Crypto-curious? Wickr's opened its kimono for code review
Look, don't copy: 'this is not an open source license'
Ephemeral messaging application Wickr has opened up the core crypto software of its Wickr Professional app so others can review it.
The repository is at GitHub.
At this stage, the company is not offering the code for re-use. It's published under a purpose-written “review license” only, although the company says an open-source release under the GNU licence is on the cards.
So what's in the box, so to speak?
To avoid single-library dependencies, the company says it's organised Wickr Professional to expose its security primitives in an “organised and generic” way.
In other words, while the app uses OpenSSL 1.0.2, other libraries could be supported. Supported OpenSSL primitives include AES 256 (GCM and CTR); SHA from 256 to 512; various elliptic curve Diffie-Hellman flavours; SCRYPT and BCRYPT; HMAC (keyed-Hash Message Authentication Code) and HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
As described in this white paper, the protocol provides:
- End to End Encryption – Messages and encryption keys are available only within Wickr applications and are not disclosed to network attackers or Wickr server operators;
- Perfect Forward Secrecy – Old message content is not compromised if the long-term key of a user or device is compromised. Backward secrecy is also provided against passive adversaries; and
- Protection of Metadata – Node identity information stored in message headers is hidden from attackers who lack message context and source information.
As well as the crypto module, the other key pieces of the application's architecture are the protocol itself (the low-level implementation that encodes and decodes encrypted messages); and “Context”.
Context provides, as Wickr explains, a “high level interface for managing an endpoint that can send and receive encrypted message packets” – which is how client front-ends integrate with the crypto library.
The protocol is also extensible, so in the future it could support non-text file content like file transfers, audio, and video.
Announcing the publication of the software, CEO Joel Wallenstrom adds that Wickr has added Austrian crypto-boffin Joël Alwen (of that country's Institute of Science and Technology) to its team. Alwen first came to El Reg's attention more than a decade ago, when he worked with an Electronic Frontier Foundation team to decode the dot-patterns that identified laser printers for spooks.
Wallenstrom says both the crypto source code and the white paper have already had an independent review: “I want to thank Whitfield Diffie, Paul Kocher, Dan Kaminsky, Adam Shostack, Scott Stender, and Jesse Burns for their insightful feedback and invaluable advice.”
Wickr's not the first secure messaging app to allow this kind of review: rival Signal released its code in November 2016. ®