
A Case Study on End-to-End Encryption Used in WhatsApp

WhatsApp, since its inception six years ago, has quickly grown into a global phenomenon, becoming one of the most popular mobile-based communications applications in the world today. With a user base that eclipsed one billion in February, WhatsApp provides a service that potentially endangers the privacy of over 10% of the entire human population. In order to address these security concerns, it was announced in early April that the application now offers full end-to-end encryption (E2EE), meaning all messages, calls, and files, in both one-on-one and group settings, are completely secure from hackers or even WhatsApp itself. In addition to this announcement, WhatsApp released a technical white paper detailing the newly incorporated security protocol, from session establishment to actual message encryption, all to support its claim of achieving E2EE. We are here to examine the low-level technical features of each component of the proposed security scheme as well as the algorithms that were utilized, ultimately analysing whether the system as a whole does indeed provide the level of security that it takes credit for.

2. Need for Encryption
A) Messages were sent as plain text between two clients.
B) All the messages were stored on the server until they were read by the recipient.
C) WhatsApp's adoption of end-to-end encryption follows Apple's debate with the FBI over the unlocking of a terrorist's iPhone. During the dispute Jan Koum, WhatsApp’s co-founder, said that he supported Apple's position and admired its "efforts to protect user data".
D) In March it was revealed that WhatsApp had been targeted by court orders asking to access information it holds.


3. End-to-End Encryption Used in WhatsApp
WhatsApp Messenger allows people to exchange messages (including chats, group chats, images, videos, voice messages and files) and make WhatsApp calls around the world. WhatsApp messages, voice and video calls between a sender and receiver that use WhatsApp client software released after March 31, 2016 are end-to-end encrypted.
The Signal Protocol, designed by Open Whisper Systems, is the basis for WhatsApp’s end-to-end encryption. This end-to-end encryption protocol is designed to prevent third parties and WhatsApp from having plaintext access to messages or calls. What’s more, even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages.
WhatsApp partnered with Open Whisper Systems for the cryptographic portions of messaging. The process involves a variation of Off the Record (OTR), Perfect Forward Secrecy (PFS), and the Double Ratchet Algorithm (DRA).
3. Terms and Technology Used
A) Public Key Types
Identity Key Pair – A long-term Curve25519 key pair, generated at install time.
Signed Pre Key – A medium-term Curve25519 key pair, generated at install time, signed by the Identity Key, and rotated on a periodic timed basis.
One-Time Pre Keys – A queue of Curve25519 key pairs for one time use, generated at install time, and replenished as needed.
B) Session Key Types
Root Key – A 32-byte value that is used to create Chain Keys.
Chain Key – A 32-byte value that is used to create Message Keys.
Message Key – An 80-byte value that is used to encrypt message contents. 32 bytes are used for an AES-256 key, 32 bytes for a HMAC-SHA256 key, and 16 bytes for an IV.
C) Initiating Session Setup
To communicate with another WhatsApp user, a WhatsApp client first needs to establish an encrypted session. Once the session is established, clients do not need to rebuild a new session with each other until the existing session state is lost through an external event such as an app reinstall or device change.
To establish a session:
1. The initiating client (“initiator”) requests the public Identity Key, public Signed Pre Key, and a single public One-Time Pre Key for the recipient.
2. The server returns the requested public key values. A One-Time Pre Key is only used once, so it is removed from server storage after being requested. If the recipient’s latest batch of One-Time Pre Keys has been consumed and the recipient has not replenished them, no One-Time Pre Key will be returned.
3. The initiator saves the recipient’s Identity Key as I_recipient, the Signed Pre Key as S_recipient, and the One-Time Pre Key as O_recipient.
4. The initiator generates an ephemeral Curve25519 key pair, E_initiator.
5. The initiator loads its own Identity Key as I_initiator.
6. The initiator calculates a master secret as master_secret = ECDH(I_initiator, S_recipient) || ECDH(E_initiator, I_recipient) || ECDH(E_initiator, S_recipient) || ECDH(E_initiator, O_recipient). If there is no One-Time Pre Key, the final ECDH is omitted.

D) Exchanging Messages

Once a session has been established, clients exchange messages that are protected with a Message Key using AES-256 in CBC mode for encryption and HMAC-SHA256 for authentication. The Message Key changes for each message transmitted, and is ephemeral, such that the Message Key used to encrypt a message cannot be reconstructed from the session state after a message has been transmitted or received. The Message Key is derived from a sender’s Chain Key that “ratchets” forward with every message sent. Additionally, a new ECDH agreement is performed with each message roundtrip to create a new Chain Key. This provides forward secrecy through the combination of both an immediate “hash ratchet” and a round trip “DH ratchet.”
E) Calculating a Message Key from a Chain Key
Each time a new Message Key is needed by a message sender, it is calculated as:
1. Message Key = HMAC-SHA256(Chain Key, 0x01).
2. The Chain Key is then updated as Chain Key = HMAC-SHA256(Chain Key, 0x02).
This causes the Chain Key to “ratchet” forward, and also means that a stored Message Key can’t be used to derive current or past values of the Chain Key.
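An added example (not from the WhatsApp white paper or the original post) of the hash ratchet above, generalized to a receiver that tolerates out-of-order delivery. The HKDF-SHA256 expansion of the 32-byte HMAC output into the 80-byte Message Key, its info label, and the skipped-key cache are assumptions of this sketch, since the page does not say how those parts work.

```python
import hashlib
import hmac

def _h(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def ratchet_step(chain_key: bytes):
    """One hash-ratchet step: (32-byte message seed, next Chain Key)."""
    return _h(chain_key, b"\x01"), _h(chain_key, b"\x02")

def expand_message_key(seed: bytes, info: bytes = b"example-message-keys"):
    """Assumed HKDF-SHA256 expansion of the seed to the 80-byte Message Key."""
    prk, okm, block, i = _h(b"\x00" * 32, seed), b"", b"", 1
    while len(okm) < 80:
        block = _h(prk, block + info + bytes([i]))
        okm, i = okm + block, i + 1
    return okm[:32], okm[32:64], okm[64:80]   # AES-256 key, HMAC key, IV

def sender_keys(chain_key: bytes, count: int):
    """Message Keys for `count` consecutive messages from one Chain Key."""
    keys = []
    for _ in range(count):
        seed, chain_key = ratchet_step(chain_key)
        keys.append(expand_message_key(seed))
    return keys

class ReceivingChain:
    """Receiver state: advances the chain, erases each key once it is used."""
    def __init__(self, chain_key: bytes):
        self.chain_key, self.next_index, self.skipped = chain_key, 0, {}

    def keys_for(self, index: int):
        if index not in self.skipped:
            if index < self.next_index:
                raise KeyError("message key already used and erased")
            # Ratchet forward, caching seeds of messages not yet delivered.
            # A real client would cap how far ahead it is willing to skip.
            while self.next_index <= index:
                seed, self.chain_key = ratchet_step(self.chain_key)
                self.skipped[self.next_index] = seed
                self.next_index += 1
        return expand_message_key(self.skipped.pop(index))
```

Because the old Chain Key is overwritten at every step and each seed is popped on use, a later compromise of `ReceivingChain` exposes only undelivered and future messages in that chain.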


4. End-to-End Encryption – Advantages
The new end-to-end encryption feature is based on the Signal Protocol, designed by Open Whisper Systems.
According to the technical White Paper on WhatsApp encryption, the end-to-end encryption protocol has been designed to prevent third parties and WhatsApp from having plaintext access to messages or calls.
From now on, when you send any message to a group or an individual, the data will only be visible to you and the group/individual you sent it to—no one else can peep inside that message.
A blog said: “No one can see inside that message. Not cyber criminals. Not hackers. Not oppressive regimes. Not even Whatsapp. End-to-end encryption helps to make communication via WhatsApp private – sort of like a face-to-face conversation.” Now this is an amazing initiative, considering the exponential increase of hackers in the recent past. With more people using smartphones and instant messaging platforms for business, the new feature will certainly assist users in keeping data protected from cyber criminals.
In fact, more businesses and organizations are relying heavily on mobile-based messaging platforms to discuss company policies, plans, and other confidential details. In such a scenario, this feature will definitely help in safeguarding data better.
With the new end-to-end encryption feature, WhatsApp will not only protect text messages, but will also secure photos, videos, voice messages, documents, and even calls.
Now individual users will be able to share data without any hiccups. As mentioned earlier, WhatsApp claims that even they cannot access the message.
According to another blog, with the new update, all your messages on WhatsApp will be secured with a lock and “only the recipient and you have the special key” to unlock and access them.
“For added protection, every message you send has its own unique lock and key. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages,” the blog added.
5. End-to-End Encryption – Disadvantages
While the aforementioned points indicate that the Facebook-owned instant messaging app is taking serious measures to meet the security requirements of users, there is a serious loophole that needs to be addressed to make it foolproof.
Sure the new measure will prevent cyber-crimes, hacking, and misuse of data, but at the same time it will become a safe haven for terrorists and criminals to communicate, which is a huge setback.
In Apple’s case, the main issue raised was related to iPhone users, which is a fraction of WhatsApp users in the world. However, encrypting the messaging platform opens the door for a large number of criminals and terrorists to communicate safely without coming under the radar.
While encrypting messages is a great step by WhatsApp, they should also figure out a way to accumulate as much user data as possible at the time of signing up/installing WhatsApp. Currently, the process of joining the messaging service is so simple that even a 10-year-old can set it up in less than five minutes. With augmented focus on safekeeping data, the company should at least try to come up with a restricted sign-up process to avoid malicious users.
To sum it up, the new end-to-end encryption protocol is definitely something that will protect you from cyber-attacks, hackers, and government monitoring.
However, the WhatsApp crew should also look for ways to tighten the initial installation/signup procedure to avoid unwanted users, and have some record about each of its users in case of an emergency.
CONCLUSION
Messages between WhatsApp users are protected with an end-to-end encryption protocol so that third parties and WhatsApp cannot read them and so that the messages can only be decrypted by the recipient. All types of WhatsApp messages (including chats, group chats, images, videos, voice messages and files) and WhatsApp calls are protected by end-to-end encryption.

WhatsApp servers do not have access to the private keys of WhatsApp users, and WhatsApp users have the option to verify keys in order to ensure the integrity of their communication.
WhatsApp claims this loophole exists so that if someone changes their phone, and therefore their automatic security key, messages will still send so as not to disrupt service. This is, to be fair, a valid point, as not doing so would disrupt the service of 1 billion people relatively frequently. WhatsApp's full statement can be found here via Reddit.
