Amazon Web Services Wickr – A Secure, End-to-End Encrypted Communication Service For Enterprises With Auditing And Regulatory Requirements

I am excited to announce the availability of [Amazon Web Services Wickr](https://aws.amazon.com/wickr/), an enterprise communications service with end-to-end encryption that allows businesses and public sector organizations to communicate more securely while meeting auditing and regulatory requirements such as e-discovery, legal hold, and [FOIA requests](https://www.foia.gov/). Unlike many enterprise communication tools, Wickr uses end-to-end encryption to ensure that your messages, files, voice calls, and video calls are accessible only to their intended recipients.

The flexible administrative controls make it easy for your Wickr administrator to manage the communication channels and, when required, retain information to meet regulatory requirements. The retained information is stored on the servers you choose and stays entirely under your control.

### End-to-End Encryption

Wickr provides secure communication between two or more correspondents. This means the system provides authenticity and confidentiality: no unauthorized party can inject a message into the system, and no unintended party can access or understand the communications unless one of the correspondents gives them to it.

Each message gets a unique AES encryption key and a unique ECDH public key to negotiate the key exchange with the recipients. The message content (text, files, audio, or video) is encrypted on the sending device (your iPhone, for example) using the message-specific AES key. The message-specific AES key is exchanged with recipients via an elliptic-curve [Diffie-Hellman](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) key exchange (ECDH-521). This ensures that only the intended recipients hold the message-specific AES key needed to decrypt the message.

Message-specific keys are passed through a key derivation function that binds the key exchange to a recipient device. When the recipient adds devices to their account later on (for example, I add a macOS client to my Wickr account in addition to my iPhone), the new device does not see the message history by default. There is a way to migrate history from your old device to your new device if you have both devices at hand and single sign-on (SSO) configured.

I drew the diagram below to show how the key exchange works at a high level.

![image.png](https://dev-media.amazoncloud.cn/60b1a2fbf9df4d3c94a772f97eea0410_image.png)

The [Wickr secure messaging protocol](https://wickr.com/wickrs-messaging-protocol/) is open and documented, allowing the community to inspect it. The source code we use in Wickr clients to implement the secure messaging protocol [is available to audit and review](https://github.com/WickrInc/wickr-crypto-c).

### Wickr Client Application

The Wickr client application is familiar to end users and easy to get started with. It is available for Windows, macOS, Linux, Android, and iOS devices. Once downloaded from a preferred app store and registered, users can create chat rooms or send messages to individual recipients. They may use emoticons to react to messages, exchange files, and make audio and video calls.

Here I am on macOS connected with me on iOS in my kitchen.

![image.png](https://dev-media.amazoncloud.cn/bef0641953cc48a286588df691de5658_image.png)

### Wickr for the Administrator

Wickr administration is now integrated and available in the [Amazon Web Services Management Console](https://console.aws.amazon.com/). You can control access to Wickr administration using familiar [Amazon Web Services Identity and Access Management (IAM)](https://aws.amazon.com/iam/) access control and policies. It is integrated with the [Amazon Web Services Cloud Development Kit (Amazon Web Services CDK)](https://aws.amazon.com/cdk/) and with [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) for monitoring.

A Wickr administrator manages networks. A network is a group of users and its related configuration, similar to a Slack workspace. Users can be added manually or imported. Most organizations will federate users through an existing identity system; Wickr federates users with any [OpenID Connect](https://openid.net/connect/)-compliant system.

A Wickr network is also where Wickr administrators configure security groups to manage messaging, calling, security, and federation settings, and where they configure logging, data retention, and bots.

To get started, I select Wickr in the Amazon Web Services Management Console. Then, I select **Create a network**. I enter a **Network name**, and I select **Continue**.

![image.png](https://dev-media.amazoncloud.cn/75b12a859a794699acda34f516f25c83_image.png)

The Wickr page of the Management Console lets you configure the Wickr network, the user federation with other Wickr networks, and more.

![image.png](https://dev-media.amazoncloud.cn/0075de0de3f048cfbca27069ab7b896a_image.png)

In this demo, I don’t use single sign-on. I manually add two users by selecting **Create new user**. Once added, each user receives an invitation email with links to the client app. The client app asks the user to define a password at first use.

### Customer-Controlled Data Retention and Bots

Wickr allows administrators to selectively retain information that must be kept for regulatory needs in a secure, controlled data store that they manage. No one other than the recipient—including Amazon Web Services—has access to the keys needed to decrypt conversations or documents, giving organizations full control over their data. This lets organizations in the public sector use Wickr for their secure collaboration needs.

