases.

There is a significant difference, however in terms of recovery after acompromise.

Because of the PCS guarantees provided by the MLS protocol, when a previouslycompromised client performs an honest Commit which is not under the control ofthe adversary, both secrecy and authentication of messages can be recovered inthe case where the attacker didn't get access to the key. Because the adversarydoesn't have the key and has lost the ability to sign messages, they cannotauthenticate messages on behalf of the compromised party, even if they stillhave control over some group keys by colluding with other members of the group.

This is in contrast with the case where the signature key is leaked. In thatcase PCS of the MLS protocol will eventually allow recovery of theauthentication of messages for future epochs but only after compromised partiesrefresh their credentials securely.

Beware that in both oracle and private key access, an active adaptive attackercan follow the protocol and request to update its own credential. This in turninduces a signature key rotation which could provide the attacker with part orthe full value of the private key depending on the architecture of the serviceprovider.

  • RECOMMENDATION: Signature private keys should be compartmentalized fromother secrets and preferably protected by an HSM or dedicated hardwarefeatures to allow recovery of the authentication for future messages after acompromise.

7.3.5.Security consideration in the context of a full state compromise

In real-world compromise scenarios, it is often the case that adversaries targetspecific devices to obtain parts of the memory or even the ability to executearbitrary code in the targeted device.

Also, recall that in this setting, the application will often retain theunencrypted messages. If so, the adversary does not have to break encryption atall to access sent and received messages. Messages may also be sent by using theapplication to instruct the protocol implementation.

  • RECOMMENDATION: If messages are stored on the device, they should beprotected using encryption at rest, and the keys used should be storedsecurely using dedicated mechanisms on the device.

  • RECOMMENDATION: If the threat model of the system is against an adversarywhich can access the messages on the device without even needing to attackMLS, the application should delete plaintext messages and ciphertextsimmediately after encryption or decryption.

Even though, from the strict point of view of the security formalization, aciphertext is always public and will forever be, there is no loss in trying toerase ciphertexts as much as possible.

Note that this document makes a clear distinction between the way signature keysand other group shared secrets must be handled. In particular, a large set ofgroup secrets cannot necessarily be assumed to be protected by an HSM or secureenclave features. This is especially true because these keys are extremelyfrequently used and changed with each message received by a client.

However, the signature private keys are mostly used by clients to send amessage. They also provide strong authentication guarantees to other clients,hence we consider that their protection by additional security mechanisms shouldbe a priority.

Overall there is no way to detect or prevent these compromises, as discussed inthe previous sections, performing separation of the application secret statescan help recovery after compromise, this is the case for signature keys butsimilar concern exists for the encryption private key used in the TreeKEM GroupKey Agreement.

  • RECOMMENDATION: The secret keys used for public key encryption should bestored similarly to the way the signature keys are stored, as keys can be usedto decrypt the group operation messages and contain the secret material usedto compute all the group secrets.

Even if secure enclaves are not perfectly secure, or even completely broken,adopting additional protections for these keys can ease recovery of the secrecyand authentication guarantees after a compromise where, for instance, anattacker can sign messages without having access to the key. In certaincontexts, the rotation of credentials might only be triggered by the AS throughACLs, hence be outside of the capabilities of the attacker.

7.4.Service Node Compromise

7.4.1.General considerations

7.4.1.1.Privacy of the network connections

There are many scenarios leading to communication between the application on adevice and the Delivery Service or the Authentication Service. In particularwhen:

  • The application connects to the Authentication Service to generate or validatea new credential before distributing it.
  • The application fetches credentials at the Delivery Service prior to creatinga messaging group (one-to-one or more than two clients).
  • The application fetches service provider information or messages on theDelivery Service.
  • The application sends service provider information or messages to the DeliveryService.

In all these cases, the application will often connect to the device via asecure transport which leaks information about the origin of the request such asthe IP address and depending on the protocol the MAC address of the device.

Similar concerns exist in the peer-to-peer use cases of MLS.

  • RECOMMENDATION: In the case where privacy or anonymity is important, usingadequate protection such as TOR or a VPN can improve metadata protection.

More generally, using anonymous credentials in an MLS based architecture mightnot be enough to provide strong privacy or anonymity properties.

7.4.2.Delivery Service Compromise

MLS is intended to provide strong guarantees in the face of compromise of theDS. Even a totally compromised DS should not be able to read messages or injectmessages that will be acceptable to legitimate clients. It should also not beable to undetectably remove, reorder or replay messages.

