Better Late Than Never - WhatsApp Is Using End-to-End Encryption – Finally!
The article is written by Filip Chytry, Mobile Threat Intelligence Manager from Avast.
Can you imagine leaving your house without locking the main door? I guess not. Locking the door is a routine that we do automatically. So why there is so much noise about the latest update from WhatsApp as if the company has just reinvented communication encryption?
What is End-to-End encryption
End-to-End encryption (E2EE) is a system of communication where only the people who are communicating can read the messages. No eavesdropper can access the cryptographic keys needed to decrypt the conversation, including telecom providers, Internet providers and the company that runs the messaging service. Theoretically, that means nobody else can access your transmitted data even if and when they can intercept the traffic.
This is like using a house key and not leaving the door open, isn't it? The same standard should be followed by any App or service communicating from of your device no matter what kind of data you are transmitting.
How does End-to-End encryption technically work in WhatsApp?
To communicate with another WhatsApp user, a WhatsApp client first needs to establish an encrypted session. Once the session is established, clients do not need to rebuild a new session with each other until the existing session state is lost through an external event such as an app reinstall or device change.
To establish a session:
- The initiating client (“initiator”) requests the public Identity Key, public Signed Pre Key, and a single public One-Time Pre Key for the recipient.
- The server returns the requested public key values. A One-Time Pre Key is only used once, so it is removed from server storage after being requested. If the recipient’s latest batch of One-Time Pre Key has been consumed and the recipient has not replenished them, no One-Time Pre Key will be returned.
- The initiator saves the recipient’s Identity Key as Irecipient, the Signed Pre Key as Srecipient, and the One-Time Pre Key as Orecipient.
- The initiator generates an ephemeral Curve25519 key pair, Einitiator.
- The initiator loads its own Identity Key as Iinitiator.
- The initiator calculates a master secret as master_secret = ECDH(Iinitiator, Srecipient) || ECDH(Einitiator, Irecipient) || ECDH(Einitiator, Srecipient) || ECDH(Einitiator, Orecipient) If there is no One Time Pre Key, the final ECDH is omitted.
- The initiator uses HKDF (Extract-and-Expand Key ) to create a Root Key and Chain Keys from the master_secret.
Once a session has been established, clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication.
The Message Key changes for each message transmitted, and is ephemeral, such that the Message Key used to encrypt a message cannot be reconstructed from the session state after a message has been transmitted or received.
The Message Key is derived from a sender’s Chain Key that “ratchets” forward with every message sent. Additionally, a new ECDH agreement is performed with each message roundtrip to create a new Chain Key. This provides forward secrecy through the combination of both an immediate “hash ratchet” and a round trip “DH ratchet.”
Let's make it a little bit simpler
What happens after this process is that each device on one side A and B have exchanged private keys which are unique for each session and each user. If we compare this situation to keys from your home, it means each time you go home, you will have a new key in your pocket, but all exchanges will be done automatically without you being involved.
Why is WhatsApp's end-to-end encryption not such a big step forward?
I know immediately this is big news, but don't you think your privacy should be protected from the very beginning once you are actually installing any application? I can understand when some early-stage startups can't afford to have encryption implemented properly while they are starting out. However, a company with the size and reputation of WhatsApp should already have end-to-end encryption implemented a long time ago.
Luckily these days, we have companies like TL that are trying to move security standards closer to people and make them more affordable for everyone. So if you are an App developer or service provider, you can use pre-built end-to-end encryption solution which is ready straight out of the box.
Request a FREE Demo or visit www.teskalabs.com/products/seacat-mobile-secure-gateway to learn more about TeskaLabs Application Security technology and how we can help you with the security of your mobile app and its backend systems.
Most Recent Articles
- From State Machine to Stateless Microservice
- Entangled ways of product development in the area of cybersecurity #3 - LogMan.io
- Entangled ways of product development in the area of cybersecurity #2 - BitSwan
- Entangled ways of product development in the area of cybersecurity #1 - Asynchronous or parallel?
- State machine miracle
You Might Be Interested in Reading These Articles
Industrial IoT Security: Cyber Security Implications for IT-OT Convergence
In June 2017, two information security firms researching the 2016 hack of the electricity grid in Ukraine announced that they had identified the malicious code used to shut down power stations and leave thousands of households and businesses in darkness for several hours. The malware used to target the Kiev power grid has been named Industroyer, and it serves as a sobering reminder about the dangers faced by the Industrial Internet of Things (IIoT).
Published on September 05, 2017
5 Things You Need To Know About Securing Your Game App
The game industry is constantly evolving and growing on a rapid scale by each passing day. A significant part of this industry is mobile gaming. With huge advancements in mobile device technologies, gaming apps are on a high demand and so is their supply. One of the major reason behind this are the developers who are splurging millions of dollars in their time to market strategies. In all of this, the security of gaming apps takes a backseat, overlooked by developers in a haste a to launch their product before their respective competitors.
Published on November 08, 2016
TeskaLabs SeaCat PKI deployment for NordicWay C-ITS pilot in Norway
In many respects, today's motor vehicles function as connected devices. With this in consideration, joint EU initiatives have broadened the impact of Cooperative Intelligent Transport Systems (C-ITS) to include more expanded connections, including road infrastructure. This enhanced connectivity is expected to result in significant improvements to both road safety and traffic efficiency.
Published on June 15, 2021