Security Overview

  • Updated

Wire has state of the art encryption across its servers, and messaging/communication between devices. We at wire understand security & privacy natively; we have created a highly secure, private messenger for those complex situations organisations battle each day. We help protecting your business, its employees, and whoever communicates via Wire be safe and stay secure. With Secure Messenger, you & your colleagues can share messages, share files and call each other as you would with any other communication tool. Wire Secure Messenger is 100% secure, and users love the simplicity of the messenger.

Here is a brief overview of the security measures taken by wire -

Message Encryption

Messaging refers to exchanging text messages and assets . All messaging in Wire is subject to end-to-end encryption to provide users with a strong degree of privacy and security. End-to-end encryption (E2EE) takes place between two clients. Proteus is the main cryptographic protocol. It is an independent implementation of the Axolotl/Double Ratchet [8] protocol, which is in turn derived from the Off the-Record protocol, using a different ratchet. Furthermore Wire uses the concept of prekeys to use the protocol in an asynchronous environment. It is not necessary for two parties to be online at the same time to initiate an encrypted conversation.

Proteus uses the following cryptographic primitives (provided by libsodium):

  1. ChaCha20 stream cipher 

  2. HMAC-SHA256 as MAC

  3. Elliptic curve Diffie-Hellman key exchange (Curve25519) & Key derivation is done using HKDF

Calling Encryption

Call media is exchanged between endpoints in an SRTP-encrypted media session. To initiate the session the SRTP encryption algorithm, keys, and parameters are negotiated through a DTLS handshake. The authenticity of the clients is also verified during the handshake by sending the expected fingerprints over the existing authenticated Proteus session.

Wire conference calls use existing WebRTC mechanisms to establish peer connections between clients and Selective Forwarding TURN server (SFT). On those legs, all data is encrypted in the same way as on 1:1 calls. In addition, Wire clients use Insertable Streams [20] to end-to-end encrypt the content of media packets.

Transport Encryption

Wire clients interact with backend servers over HTTPS connections supporting only TLSv1.2. Only cipher suites that support forward secrecy (PFS) are used. The server indicates the order preference of cipher suites and communicates HTTP Strict Transport Security (HSTS) to all clients.

Local Data Protection

Wire apps store the content of conversations such as text messages, images and other assets locally on the device. Depending on the platform, different protection mechanisms exist:

1. iOS: Local data is stored using Core Data and in files (both protected in with NSFileProtectionCompleteUntilFirstUserAuthentication). Conversation content, cryptographic key material and other sensitive data is not synced with iCloud or iTunes backups. Local data can only be accessed from the Wire app, it is inaccessible to other apps thanks to the iOS sandboxing.

2. Android: Local data is stored using SQLite and in files. Conversation content, cryptographic key material or other sensitive data is not synced with Android Backup Service. The local data can only be accessed from the Wire app, it is inaccessible to other apps thanks to the Android permissions. The app sometimes keeps cached data (i.e. downloaded images) on the external storage (SD card). Those files are encrypted using AES128, each file uses a different random key which is stored in the private database.

3. Desktop clients: Local data is stored using IndexedDB. The data is stored in the user’s folder. It is strongly recommended to use full disk encryption like FileVault on macOS or Bitlocker on Windows.

Was this article helpful?

27 out of 35 found this helpful

Have more questions? Submit a request