How Messaging Layer Security Enables Scalable End-to-End Security in Webex
The Internet Engineering Task Force has just approved the standardization of the Messaging Layer Security (MLS) protocol for end-to-end encryption — and we at Cisco are delighted. That’s because we believe privacy is a fundamental human right, and end-to-end security is a critical tool for protecting privacy.
Cisco has supported the MLS effort since its inception, using an early version as the foundation for Zero Trust Meetings in Webex as well as the SFrame protocol for end-to-end media encryption. To recognize MLS’s finalization by the IETF, we wanted to share a few thoughts about how MLS works in practice — especially when it comes to security and scalability — and how MLS is going to enable new possibilities in the future.
The Highest Level of E2E Security
A major reason we chose MLS as the end-to-end encryption system for Webex is that it provides the absolute highest level of security available, exceeding the approaches used by other vendors in this space.
MLS enforces strong forward security and post-compromise security guarantees so that a meeting participant can only decrypt media sent while they’re in the meeting.
The protocol also supports certificate-based authentication, so that Webex customers can prevent Webex from impersonating their devices. If you see a blue checkmark next to a device in a Zero Trust meeting, that device has proven its identity with a credential from a third-party source, independent of Webex.
Even MLS’s security code is industry-leading: While other security codes only verify point-to-point information, the MLS “epoch authenticator” security code that Webex uses verifies the whole state of the end-to-end security for the meeting.
E2E Security that Works at Scale
You might think providing a stronger level of security would make it difficult to use MLS at scale. But we’ve found that while MLS does present some challenges, they were straightforward to overcome.
One way that MLS is especially strict is that it requires protocol messages to be processed in a consistent order. This is only a problem when multiple clients send MLS messages at once, so we make sure there’s never any confusion: Whenever an MLS operation needs to be done, Webex chooses which of the clients in the meeting will perform that operation. Conveniently, MLS ensures that any client in the meeting can do any operation, so Webex can select any client that works well, like a client with lots of processing power or a reliable network connection.
To provide forward security and post-compromise security, MLS rotates keys frequently: in effect, whenever anyone joins or leaves the meeting. In a real-time setting like Webex, this creates the risk of media drop-outs due to mismatched keys. Fortunately, MLS also allows these changes to be batched, so that a rotation only needs to happen once for a batch of several joins/leaves. By combining this batching with explicit signaling of key roll-over and the key ID in the SFrame, we can avoid media drop-outs, even in meetings with hundreds of people joining and leaving.
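The batching and key-ID roll-over described above can be sketched as follows. This is an added example, not Webex or MLS library code: the `Orchestrator` and `MediaEndpoint` classes, the one-byte key ID, and the HMAC-based key derivation and frame tag are hypothetical stand-ins for the MLS key schedule and SFrame's AEAD.

```python
import hashlib
import hmac

K0 = b"constructed-epoch-0-secret"  # constructed sample key, not a real MLS secret

def next_epoch_key(prev_key, batch):
    # Stand-in for an MLS Commit: real MLS derives this via the ratchet tree.
    return hmac.new(prev_key, "|".join(batch).encode(), hashlib.sha256).digest()

class Orchestrator:
    """Hypothetical server role: queue joins/leaves, release them as one batch."""
    def __init__(self):
        self.pending, self.epoch = [], 0
    def propose(self, change):
        self.pending.append(change)
    def commit_batch(self):
        batch, self.pending = self.pending, []
        self.epoch += 1  # one rotation no matter how many changes were queued
        return self.epoch, batch

class MediaEndpoint:
    def __init__(self, key0):
        self.keys, self.send_kid = {0: key0}, 0
    def install(self, epoch, batch):
        # Learn the new key but keep the previous one until roll-over completes.
        self.keys[epoch] = next_epoch_key(self.keys[epoch - 1], batch)
        self.keys = {k: v for k, v in self.keys.items() if k >= epoch - 1}
    def roll_over(self, epoch):
        self.send_kid = epoch  # explicit signal: start sending under the new key
    def _tag(self, kid, payload):
        return hmac.new(self.keys[kid], bytes([kid]) + payload, hashlib.sha256).digest()[:16]
    def seal(self, payload):
        # HMAC tag stands in for SFrame's AEAD; payload is left in the clear here.
        return bytes([self.send_kid]) + payload + self._tag(self.send_kid, payload)
    def open(self, frame):
        kid, payload, tag = frame[0], frame[1:-16], frame[-16:]
        if kid not in self.keys:
            return None  # no key for this key ID: the frame is dropped
        return payload if hmac.compare_digest(tag, self._tag(kid, payload)) else None

def demo():
    srv, alice, bob, late = Orchestrator(), MediaEndpoint(K0), MediaEndpoint(K0), MediaEndpoint(K0)
    for change in ("add:carol", "add:dave", "remove:erin"):
        srv.propose(change)
    epoch, batch = srv.commit_batch()
    alice.install(epoch, batch)
    bob.install(epoch, batch)  # `late` has not processed the commit yet
    alice.roll_over(epoch)  # alice switches first; bob still sends on epoch 0
    new_frame, old_frame = alice.seal(b"from-alice"), bob.seal(b"from-bob")
    return epoch, bob.open(new_frame), alice.open(old_frame), late.open(new_frame)
```

Retaining the previous epoch's key is what lets frames from both sides of the roll-over verify; the retention window is kept to a single epoch so old keys are discarded promptly.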
The hardest thing about scaling MLS is simply managing the data that supports MLS’s strong authentication. When a client joins, they need to download the “ratchet tree” for the meeting (including certificates for everyone who’s already in the meeting), so that they can verify everyone’s identity. And in a naïve implementation of MLS, this ratchet tree also must be uploaded by the meeting participant who adds the new member to the MLS group.
In Webex, we were able to optimize the upload half of this process by having our orchestration server keep a copy of the ratchet tree and update it based on the much smaller MLS Commit messages. New joiners still have to download the whole ratchet tree, but even in a thousand-person meeting, this takes only a few seconds.
A Future with Strong E2E Security for Everyone
Now that version 1.0 of MLS is being released as a final standard, we’re looking forward to using MLS to enable stronger end-to-end security in more places and integrating MLS with other security technologies to create types of security that aren’t possible today.
We’re already looking at ways we can bring the benefits of MLS to other parts of Webex. We’re also driving new standards for “UserInfo Verifiable Credentials” that can integrate with MLS to provide strong and frictionless user authentication. As the ecosystem of MLS implementations matures, it should make it easier for our ecosystem of Webex partners to start to take advantage of MLS-based end-to-end security in Webex.
We send our congratulations and thanks to the IETF, the MLS Working Group, and all our MLS collaborators. MLS is going to enable more and better end-to-end security for the whole Internet — another step towards a world with strong and ubiquitous protections for users’ privacy and security.
To get a glimpse of this new world, you can enable MLS-based end-to-end encryption in your Webex meetings today. If you’d like to learn more, please get in touch.
May 15, 2023 — Kevin Adamson