However, a malicious DS can mount a variety of DoS attacks on the system,including total DoS attacks (where it simply refuses to forward any messages)and partial DoS attacks (where it refuses to forward messages to and fromspecific clients). As noted inSection 4.2, these attacks are onlypartially detectable by clients without an out-of-band channel. Ultimately,failure of the DS to provide reasonable service must be dealt with as a customerservice matter, not via technology.

Because the DS is responsible for providing the initial keying material toclients, it can provide stale keys. This does not inherently lead to compromiseof the message stream, but does allow it to attack forward security to a limitedextent. This threat can be mitigated by having initial keys expire.

Initial keying material (KeyPackages) using thebasic Credential type is morevulnerable to replacement by a malicious or compromised DS, as there is nobuilt-in cryptographic binding between the identity and the public key of theclient.

  • RECOMMENDATION: Prefer a Credential type in KeyPackages which includes astrong cryptographic binding between the identity and its key (for example thex509 Credential type). When using thebasic Credential type take extracare to verify the identity (typically out-of-band).

7.4.2.1.Privacy of delivery and push notifications

An important mechanism that is often ignored from the privacy considerations arethe push-tokens. In many modern messaging architectures, applications are usingpush notification mechanisms typically provided by OS vendors. This is to makesure that when messages are available at the Delivery Service (or by othermechanisms if the DS is not a central server), the recipient application on adevice knows about it. Sometimes the push notification can contain theapplication message itself which saves a round trip with the DS.

To "push" this information to the device, the service provider and the OSinfrastructures use unique per-device, per-application identifiers calledpush-tokens. This means that the push notification provider and the serviceprovider have information on which devices receive information and at whichpoint in time. Alternatively, non-mobile applications could use a websocket orpersistent connection for notifications directly from the DS.

Even though they can't necessarily access the content, which is typicallyencrypted MLS messages, the service provider and the push notification providerhave to be trusted to avoid making correlation on which devices are recipientsof the same message.

For secure messaging systems, push notifications are often sent real-time as itis not acceptable to create artificial delays for message retrieval.

  • RECOMMENDATION: If real time notifications are not necessary, one candelay notifications randomly across recipient devices using a mixnet or othertechniques.

Note that it is quite easy for legal requests to ask the service provider forthe push-token associated to an identifier and perform a second request to thecompany operating the push-notification system to get information about thedevice, which is often linked with a real identity via a cloud account, a creditcard or other information.

  • RECOMMENDATION: If stronger privacy guarantees are needed with regard tothe push notification provider, the client can choose to periodically connectto the Delivery Service without the need of a dedicated push notificationinfrastructure.

7.4.3.Authentication Service Compromise

The Authentication Service design is left to the infrastructure designers. Inmost designs, a compromised AS is a serious matter, as the AS can serveincorrect or attacker-provided identities to clients.

  • The attacker can link an identity to a credential
  • The attacker can generate new credentials
  • The attacker can sign new credentials
  • The attacker can publish or distribute credentials

In the past, some systems have had a centralized server generate signature keypairs and distribute them to clients. In such cases, the centralized server isa point of compromise, since it stores signature private keys that can be usedto impersonate clients. A better approach is instead to generate signature keypairs in clients and have them "blessed" by the centralized service, e.g., byhaving the service issue a credential binding the key pair to the client'sidentity. In this approach, there is still a risk that the centralized servicewill authorize additional key pairs, but it will not be able to use existing,client-generated private keys.

  • RECOMMENDATION: Make clients submit signature public keys to the AS, thisis usually better than the AS generating public key pairs because the AScannot sign on behalf of the client. This is a benefit of a Public KeyInfrastructure in the style of the Internet PKI.

An attacker that can generate or sign new credentials may or may not have accessto the underlying cryptographic material necessary to perform suchoperations. In that last case, it results in windows of time for which allemitted credentials might be compromised.

  • RECOMMENDATION: Use HSMs to store the root signature keys to limit theability of an adversary with no physical access to extract the top-levelsignature private key.

7.4.3.1.Authentication compromise: Ghost users and impersonations

One important feature of MLS is that all Members know which other members are inthe group at all times. If all Members of the group and the AuthenticationService are honest, no parties other than the members of the current group canread and write messages protected by the protocol for that Group.

