WARP key wrap

Crypto - warp-crypto

CRY-07 - status: review - audio, video

WARP adds a per-call authentication key and a truncated per-packet MESSAGE-INTEGRITY tag, carried by the audio-piggyback RTP extension word.

WARP adds a per-call authentication key and a per-packet MESSAGE-INTEGRITY (MI) tag on top of the E2E SRTP payload cipher (srtp-e2e). RTP extension profile: 0xDEBE.

WARP auth key. Derive from the 32-byte call key (callKey, see call-offer) with HKDF-SHA256:

IKM  = callKey                   ; full 32 bytes
salt = (empty)                   ; zero-length
info = "warp auth key"           ; ASCII, no NUL terminator
L    = 32
authKey = OKM(32)

Derivation MUST NOT run unless callKey is exactly 32 bytes.

MI tag. First 4 bytes of HMAC-SHA1 over the protected packet bytes (everything preceding the tag) concatenated with the 32-bit ROC in big-endian:

tag  = HMAC-SHA1(authKey, packet_without_tag || ROC_be32)[0..4]
wire = packet_without_tag || tag(4)

ROC_be32 is the 4-byte big-endian encoding of the same ROC used to build the E2E SRTP packet index. The sender MUST append the 4-byte tag to every protected packet.

Audio piggyback extension. The MI tag is carried via a WARP RTP extension, selected by 0-based packet index:

packet_index 0, 1  -> no piggyback word (empty extension)
packet_index >= 2  -> piggyback word 0x30010000

The piggyback word MUST be emitted as a big-endian 32-bit value (0x30 0x01 0x00 0x00).

Notes. The MI tag is present on the wire but the receiver does not re-verify it; the payload cipher's correctness gates a valid frame.
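The derivation, tag and piggyback rules above, as an added Python sketch using only the standard library (not code from the spec or from any listed flavor). The function names, the `tag_matches` test helper and the sample key and packet bytes are assumptions constructed for illustration; `piggyback_extension` returns only the extension word, not a full RTP header extension.

```python
import hashlib
import hmac
import struct

INFO = b"warp auth key"        # ASCII, no NUL terminator
PIGGYBACK_WORD = 0x30010000    # audio piggyback word from the spec


def derive_auth_key(call_key: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869): IKM = callKey, empty salt, L = 32."""
    if len(call_key) != 32:
        raise ValueError("callKey must be exactly 32 bytes")
    # Extract: RFC 5869 treats an empty salt as HashLen zero bytes.
    prk = hmac.new(b"\x00" * 32, call_key, hashlib.sha256).digest()
    # Expand: L equals HashLen, so the single block T(1) is the whole OKM.
    return hmac.new(prk, INFO + b"\x01", hashlib.sha256).digest()


def mi_tag(auth_key: bytes, packet_without_tag: bytes, roc: int) -> bytes:
    """First 4 bytes of HMAC-SHA1(authKey, packet_without_tag || ROC_be32)."""
    msg = packet_without_tag + struct.pack(">I", roc)
    return hmac.new(auth_key, msg, hashlib.sha1).digest()[:4]


def protect(auth_key: bytes, packet_without_tag: bytes, roc: int) -> bytes:
    """wire = packet_without_tag || tag(4)."""
    return packet_without_tag + mi_tag(auth_key, packet_without_tag, roc)


def tag_matches(auth_key: bytes, wire: bytes, roc: int) -> bool:
    """Hypothetical test helper: constant-time check of the trailing tag."""
    if len(wire) < 4:
        return False
    return hmac.compare_digest(mi_tag(auth_key, wire[:-4], roc), wire[-4:])


def piggyback_extension(packet_index: int) -> bytes:
    """Empty extension for packets 0 and 1, big-endian word from index 2 on."""
    return b"" if packet_index < 2 else struct.pack(">I", PIGGYBACK_WORD)


if __name__ == "__main__":
    call_key = bytes(range(32))                    # constructed sample callKey
    packet = bytes.fromhex("90780002000003c0deadbeef") + b"ciphertext"  # constructed
    key = derive_auth_key(call_key)
    for idx in range(3):
        wire = protect(key, packet, roc=0)
        print(idx, piggyback_extension(idx).hex() or "-", wire[-4:].hex(),
              tag_matches(key, wire, 0))
```

`tag_matches` is meant for checking a sender implementation against this reference; the spec does not require receivers to verify the tag.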

Requires: srtp-e2e, call-offer

Implemented by

Flavor Status Source Notes
whatsapp-rust working history - blame - commits 674e851
zapo-caller working
meowcaller planned

Annotation wacrg:CRY-07 — a flavor marks its implementation site in source with this comment; a script clones the source, finds it, and attaches the commit blame/permalink.

Contributors

Contributor Role
Rajeh Taher wrote initial spec


Open questions

  • Whether the receiver is ever required to verify the WARP MI tag, and what action a mismatch triggers.
  • The full meaning of the 0x30010000 piggyback word beyond signalling MI presence, and the video-stream piggyback schedule (only the audio schedule is pinned).
  • Whether the empty-extension-then-piggyback start offset (index >= 2) is fixed on the wire or negotiable.

References

  • RFC 2104 — HMAC
  • RFC 5869 — HKDF
  • RFC 8285 — A General Mechanism for RTP Header Extensions

Changelog

  • 2026-06-21 — Initial spec entry.
