messaging layer security - i.blackhat.com · messaging layer security towards a new era of secure...
TRANSCRIPT
![Page 1: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/1.jpg)
Messaging Layer SecurityTowards a new era of secure messaging...
Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert
BlackHat USA 2019, Las Vegas, CA
![Page 2: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/2.jpg)
Intro
- MLS: Messaging Layer Security- MLS is a new protocol for end-to-end encrypted
messaging- MLS is now an IETF working group- Why is this important now?
- Raphael Robert: Head of Security at @wire
![Page 3: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/3.jpg)
![Page 4: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/4.jpg)
Current status
![Page 5: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/5.jpg)
Secure MessagingLots of secure messaging apps.
Some use similar protocols…
… some are quite different.
… but all have similar challenges.
Very different levels of analysis.
Everyone maintaining their own libraries.
![Page 6: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/6.jpg)
History of security properties
PGP (OpenPGP, S/MIME, …) Confidentiality and Authenticity
Off-the-record protocol Introduces Forward Secrecy and Deniability
Double Ratchet algorithm Adapts to asynchronous communication, introduces the notion of "future secrecy"
![Page 7: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/7.jpg)
What about groups?
Pairwise protocols cannot “just” be extended to accommodate for groups
The pairwise channels can be superposed to simulate a group
Tradeoff between security properties and scalability
![Page 8: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/8.jpg)
What about groups?
Creating groups on top of a pairwise protocol is hiding the complexity behind a non-standard layer.
Everybody has a different solution and everybody has different security properties.
Secure 1:1 protocol
Group management
![Page 9: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/9.jpg)
Modern security & scaling
has modern security
Client fanoutSignal, Proteus, iMessage, et al.
S/MIME, OpenPGP
Sender Keys WhatsApp, FB, OMEMO, Megolm, et al.
scales well ?
![Page 10: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/10.jpg)
Objectives
![Page 11: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/11.jpg)
What do we want?
Security Protocol with modern security properties:
Confidentiality and Authenticity
Forward Secrecy (FS)
Post-compromise Security (PCS)
Membership authentication in groups
Deniability (optional)
![Page 12: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/12.jpg)
What do we want?
Async - Support sessions where no two members are online at the same time
Group Messaging - Support large, dynamic groups with efficient scaling
Multi-device support - Users should be able to use more than one device
Federation - Members of groups should not be limited to only one server/service
Usable - Focus on a practical drop-in for existing applications
![Page 13: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/13.jpg)
What do we want?
Open standard - Complete specification usable by anyone
Code reuse - Robust implementations that can be used in different contexts
Security analysis - Involvement from the academic community
![Page 14: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/14.jpg)
MLS
![Page 15: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/15.jpg)
History
2015: ART
...
2016: Stakeholders gather
May 2018 IETF MLS WG officially formed
March 2018 IETF MLS BoF
![Page 16: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/16.jpg)
Scope of TLS
Transport(TCP / UDP)
Message Content(HTTP, SMTP, SIP, …)
Security Protocol(TLS / DTLS)
Authentication(PKI)
Certificate[Verify]
![Page 17: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/17.jpg)
Scope of MLS
Transport encryption(TLS)
Application layer(messages, etc.)
Security Protocol(MLS)
AuthenticationService
Identity[Verify]
![Page 18: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/18.jpg)
Architecture
DeliveryService
AuthenticationService
Client 1 Client 2 Client N...
User 0 User M
Group
![Page 19: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/19.jpg)
MLS vs. TLS
- Lots of people - 2 vs. 10N
- Long lived sessions - seconds vs. months
- Lots of mobile devices involved
- Designed for human-to-human communication
Significant probability that some member is compromised at some time in the life of the session
![Page 20: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/20.jpg)
EndpointCompromise
Time
Forward Security* Post-Compromise Security*
FS / PCS Interval
* … with regard to a member
FS & PCS
![Page 21: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/21.jpg)
Time
Bob updates keyAlice creates a group with Bob
Epoch 1
Alice adds Charlie
Epoch 2 Epoch 3
Alice removes Charlie
Epoch 4
Key rotation
![Page 22: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/22.jpg)
Time
Alice creates a group with Bob
Epoch 1
Key rotation
Alice: Key1, Key2, Key3, …Bob: Key1, Key2, Key3, ...
![Page 23: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/23.jpg)
Before we start
Every client/member publishes Init Keys ahead of time
Init Keys are handled by the Delivery Service
They contain credentials and a public key, so that we can encrypt data to them
![Page 24: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/24.jpg)
The core: TreeKEMThe public state of a group is composed of a left-balanced binary tree of asymmetric public keys
Each member of the group occupies a leaf and knows all secrets in its path to the root.