Details about how to verify the identity of a client depend on the MLSCredential type used. For example, cryptographic verification of credentials canbe largely performed autonomously on the clients for thex509 Credentialtype. In contrast, when MLS clients use thebasic Credential type, a largerdegree of trust must be placed in a (likely) centralized authenticationresource, or on out-of-band processes such as manual verification.

  • RECOMMENDATION: Select the strongest MLS Credential type available amongthe target members of an MLS group.

If the AS is compromised, it could validate a (or generate a new) signaturekeypair for an attacker. Because a user can have many MLS clients running theMLS protocol, it possibly has many signature keypairs for multipledevices. These attacks could be very difficult to detect.

  • RECOMMENDATION: Provide a key transparency mechanism for theAuthentication Services to allow public verification of the credentialsauthenticated by this service.

Note that when abasic Credential is used, the Authentication Service alsoneeds an out-of-band mechanism to verify the identity asserted in theCredential.

In the case where an adversarial keypair is generated for a specific identity,an infrastructure without any transparency mechanism or out-of-bandauthentication mechanism could inject a malicious client into a group byimpersonating a user. This is especially the case in large groups where the UImight not reflect all the changes back to the users.

  • RECOMMENDATION: Make sure that MLS clients reflect all the membershipchanges to the users as they happen. If a choice has to be made because thenumber of notifications is too high, a public log should be maintained of thestate of the device so that the user can examine it.

While the ways to handle MLS credentials are not defined by the protocol or thearchitecture documents, the MLS protocol has been designed with a mechanism thatcan be used to provide out-of-band authentication to users. The"authentication_secret" generated for each user at each epoch of the group is aone-time, per client, authentication secret which can be exchanged between usersto prove their identity to each other. This can be done for instance using a QRcode that can be scanned by the other parties.

Another way to improve the security for the users is to provide a transparencymechanism which allows each user to check if credentials used in groups havebeen published in the transparency log. Another benefit of this mechanism is forrevocation. The users of a group could check for revoked keys (in case ofcompromise detection) using a mechanism such as CRLite or some more advancedprivacy preserving technology.

  • RECOMMENDATION: Provide a Key Transparency and Out-of-Band authenticationmechanisms to limit the impact of an Authentication Service compromise.

We note, again, that as described prior to that section, the AuthenticationService may not be a centralized system, and could be realized by manymechanisms such as establishing prior one-to-one deniable channels, gossiping,or using trust on first use (TOFU) for credentials used by the MLS Protocol.

Another important consideration is the ease of redistributing new keys on clientcompromise, which helps recovering security faster in various cases.

7.4.3.2.Privacy of the Group Membership

Group membership is itself sensitive information and MLS is designed to limitthe amount of persistent metadata. However, large groups often require aninfrastructure which provides server fanout. In the case of client fanout, thedestination of a message is known by all clients, hence the server usually doesnot need this information. However, they may learn this information throughtraffic analysis. Unfortunately, in a server-side fanout model, the DeliveryService can learn that a given client is sending the same message to a set ofother clients. In addition, there may be applications of MLS in which the groupmembership list is stored on some server associated with the Delivery Service.

While this knowledge is not a breach of the protocol's authentication orconfidentiality guarantees, it is a serious issue for privacy.

  • RECOMMENDATION: In the case where metadata has to be persisted forfunctionality, it should be stored encrypted at rest and then decrypted duringthe execution. Applications should also consider anonymous systems for serverfanout (for example[Loopix]).

Some infrastructure keeps a mapping between keys used in the MLS protocol anduser identities. An attacker with access to this information due to compromiseor regulation can associate unencrypted group messages (e.g., Commits andProposals) with the corresponding user identity.

  • RECOMMENDATION: Always use encrypted group operation messages to limitprivacy risks.

In certain cases, the adversary can access specific bindings between public keysand identities. If the signature keys are reused across groups, the adversarycan get more information about the targeted user.

  • RECOMMENDATION: Do not use the same signature keypair acrossgroups. Update all keys for all groups on a regular basis. Do not preservekeys in different groups when suspecting a compromise.

  • RECOMMENDATION: Separate the service binding the identities and the publickeys from the service which generates or validates the credentials orcryptographic material of the Clients.

7.5.Considerations for attacks outside of the threat model

Physical attacks on devices storing and executing MLS principals are notconsidered in depth in the threat model of the MLS protocol. Whilenon-permanent, non-invasive attacks can sometimes be equivalent to softwareattacks, physical attacks are considered outside of the MLS threat model.

