WhatsApp has extended the Signal Protocol it uses to provide end-to-end encryption to all platforms.
Open Whisper Systems said it has integrated its Signal Protocol into WhatsApp’s Android, iPhone, Windows Phone, Nokia S40, Nokia S60, BlackBerry, and BlackBerry 10 apps.
Signal Protocol is an open-source, forward-secure, encryption protocol for asynchronous messaging systems.
WhatsApp released a white paper which gives a technical overview of how its encryption system works – as detailed below.
How encryption works
Encryption systems are typically based on a combination of public-key and symmetric-key cryptography.
In public-key cryptography, you and the person you want to chat to generate two “keys”: a public one that anyone can see, and a private one that you have to keep secret.
You use someone’s public key to encrypt a message only they can see, which they decrypt with their secret private key. This is illustrated below.
For a messaging system like WhatsApp, private keys are typically used to exchange symmetric keys – which must be securely generated.
Messages are then encrypted with the shared symmetric keys, which all parties in a conversation share.
The Signal Protocol implemented in WhatsApp is more complex than the example above, with more keys used to generate other keys.
For example, the same symmetric key is not used to encrypt all messages in a conversation, but WhatsApp avoids the expensive operation of exchanging the new key with a public-key encrypted message.
Although there are differences between the example above and the Signal Protocol, the principle remains the same.
When you register, WhatsApp sends a public Identity Key, public Signed Pre Key with its signature, and a batch of public One-Time Pre Keys to the server.
WhatsApp’s servers never access your private keys.
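The public-key step described above, as an added illustration that is not code from WhatsApp or from the white paper: each side generates a Curve25519 (X25519) key pair, publishes only the public half, and combines its own private key with the other side's public key. Both sides arrive at the same shared secret, which is then turned into a 32-byte symmetric key. The `Party`, `Agree` and `DeriveRootKey` names, and the HMAC label used to derive the key, are assumptions made for this example; the real protocol derives its Root Key from several such agreements, not one.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party holds one side's Curve25519 (X25519) key pair. The private half never
// leaves the device; only Public() is sent to the server. (Illustrative type.)
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh key pair, as a client does at install time.
func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Public returns the 32-byte public key that anyone may see.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// SharedSecret runs X25519 with this party's private key and the peer's public key.
func (p *Party) SharedSecret(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return p.priv.ECDH(pub)
}

// DeriveRootKey turns the raw shared secret into a 32-byte symmetric key using
// HMAC-SHA256 with a fixed label (label chosen for this example).
func DeriveRootKey(shared []byte) []byte {
	mac := hmac.New(sha256.New, []byte("example-root-key-label"))
	mac.Write(shared)
	return mac.Sum(nil)
}

// Agree performs the exchange from both sides and reports whether the
// independently derived keys are identical (they must be, or no session exists).
func Agree(a, b *Party) (rootA, rootB []byte, ok bool, err error) {
	sa, err := a.SharedSecret(b.Public())
	if err != nil {
		return nil, nil, false, err
	}
	sb, err := b.SharedSecret(a.Public())
	if err != nil {
		return nil, nil, false, err
	}
	rootA, rootB = DeriveRootKey(sa), DeriveRootKey(sb)
	return rootA, rootB, bytes.Equal(rootA, rootB), nil
}

func main() {
	alice, err := NewParty("Alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewParty("Bob")
	if err != nil {
		panic(err)
	}
	rootA, rootB, ok, err := Agree(alice, bob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s root key: %s\n", alice.Name, hex.EncodeToString(rootA))
	fmt.Printf("%s root key: %s\n", bob.Name, hex.EncodeToString(rootB))
	fmt.Println("keys match:", ok)
}
```

A third party who only sees the two public keys cannot compute the shared secret; a third party who substitutes its own public key for one side's gets a different key, which is what the key-verification step described later is designed to catch.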
Setting up an encrypted chat or call
Your WhatsApp clients first need to establish an encrypted session.
Once the session is established, clients do not need to set up a new session with each other unless something causes the session state to be lost.
This can happen if you reinstall the app, or switch to a different device.
Until everyone on WhatsApp has updated to the latest version of the app, some chats may still be unencrypted.
WhatsApp displays notifications in chats that are secure. You can also verify that a chat is secure via the chat’s menu.
Receiving Session Setup
After building the encryption session, the person who started the chat can start sending messages.
Until the recipient responds, the initiator includes the information needed for the recipient to build a corresponding session in the header of all messages sent.
Once a session has been established, clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication.
Large attachments – video, audio, images, or files – are also encrypted.
WhatsApp uses similar mechanisms to encrypt group messages.
One difference is that the sending WhatsApp client generates a Sender Key, which is encrypted and transmitted to each of the group’s members individually.
Whenever a group member leaves, all group participants clear their Sender Key and start over.
WhatsApp gives users the option to verify the keys of other users.
This lets you confirm that neither an unauthorised third party nor WhatsApp has initiated a man-in-the-middle attack.
This can be done by scanning a QR code, or by comparing a 60-digit number, as depicted below.
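The 60-digit comparison relies on both users computing the same string from the pair of public Identity Keys, so that a substituted key shows up as a mismatch. Below is an added example of that idea; it is not WhatsApp's or Signal's actual fingerprint algorithm, and the iteration count, the 30-digits-per-key layout and the function names are assumptions for this illustration. Each key is hashed repeatedly and rendered as 30 decimal digits; the two halves are placed in a fixed order so that neither side's result depends on who computes it.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// fingerprintDigits hashes one identity public key repeatedly (so that finding a
// second key with the same digits costs the attacker proportionally more) and
// renders 30 decimal digits from the result. Iteration count is illustrative.
func fingerprintDigits(identityPub []byte, iterations int) string {
	h := sha256.Sum256(identityPub)
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(append(h[:], identityPub...))
	}
	var sb strings.Builder
	for i := 0; i < 6; i++ {
		// Six 5-digit groups from six 4-byte windows of the digest.
		chunk := binary.BigEndian.Uint32(h[i*4:i*4+4]) % 100000
		fmt.Fprintf(&sb, "%05d", chunk)
	}
	return sb.String()
}

// ComparisonCode joins both parties' fingerprints in sorted order so that each
// side derives the identical 60-digit string regardless of which key is "mine".
func ComparisonCode(pubA, pubB []byte) string {
	fa := fingerprintDigits(pubA, 5200)
	fb := fingerprintDigits(pubB, 5200)
	if fa > fb {
		fa, fb = fb, fa
	}
	return fa + fb
}

// FormatCode groups the digits in fives for reading aloud or over the phone.
func FormatCode(code string) string {
	groups := make([]string, 0, len(code)/5)
	for i := 0; i+5 <= len(code); i += 5 {
		groups = append(groups, code[i:i+5])
	}
	return strings.Join(groups, " ")
}

func main() {
	// Constructed sample keys; real Identity Keys are random 32-byte values.
	alice := bytes.Repeat([]byte{0xA1}, 32)
	bob := bytes.Repeat([]byte{0xB2}, 32)
	mallory := bytes.Repeat([]byte{0xC3}, 32)

	fmt.Println("Alice computes:", FormatCode(ComparisonCode(alice, bob)))
	fmt.Println("Bob computes:  ", FormatCode(ComparisonCode(bob, alice)))
	// If Bob's client had been given Mallory's key instead, Alice's and Bob's
	// screens would show different numbers.
	fmt.Println("Substituted:   ", FormatCode(ComparisonCode(alice, mallory)))
}
```

The comparison only helps if it happens over a channel the server does not control (in person, or by reading the digits aloud), which is why the QR scan exists.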
All communication between WhatsApp clients and servers is layered within a separate encrypted channel.
On Windows Phone, iPhone, and Android, end-to-end encryption uses Noise Pipes with Curve25519, AES-GCM, and SHA256 from the Noise Protocol Framework for long-running interactive connections.
WhatsApp said this provides clients with:
- Extremely fast, lightweight connection setup and resume.
- Metadata is encrypted, hiding it from unauthorised network observers. No information about the connecting user’s identity is revealed.
- No client authentication secrets are stored on the server. If the server’s user database is compromised, no private authentication credentials will be revealed.
Summary of key types
Public Key Types
- Identity Key Pair – A long-term Curve25519 key pair, generated at install time.
- Signed Pre Key – A medium-term Curve25519 key pair, generated at install time, signed by the Identity Key, and rotated on a periodic basis.
- One-Time Pre Keys – A queue of Curve25519 key pairs for one-time use, generated at install time, and replenished as needed.
Session Key Types
- Root Key – A 32-byte value that is used to create Chain Keys.
- Chain Key – A 32-byte value that is used to create Message Keys.
- Message Key – An 80-byte value that is used to encrypt message contents. 32 bytes are used for an AES-256 key, 32 bytes for an HMAC-SHA256 key, and 16 bytes for an IV.
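The Chain Key to Message Key step and the per-message encryption from the "Receiving Session Setup" section, as an added example that is not WhatsApp's code: a 32-byte Chain Key is advanced with HMAC-SHA256 (the old value is discarded, which is what gives forward secrecy), expanded into the 80-byte Message Key, and split 32/32/16 into an AES-256 key, an HMAC-SHA256 key and an IV. The message is encrypted with AES-256-CBC and authenticated with HMAC-SHA256 over the ciphertext, and the receiver checks the tag before decrypting. The constants, the expansion label and the function names are assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hmacSHA256 is the single primitive behind every derivation step below.
func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// NextChainKey ratchets the 32-byte Chain Key forward. Callers discard the old
// value, so a compromised current key cannot recover earlier Message Keys.
func NextChainKey(chain []byte) []byte { return hmacSHA256(chain, []byte{0x02}) }

// MessageKey is the 80-byte value split as the article describes.
type MessageKey struct {
	AESKey []byte // 32 bytes
	MACKey []byte // 32 bytes
	IV     []byte // 16 bytes
}

// DeriveMessageKey expands a Chain Key into 80 bytes with an HKDF-style
// extract-then-expand loop (label and constants chosen for this example).
func DeriveMessageKey(chain []byte) MessageKey {
	prk := hmacSHA256(chain, []byte{0x01})
	label := []byte("example-message-keys")
	var out, t []byte
	for i := byte(1); len(out) < 80; i++ {
		input := make([]byte, 0, len(t)+len(label)+1)
		input = append(input, t...)
		input = append(input, label...)
		input = append(input, i)
		t = hmacSHA256(prk, input)
		out = append(out, t...)
	}
	return MessageKey{AESKey: out[:32], MACKey: out[32:64], IV: out[64:80]}
}

// Seal encrypts with AES-256-CBC (PKCS#7 padding) and appends an HMAC-SHA256
// tag computed over the ciphertext: encrypt-then-MAC.
func Seal(mk MessageKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(mk.AESKey)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, mk.IV).CryptBlocks(ct, padded)
	return append(ct, hmacSHA256(mk.MACKey, ct)...), nil
}

// Open verifies the tag in constant time before decrypting, so a tampered or
// forged message is rejected without ever exposing padding behaviour.
func Open(mk MessageKey, sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size+aes.BlockSize {
		return nil, errors.New("message too short")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if !hmac.Equal(tag, hmacSHA256(mk.MACKey, ct)) {
		return nil, errors.New("authentication failed")
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	block, err := aes.NewCipher(mk.AESKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, mk.IV).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	chain := bytes.Repeat([]byte{0x11}, 32) // constructed Chain Key for the demo
	for n := 1; n <= 2; n++ {
		mk := DeriveMessageKey(chain)
		sealed, err := Seal(mk, []byte(fmt.Sprintf("message %d", n)))
		if err != nil {
			panic(err)
		}
		pt, err := Open(mk, sealed)
		fmt.Printf("msg %d: %d bytes on the wire, decrypted %q, err=%v\n", n, len(sealed), pt, err)
		chain = NextChainKey(chain) // old Chain Key and Message Key are now gone
	}
}
```

Because each message gets its own Message Key and the Chain Key only moves forward, no public-key operation is needed per message, which is the saving the article refers to when it says the new key does not have to be exchanged with a public-key encrypted message.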