Abstract
The Messaging Layer Security (MLS) protocol is an open standard for end-to-end (E2E) secure group messaging being developed by the IETF, poised for deployment to consumers, industry, and government. It is designed to provide E2E privacy and authenticity for messages in long-lived sessions whenever possible, despite the participation (at times) of malicious insiders that can adaptively interact with the PKI at will, actively deviate from the protocol, leak honest parties’ states, and fully control the network. The core of the MLS protocol (from which it inherits essentially all of its efficiency and security properties) is a Continuous Group Key Agreement (CGKA) protocol. It provides asynchronous E2E group management by allowing group members to agree on a fresh independent symmetric key after every change to the group’s state (e.g. when someone joins/leaves the group).
In this work, we make progress towards a precise understanding of the insider security of MLS (Draft 12). On the theory side, we overcome several subtleties to formulate the first notion of insider security for CGKA (or group messaging). Next, we isolate the core components of MLS to obtain a CGKA protocol we dub Insider Secure TreeKEM (ITK). Finally, we give a rigorous security proof for ITK. In particular, this work also initiates the study of insider secure CGKA and group messaging protocols. Along the way we give three new (very practical) attacks on MLS and corresponding fixes. (Those fixes have now been included in the standard.) We also describe a second attack against MLS-like CGKA protocols proven secure under all previously considered security notions (including those designed specifically to analyze MLS). These attacks highlight the pitfalls in simplifying security notions even in the name of tractability.
D. Jost—Research supported by the Swiss National Science Foundation via Fellowship no. P2EZP2_195410. Work partially done while at ETH Zurich, Switzerland.
M. Mularczyk—Research supported by the Zurich Information Security and Privacy Center (ZISC). Work partially done while at ETH Zurich, Switzerland.
Notes
- 1. Concretely, the servers distributing keys are normally not trusted per se. Instead, trust is established by, say, further equipping participants with tools to perform out-of-band audits of the responses they receive from the server.
- 2. In the newest draft of MLS, the term “application secret” has been changed to “encryption secret”.
- 3. We stress that adversarially chosen coins can lead to real-world attacks; see e.g. [22].
- 4. E.g., a malformed (commit) packet can be constructed by an insider such that part of the group accepts it but the rest do not.
- 5. Passive corruptions and full network control allow the adversary to emulate active corruptions.
- 6. In particular, we do not assume so-called key registration with knowledge. This is a significantly stronger assumption, typically not achieved by the heuristic checks deployed in reality, and it is not needed for the security of ITK.
- 7. The secret key must be fetched separately, because the key is registered by the environment before the secret key is fetched by the protocol.
- 8. For simplicity, we require that the higher-level protocol that buffers proposals also finds the list \(\vec{p}\) matching \(c\). This is without loss of generality, since ITK uses MLSPlaintext for sending proposals, and \(c\) includes hashes of the proposals in \(\vec{p}\).
- 9. For instance, say the environment computes a long chain of commits in its head and injects the last one. It is not clear how to construct a protocol for which it is possible to identify all ancestors without including all their hashes in \(w\).
- 10. In game-based definitions, such corruptions are usually disallowed, as they allow the adversary to trivially distinguish. Our notion achieves the same level of adaptivity.
- 11. Observe that at the time a ciphertext is created we do not know whether the key it contains will be used to create a safe epoch, or whether some receiver will be corrupted.
- 12.
- 13. The GSD game in the full proof is inherently more complex. For example, recall that the joiner secret is a hash of the init and commit secrets. Accordingly, the adversary is allowed to create nodes whose seeds are hashes of two other seeds.
- 14. It also seems to contradict the (informal) notion of the “tree invariant” often cited on the MLS mailing list.
- 15. With adds and removes, the subtree of \(v\) can grow or shrink since the last commit, changing the tree hash. It is not clear how to revert these changes.
- 16. With the leaf hash, members sign each other’s credentials, thus attesting to being in a group together. The resolution hash gets rid of this side effect.
- 17. \({\textsf{PKE}}^*\) can be easily obtained as a straightforward adaptation of the artificial symmetric encryption scheme by Krawczyk [31] (used to show that the authenticate-then-encrypt paradigm is not secure in general) to the public-key setting.
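The key-schedule dependency described in note 13 (the joiner secret is a hash of the previous init secret and the fresh commit secret), modelled as an added example that is not the paper's ITK construction or MLS code: a small GSD-style graph in which a derived seed is a hash of its parents' seeds, and a seed counts as known to the adversary only if it leaked directly or all of its parents are known. SHA-256 stands in for the MLS key-schedule KDF, and all secrets and labels are constructed for illustration.

```python
import hashlib

# Toy GSD-style graph for an MLS-like key schedule (illustration only;
# SHA-256 stands in for the real KDF, secrets are constructed sample values).

def kdf(label, *seeds):
    """Length-prefixed hash of label and seeds; one-way, so parents cannot be recovered."""
    h = hashlib.sha256()
    h.update(label.encode())
    for s in seeds:
        h.update(len(s).to_bytes(2, "big") + s)
    return h.digest()

class GSDGraph:
    """Nodes carry seeds; a derived node's seed is a hash of its parents' seeds."""
    def __init__(self):
        self.seeds = {}    # node name -> seed bytes
        self.parents = {}  # node name -> tuple of parent names (empty for sources)

    def source(self, name, seed):
        self.seeds[name] = seed
        self.parents[name] = ()

    def derive(self, name, label, *parents):
        self.seeds[name] = kdf(label, *(self.seeds[p] for p in parents))
        self.parents[name] = parents

    def compromised(self, leaked):
        """Closure of leaked seeds: a node is learnt once every parent is known."""
        known = set(leaked)
        changed = True
        while changed:
            changed = False
            for n, ps in self.parents.items():
                if n not in known and ps and all(p in known for p in ps):
                    known.add(n)
                    changed = True
        return known

def build_epochs(n):
    """Epoch e: joiner_e = H(init_{e-1}, commit_e); epoch_e and init_e derive from joiner_e."""
    g = GSDGraph()
    g.source("init_0", b"constructed-init-secret")
    for e in range(1, n + 1):
        g.source(f"commit_{e}", f"constructed-commit-secret-{e}".encode())
        g.derive(f"joiner_{e}", "joiner", f"init_{e-1}", f"commit_{e}")
        g.derive(f"epoch_{e}", "epoch", f"joiner_{e}")
        g.derive(f"init_{e}", "init", f"joiner_{e}")
    return g

def safe_epochs(g, leaked):
    """Epoch secrets the adversary cannot compute from the leaked seeds."""
    bad = g.compromised(leaked)
    return {n for n in g.seeds if n.startswith("epoch_") and n not in bad}
```

Leaking a state that reveals `joiner_e` exposes epoch `e` and `init_e`, but epoch `e+1` stays safe until `commit_{e+1}` also leaks, which is the healing effect a fresh commit provides.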
References
Messaging layer security (MLS) WG - meeting minutes for interim 2020-1, January 2020. https://datatracker.ietf.org/doc/minutes-interim-2020-mls-01-202001110900/
Alwen, J., et al.: Grafting key trees: efficient key management for overlapping groups. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part III. LNCS, vol. 13044, pp. 222–253. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_8
Alwen, J., Auerbach, B., Noval, M.C., Klein, K., Pascual-Perez, G., Pietrzak, K.: DeCAF: decentralizable continuous group key agreement with fast healing. Cryptology ePrint Archive, Report 2022/559 (2022). https://eprint.iacr.org/2022/559
Alwen, J., et al.: CoCoA: concurrent continuous group key agreement. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 815–844. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07085-3_28
Alwen, J., Blanchet, B., Hauck, E., Kiltz, E., Lipp, B., Riepel, D.: Analysing the HPKE standard. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 87–116. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_4
Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248–277. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_9
Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Modular design of secure group messaging protocols and the security of MLS. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 1463–1483. ACM Press, November 2021. https://doi.org/10.1145/3460120.3484820
Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 261–290. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_10
Alwen, J., Hartmann, D., Kiltz, E., Mularczyk, M.: Server-aided continuous group key agreement. Cryptology ePrint Archive, Report 2021/1456 (2021). https://eprint.iacr.org/2021/1456
Alwen, J., et al.: Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy, S&P, pp. 268–284 (2021). https://doi.org/10.1109/SP40001.2021.00035. Full version: https://eprint.iacr.org/2019/1489
Alwen, J., Jost, D., Mularczyk, M.: On the insider security of MLS. Cryptology ePrint Archive, Paper 2020/1327 (2020). https://eprint.iacr.org/2020/1327. Full version of this paper
Backes, M., Dürmuth, M., Hofheinz, D., Küsters, R.: Conditional reactive simulatability. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 424–443. Springer, Heidelberg (2006). https://doi.org/10.1007/11863908_26
Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The messaging layer security (MLS) protocol (draft-ietf-mls-protocol-12). Technical report, IETF, March 2020. https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/12/
Barnes, R.: Subject: [MLS] Remove without double-join (in TreeKEM). MLS Mailing List, 06 August 2018. https://mailarchive.ietf.org/arch/msg/mls/Zzw2tqZC1FCbVZA9LKERsMIQXik
Barnes, R.: MLS Protocol Pull Requests #396: Authenticate group membership in MLSPlaintext, 18 August 2020. https://github.com/mlswg/mls-protocol/pull/396
Barnes, R.: MLS Protocol Pull Requests #416: Include the signature in the confirmation tag, 18 August 2020. https://github.com/mlswg/mls-protocol/pull/416
Barnes, R.: Subject: [MLS] Proposal: Proposals (was: Laziness). MLS Mailing List, 22 August 2019. https://mailarchive.ietf.org/arch/msg/mls/5dmrkULQeyvNu5k3MV_sXreybj0/
Bhargavan, K., Barnes, R., Rescorla, E.: TreeKEM: Asynchronous Decentralized Key Management for Large Dynamic Groups, May 2018. https://prosecco.inria.fr/personal/karthik/pubs/treekem.pdf. Published at https://mailarchive.ietf.org/arch/msg/mls/e3ZKNzPC7Gxrm3Wf0q96dsLZoD8
Bhargavan, K., Beurdouche, B., Naldurg, P.: Formal Models and Verified Protocols for Group Messaging: Attacks and Proofs for IETF MLS. Research report, Inria Paris, December 2019. https://hal.inria.fr/hal-02425229
Bienstock, A., Dodis, Y., Rösler, P.: On the price of concurrency in group ratcheting protocols. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 198–228. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_8
Brzuska, C., Cornelissen, E., Kohbrok, K.: Security analysis of the MLS key derivation. In: 2022 IEEE Symposium on Security and Privacy, S&P, pp. 595–613. IEEE Computer Society, Los Alamitos, May 2022. https://doi.org/10.1109/SP46214.2022.00035
Bushing, Marcan, Segher, Sven: Console hacking 2010 – PS3 epic fail. In: 27th Chaos Communication Congress – 27C3 (2010). https://fahrplan.events.ccc.de/congress/2010/Fahrplan/events/4087.en.html
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001. https://doi.org/10.1109/SFCS.2001.959888
Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: asynchronous group messaging with strong security guarantees. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1802–1819. ACM Press, October 2018. https://doi.org/10.1145/3243734.3243747
Cremers, C., Hale, B., Kohbrok, K.: The complexities of healing in secure group messaging: why cross-group effects matter. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 1847–1864. USENIX Association, August 2021
Devigne, J., Duguey, C., Fouque, P.-A.: MLS group messaging: how zero-knowledge can secure updates. In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021, Part II. LNCS, vol. 12973, pp. 587–607. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88428-4_29
Emura, K., Kajita, K., Nojima, R., Ogawa, K., Ohtake, G.: Membership privacy for asynchronous group messaging. Cryptology ePrint Archive, Report 2022/046 (2022). https://eprint.iacr.org/2022/046
Hashimoto, K., Katsumata, S., Postlethwaite, E., Prest, T., Westerbaan, B.: A concrete treatment of efficient continuous group key agreement via multi-recipient PKEs. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 1441–1462 (2021)
Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 159–188. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_6
Jost, D., Maurer, U., Mularczyk, M.: A unified and composable take on ratcheting. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 180–210. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_7
Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_19
Miller, M.A.: Messaging layer security (MLS) WG - meeting minutes for IETF105, August 2019. https://datatracker.ietf.org/doc/minutes-105-mls/
Panjwani, S.: Tackling adaptive corruptions in multicast encryption protocols. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 21–40. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_2
Rescorla, E.: Subject: [MLS] TreeKEM: An alternative to ART. MLS Mailing List, 03 May 2018. https://mailarchive.ietf.org/arch/msg/mls/WRdXVr8iUwibaQu0tH6sDnqU1no
Sullivan, N.: Subject: [MLS] Virtual interim minutes. MLS Mailing List, 29 January 2020. https://mailarchive.ietf.org/arch/msg/mls/ZZAz6tXj-jQ8nccf7SyIwSnhivQ/
Weidner, M.: Group messaging for secure asynchronous collaboration. MPhil dissertation, 2019. Advisors: A. Beresford and M. Kleppmann (2019). https://mattweidner.com/acs-dissertation.pdf
© 2022 International Association for Cryptologic Research
Cite this paper
Alwen, J., Jost, D., Mularczyk, M. (2022). On the Insider Security of MLS. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13508. Springer, Cham. https://doi.org/10.1007/978-3-031-15979-4_2
DOI: https://doi.org/10.1007/978-3-031-15979-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15978-7
Online ISBN: 978-3-031-15979-4
eBook Packages: Computer Science, Computer Science (R0)