Originally published in Bulletproof TLS Newsletter, a free periodic newsletter designed to keep you informed about the latest developments in SSL/TLS and Internet PKI. Written by Ivan Ristić.
Messaging Layer Security (MLS), a new standard that supports end-to-end encryption in messaging applications, has been released as RFC 9420. The name is an obvious riff on Transport Layer Security (TLS), but that’s not where the similarities end. MLS had been in development for about five years, which is similar to the time it took to produce TLS 1.3. Both standards were built on the protocols that came before them. Both standards engaged academia and a wider expert base to analyze the designs before they were considered complete. Is this what the new model for development of cryptographic protocols looks like?
To understand why we need MLS, we need to go back as far as 1991 and start with Pretty Good Privacy (PGP). Developed by Phil Zimmermann, PGP was the first attempt to provide end-to-end encryption for messaging—more specifically, for email. Although PGP provided some basic security, its usability was poor and its cryptography weak by today’s standards. Crucially, its security relied on a single long-term master key. If that key became compromised, all communication, past and future, would be compromised as well.
Other standards followed. The Off-the-Record (OTR) protocol focused on the security of real-time (chat) messages, introducing forward secrecy and deniability. The Signal protocol further improved things by adding support for offline communication as well as post-compromise security. The Signal protocol in particular went on to achieve great success, being implemented not only by Signal, but also by WhatsApp, Facebook Messenger, Skype, and others.
Although the Signal protocol is a de facto standard at the moment, MLS aims to take things further with improved group communication, proper standardization, and a reference implementation in Rust under a permissive open-source license. If multiple vendors all adopt this protocol, that would open the door to some possible federation and interoperability across messaging applications. A number of prominent organizations participated in the development effort. Google has already stated that it will implement MLS in Google Messages. And Matrix is experimenting with it already.
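The three key-management models the newsletter contrasts (a PGP-style static master key, a hash ratchet for forward secrecy, and fresh-entropy injection for post-compromise security) are easier to see in a toy simulation. This is an added illustration, not code from the newsletter or from any MLS or Signal implementation; the `heal()` step stands in for the Diffie-Hellman or tree-key update a real protocol would perform.

```python
# Toy model, added for illustration; not a real protocol implementation.
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    """HMAC-SHA256 as a one-way key derivation step."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def static_keys(master: bytes, n: int) -> list[bytes]:
    """PGP-style: every message key derives from one long-term master key,
    so whoever holds the master key can rebuild all of them, past or future."""
    return [kdf(master, b"msg", i.to_bytes(4, "big")) for i in range(n)]


def static_compromise(n: int) -> bool:
    """True if an attacker holding the leaked master key reproduces every key."""
    master = os.urandom(32)
    return static_keys(master, n) == static_keys(master, n)


class Ratchet:
    """Symmetric hash ratchet: the chain key only advances, never reverses."""

    def __init__(self, root: bytes):
        self.chain = root

    def next_message_key(self) -> bytes:
        mk = kdf(self.chain, b"message")
        self.chain = kdf(self.chain, b"chain")  # old chain key is discarded
        return mk

    def heal(self, fresh_secret: bytes) -> None:
        """Mix in new entropy (a DH exchange or MLS tree update supplies it)."""
        self.chain = kdf(self.chain, b"heal", fresh_secret)


def simulate_compromise(n_before: int, n_after: int) -> dict:
    """Attacker snapshots the chain key, then the session heals with a secret
    the attacker never learns. Returns which message keys the attacker gets."""
    victim = Ratchet(os.urandom(32))
    before = [victim.next_message_key() for _ in range(n_before)]
    stolen = Ratchet(victim.chain)  # attacker's copy at compromise time
    window = [victim.next_message_key() for _ in range(2)]
    victim.heal(os.urandom(32))  # fresh secret unknown to the attacker
    after = [victim.next_message_key() for _ in range(n_after)]
    attacker_view = [stolen.next_message_key() for _ in range(2 + n_after)]
    return {
        "past_exposed": any(k in attacker_view for k in before),  # forward secrecy
        "window_exposed": attacker_view[:2] == window,  # until the heal
        "future_exposed": any(k in attacker_view for k in after),  # PCS
    }
```

The ratchet alone stops the attacker only from going backwards; it is the healing step that closes the window going forwards, which is the property Signal added and MLS extends to groups.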
Here are some things that caught our attention since the previous newsletter:
- Kevin Mitnick is no longer with us.
- Microsoft suffered a serious security breach stemming from the compromise of important encryption keys that controlled access to customer data.
- TETRA:BURST is a collection of five vulnerabilities in ETSI’s TETRA standard for police radio communication. The standard was adopted in 1995 and used in more than 100 countries … but no one seems to have checked its security until now. One of the vulnerabilities appears to be the result of intentionally weakened keys, making the encryption easy to brute-force. Read ETSI’s official statement and Kim Zetter’s interview with Brian Murgatroyd, chair of the committee responsible for TETRA at ETSI.
- Martini Security filed a notice with the FCC in the US about widespread noncompliance issues with the STIR/SHAKEN certificates.
- After New Zealand’s problems last month, Venezuela suffered a DNSSEC malfunction for all .ve domain names. This resulted in about 16 hours of downtime.
- Mozilla decided not to allow e-Tugra’s root certificates into its root store.
- A group of researchers published a paper on the use of Certificate Transparency to discover vulnerable servers online: Certifiably Vulnerable: Using Certificate Transparency Logs for Target Reconnaissance.
- New CAs are always bootstrapped from an older, already established CA. In the case of Let’s Encrypt, that CA was IdenTrust. In 2021, Let’s Encrypt decided to continue to use a longer certificate chain (chaining to IdenTrust) in order to support older Android devices. In February 2024, Let’s Encrypt will switch to a shorter chain by default.
- David Wong wrote about a zero-knowledge attack that broke Nova.
- Filippo Valsorda wants a world in which XAES-256-GCM/11 exists.
- Chrome developers are making some changes to how HTTPS is handled. One that sounds good is that they’re planning to always upgrade main navigations to HTTPS, even when given HTTP links. One that’s maybe not so good is starting to cache HTTPS pages (in the back/forward cache) even when a no-store option is indicated.
- If you’re struggling to keep up with post-quantum cryptography, the Post-Quantum Signatures Zoo may be of help. There were some recent additions made by NIST.
- The inaugural Workshop on Cryptography Applied to Transparency Systems will be held in November in Denmark. They’re calling for talks.
- Mark Cox wrote about OpenSSL developers and the fact that 87 percent of the commits in the past twelve months came from people who are paid by their employers to work on OpenSSL.
- A recent episode of the Screaming in the Cloud podcast is titled “Best Practices in AWS Certificate Manager with Jonathan Kozolchyk.” Kozolchyk is the general manager of certificate services for AWS.
- In the European Union, 458 (correct at the time of writing) academics wrote against the EU’s proposed Child Sexual Abuse Regulation.
- In the UK, sixty-eight researchers and scientists published an open letter opposing the UK’s proposed Online Safety Bill.
- Apple, which was already on record as opposing the Online Safety Bill, reiterated its position by pledging to turn off FaceTime and iMessage rather than comply with the broken law.
- The US Senate crafted a bill that requires communication providers to report drug activity that takes place on their platforms.
- The Bitwarden desktop application was vulnerable to master password extraction after the vault was locked.
- Over in Java, work is underway to standardize an API for key derivation functions (KDFs).
- In the European Union, the European Council and Parliament reached a provisional agreement for a framework for a European digital identity (eID).
- The Security Cryptography Whatever podcast invited Steve Weis to discuss how we can know, or think we know, if our cryptography is secure.
- A couple of newsletters ago, we mentioned Jan Schaumann’s CAA research highlights published on Twitter, but we missed the detailed results published on his blog.
- Paderborn University’s System Security Group researched circumvention of censorship using TLS record fragmentation.
- Swiss Crypto Day 2023 will be held at ETH Zurich on September 8.
- Tech Policy Press looked at popular messaging applications to understand the total user experience alongside security and produced a detailed, eighty-six-page report.
- Eric Schorn for NCC Group published “Machine Learning 104: Breaking AES with Power Side-Channels.”
- Eli Sohl for NCC Group published “Exploiting Noisy Oracles with Bayesian Inference.”
Software Engineer w/ 16+ years delivering Technology Transformation, innovations, & modular code for strategic long-term projects
Just finished up migrating Message-Layer Security (MLS) and LDAP functionality from a retiring application security proxy tool into a set of Java APIs that the previous upstream/downstream endpoints of the proxy's applications use for handling these "natively" within the applications. On the provider side (upstream), the Java servlet filter interface allows us to "transparently" add this functionality without having to rewrite the legacy business logic that may or may not understand what MLS is, while still protecting the content that is received/sent to/from its clients. I look forward to reading through this new RFC 9420; it was a lot of fun wrapping my brain cells around MLS, TLS, and all the wonderful internals of JCE.