MLS (Messaging Layer Security) is on Track

There is a common theme in all wolfSSL products which is that they basically involve two parties. For wolfSSL, wolfSSH, wolfMQTT and cURL libraries there is a server and a client. For wolfBoot, you have the boot loader and firmware provider. For wolfTPM you have the user and the TPM. For wolfSentry you have the system and the intruder.

Soon, things are going to be different. With the new MLS (Messaging Layer Security) there will be multiple parties (Alice, Bob, Carol, Dean, Emily, etc., etc.). We’re talking decentralized (serverless) end-to-end security that scales with forward secrecy and post-compromise security. It is widely acknowledged that wolfSSL is a leader in cryptographic protocols, so with the new RFC 9420 finally set to “Standards Track” status we’re starting to see some interest!

With our new implementation of Encrypted ClientHello (ECH), we have implemented Hybrid Public Key Encryption (HPKE) and so we are well on our way to an implementation for MLS which also requires HPKE.

MLS is a natural choice for suppliers of communications infrastructure to governments because it scales! That makes wolfCrypt’s FIPS certification a potential game changer. With our tried and tested FIPS 140-2 as well as our impending FIPS 140-3 certification, wolfCrypt FIPS can make an MLS implementation attractive to government vendors today and well into the future.

But wait, how far into the future? Until a cryptographically relevant quantum computer comes into existence. Do you have requirements to keep your communications protected for several years into the future? Then you must have been thinking about post-quantum algorithms. The NSA has. They’ve come out with their CNSA 2.0 guidance and wolfSSL is listening. We already support LMS, Dilithium, Kyber and all the symmetric ciphers and hash algorithms required by it. Would you like to see a post-quantum MLS?

Here is a short list of open source implementations that we know about:

  • MLSpp (C++) (Status: RFC)
  • OpenMLS (Rust) (Status: RFC)
  • go-mls (Go) (Status: RFC in progress)

What if wolfCrypt is the cryptographic implementation underneath these libraries? We even have a golang wrapper.

Do you have a use case for MLS? Do you need FIPS? How long do you need to keep your communications confidential? Please reach out to us here at facts@wolfssl.com, or call us at +1 425 245 8247 to help us understand your needs!

Download wolfSSL