How It Works

Canium uses MLS (Message Layer Security, RFC 9420) — the IETF standard for next-generation secure group messaging — as the single encryption stack across all communications: channels and direct messages.


Your Password Never Leaves Your Device

Canium uses OPAQUE (RFC 9807), a password authentication protocol in which the server never receives your password — not even in hashed form. The server holds a cryptographic record that is useless without the password, and a blob of encrypted key material that is useless without the OPAQUE session key your password produces. The two halves are worthless in isolation.

A breach of the server database reveals nothing about any user's password or derived keys.

Encryption Keys Derived on Your Device

When you log in, your device derives a root secret entirely locally. Every encryption key in the system descends from this secret. The server never sees this secret.

Because derivation is deterministic and user-scoped, every device you log in on produces the same keys from the same root secret. There is no per-device key registration, no synchronization ceremony.

MLS Group Encryption

Every Canium channel — including direct messages — is an MLS group. MLS is a cryptographic protocol for secure group messaging at scale, standardized by the IETF in 2023. It provides:

Direct Messages — Same Stack, No Exceptions

Direct messages in Canium are 2-person MLS groups. They use the identical cryptographic machinery as channels — same key derivation, same encryption scheme, same recovery paths, same server blindness. There is no separate DM cryptosystem with its own threat model. One encryption stack, consistently applied.

What the Server Never Sees

ItemServer access
User passwordsNever — OPAQUE protocol
Root secret (master key)Never — derived client-side only
OPAQUE session keyNever — ephemeral, client-only
MLS channel keysNever — derived client-side via MLS export
MLS private key materialNever — server holds public portions only

Multi-Device — Zero Friction

Because all keys derive deterministically from the root secret, adding a new device is simply logging in. No cryptographic re-enrollment of existing channels, no epoch churn. Your encryption state is fully portable via your credentials alone.


Security standards and threat model →