Using Germ DM
This page was last updated on August 27, 2024
This guide explains how Germ’s technology works and how to understand and use our features to protect your experience. Some of our features and ways of interacting may be familiar to you and others may be new. Germ DM is an emerging product that is continually growing in response to your feedback, which we gladly receive by email or in our Discord.
Our Cryptography
How do you use cryptography?
Each card has a corresponding root signing key (Ed25519), which asserts the user-facing data (name, photo, etc) that should be associated with the key, and its connection to additional scoped signing keys for each connection you make.
When you share a card, you’re sharing
the root public key and its assertions about your name, photo, and other information on the face of the card, and that you can setup a channel using an additional scoped key.
a scoped public key that is used to set up E2EE channel(s) for this share action - it asserts addresses and a MLS keypackage.
When you share a card, the Germ app symmetrically encrypts this data (with ChaCha20-Poly1305) and uploads it to Germ’s servers. The link to the encrypted card at Germ, and the symmetric key that unlocks it, are packaged as a URL with the key in the URL fragment, so that Germ never receives the symmetric key. This link can be shared as-is or packaged as a QR code. Anyone who possesses the full link can see the contents of a shared card.
With a decrypted card that contains public keys and addresses, you can send a message asymmetrically encrypted to the creator of the card.
In sum, when exchanging cards and messaging on Germ:
The first card is symmetrically encrypted with ChaCha20-Poly1305
A MLS welcome, in reply to the first card, is asymmetrically encrypted using HPKE in base mode.
Subsequent messages, depending on both parties possessing each other’s cards, are sent using MLS.
What cryptographic libraries do you use?
The Germ app uses the built-in CryptoKit library from the iOS SDK for all cryptographic primitives. We use the mls-rs implementation of the MLS protocol, adapted to use CryptoKit as the crypto provider.
For MLS, we use the MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519 cipher suite. We additionally protect MLS message metadata by wrapping it in ChaCha20-Poly1305 symmetric encryption with a key derived from the MLS epoch. For the MLS welcome, we encrypt it with the corresponding HPKE cipher suite comprised of X25519 key agreement, SHA-256 key derivation, and ChaCha20-Poly1305 symmetric encryption.
We use Web Crypto on our servers to authenticate requests from your app (against a separate Ed25519 signing key from those on your cards), and to symmetrically encrypt push notification payloads (using AES-GCM) through the Apple Push Notification Service, to the receiving app.