Secrecy invariant: The private key for an intermediate node is only known to members of the subtree. B C D E FA
G H I
J
K
C has private keys for H, J, K
![Page 25: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/25.jpg)
Trees of KeysThis has a couple of nice consequences:
Intermediate nodes represent subgroups you can KEM / encrypt to
Root private key is known to everyone in the group at a given time
Protocol maintains this state through group operations (Create, Add, Update, Remove)
B C D E FA
G H I
J
K
![Page 26: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/26.jpg)
UpdateF wants to do an Update
- It generates a fresh leaf key- Hashes up to the root along the direct
path- Encrypts new values to the co-path
B C D E FA
G H I
J
K
![Page 27: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/27.jpg)
Add/InitWe want to add members to a group
- We fetch init keys for every member- New members get added as new
leaves to the tree- Newly added members will do an
Update when they come online
B C D E FA
G H I
J
K
![Page 28: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/28.jpg)
RemoveA wants to remove D
- A sends a message to the group saying D should be removed
B C D E FA
G H I
J
K
![Page 29: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/29.jpg)
RemoveA wants to remove D
- A sends a message to the group saying D should be removed
- The direct path of D is blanked- Therefore D does not know any tree
secret- A can do an Update to derive a group
secret unknown to DB C E FA
G I
![Page 30: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/30.jpg)
Messages
Handshake messages
- Control messages (Create, Add, Update, Remove) with global order
Application messages
- Typically text messages, but could be any data, with per-sender order
The Delivery Service enforces ordering of handshake messages
![Page 31: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/31.jpg)
EfficiencyPairwise protocols superpose 1:1 connections in a group (full mesh)
A
B
C
D
E
F
![Page 32: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/32.jpg)
Efficiency
Pairwise sending:
- Sending messages is in O(N)
Sender keys:
- Fan-out an encryption key to everyone and use it for messages- Sending the encryption key out is still in O(N), sending a message is in O(1)- Problem: if a member leaves the group, everyone has to fan-out a new key in
O(N^2)
![Page 33: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/33.jpg)
EfficiencyMLS allows to maintain a group secret in O(log N) by using left-balanced binary trees
Example: 100k members and message size of 1kb
Pairwise: 100k operations and payload of 100k * 1kb = 100mb
MLS: 17 operations and payload of 17 * 1kb = 17kb
B C D E FA
G H I
J
K
![Page 34: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/34.jpg)
Create Add Update Remove Message
N^2 10,000,000
N 10,000
log N 14
1 1
Client Fanout Sender Keys MLS
![Page 35: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/35.jpg)
Metadata protection
Message content is secret because of end-to-end encryption
What data should we try to protect additionally?
There are two kinds of metadata:
- Observable metadata- Persisted metadata
![Page 36: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/36.jpg)
Metadata protection
- Servers will keep messages in queues, we just need to tell the server in which queue to save the message
- We can encrypt the sender of a message, the server doesn't need to have that information
- We can have arbitrary padding, so that clients can make messages indistinguishable from each other
Message
Header 1
Padding
Header 2
![Page 37: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/37.jpg)
Deniability
Messages are signed for authenticity
- Identity keys can be transferred over 1:1 deniable channels
- Authorship of text messages becomes deniable
- Participation in a group becomes deniable
- Messages are also encrypted under the group key, therefore opaque to the server
![Page 38: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/38.jpg)
Federation
Are we limited to one Delivery Service?
Ordering for handshake messages is important
If we can distribute the ordering problem across multiple delivery services, federation becomes possible.
DS 1
DS 3DS 2
![Page 39: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/39.jpg)
Federation
Federation without redundancy
Simple approach: designate which Delivery Service is responsible for the ordering
Federation with redundancy
More advanced approach: have some consensus among the Delivery Services on which one is responsible for ordering
DS 1
DS 3DS 2
![Page 40: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/40.jpg)
Business messaging
Business communication is seeing a transformation from using email towards using messaging.
This change is driven by consumer experience.
![Page 41: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/41.jpg)
Business messaging
The encryption challenge
Most solutions only use transport encryption (TLS) to protect messages and files.
End-to-end encryption is challenging at scale.
![Page 42: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/42.jpg)
Business messaging
The feature challenge
Most solutions only enable users of the same organisation to talk to each other.
Email is still popular as a legacy technology, because anyone can be reached.
Federation contributed to the popularity of email.
![Page 43: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/43.jpg)
Summary
- MLS aims to be new standard for secure messaging, especially in (large) groups
- Modern security properties- Robust, usable open specification- Usable solution for new and existing products
More information: messaginglayersecurity.rocks
![Page 44: Messaging Layer Security - i.blackhat.com · Messaging Layer Security Towards a new era of secure messaging... Benjamin Beurdouche, Katriel Cohn-Gordon, Raphael Robert BlackHat USA](https://reader034.vdocument.in/reader034/viewer/2022050718/5e17861eb82ae943643aadfe/html5/thumbnails/44.jpg)
ThanksBenjamin Beurdouche@beurdouche – inria.fr
Katriel Cohn-Gordon@katrielalex – katriel.co.uk
Raphael Robert @raphaelrobert – wire.com