Leading instant messenger Whatsapp with 1 billion users now comes with Encryption. Security and Privacy are always a concern for every internet users. Recently iPhone lock issue with FBI put a thought in people about guarantee of their privacy. Whatsapp were working on their users privacy for a long time.
Receiving Session Setup
Exchanging Messages
Encryption feature activated when you updated the latest version of Whatsapp. It simply means that your messages, calls, photos , videos sent through whatsapp is not accessible to any third parties like cyber criminals, hackers and even whatsapp Inc itself. But it arises many questions about the stand of Whatsapp When government will push power to de-crypt messages.
I like to share detailed technical details of the Whatsapp end-to-end Encryption below.( From the white paper published by Whatsapp)
Terms
Public Key Types
• Identity Key Pair – A long-term Curve25519 key pair,
generated at install time.
• Signed Pre Key – A medium-term Curve25519 key pair,
generated at install time, signed by the Identity Key, and rotated on a
periodic timed basis.
• One-Time Pre Keys –
A queue of Curve25519 key pairs for one time use, generated at install time, and replenished as needed.
Session Key Types
• Root Key – A 32-byte value that is used to create Chain
Keys.
• Chain Key – A 32-byte value that is used to create Message
Keys.
• Message Key – An
80-byte value that is used to encrypt message contents. 32 bytes are used for
an AES-256 key, 32 bytes for a HMAC-SHA256 key, and 16 bytes for an IV.
Client Registration
At registration time, a WhatsApp client transmits its public
Identity Key, public Signed Pre Key (with its signature), and a batch of public
One-Time Pre Keys to the server. The WhatsApp server stores these public keys
associated with the user’s identifier. At no time does the WhatsApp server have
access to any of the client’s private keys.
Initiating Session
Setup
To communicate with another WhatsApp user, a WhatsApp client
first needs to establish an encrypted session. Once the session is established,
clients do not need to rebuild a new session with each other until the existing
session state is lost through an external event such as an app reinstall or
device change.
To establish a session:
1. The initiating client (“initiator”) requests the public
Identity Key, public Signed Pre Key, and a single public One-Time Pre Key for
the recipient.
2. The server returns
the requested public key values. A One-Time Pre Key is only used once, so it is
removed from server storage after being requested. If the recipient’s latest
batch of One-Time Pre Keys has been consumed and the recipient has not
replenished them, no One-Time Pre Key will be returned.
3. The initiator saves the recipient’s Identity Key as
Irecipient, the Signed Pre Key as Srecipient, and the One-Time Pre Key as
Orecipient.
4. The initiator generates an ephemeral Curve25519 key pair,
Einitiator.
5. The initiator loads its own Identity Key as Iinitiator.
6. The initiator calculates a master secret as master_secret
= ECDH(Iinitiator, Srecipient) || ECDH(Einitiator, Irecipient) ||
ECDH(Einitiator, Srecipient) || ECDH(Einitiator, Orecipient). If there is no
One Time Pre Key, the final ECDH is omitted.
7. The initiator uses HKDF to create a Root Key and Chain
Keys from the master_secret.
After building a
long-running encryption session, the initiator can immediately start sending
messages to the recipient, even if the recipient is offline. Until the
recipient responds, the initiator includes the information (in the header of
all messages sent) that the recipient requires to build a corresponding
session. This includes the initiator’s Einitiator and Iinitiator. When the
recipient receives a message that includes session setup information:
1. The recipient calculates the corresponding master_secret
using its own private keys and the public keys advertised in the header of the
incoming message.
2. The recipient deletes the One-Time Pre Key used by the
initiator.
3. The initiator uses HKDF to derive a corresponding Root
Key and Chain Keys from the master_secret.
Once a session has
been established, clients exchange messages that are protected with a Message
Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication.
The Message Key changes for each message transmitted, and is
ephemeral, such that the Message Key used to encrypt a message cannot be
reconstructed from the session state after a message has been transmitted or
received.
The Message Key is derived from a sender’s Chain Key that
“ratchets” forward with every message sent. Additionally, a new ECDH agreement
is performed with each message roundtrip to create a new Chain Key. This
provides forward secrecy through the combination of both an immediate “hash ratchet”
and a round trip “DH ratchet.”
Calculating a Chain Key from a Root Key
Each time a new Message Key is needed by a message sender,
it is calculated as:
1. Message Key = HMAC-SHA256(Chain Key, 0x01).
2. The Chain Key is then updated as Chain Key =
HMAC-SHA256(Chain Key, 0x02).
This causes the Chain
Key to “ratchet” forward, and also means that a stored Message Key can’t be
used to derive current or past values of the Chain Key.
Calculating a Chain Key from a Root Key
Each time a message is transmitted, an ephemeral Curve25519
public key is advertised along with it. Once a response is received, a new
Chain Key and Root Key are calculated as:
1. ephemeral_secret =
ECDH(Ephemeralsender, Ephemeralrecipient).
2. Chain Key, Root Key = HKDF(Root Key, ephemeral_secret).
A chain is only ever used to send messages from one user, so
message keys are not reused. Because of the way Message Keys and Chain Keys are
calculated, messages can arrive delayed, out of order, or can be lost entirely
without any problems.
Transmitting Media and Other Attachments
Large attachments of
any type (video, audio, images, or files) are also end-to-end encrypted:
1. The WhatsApp user
sending a message (“sender”) generates an ephemeral 32 byte AES256 key, and an
ephemeral 32 byte HMACSHA256 key.
2. The sender
encrypts the attachment with the AES256 key in CBC mode with a random IV, then
appends a MAC of the ciphertext using HMAC-SHA256.
3. The sender uploads
the encrypted attachment to a blob store.
4. The sender transmits a normal encrypted message to the
recipient that contains the encryption key, the HMAC key, a SHA256 hash of the
encrypted blob, and a pointer to the blob in the blob store.
5. The recipient decrypts the message, retrieves the
encrypted blob from the blob store, verifies the SHA256 hash of it, verifies
the MAC, and decrypts the plaintext.
No comments:
Post a Comment