Messaging Layer Security: Towards a New Era of Secure Group Messaging

Presented at Black Hat USA 2019, Aug. 7, 2019, 4 p.m. (50 minutes).

The world is moving towards end-to-end encryption (E2EE) for person-to-person messaging, as more services now wish to reduce the amount of sensitive data that they must store. However, the protocols used for encryption are still being developed and only a few of them, such as the Signal protocol, have seen serious security analysis. Signal is the first E2EE protocol to achieve global deployment, via WhatsApp's billion+ users, and achieves strong security guarantees, such as forward-secrecy and post-compromise-security (recovery from key-compromise).

This talk will provide an introduction to message encryption protocols and describe the current ecosystem, including why it's still not a solved problem in the corporate setting. While personal messaging systems have been adopting Signal, corporate messaging has not massively moved in that direction due to significant technical challenges such as scalability.

To support groups, WhatsApp uses a protocol called Sender-Keys. However, this protocol does not provide post-compromise-security, meaning that in a simple deployment an employee losing a device or leaving the company might retain the ability to read messages. To prevent this, all employees' cryptographic keys must be rotated whenever a device is removed; this is just about feasible for small groups but is entirely impractical for whole-company groups.

To remedy these issues, the IETF is building the "Messaging Layer Security" (MLS) group messaging protocol. The goals of MLS differ significantly from those of pairwise protocols: it aims to cover multiple industry use cases including federation and web-browser support, to have sub-linear complexities allowing practical groups of up to 50000 clients, and to provide formal security guarantees.

What kinds of security, privacy and implementation bugs have been exploited by adversaries in the past? What guarantees can MLS provide in the context of powerful attackers and how does it differ from current solutions? What is the cutting edge research used? These are the questions that we will try to answer throughout the presentation.


Presenters:

  • Benjamin Beurdouche - M., INRIA Paris
    Benjamin Beurdouche is a final-year PhD candidate in the Prosecco team at INRIA and ENS Paris. He is working on formal verification of security protocols and cryptographic primitives such as the HACL* cryptographic library used in Mozilla Firefox and Microsoft Windows. Benjamin is one of the co-authors of IETF's Messaging Layer Security (MLS) protocol and one among many contributors to the TLS 1.3 protocol.
  • Raphael Robert - M., Wire
    Raphael Robert is the head of security at Wire.
  • Katriel Cohn-Gordon - Research Scientist, Independent
    Katriel Cohn-Gordon is a research scientist, with a PhD from the University of Oxford in information security and applied cryptography. His research aims to formalise and prove the security of some of the protocols underlying today's Internet; recent work includes working on the Messaging Layer Security IETF standard for encrypted group messaging and a formal analysis of the Signal messaging protocol used by WhatsApp and many others. He's also been seen writing fuzzers for WebRTC at Google's Stockholm office, holds a master's degree in mathematics and computer science, and has reviewed papers for various top academic conferences.