Compromise scenarios typically consist of a software adversary, which canmaintain active adaptive compromise and arbitrarily change the behavior of theclient or service.

On the other hand, security goals consider that honest clients will always runthe protocol according to its specification. This relies on implementations ofthe protocol to securely implement the specification, which remains non-trivial.

  • RECOMMENDATION: Additional steps should be taken to protect the device andthe MLS clients from physical compromise. In such settings, HSMs and secureenclaves can be used to protect signature keys.

7.6.Cryptographic Analysis of the MLS Protocol

Various academic works have analyzed MLS and the different security guaranteesit aims to provide. The security of large parts of the protocol has beenanalyzed by[BBN19] (draft 7),[ACDT21] (draft 11) and[AJM20] (draft 12).

Individual components of various drafts of the MLS protocol have been analyzedin isolation and with differing adversarial models, for example,[BBR18],[ACDT19],[ACCKKMPPWY19],[AJM20],[ACJM20], and[AHKM21] analyze theratcheting tree as the sub-protocol of MLS that facilitates key agreement, while[BCK21] analyzes the key derivation paths in the ratchet tree and keyschedule. Finally,[CHK21] analyzes the authentication and cross-group healingguarantees provided by MLS.

8.IANA Considerations

This document makes no requests of IANA.

9.References

9.1.Normative References

[I-D.ietf-mls-protocol]
Barnes, R.,Beurdouche, B.,Robert, R.,Millican, J.,Omara, E., andK. Cohn-Gordon,"The Messaging Layer Security (MLS) Protocol",Work in Progress,Internet-Draft, draft-ietf-mls-protocol-16,,<https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-16>.

