At Wickr, we build world-class communications products that must scale and be hardened against a wide range of sophisticated attacks. In doing so, it is critical that our crypto design and code are easy to review and are vetted by our peers.
Wickr has actively engaged the security and crypto communities to test and scrutinize our software and design decisions. No Wickr product goes to market without extensive scrutiny by our Advisors and best in the industry 3rd party security teams.
Today, we are excited to open Wickr’s core crypto protocol on GitHub for public review. We also published a short technical white paper to serve as an aid to those who wish to audit the source code.
Why Now?
We have worked hard to find the right balance between sharing our IP and building a strong business. The Electronic Frontier Foundation has been one of the key voices to inspire Wickr and many others in the industry to find a balance in engineering the privacy technology.
To date, Wickr has built a strong portfolio of secure communications tools – from a free consumer messenger to the new enterprise products designed to secure the world’s most important communications within security-conscious companies and organizations. It is now time to begin opening the source code so our customers and partners can easily review the crypto codebase and validate the promises we make to Wickr’s users. We hope this first release will inspire constructive critical feedback, further advancement of Wickr’s security, and adoption of secure communications tools.
For me personally, this is an important milestone in Wickr’s growth. I strongly believe in the open source community and am beyond excited to start Wickr on the path of sharing its expertise to help advance information security and empower private communications.
Ephemerality Is Key to Security
While the technology industry has evolved, those of us working on the security side know that there are no winners as long as we continue to grow sensitive data and retain valuable communications beyond their useful life. In light of recent political and security events that have dramatically changed the course of governments and businesses, we need a seismic shift in the security culture to empower companies and organizations to use the right tools for the right conversations. It is no longer responsible to store everything at all times and expect sensitive information to remain secure.
“You can’t leak what you don’t have. For years, Wickr has been at the forefront of ephemeral communication. With AWS Wickrfessional, they are allowing teams to be confident that what is discussed is not distributed. And by opening their code, they are giving the engineering community strong reasons to trust their platform.”
– Dan Kaminsky, a Renowned Security Expert & Wickr Advisor
Crypto Expertise
Today, Wickr is doubling down on its commitment to not only build the best security team and most reliable ephemeral communications tools, but to also engage a wider audience in rethinking how we all treat sensitive data – government, personal, or business.
It is critical that we continue to increase our engagement with the research community. To that end, I am proud to announce an exciting addition to our core research and engineering team – Joël Alwen. Joël is a widely published cryptographer; he will focus on applied crypto at Wickr while continuing his postdoc research at the Institute of Science and Technology in Austria.
Core Crypto Released for Public Review
The core crypto source code published today is an implementation of the Wickr Secure Messaging Protocol, which provides a platform for secure communications on AWS Wickrfessional.
Wickr-crypto-c is an enhanced protocol built into AWS Wickrfessional – a new generation of private communications tools built for the enterprise. The upgrade significantly improves the efficiency in key management for large group conversations in secure rooms. A notably lighter, entirely client-based protocol, wickr-crypto-c enables scalable, strong perfect forward secrecy and ephemeral collaboration.
As Tom Leavy, Wickr’s co-founder and the primary author of wickr-crypto-c, pointed out: “Although to our users on AWS Wickrfessional, it is a seamless experience to communicate in secure rooms, as much as it is to send messages 1:1, computationally, it is a challenge to allow for each participant in a 30-person collaboration space to reliably exchange a unique key for every message sent or file transferred while still providing a high level of performance. The team is proud to have been able to take perfect forward and backward secrecy to a new level in addition to making the protocol significantly lighter and faster.”
Both the white paper and the crypto source code have undergone a 3rd party security audit and have been reviewed by Wickr’s expert advisors and independent researchers. I want to thank Whitfield Diffie, Paul Kocher, Dan Kaminsky, Adam Shostack, Scott Stender, and Jesse Burns for their insightful feedback and invaluable advice.
The code and the paper are now available here and here.