Semi-Private Messages in the Messaging Layer Security (MLS) Protocol

Semi-Private Messages in the Messaging Layer Security (MLS) Protocol Rohan Mahy Consulting Services

rohan.ietf@gmail.com

Security Messaging Layer Security SemiPrivateMessage This document defines a SemiPrivateMessage for the Messaging Layer Security (MLS) protocol. It allows members to share otherwise private commits and proposals with a designated list of external receivers rather than send these handshakes in a PublicMessage. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Messaging Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction This document defines two extensions of MLS . The first is the SemiPrivateMessage wire format Safe Extension (see , which allows an otherwise PrivateMessage to be shared with a predefined list of external receivers. It is restricted for use only with commits or proposals. The second is the external_receivers GroupContext extension that contains the list of external receivers and allows members to agree on that list. SemiPrivateMessages are expected to be useful in federated environments where messages routinely cross multiple administrative domains, but the MLS Distribution Service needs to see the content of commits and proposals where group members would otherwise send handshakes using PublicMessage.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document uses terminology extensively from MLS and the Safe Extensions framework, defined in .

Syntax and Usage The external_receivers GroupContext extension is used for all members to agree on the list of external receivers in the current epoch. Its construction mirrors the syntax of the external_senders extension in . The SemiPrivateMessage wire format Safe Extension also has an extension type which is carried in the GroupContext to indicate use of the wire format in a group (and in the Capabilities of LeafNodes). SemiPrivateMessage substantially reuses the construction of PrivateMessage, but like a Welcome message also contains information (keys_and_nonces) necessary to decrypt the SemiPrivateMessage struct's ciphertext and encrypted_sender_data, encrypted once for each external receiver in the external_receivers extension. The snippet below shows the syntax and encryption and decryption construction of keys_and_nonces into encrypted_keys_and_nonces ; opaque sender_data_nonce; opaque key; opaque nonce; } PerMessageKeysAndNonces; PerMessageKeysAndNonces keys_and_nonces; encrypted_keys_and_nonces = EncryptWithLabel( external_receiver_public_key, "SemiPrivateMessageReceiver", SemiPrivateMessage.ciphertext, /* context */ keys_and_nonces) keys_and_nonces = DecryptWithLabel( external_receiver_private_key, "SemiPrivateMessageReceiver", SemiPrivateMessage.ciphertext, /* context */ encrypted_keys_and_nonces.kem_output, encrypted_keys_and_nonces.ciphertext) ]]> The KeyForExternalReceiver structure contains a hash of the ExternalReceiver as a reference and the encrypted_keys_and_nonces. The SemiPrivateMessage struct mirrors the PrivateMessage struct and adds the keys_for_external_receivers list. The SemiPrivateContentAAD struct mirrors the PrivateContentAAD struct. It likewise adds the keys_for_external_receivers list, and also adds a hash of the FramedContentTBS struct to insure that the content encrypted to an external receiver is that same as that provided to members. The SemiPrivateMessageContent struct is the same as PrivateMessageContent except for the addition of keys_for_external_receivers, and that application messages are not included. Encryption of the ciphertext and encrypted_sender_data proceed in the same way for SemiPrivateMessage as for PrivateMessage. Finally, as a safe wire format extension, the SemiPrivateMessage is wrapped in an ExtensionContent struct. ; uint64 epoch; ContentType content_type; opaque authenticated_data; KeyForExternalReceiver keys_for_external_receivers; opaque encrypted_sender_data; opaque ciphertext; } SemiPrivateMessage; struct { select (PrivateMessage.content_type) { case proposal: Proposal proposal; case commit: Commit commit; }; KeyForExternalReceiver keys_for_external_receivers; FramedContentAuthData auth; opaque padding[length_of_padding]; } SemiPrivateMessageContent; struct { opaque group_id; uint64 epoch; ContentType content_type; opaque authenticated_data; KeyForExternalReceiver keys_for_external_receivers; opaque framed_content_tbs_hash; } SemiPrivateContentAAD; /* IANA-registered value for semi_private_message */ extension_type = TBD2 SemiPrivateMessage extension_data; ]]>

Security Considerations These two extensions provide a privacy improvement over sending handshake messages using PublicMessage. The handshake is shared with a specific list of receivers, and that list is visible as part of the GroupContext. TODO More Security.

IANA Considerations

SemiPrivateMessage Wire Format The semi_private_message MLS Extension Type is used to signal support for the SemiPrivateMessage Wire Format (a Safe Extension).

Value: TBD1 (to be assigned by IANA)
Name: semi_private_message
Recommended: Y
Reference: RFC XXXX

External Receivers Extension Type The external_receivers extension contains a list of external receivers targeted in a SemiPrivateMessage.

Value: TBD2 (to be assigned by IANA)
Name: external_receivers
Message(s): GC. This extension may appear in GroupContext objects.
Recommended: Y
Reference: RFC XXXX

Normative References The Messaging Layer Security (MLS) Protocol Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands. The Messaging Layer Security (MLS) Extensions Phoenix R&D This document describes extensions to the Messaging Layer Security (MLS) protocol. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/mlswg/mls-extensions. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.

Acknowledgments TODO acknowledge.