IOTA's Masked Authenticated Messaging (MAM) allows users to publish encrypted messages to the Tangle in a way that provides data integrity, privacy, and access control. MAM uses a Merkle tree signature scheme to sign encrypted messages. Messages can be published in public, private, or restricted modes which determine who can access and decrypt the messages. MAM supports features like forward secrecy, channel splitting, and digital identity use cases by controlling access to streams of encrypted data in the Tangle.
2. Recalling IOTA
● distributed ledger architecture that has no transaction fees
● built for ecosystems such as the Internet of Things or Web 3.0
● uses a gossip protocol to propagate transactions through the network
3. Masked Authenticated Messaging
Data communication protocol which adds functionality to emit and access an
encrypted data stream, like RSS, over the Tangle
Why bother?
● IOTA’s consensus protocol adds integrity to these message streams
● fulfills an important need in industries where integrity and privacy meet
4. The Concept
In IOTA, a user can publish a message at any time. They only need to conduct a
small amount of proof of work to allow the data to propagate through the
network (This is necessary to prevent spamming of the network). If nodes are
listening for the channel ID (= address) in real time, the message (gossipped
through the network) will be received by a subscriber when it reaches the
subscriber’s node.
5.
6. How it affects others on the Tangle?
Since these messages are part of the distributed ledger, they both contribute to
the security of the network by increasing total hashing power and benefit from
the data integrity properties of the network as other transactions continue to
indirectly reference them.
7. Existing application of MAM
On embedded devices
Bosch XDK IoT developer kit or the RuuviTag, an open source sensor
beacon from Ruuvi Labs. Using the XDK or RuuviTags, one can create
portable weather stations, Eddystone proximity beacons, vehicle locators
and many other nifty sensor applications that report telemetry to a limited
audience via the tangle or receive commands through a MAM stream.
8. In-depth
MAM uses a Merkle tree based signature scheme to sign the cipher digest of
an encrypted message. The root of this Merkle tree is used as the ID of the
channel. Each message contains the root of the next Merkle tree (or the future
direction of the channel). Since previous trees are not referenced, this might be
used to add an element of forward secrecy to a channel.
10. Privacy & Encryption Modes
1. Public: Masked-message is decrypted using root.
2. Private: address=hash(root). Masked message is decrypted usingroot.
3. Restricted: address=hash(root). Masked message is decrypted using
sideKey.
11. Public
Public mode uses the tree’s root as the address of the transaction that the
message is published to. A random user to stumbling across a message can
then decode it by using the address of the message.
This mode is similar to broadcasting on HAM radio. It could be used for public
announcements from a device or individual and a possible use case would be a
twitter clone, however now you have the added properties of immutability and
data integrity.
12.
13. Private
Private mode can be used for encrypted streams not meant for public
consumption. In private mode, the hash of the Merkle root is used as the
address. This stops a random user from decrypting your message if they
stumble across it due to the fact that they are unable to derive the root from the
hash. This makes a MAM stream only readable by those who are provided with
the root.
14.
15. Restricted
Restricted mode adds an authorization key to private mode. The address used
to attach to the network is the hash of the authorization key and the Merkle
root. A message publisher could stop using the auth key without changing their
Channel ID (that is, the merkle tree), so access could be in essence revoked
from subscribers if desired. When a key change event occurs the new auth key
needs to be distributed to the parties that are allowed to follow the stream.
16.
17. Forward Secrecy
Given that a current message only points to the next merkle tree, there is no
way for a user reading the MAM stream to read messages prior to the root they
have been given. It’s easiest to think of a MAM stream as a freeway: when you
first start to read a stream you are entering the freeway and you can’t go
against the flow of traffic.
18.
19. Channel Splitting
A MAM publisher can decide to split the channel at any point in time. This
means: future messages use a new Merkle tree whose root has not been
revealed before. This enables offshoot channels for specific subsets of data,
the entirety of which is not intended to be shared, thereby permissioning data
and providing fine grained access.
20.
21. Digital Identity- A use case
Record can have two main branches: Public and Private data. The Public
branch uses the Private MAM mode and lets all users who have the root read
the messages. This could include name, a list of interests,etc.
When going to a physician the user can share the a substream of daily weight
data. They can do this by sharing the root and auth key of the weight stream.
Given that there is forward secrecy, the physician will be unable to gain access
to extra data they have not been given access to.
22. Channel Splits- Another use case
A device may do a daily report on environmental data. When it detects an
anomaly it then splits the channel and starts reporting data at a smaller
interval. In addition to communicating values at the regular interval to the main
channel, it could also notify listeners of the new split channel that contains the
more frequent updates. This maintains the temporal spacing of the main
stream while allowing the flexibility to add in secondary stream for special use
cases.
23. MAM- The Conclusion
Masked Authenticated Messaging is one of IOTA’s most potent IXI Modules
and opens up a new field of use cases on top of IOTA. Being able to secure
data’s integrity and control its access management is a prerequisite for things
like Over-The-Air updates(OTA), Data Marketplaces, Fog Analytics, End-to-End
verifiable Supply Chains, Automated Insurance and so much more.
24. IOTA Data Marketplace
It’s just an application of MAM module
It’s promising because…
… it enables connected devices and "machines" to share securely information
and also allow seamless transactions between IoT devices.