Paper 2020/1327
On The Insider Security of MLS
Joël Alwen and Daniel Jost and Marta Mularczyk
Abstract
The Messaging Layer Security (MLS) protocol is a new complex open standard for end-to-end (E2E) secure group messaging being developed by the IETF. Its primary security goal is to provide E2E privacy and authenticity for messages in long lived sessions whenever possible. This, despite the participation (at times) of malicious insiders that can interact with the PKI at will, actively deviate from the protocol, leak honest parties' states, and fully control the network. The cryptographic core of the MLS protocol (from which it inherits essentially all of its efficiency and security properties) is a Continuous Group Key Agreement (CGKA) protocol. CGKA protocols provide asynchronous E2E secure group management by allowing group members to agree on a fresh independent symmetric key after every change to the group's state (e.g. when someone joins/leaves the group). In this work, we make progress towards a precise understanding of the insider security of MLS in the form of 3 contributions. On the theory side, we overcome several subtelties to formulate the first notion of insider security for a CGKA (or group messaging) protocol. Next, we isolate the core components of MLS to obtain a CGKA protocol we dubbed Insider Secure TreeKEM (ITK). Finally, we give a rigorous proof that ITK provides (adaptive) insider security. In particular, this work also initiates the study of insider secure CGKA protocols, a primitive of interest in its own right.
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- Preprint. MINOR revision.
- Keywords
- Message Layer SecurityMLSTreeKEMSecure Messaging
- Contact author(s)
-
jalwen @ wickr com
daniel jost @ cs nyu edu
mumarta @ inf ethz ch - History
- 2022-08-11: last of 2 revisions
- 2020-10-23: received
- See all versions
- Short URL
- https://ia.cr/2020/1327
- License
-
CC BY