In the Security Groups section of the AWS Management Console for Wickr, you can manage security groups and their settings, such as password complexity policies, messaging preferences, calling features, security features and network federation.
Special thanks to Whitfield Diffie, Paul Kocher, Dan Kaminsky, Adam Shostack, Scott Stender & Jesse Burns for reviewing this paper and/or code and providing their insightful comments and invaluable advice.
The Wickr Secure Messaging Protocol provides a platform for secure communications. It is a method for sending messages with a set of security properties that we will explore in what follows.
Opposition to this objective may come from a variety of directions. The most common application of the concept of opponent will be to other Wickr users. A user wants to share some information with some users, other information with other users, and perhaps some with nobody. Other users may reasonably or unreasonably be interested in acquiring information whether its owner wanted to share it with them or not. Generally, other Wickr users are the most common form of opponent but the least powerful. By definition their actions are taken through Wickr systems and thus subject to some degree of control by Wickr.
The next most numerous class of opponents are probably system penetrators, people who attack Wickr servers, or perhaps even the users themselves, by communications that do not pass primarily through Wickr systems. Attacks of this kind have been common for a decade and are likely to continue. Wickr counters these attacks with operating system security, firewalls, and other measures, but is ultimately aware that such techniques have failed in the past and may at some point fail again. Therefore Wickr also attempts to avoid knowing anything it does not need to carry out its operations.
At the highest level of the protocol view, nodes encrypt messages with a strong symmetric cipher using randomly generated keys. Nodes pass the random symmetric keys in the message to recipient nodes using strong asymmetric cryptography. To decrypt messages, receiving nodes reverse the process, using asymmetric cryptography to extract the random keys and the random keys to decrypt the ciphertext. Group messaging is supported in the same manner by encrypting a message, encrypting the key to that message multiple times (for multiple nodes), bundling and sending a single message to multiple nodes.
Pools of public asymmetric key components, or ephemeral keys, are maintained for messaging operations, ensuring that strong forward secrecy is maintained in both synchronous and asynchronous messaging environments. These keys are signed and validated up through the root of trust on every use. Private key components never leave the device on which they are generated, ensuring that none other than sender-designated recipient node(s) can decrypt messages.
This design makes the protocol resistant to message authenticity and confidentiality threats posed by various actors along the entire path of delivery from device to device, including those posed by a rogue server.
PKr and IDr are stored on Wickr servers and provided to communication peers along with profile data. Kr, Krs, and Knsr provide critical identity and data protection services and are shared between devices. Current practices for protecting Krbk from a malicious server are described in Wickr Recovery Bundle, later in this document.
The message payload is stored in local storage encrypted with the Local Storage Device Key, Klds. All short-lived keys are deleted shortly after. The Wickr app will carry out actions in accordance with the message metadata, including deleting the message after its Time to Live has expired.
The Wickr Secure Messaging Protocol provides a platform for secure communications. In the simple case, a message payload contains only a text message. However, message metadata can indicate that other materials are to be exchanged, in which case the message payload includes one or more shared secrets used to protect those materials. This general design permits the Wickr Secure Messaging Protocol to support end-to-end encryption for file transfer, audio/video communications, or future use cases.
The Wickr Secure Messaging Protocol is the foundation for Wickr security, which is provided through the implementation of many security controls and practices in our products, the full breadth and description of which are beyond the scope of this document. The following items are noted as a sampling of security practices supporting the current implementation.
Ephemeral keys are managed in pools to provide strong forward secrecy, even in cases where devices go offline for periods of time. The primary key pool is maintained on the Wickr server. Sending nodes deplete the pool by using keys; recipient nodes replenish it by publishing them. Online devices replenish the pool immediately. Offline devices replenish the pool as soon as they come online.
A corner case exists in that if the key pool is exhausted, the last key will need to be re-used until the pool is replenished, thus expanding the amount of material protected by a particular ephemeral key. What makes this a corner case is that in our implementation, pool size is dynamic depending on the needs of the device and sufficiently high to handle devices being offline for reasonable periods of time.
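The pool behaviour and the exhaustion corner case described above can be modelled in a few lines. This is an added example, not Wickr's code: the class and function names are hypothetical, random key IDs stand in for ephemeral public keys, and no real cryptography is performed.

```python
import secrets
from collections import Counter


class EphemeralKeyPool:
    """Simplified server-side pool of one recipient node's ephemeral public keys."""

    def __init__(self):
        self.available = []      # published key IDs not yet handed to a sender
        self.last_issued = None  # remembered so an exhausted pool can fall back to it
        self.uses = Counter()    # key ID -> number of messages encrypted to it

    def publish(self, count):
        """Recipient node replenishes the pool (constructed IDs stand in for public keys)."""
        new_ids = [secrets.token_hex(8) for _ in range(count)]
        self.available.extend(new_ids)
        return new_ids

    def take(self):
        """Sender fetches a key: fresh keys are single-use, an empty pool re-uses the last one."""
        if self.available:
            self.last_issued = self.available.pop(0)
        elif self.last_issued is None:
            raise LookupError("no ephemeral key was ever published for this node")
        self.uses[self.last_issued] += 1
        return self.last_issued

    def exposure(self):
        """Keys that protected more than one message, with their message counts."""
        return {key: n for key, n in self.uses.items() if n > 1}


def simulate(pool_size, messages_while_offline, messages_after_replenish):
    """Return (distinct keys used, re-use seen while offline, re-use seen overall)."""
    pool = EphemeralKeyPool()
    pool.publish(pool_size)
    for _ in range(messages_while_offline):    # recipient offline: nothing is replenished
        pool.take()
    reused_offline = dict(pool.exposure())
    pool.publish(pool_size)                    # recipient comes back online
    for _ in range(messages_after_replenish):
        pool.take()
    return len(pool.uses), reused_offline, pool.exposure()
```

With a pool of 3 and 5 messages sent while the recipient is offline, the third key ends up protecting 3 messages; the re-use stops as soon as the pool is replenished, which is why the pool size has to be matched to expected offline periods.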
Three important keys, Kr, Krs, and Knsr are created during User Enrollment and must be shared securely between devices. This is accomplished by encrypting and storing them on Wickr servers.
The protocol also supports hardened key scenarios. One is to require the user to maintain Krbk in their own records and provide it to a device during enrollment. In this case, the encrypted recovery bundle would be maintained on Wickr servers but not the passphrase-encrypted Krbk. Similarly, Kr, Krs, and Knsr can be maintained offline and used only during scenarios that require access to those keys.
The Wickr app creates an encrypted storage container on each device to store sensitive data such as identity keys, messages, and account data. This container is decrypted during active logon sessions and its contents used for normal operation. When the user logs off, the container is encrypted with Klds, and this key is removed from local and persistent memory.
The Wickr Secure Messaging Protocol is designed to protect message content even if the data described above were transmitted in cleartext over an unprotected network. However, traffic analysis would reveal modestly sensitive information, such as identifiers for sending and receiving nodes and general traffic patterns.
Wickr protects the protocol with two additional layers of security. First, app-server requests and responses are encrypted with a rotating shared secret key using AES 256 in CFB mode. Second, the Wickr app tunnels this AES encrypted data inside of TLS. These protections provide redundant defense-in-depth measures that protect message metadata as well as content.
The Wickr Secure Messaging Protocol is designed to provide end-to-end encrypted communications. It accomplishes this through the use of standard cryptographic primitives which ensure the confidentiality and integrity of messages while in transit and while stored on Wickr servers. Wickr believes this protocol achieves our goal of keeping our customers in control of their content, and we welcome your feedback to strengthen it further. The source code for the Wickr Messaging protocol is available here.
Authenticity: Another set of security properties MLS aims for revolves around authenticity. Naturally, MLS must ensure that both the content and the source of messages can be reliably determined by all intended recipients. But MLS also aims to provide guarantees to members joining an existing group, allowing them to authenticate the existing group state without having to trust whoever invites them.
For very large groups involving very resource-poor devices, it will be helpful (in some deployments) to offload some public group states to a central delivery server. In line with the guiding principle of E2E security, the server is untrusted, so this state must be authenticated. What makes this non-trivial is that the state may be rather large and constantly changing, yet we have strict engineering constraints, so finding efficiency is particularly important.
Meta-Data Hiding: Along with content privacy, MLS also aims to minimize the amount and type of data exposed to the network and servers. On the one hand, this means minimizing the data required by, say, the delivery service to fulfill its role. This allows privacy-conscious MLS providers to implement their servers so that they store as little data as possible about their MLS network. On the other hand, MLS is also trying to minimize the data available to the network and servers. This means that even malicious servers will not be able to collect this type of data. The exact meta-data hiding properties and mechanisms of MLS remain very much a work in progress and a great topic for more R&D.
Deniability: Another great topic for more R&D revolves around the deniability goals for MLS. Intuitively, deniability means that honest users can deny things about their past interactions, much like having an (un-recorded) real-life conversation with someone is deniable after the fact.
Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.
This documentation helps you understand how to apply the shared responsibility model when using Wickr. The following topics show you how to configure Wickr to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Wickr resources.