9.2.Informative References

[ACCKKMPPWY19]
Alwen, J.,Capretto, M.,Cueto, M.,Kamath, C.,Klein, K.,Markov, I.,Pascual-Perez, G.,Pietrzak, K.,Walter, M., andM. Yeo,"Security Analysis and Improvements for the IETF MLS Standard for Group Messaging",,<https://eprint.iacr.org/2019/1489>.
[ACDT19]
Alwen, J.,Coretti, S.,Dodis, Y., andY. Tselekounis,"Security Analysis and Improvements for the IETF MLS Standard for Group Messaging",,<https://eprint.iacr.org/2019/1189.pdf>.
[ACDT21]
Alwen, J.,Coretti, S.,Dodis, Y., andY. Tselekounis,"Modular Design of Secure Group Messaging Protocols and the Security of MLS",,<https://eprint.iacr.org/2021/1083.pdf>.
[ACJM20]
Alwen, J.,Coretti, S.,Jost, D., andM. Mularczyk,"Continuous Group Key Agreement with Active Security",,<https://eprint.iacr.org/2020/752.pdf>.
[AHKM21]
Alwen, J.,Hartmann, D.,Kiltz, E., andM. Mularczyk,"Server-Aided Continuous Group Key Agreement",,<https://eprint.iacr.org/2021/1456.pdf>.
[AJM20]
Alwen, J.,Jost, D., andM. Mularczyk,"On The Insider Security of MLS",,<https://eprint.iacr.org/2020/1327.pdf>.
[BBN19]
Bhargavan, K.,Beurdouche, B., andP. Naldurg,"Formal Models and Verified Protocols for Group Messaging: Attacks and Proofs for IETF MLS",,<https://hal.laas.fr/INRIA/hal-02425229/document>.
[BBR18]
Bhargavan, K.,Barnes, R., andE. Rescorla,"TreeKEM: Asynchronous Decentralized Key Management for Large Dynamic Groups A protocol proposal for Messaging Layer Security (MLS)",,<https://hal.inria.fr/hal-02425247/file/treekem+%281%29.pdf>.
[BCK21]
Brzuska, C.,Cornelissen, E., andK. Kohbrok,"Cryptographic Security of the MLS RFC, Draft 11",,<https://eprint.iacr.org/2021/137.pdf>.
[CAPBR]
Brewer, E.,"Towards robust distributed systems (abstract)",Proceedings of the nineteenth annual ACM symposium on Principles of distributed computing - PODC '00,DOI 10.1145/343477.343502,,<https://doi.org/10.1145/343477.343502>.
[CHK21]
Cremers, C.,Hale, B., andK. Kohbrok,"The Complexities of Healing in Secure Group Messaging: Why Cross-Group Effects Matter",,<https://www.usenix.org/system/files/sec21-cremers.pdf>.
[I-D.ietf-mls-extensions]
Robert, R.,"The Messaging Layer Security (MLS) Extensions",Work in Progress,Internet-Draft, draft-ietf-mls-extensions-00,,<https://datatracker.ietf.org/doc/html/draft-ietf-mls-extensions-00>.
[I-D.ietf-mls-federation]
Omara, E. andR. Robert,"The Messaging Layer Security (MLS) Federation",Work in Progress,Internet-Draft, draft-ietf-mls-federation-01,,<https://datatracker.ietf.org/doc/html/draft-ietf-mls-federation-01>.
[I-D.mahy-mls-content-adv]
Mahy, R.,"Content Type Advertisement for Message Layer Security (MLS)",Work in Progress,Internet-Draft, draft-mahy-mls-content-adv-00,,<https://datatracker.ietf.org/doc/html/draft-mahy-mls-content-adv-00>.
[KeyTransparency]
Google,"Key Transparency",,<https://KeyTransparency.org>.
[Loopix]
Piotrowska, A. M.,Hayes, J.,Elahi, T.,Meiser, S., andG. Danezis,"The Loopix Anonymity System",.
[RFC3552]
Rescorla, E. andB. Korver,"Guidelines for Writing RFC Text on Security Considerations",BCP 72,RFC 3552,DOI 10.17487/RFC3552,,<https://www.rfc-editor.org/rfc/rfc3552>.
[RFC5280]
Cooper, D.,Santesson, S.,Farrell, S.,Boeyen, S.,Housley, R., andW. Polk,"Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile",RFC 5280,DOI 10.17487/RFC5280,,<https://www.rfc-editor.org/rfc/rfc5280>.
[RFC6071]
Frankel, S. andS. Krishnan,"IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap",RFC 6071,DOI 10.17487/RFC6071,,<https://www.rfc-editor.org/rfc/rfc6071>.
[RFC6120]
Saint-Andre, P.,"Extensible Messaging and Presence Protocol (XMPP): Core",RFC 6120,DOI 10.17487/RFC6120,,<https://www.rfc-editor.org/rfc/rfc6120>.
[RFC8446]
Rescorla, E.,"The Transport Layer Security (TLS) Protocol Version 1.3",RFC 8446,DOI 10.17487/RFC8446,,<https://www.rfc-editor.org/rfc/rfc8446>.
[RFC9000]
Iyengar, J., Ed. andM. Thomson, Ed.,"QUIC: A UDP-Based Multiplexed and Secure Transport",RFC 9000,DOI 10.17487/RFC9000,,<https://www.rfc-editor.org/rfc/rfc9000>.
[TOR]
Dingledine, R.,Mathewson, N., andP. Syverson,"Tor: The Second-Generation Onion Router",,<https://svn.torproject.org/svn/projects/design-paper/tor-design.html>.
[WireGuard]
Donenfeld, J.,"WireGuard: Next Generation Kernel Network Tunnel",,<https://www.wireguard.com/papers/wireguard.pdf>.

Contributors

Richard Barnes
Cisco
Katriel Cohn-Gordon
Meta Platforms
Cas Cremers
CISPA Helmholtz Center for Information Security
Britta Hale
Naval Postgraduate School
Albert Kwon
Badge Inc.
Konrad Kohbrok
Phoenix R&D
Rohan Mahy
Wire
Brendan McMillion
Thyla van der Merwe
Jon Millican
Meta Platforms
Raphael Robert
Phoenix R&D

Authors' Addresses

Benjamin Beurdouche
Inria & Mozilla
Eric Rescorla
Mozilla
Emad Omara
Google
Srinivas Inguva
Twitter
Alan Duric
Wire
Datatracker

draft-ietf-mls-architecture-10

This is an older version of an Internet-Draft that was ultimately published asRFC 9750.

DocumentDocument type
This is an older version of an Internet-Draft that was ultimately published asRFC 9750.
Select version
Compare versions
AuthorsBenjamin Beurdouche,Eric Rescorla,Emad Omara,Srinivas Inguva,Alan Duric
Replacesdraft-omara-mls-architecture
RFC streamIETF LogoIETF Logo
Other formats
Additional resources Mailing list discussion
Report a datatracker bug
[8]ページ先頭
©2009-2026 Movatter.jp