Standardising an end-to-end encrypted messaging protocol at the IETF

2020-12-11 Blog

Last month, an Austrian media report kicked up a storm by suggesting that the Council of the European Union was drafting a resolution to prohibit the use of end-to-end encrypted communication. This was quickly corrected: the draft resolution, in fact, affirms the position of previous EU policy documents that recognise the importance of end-to-end encryption (E2EE) in providing secure and private communication.

While the European Commission has been considering questions around E2EE and law enforcement agencies' access to information since 2016, no serious and binding proposals have emerged that threaten popular use of E2EE communication. A couple of developments, however, portend some uncertainty about how strongly this position will be held in the future.

Earlier this year, Politico leaked documents that revealed deliberations of a working group of the European Commission on ‘technical solutions’ for detecting child sexual abuse material in private E2EE communications, such as those provided by Signal and WhatsApp. Civil society organisations fear that these proposals, which include client-side scanning of content and “exceptional access” to encrypted data, undermine the security and privacy guarantees that E2EE messaging provides.

The second threat to E2EE communication comes from counter-terrorism efforts in the EU. While the latest draft of the proposal on regulation of the dissemination of terrorist content online does not apply to private messaging services, the EU Counter-Terrorism Coordinator has been advancing a different position. In May 2020, they wrote to EU Member States advocating for an encryption “front-door” and increased state intervention in regulating encryption. In October, when the Five Eyes (the US, UK, Australia, Canada and New Zealand), India and Japan issued a joint statement calling for cleartext contents of communication to be available to law enforcement agencies on demand, the EU Counter-Terrorism Coordinator welcomed the proposal.

The policy position of E2EE at the EU-level is thus becoming somewhat polyvocal and/or stuck at a question that has no real answer: when device access is not possible, how can law enforcement agencies access end-to-end encrypted messages without ‘breaking’ said forms of encryption? Unfortunately, such policy aspirations may as well be in “a laundry list of tortuous ways to achieve the impossible.”

Pertinently, one of the ways the EU Counter-Terrorism Coordinator has recommended is to monitor standards development. In their (translated) words:

“Member states and EU Institutions should be encouraged to collectively challenge changes to the encryption landscape in the international standards bodies, particularly the Internet Engineering Task Force (IETF), to ensure they are involved in the development of international standards and technological norms, impacting encryption and wider cyber security for the years to come.”

So, what is happening at the IETF?

The Messaging Layer Security (MLS) working group is unperturbed by these policy debates on end-to-end encryption. Set up in 2018, the working group has a clear objective to standardise an architecture and protocol that can facilitate end-to-end encrypted messaging. MLS will have several key security properties, including:

  • Message confidentiality: messages cannot be read by anyone except the sender and recipient(s)
  • Message integrity: messages cannot be tampered with
  • Message authenticity: recipients have an assurance of the sender’s identity
  • Forward secrecy: compromise of a key at an endpoint does not cause all previous communications to be immediately decryptable
  • Post-compromise security: compromise of a key at an endpoint does not cause all future messages to be revealed, i.e. there is a way to recover security properties even after a compromise
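
The last two properties are easiest to see side by side. The following Python sketch is an added example, not taken from the original article and not the MLS key schedule: a toy hash ratchet (all names, labels and the sample secret are hypothetical) that counts which message keys an attacker can compute from a stolen endpoint state. It assumes the fresh secret in `update` reaches the peers without the attacker seeing it.

```python
import hashlib
import hmac
import os


def kdf(secret: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256 used as a PRF)."""
    return hmac.new(secret, label, hashlib.sha256).digest()


class Endpoint:
    """Toy key schedule for illustration only."""

    def __init__(self, shared_secret: bytes):
        self.state = shared_secret

    def next_message_key(self) -> bytes:
        key = kdf(self.state, b"message-key")
        # Replace the state with a one-way successor and forget the old one:
        # this is what gives forward secrecy.
        self.state = kdf(self.state, b"next-state")
        return key

    def update(self, fresh_secret: bytes) -> None:
        # Mix in entropy the attacker never held: post-compromise security.
        self.state = kdf(self.state, b"update" + fresh_secret)


def keys_reachable_from(stolen_state: bytes, steps: int) -> set:
    """Message keys an attacker gets by ratcheting a stolen state forward."""
    attacker = Endpoint(stolen_state)
    return {attacker.next_message_key() for _ in range(steps)}


def simulate(shared_secret: bytes = b"constructed demo secret",
             fresh_secret: bytes = b"") -> dict:
    fresh = fresh_secret or os.urandom(32)
    alice = Endpoint(shared_secret)
    before = [alice.next_message_key() for _ in range(3)]
    stolen = alice.state            # the endpoint is compromised here
    after = [alice.next_message_key() for _ in range(3)]
    alice.update(fresh)             # assumed to be unseen by the attacker
    healed = [alice.next_message_key() for _ in range(3)]
    reachable = keys_reachable_from(stolen, steps=10)
    return {
        "past_exposed": sum(k in reachable for k in before),
        "pre_update_exposed": sum(k in reachable for k in after),
        "post_update_exposed": sum(k in reachable for k in healed),
    }


if __name__ == "__main__":
    print(simulate())
```

Keys sent before the compromise and after the update stay out of the attacker's reach; only the keys between the compromise and the update are exposed.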

All the properties listed here are already guaranteed by some existing solutions, such as the Signal protocol, a version of which WhatsApp also uses. What is new about MLS is its design philosophy: it starts with group messaging as a default, whereas older protocols are designed for one-to-one communication. The intention is for MLS to be much more scalable than current solutions (like Signal, iMessage, WhatsApp, etc.). This performance edge and the open nature of the standard are likely to be incentive enough for lots of platforms and services to adopt MLS as their message encryption protocol of choice. That is why, besides academicians, the working group has active participation from companies, including Google, Mozilla, Facebook, Twitter and Wire.

Will it federate?

Since traditional E2EE protocols were designed keeping one-to-one conversations in mind, the logic of how chat ‘groups’ operate has been left to individual services and platforms. Coupled with the fact that some organisations may deliberately not want to federate their service (for commercial or non-commercial reasons), true interoperability on a public scale has arguably never been achieved with E2EE messaging.

MLS has the potential to change that. While the working group has not set complete federation/interoperability as an explicit goal, an Internet Draft by authors from Google and Wire clearly lays out that it is technically possible with the existing architecture of MLS. If successfully demonstrated, it is likely that details on how to achieve federation with MLS will be incorporated into the proposal in early 2021.

The ecosystem is still moving

Fortunately, the MLS working group is concerned with usability as much as it is with security and privacy. With working group participants having actively accommodated support for multiple devices per user, in addition to business use-cases, MLS offers the promise of a protocol that can be widely deployed across all applications that need a messaging feature.

As the charter for MLS notes, the working group “hope[s] to have several interoperable implementations as well as a thorough security analysis” before standardisation. This was confirmed at IETF109, where the plan for the protocol specification was discussed. The Internet Draft will go on a freeze until developers can get deployment experience with the current version, and academicians can formally analyse the cryptographic properties.

With broad industry buy-in and the likelihood of open source implementations cropping up in the near future, the MLS open standard may just become the backbone of private communication online.


This article was written for CENTR by Gurshabad Grover, a technologist and legal researcher based in Bangalore, India, where he is Senior Researcher at the Centre for Internet and Society. Gurshabad's writing focuses on network security, privacy and censorship.