Fundamentals
In Verji, all data is protected by encryption, both in-flight, and at rest. Additionally messages, files and images, communicated in Verji rooms are protected by an additional layer of end-to-end-encryption (E2EE).
Use of standards
Adversaries and attackers have access to increasingly powerful tools and methods, so while expertise and knowledge used to be crucial requirements for effective attacks, we are now getting into a situation where motivation, is the only requirement to launch advanced attacks.
Additionally, implementing secure technology is notoriously hard to do.
With this as a backdrop, Verji Tech avoids inventing new crypto, and new protocols, and instead relies on industry standards, best practise, and battle tested frameworks and implementations wherever possible.
The core of Verji is based on Matrix, which is an open standard and protocol, with a vibrant community, and a healthy and transparent governance model (https://matrix.org/about/)
With this strategy Verji is in good company, as numerous other security-conscious organizations have chosen to build their solutions on the same core technologies, e.g.
- German Armed Forces:https://element.io/blog/bundesmessenger-is-a-milestone-in-germanys-ground-breaking-vision/
- Gematik (German Healthcare):https://element.io/matrix-in-germany/projects/ti-messenger
- French Government: https://element.io/case-studies/tchap
- Sweden: https://element.io/blog/dsam-och-esam-forordar-matrix-for-saker-och-federerad-kommunikation-inom-sveriges-offentliga-sektor/
- Mozilla: https://matrix.org/blog/2019/12/19/welcoming-mozilla-to-matrix/
Messaging
Verji employs battle tested and industry recognized methods for message encryption. Verji employ Elliptic Curve Cryptopgraphy (ECC) along with Advanced Encryption Standard (AES), to protect content such as
messages, files and images. To support asynchronous communication, where all parties may not be online at the same time, we use a Double Ratched algorithm (https://en.m.wikipedia.org/wiki/Double_Ratchet_Algorithm.)
Specifically, Verji uses an implementation of the Double Ratchet algorithm called Olm. To allow effective communications also in group conversations with many participants, a group ratchet called Megolm is used. For details about Olm and Megolm, please see:
- https://gitlab.matrix.org/matrix-org/olm/-/blob/master/docs/olm.md
- https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md
A third party, independent, analysis and audit of Olm 1.3.0 can be found here:
The vulnerabilities covered in the report were addressed and patched in subsequent release of Olm (v2.0.0 fra 25/10-2016).
A more recent, Rust based, implementation of the Olm and Megolm protocols (called Vodozemac) is developed and maintained here:
And a third party analysis and audit of the implemention can be found here:
To exchange messages, and negotiate keys, Verji use the open, battle tested and well documented Matrix protocol https://en.wikipedia.org/wiki/Matrix_(protocol)
An analysis of the key exchange protocol in matrix can be found here:
Authentication and authorization
Authentication
To authenticate users Verji use the industry standard OpenIdConnect protocol, which is based on the OAuth 2.0 framework. The implementation uses the mature and OpenId certified, Duende framework, which is also featured in the official Microsoft Identity documentation:
- https://duendesoftware.com/
- https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-8.0&tabs=visual-studio
Authorization
Fine grained access control is implemented in Verji using the popular Casbin framework.
Summary
To summarize; Verji uses well established, well tested, industry standard algorithms, protocols and frameworks to secure the user’s messages and accounts.
