Whatsapp end-to-end Encryption 2

Continuing Whatsapp end-to-end Encrpytion  Part 2
If you didn't read Part1 read now

Group Messages

Traditional unencrypted messenger apps typically employ “server-side fan-out” for group messages. A client wishing to send a message to a group of users transmits a single message, which is then distributed N times to the N different group members by the server.

This is in contrast to “client-side fan-out,” where a client would transmit a single message N times to the N different group members itself. Messages to WhatsApp groups build on the pairwise encrypted sessions outlined above to achieve efficient server-side fan-out for most messages sent to groups. This is accomplished using the “Sender Keys” component of the Signal Messaging Protocol.

The first time a WhatsApp group member sends a message to a group:

1. The sender generates a random 32-byte Chain Key.

2. The sender generates a random Curve25519 Signature Key key pair.

 3. The sender combines the 32-byte Chain Key and the public key from the Signature Key into a Sender Key message.

4. The sender individually encrypts the Sender Key to each member of the group, using the pairwise messaging protocol explained previously.

For all subsequent messages to the group:

1. The sender derives a Message Key from the Chain Key, and updates the Chain Key.

2. The sender encrypts the message using AES256 in CBC mode.

3. The sender signs the ciphertext using the Signature Key.

 4. The sender transmits the single ciphertext message to the server, which does server-side fan-out to all group participants.

The “hash ratchet” of the message sender’s Chain Key provides forward secrecy. Whenever a group member leaves, all group participants clear their Sender Key and start over.

Call Setup

WhatsApp calls are also end-to-end encrypted. When a WhatsApp user initiates a call:

 1. The initiator builds an encrypted session with the recipient (as outlined in Section Initiating Session Setup), if one does not already exist.

 2. The initiator generates a random 32-byte SRTP master secret.

3. The initiator transmits an encrypted message to the recipient that signals an incoming call, and contains the SRTP master secret.

4. If the responder answers the call, a SRTP encrypted call ensues.

Verifying Keys

 WhatsApp users additionally have the option to verify the keys of the other users with whom they are communicating so that they are able to confirm that an unauthorized third party (or WhatsApp) has not initiated a man-in-the-middle attack. This can be done by scanning a QR code, or by comparing a 60-digit number.

The QR code contains:

1. A version.

2. The user identifier for both parties.

3. The full 32-byte public Identity Key for both parties.

When either user scans the other’s QR code, the keys are compared to ensure that what is in the QR code matches the Identity Key as retrieved from the server.

 The 60-digit number is computed by concatenating the two 30-digit numeric fingerprints for each 

user’s Identity Key. To calculate a 30-digit numeric fingerprint:

1. Iteratively SHA-512 hash the public Identity Key and user identifier 5200 times.

2. Take the first 30 bytes of the final hash output.

3. Split the 30-byte result into six 5-byte chunks.

4. Convert each 5-byte chunk into 5 digits by interpreting each 5-byte chunk as a big-endian unsigned integer and reducing it modulo 100000.

5. Concatenate the six groups of five digits into thirty digits.

Transport Security

All communication between WhatsApp clients and WhatsApp servers is layered within a separate encrypted channel. On Windows Phone, iPhone, and Android, those end-to-end encryption capable clients use Noise Pipes with Curve25519, AES-GCM, and SHA256 from the Noise Protocol Framework for long running interactive connections.

This provides clients with a few nice properties:

1. Extremely fast lightweight connection setup and resume.

2. Encrypts metadata to hide it from unauthorized network observers. No information about the connecting user’s identity is revealed.

3. No client authentication secrets are stored on the server. Clients authenticate themselves using a Curve25519 key pair, so the server only stores a client’s public authentication key. If the server’s user database is ever compromised, no private authentication credentials will be revealed.

 Conclusion

Messages between WhatsApp users are protected with an endto-end encryption protocol so that third parties and WhatsApp cannot read them and so that the messages can only be decrypted by the recipient. All types of WhatsApp messages (including chats, group chats, images, videos, voice messages and files) and WhatsApp calls are protected by end-to-end encryption.

WhatsApp servers do not have access to the private keys of WhatsApp users, and WhatsApp users have the option to verify keys in order to ensure the integrity of their communication.

The Signal Protocol library used by WhatsApp is Open Source, available here: https://github.com/whispersystems/libsignal-protocol-java/