Data retention is implemented as a process added to conversations, like a participant. The data retention process takes part in the key exchange just like any recipient, which allows it to decrypt the messages. The data retention process can run anywhere: on-premises, on an [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/) virtual machine, or at any location of your choice. Once data retention is configured in the console, Wickr administrators can start the data retention process and register it with their Wickr network.

![image.png](https://dev-media.amazoncloud.cn/235285a04e8e49b988c3061b14e9fae7_image.png)

The data retention process is available as a [Docker container](https://hub.docker.com/r/wickr/bot-compliance-cloud) for ease of deployment. The process stores clear text messages on the storage of your choice: a local or remote file system or [Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/).

To try this process, I [follow the documentation](https://docs.aws.amazon.com/wickr/latest/adminguide/configure-data-retention.html). I open the Wickr administration page and select **Data Retention** under **Network Settings**.

![image.png](https://dev-media.amazoncloud.cn/6b800a42ef1f41f69a035f8993c3b003_image.png)

I copy the `docker` command, the **Username**, and the **Password** (not shown in the previous screenshot). Then, I connect to a Linux EC2 instance I created beforehand. I create a local directory for data retention, and I start the container (the backslashes continue the command across lines):

```
docker run -v \
 /home/ec2-user/retention_34908291_bot:/tmp/retention_34908291_bot \
 --restart on-failure:5 \
 --name="retention_34908291_bot" \
 -it \
 -e WICKRIO_BOT_NAME='retention_34908291_bot' \
 wickr/bot-retention-cloud:5.109.08.03
```

The application prompts for the username and password collected in the console.
When the process starts, I return to the console and activate the **Data Retention** switch at the bottom of the screen.

Note that for this demo, I chose to store data on the local file system. In practice, you might want to use S3 to store all your organization's communications securely, encrypt the data at rest, and use the access control mechanisms you already have in place for this data; the retention store holds clear text, so it needs the same protection as any other sensitive repository. The data retention process natively supports integration with [Amazon Web Services Secrets Manager](https://aws.amazon.com/secrets-manager/) and S3.

As a user, I exchange a few messages in a Wickr room. Then, as an administrator, I look at the captured data. I can observe that the data retention process captured the message and its metadata in JSON format.

![image.png](https://dev-media.amazoncloud.cn/19b0cd27ce8845938bb74967f858c4b5_image.png)

Once the data retention capability is configured, compliance and security officers can audit and review communications in a secure and controlled data store.

The retention bot is not the only bot available for Wickr. The Wickr Broadcast Bot lets you broadcast messages to all members of your network or to specific security groups. Developers can create workflows using [Wickr Bots](https://wickrinc.github.io/wickrio-docs/#wickr-io) to automate chat-based workflows and integrate them with other systems. In general, a bot is a process integrated into a conversation or chat room that can receive and act upon messages. Developers write bots with [NodeJS](https://nodejs.org/en/). Bot processes integrate securely with a Wickr network, as defined by the network administrator, and are typically packaged as Docker containers for ease of deployment at the location of your choice. If you are a developer, have a look at the [Wickr bot developer documentation](https://wickrinc.github.io/wickrio-docs/#wickr-io) to learn all the details.

### Pricing and availability

Wickr is available in the US East (N. Virginia) Amazon Web Services Region.

Wickr is free for the first 3 months for individuals and teams of up to 30 users looking for a more secure workspace. For organizations with more than 30 users, there is a standard plan starting at $5 per user per month and a premium plan at $15 per user per month. The premium plan adds features and retention capabilities such as granular administrative controls, a client-side data expiration timer of up to 1 year, data retention, and e-discovery. As usual, there are no upfront fees or long-term commitments. You pay per user and per month (annual billing is available; [contact us](https://pages.awscloud.com/wickr-contact-us)). Have a look at the [pricing page](https://aws.amazon.com/wickr/pricing/) for details.

### [Create your first Wickr network today!](https://aws.amazon.com/wickr/)

-- [seb](https://twitter.com/sebsto)

![image.png](https://dev-media.amazoncloud.cn/387b38420b414089ad9e62c8dd957c2d_image.png)

### [Sébastien Stormacq](https://aws.amazon.com/blogs/aws/author/stormacq/)

Seb has been writing code since he first touched a Commodore 64 in the mid-eighties. He inspires builders to unlock the value of the Amazon Web Services cloud, using his secret blend of passion, enthusiasm, customer advocacy, curiosity, and creativity. His interests are software architecture, developer tools, and mobile computing. If you want to sell him something, be sure it has an API. Follow him on Twitter @sebsto.