What makes Threema secure?

Threema uses state-of-the-art asymmetric cryptography to protect messages and calls between sender and receiver, as well as the communication between the app and the servers. Threema uses the open-source library NaCl  for encryption. Since the Threema apps are open source, anyone knowledgeable enough can confirm Threema’s security on their own.

There are two layers of encryption: the end-to-end layer between the conversation participants, and an additional layer to protect against eavesdropping of the connection between the app and the servers. The latter is necessary to ensure that an adversary who captures network packets (e.g. on a public wireless network) cannot even learn who is logging in and who is communicating with whom.

All encryption and decryption happens directly on the device, and the user is in control over the key exchange. This guarantees that no third party — not even the server operators — can decrypt the content of the messages and calls.

Strength of the encryption: The asymmetric ECC based encryption used by Threema has a strength of 255 bits. According to a NIST estimate (page 54), this corresponds at least with the strength provided by 2048 bit RSA. ECDH on Curve25519 is used in conjunction with a hash function and a random nonce to derive a unique 256 bit symmetric key for each message, and the stream cipher XSalsa20 is then used to encrypt the message. A 128 bit message authentication code (MAC) is also added to each message to detect manipulations/forgeries.

Forward secrecy: Threema provides forward secrecy on the network connection (not on the end-to-end layer). Client and server negotiate temporary random keys, which are only stored in RAM and replaced every time the app restarts. An attacker who has captured the network traffic will not be able to decrypt it even if he finds out the long-term secret key of the client or the server after the fact.

For detailed technical information about the cryptography in Threema, read the Cryptography Whitepaper.