Wire is an encrypted communication and collaboration app created by Wire Swiss. It is available for iOS, Android, Windows, macOS, Linux, and web browsers.
One account works on up to 8 devices. Messages are encrypted for each device.
Users can verify each conversation partner’s device fingerprints to confirm that no other device or key has been substituted.
Forward and backward secrecy
New encryption keys are derived for each message, so compromising one message key exposes neither earlier nor later messages.
All communication through Wire, whether messages, conference calls or files, is secured with end-to-end encryption. The decryption keys are stored only on user devices, never on Wire’s servers. Wire also gives companies the option to deploy their own instances of Wire in their own data centers.
Wire is 100% open source with its source code available on GitHub, independently audited, and ISO, CCPA, GDPR, SOX-compliant.
Wire’s collaboration suite combines messenger, voice, video, conference calls, file sharing and external collaboration, all protected by the same end-to-end encryption.
Secured with end‑to‑end encryption.
Protected by European privacy laws
Registration on Wire involves up to three steps, of which only the first is strictly required in order to start using the service:
- User registration.
- Client registration.
- Push token registration.
End-of-life of a client
• The user logs out permanently of a client: all local state of that client on the device is deleted, including all secrets. The backend retains an entry for that client, including its public identity key.
• A user deletes a client (device) from their account on another client: the backend drops the corresponding entry in the user’s devices list and all cookies associated with that client. Additionally, the to-be-deleted client is notified by the backend and erases all local state on the device. The user is prompted for their password for this operation.
• A user account is terminated: all server-side data associated with that account is deleted, including the client list. As in the previous case, clients are notified and proceed to erase all their local data.
• A user uninstalls the Wire app on Android or iOS: the operating system deletes all data associated with the app, but the event is not communicated to the backend (mobile platforms give the app no opportunity to do so). The backend retains an orphaned entry for that client in the user’s devices list until the user removes it as described above.
End-to-end encryption (E2EE)
End-to-end encryption (E2EE) takes place between two clients (cf. 2.2). Proteus is the main cryptographic protocol. It is an independent implementation of the Axolotl/Double Ratchet protocol, which is in turn derived from the Off-the-Record protocol but uses a different ratchet.
Furthermore, Wire uses prekeys so that the protocol works asynchronously: it is not necessary for two parties to be online at the same time to initiate an encrypted conversation.
Wire is also active in the standardisation work that extends these security properties to group messaging.
Messaging Layer Security (MLS) is an IETF protocol (RFC 9420) for end-to-end encrypted group communication, intended to bring that protection to enterprise messaging platforms at scale.
Proteus uses the following cryptographic primitives (provided by libsodium):
• ChaCha20 stream cipher
• HMAC-SHA256 as MAC
• Elliptic-curve Diffie-Hellman key exchange on Curve25519
Key derivation is done using HKDF.
Every client initially generates some key material which is stored locally:
• Identity keypair: $(a, g^a) \in_R \mathbb{Z}_p \times \mathrm{Curve25519}$, where $g \in \mathrm{Curve25519}$ is the generator
• A set of prekeys: $(k_{a,i}, g^{k_{a,i}}) \in_R \mathbb{Z}_p \times \mathrm{Curve25519}$, where $0 \le i \le 65535$
During client registration (section 2.2) a client uploads prekeys $(g^{k_{a,0}}, \ldots, g^{k_{a,j}})$ bundled with its public identity key $g^a$. These are eventually used by other clients to asynchronously initiate an end-to-end encrypted conversation, i.e. given a recipient’s prekey $g^{k_{a,i}}$ and identity key $g^a$ the sender can derive an initial encryption key even if the recipient is offline.
The prekey with ID 65535 is the so-called “last resort” prekey. Every other prekey is intended to be used only once, so the server removes each requested prekey immediately. To avoid running out of prekeys, the last-resort prekey is never removed and clients should regularly upload fresh prekeys.
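The prekey mechanism described above (key generation and upload, asynchronous initiation from a fetched prekey, and the one-time versus last-resort distinction), as an added worked example that is not Wire’s or Proteus’s code: a stand-alone Go program (Go 1.20+ for crypto/ecdh) in which a client generates its identity key and prekeys, a simulated backend hands out each one-time prekey exactly once and the last-resort prekey (ID 65535) repeatedly, and a sender initiates a session while the recipient is offline by a triple Diffie-Hellman over Curve25519 fed to HKDF-SHA256. The triple-DH shape DH(a, g^k) || DH(e, g^b) || DH(e, g^k), the info string "handshake", the single-block zero-salt HKDF, the in-memory PreKeyStore and the names NewClient, Bundle, Fetch, Initiate and Respond are assumptions of this example; Proteus’s exact derivation, message framing and ChaCha20/HMAC message encryption are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const lastResortID uint16 = 65535 // the one prekey the backend never removes (whitepaper: ID 65535)
// Client holds one device's locally generated secrets: identity scalar a and prekey scalars k_{a,i}.
type Client struct {
	identity *ecdh.PrivateKey
	prekeys  map[uint16]*ecdh.PrivateKey
}

// PreKeyStore models the backend's copy of one client's public prekeys, ID i -> g^{k_{a,i}} (assumed shape).
type PreKeyStore map[uint16]*ecdh.PublicKey
func must[T any](v T, err error) T { // X25519 fails only on a broken RNG or an all-zero shared point
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// NewClient generates the identity keypair, n one-time prekeys (IDs 0..n-1) and the last-resort prekey.
func NewClient(n int) *Client {
	c := &Client{identity: newKey(), prekeys: map[uint16]*ecdh.PrivateKey{}}
	for i := 0; i < n; i++ {
		c.prekeys[uint16(i)] = newKey()
	}
	c.prekeys[lastResortID] = newKey()
	return c
}

// Bundle is what client registration uploads: the public identity key g^a and all public prekeys.
func (c *Client) Bundle() (*ecdh.PublicKey, PreKeyStore) {
	store := PreKeyStore{}
	for id, k := range c.prekeys {
		store[id] = k.PublicKey()
	}
	return c.identity.PublicKey(), store
}

// Fetch serves a one-time prekey and deletes it at once; when only the last resort is left, it is served and kept.
func (s PreKeyStore) Fetch() (uint16, *ecdh.PublicKey) {
	for id, pub := range s {
		if id != lastResortID {
			delete(s, id)
			return id, pub
		}
	}
	return lastResortID, s[lastResortID]
}

// hkdfSHA256 is RFC 5869 extract (zero salt) followed by a single 32-byte expand block.
func hkdfSHA256(ikm, info []byte) []byte {
	prk := hmac.New(sha256.New, make([]byte, sha256.Size))
	prk.Write(ikm)
	okm := hmac.New(sha256.New, prk.Sum(nil))
	okm.Write(append(append([]byte{}, info...), 1)) // T(1) = HMAC(PRK, info || 0x01)
	return okm.Sum(nil)
}

// Initiate: the sender (identity a, fresh ephemeral e) derives the initial key from the recipient's public identity
// g^b and fetched prekey g^k while the recipient is offline. Assumed Axolotl-style shape: HKDF(DH(a,g^k) || DH(e,g^b) || DH(e,g^k)).
func Initiate(sender *Client, recipientIdentity, prekey *ecdh.PublicKey) ([]byte, *ecdh.PublicKey) {
	e := newKey()
	master := bytes.Join([][]byte{must(sender.identity.ECDH(prekey)), must(e.ECDH(recipientIdentity)), must(e.ECDH(prekey))}, nil)
	return hkdfSHA256(master, []byte("handshake")), e.PublicKey()
}

// Respond mirrors the computation with b and k; a one-time prekey is then deleted so reuse is rejected, the last resort is kept.
func Respond(recipient *Client, senderIdentity, ephemeral *ecdh.PublicKey, id uint16) ([]byte, error) {
	k, ok := recipient.prekeys[id]
	if !ok {
		return nil, fmt.Errorf("prekey %d unknown or already consumed", id)
	}
	if id != lastResortID {
		delete(recipient.prekeys, id)
	}
	master := bytes.Join([][]byte{must(k.ECDH(senderIdentity)), must(recipient.identity.ECDH(ephemeral)), must(k.ECDH(ephemeral))}, nil)
	return hkdfSHA256(master, []byte("handshake")), nil
}

func main() {
	bob, alice := NewClient(1), NewClient(0) // Bob registers one one-time prekey plus the last resort
	bobID, store := bob.Bundle()
	aliceID, _ := alice.Bundle()
	for i := 0; i < 3; i++ { // the 2nd and 3rd initiations fall back to prekey 65535
		id, pub := store.Fetch()
		root, eph := Initiate(alice, bobID, pub)
		bobRoot, err := Respond(bob, aliceID, eph, id)
		fmt.Printf("prekey %5d match=%v err=%v\n", id, bytes.Equal(root, bobRoot), err)
	}
}
```

Running it shows the first initiation consuming prekey 0 and the next two both being served prekey 65535; both sides derive the same key every time, and the two last-resort sessions still yield different keys because the sender contributes a fresh ephemeral key. Only the last-resort prekey is ever reused, which is why the whitepaper has clients keep uploading fresh prekeys rather than letting the store drain to that one entry.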