The Wickr platform is built around two types of secrets: cryptographic keys and passwords. First, I’ll explain why Wickr has opted to use passwords. Next, I’ll describe exactly how they are used. Finally, I’ll address the potential threats password use exposes us to and what Wickr does to mitigate those threats.

Why Passwords?

A central privacy feature of Wickr is its ability to support accounts identified by arbitrary usernames. This plays a particularly important role in providing users with a platform for both end-to-end secure and anonymous communication (Wickr Me). This is even more critical when Wickr’s goal is to allow users to access their accounts from multiple devices. However, when departing from a model where accounts are bound to verifiable external identities - such as, say, a phone number, email address, or Facebook account - we must address the question of how access to Wickr accounts can be restricted to their owners. To this end, presently, access to Wickr accounts is protected using passwords.

On the positive side, this means that users can create completely anonymous accounts not tied to any external identifying information (especially when using Wickr via an anonymizing service like Tor). It also means that the security of these accounts does rely on the security of an external system - think an email provider or a phone network. However, if not designed and implemented correctly, it also may create potential new vulnerabilities. This paper goes over exactly how passwords are used by Wickr and explains how we help minimize these risks.

How Are Passwords Used?

From the user’s point of view, passwords serve a single purpose: to log in to user accounts from a fresh device. Behind the scenes, the login process actually consists of two steps. Once a user has provided the Wickr app with a username and password, the app first executes the authentication protocol with the Wickr server. Assuming this step succeeds, in the second step, the server sends over the account’s escrow bundle. This is basically a ciphertext encrypted using the account’s password containing all the secret key material, contacts, and other data belonging to the user’s account. The app uses the password to decrypt the escrow bundle and finishes setting up the account on the local device.
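The second login step, in which the app decrypts a server-held escrow bundle with the account password, can be sketched as follows. This is an added example, not Wickr's code: the KDF (scrypt), the cipher (AES-256-GCM), binding the username as associated data, the bundle layout and every function name are assumptions, since the page does not specify them.

```javascript
// Added illustration, not Wickr's implementation. The KDF (scrypt), the cipher
// (AES-256-GCM), the bundle layout and all names here are assumptions.
const crypto = require("crypto");

const KDF = { N: 16384, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the password into a 256-bit key; the per-bundle salt defeats precomputation.
function deriveKey(password, salt) {
  return crypto.scryptSync(password.normalize("NFKC"), salt, 32, KDF);
}

// Client side, at account setup or update: build the ciphertext the server stores.
function sealEscrowBundle(password, username, accountData) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  cipher.setAAD(Buffer.from(username, "utf8")); // bind the bundle to one account
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(accountData), "utf8"),
    cipher.final(),
  ]);
  const b64 = (buf) => buf.toString("base64");
  return { salt: b64(salt), nonce: b64(nonce), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Client side, step two of login on a fresh device. Returns the account data,
// or null when the password is wrong or the bundle was altered.
function openEscrowBundle(password, username, bundle) {
  const raw = (s) => Buffer.from(s, "base64");
  try {
    const key = deriveKey(password, raw(bundle.salt));
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw(bundle.nonce));
    decipher.setAAD(Buffer.from(username, "utf8"));
    decipher.setAuthTag(raw(bundle.tag));
    const pt = Buffer.concat([decipher.update(raw(bundle.ct)), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null; // tag check failed: never use partially decrypted output
  }
}

// Constructed sample data.
const sample = { identityKey: "constructed-key-material", contacts: ["alice", "bob"] };
const stored = sealEscrowBundle("correct horse battery staple", "user1234", sample);
console.log(openEscrowBundle("correct horse battery staple", "user1234", stored));
console.log(openEscrowBundle("wrong password", "user1234", stored));
```

Because anyone holding the stored bundle can test password guesses offline against the authentication tag, the cost parameters of the KDF and the strength of the password bound the protection such a bundle provides.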