Google Messages Gets End-to-End Cross-Platform Encryption with MLS Protocol
Google has announced it will be adding support for Message Layer Security (MLS) to the Messages for Android service and its implementation of the open source specification.
“Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users are currently limited to communicating with contacts using the same platform,” Giles Hogben, director of privacy engineering at Google, said. “This is why Google is so supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms.”
Development comes as Internet Engineering Task Force (IETF) released core specification of the Messaging Layer Security (MLS) protocol as Request for Comments (RFC 9420).
Some of the other major companies that support this protocol are Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Missing from the list is Apple, which offers iMessage.
MLS, as the name suggests, is a security layer for end-to-end encryption that facilitates interoperability across messaging services and platforms. It was approved for publication as a standard by the IETF in March 2023.
“MLS builds on the best lessons from the current generation of security protocols,” IETF noted at the time. “As is widely used Double Ratchet Protocol, MLS enables asynchronous operations and provides advanced security features such as post-compromise security. And like TLS 1.3MLS provides strong authentication.”
The heart of MLS is an approach known as Continuous Group Key Agreement (CGKA) which allows multiple messaging clients to agree on a shared key serving groups ranging in size from two to thousands in a way that offers guaranteed forward confidentiality regardless of individuals joining and leaving group conversations.
“The core function of MLS is continuous group authenticated key exchange (AKE),” the standard documents read. “Like other authenticated key exchange protocols (such as TLS), the participants in the protocol agree on a shared secret value, and each participant can verify the identity of the other participants.”
“That secret can then be used to protect messages sent from one participant in the group to another using the MLS framing layer or can be exported for use with other protocols. MLS provides AKE groups in the sense that there can be more than two participants in the protocol, and AKE groups are continuous in the sense that the set of participants in the protocol can change over time.”
This growing membership is realized through a data structure called an asynchronous ratcheting tree, which is used to derive shared secrets among a group of clients. The goal is to be able to efficiently remove any member, achieving post-compromise security by preventing the snooping of group messages even if one member has been compromised in the past.
On the other hand, forward secrecy, which allows messages to be sent at a specific point in time for safekeeping in the face of later compromise of group members, is provided by removing the private key from the previous version of the ratchet tree, thus preventing the old group secret from being passed down again.
Mozilla, hoping to see a standardization of Web APIs to utilize the protocol directly through web browsers, said MLS is designed so that “the legitimacy of new members entering the group is checked by everyone: there is nowhere to hide.”
