Logo

dev-resources.site

for different kinds of informations.

A Deep Dive into WhatsApp’s Encryption: Identity, Keys, and Message Security

Published at
1/15/2025
Categories
secure
encryption
tutorial
beginners
Author
binoy123
Author
8 person written this
binoy123
open
A Deep Dive into WhatsApp’s Encryption: Identity, Keys, and Message Security

WhatsApp's End-to-End Encryption

End-to-End Encryption (E2EE) is a way to keep your messages private. With this feature, only you and the person you're talking to can see your messages. WhatsApp uses E2EE by default to ensure your messages are protected.

What is End-to-End Encryption?

End-to-end encryption means that your messages, calls, and shared files are encrypted on your phone and can only be decrypted on the other person’s phone. No one else, not even WhatsApp, can read or listen to them.

E2EE involves three key components: identity verification, session key generation, and message encryption. Here’s how each part works:

  1. Identity Verification ensures that the communication partners are legitimate and that they are who they claim to be. This prevents impersonation and ensures the authenticity of both parties.
  2. Session Key Generation establishes a secure connection between the two users. It allows both parties to independently derive the same shared secret (session key) that will be used to encrypt and decrypt the messages.
  3. Message Encryption ensures that the content of the communication remains private. The session key is used to encrypt the messages, so only the intended recipient, who has the corresponding key, can decrypt and read the messages.

Step-by-Step Explanation of Identity Verification

1. User Setup: Generating Keys

Each WhatsApp user generates a public-private key pair when they first set up their account:

  • Private Identity Key: This is kept secure on the user’s device and is never shared with anyone.
  • Public Identity Key: This is shared with other users so they can authenticate the user’s identity.

Example:

  • Ahalya generates her Identity Key Pair:
    • Private Identity Key: Stored securely on Ahalya’s phone.
    • Public Identity Key: Shared with WhatsApp’s servers.
  • Bharath generates his Identity Key Pair:
    • Private Identity Key: Stored securely on Bharath’s phone.
    • Public Identity Key: Shared with WhatsApp’s servers.

2. Key Exchange: Sharing Public Keys

When Ahalya wants to start a conversation with Bharath, both exchange their public identity keys. These keys are used to authenticate each other and ensure they are communicating with the correct person.

Example:

  • Ahalya sends Bharath a message. Along with the message, Ahalya’s Public Identity Key is also sent to Bharath.
  • Bharath’s WhatsApp app receives Ahalya’s Public Identity Key, and Bharath’s Public Identity Key is also shared with Ahalya’s device.

3. Security Code Verification: Confirming Key Authenticity

WhatsApp provides a Security Code to help users verify the authenticity of the public keys they receive. This code acts as a fingerprint of the user’s Public Identity Key.

  • WhatsApp automatically displays security codes for each user’s Public Identity Key in the contact info section.
  • If a user’s Public Identity Key changes (e.g., due to a device reinstall), WhatsApp notifies both users.

Example:

  • Ahalya’s app displays Bharath’s Security Code, and Bharath’s app displays Ahalya’s Security Code.
  • If the security codes match, both users can trust that their communication is secure. If not, WhatsApp alerts them to potential issues.

Step-by-Step Explanation of Session Key Generation

1. Key Exchange Setup

Before generating the session key, both users exchange the following public keys:

  1. Identity Key Pair: A long-term key pair for verifying identity.
  2. Signed Pre-Key Pair: A pre-generated key pair signed using the user’s private identity key.
  3. One-Time Pre-Key: A disposable public key ensuring session uniqueness.

When User A wants to communicate with User B, they exchange:

  • User A’s public identity key
  • User A’s public signed pre-key
  • User A’s one-time pre-key
  • User B’s corresponding public keys

2. Key Authentication

After receiving each other’s public keys, both users verify the keys:

  • User A verifies User B’s signed pre-key using User B’s public identity key.
  • Similarly, User B verifies User A’s signed pre-key using User A’s public identity key.

This prevents impersonation and ensures both users are legitimate.

3. Deriving the Shared Session Key

Each user independently computes the same shared session key using their private keys and the other user’s public keys. The session key is unique and never transmitted over the network. Here’s how this happens in detail:

  1. Private and Public Key Combination:

    • User A combines:
      • Their private identity key with User B’s public signed pre-key to derive a partial key.
      • Their private identity key with User B’s public one-time pre-key to ensure uniqueness for the session.
    • User B performs a similar process:
      • Their private identity key is combined with User A’s public signed pre-key.
      • Their private identity key is combined with User A’s public one-time pre-key.
  2. Mathematical Agreement:

    • Both users perform calculations to derive the same shared session key using the exchanged public keys and their private keys. The use of the one-time pre-key ensures that the session key is unique for this specific conversation.

For example:

  • User A calculates:

    • Session Key = f(Private Key of A, Public Key of B)

  • User B calculates:

    • Session Key = f(Private Key of B, Public Key of A)

  • The function ( f ) ensures that both calculations produce the same session key.

So, when you see
f(Private Key of A,Public Key of B)
f(Private Key of A,Public Key of B), it implicitly includes the process of combining A's private identity key with:

B's public identity key,
B's signed pre-key,
B's one-time pre-key.

  1. Ensuring Security:

    • Since the session key is generated locally on each device and not transmitted over the network, it remains secure from potential eavesdroppers.
  2. Session Key Properties:

    • The session key is:
      • Unique to each session.
      • Disposable after use.
      • Essential for encrypting and decrypting messages during the conversation.

4. Ensuring Uniqueness with the One-Time Pre-Key

To make the session key unique for every session:

  • User A and User B incorporate the one-time pre-key into the key generation process. This ensures that even if keys are reused, the resulting session key will be different.
  • Once the one-time pre-key is used, it is discarded and cannot be reused, further enhancing security.

Message Encryption: Ensuring Privacy with the Session Key

1. Encrypting the Message (Sender Side)

When User A sends a message to User B:

  1. The message starts as plaintext on User A’s device.
    • Example: “Hello, how are you?”
  2. The session key is used to encrypt the plaintext into ciphertext.
  3. A nonce (a unique random number) is added to ensure identical messages produce different ciphertexts.
    • Example Ciphertext: 4A8f2H93l!#gkL2
  4. The ciphertext and nonce are sent to User B.

2. Decrypting the Message (Recipient Side)

When User B receives the encrypted message:

  1. The ciphertext and nonce are received by User B’s device.
  2. The session key (already generated on User B’s device) decrypts the ciphertext back into plaintext.
    • Example: “Hello, how are you?”

Key Features of Message Encryption

  1. Role of the Session Key:

    • The session key ensures that only the sender and receiver can encrypt and decrypt messages.
    • It is never transmitted over the network.
  2. Use of a Nonce:

    • Prevents identical messages from producing identical ciphertexts.
    • Adds randomness, making it harder for attackers to identify patterns.
  3. Message-Specific Encryption:

    • Each message is encrypted individually, ensuring that compromising one message doesn’t affect others.
  4. Forward Secrecy:

    • Unique session keys for each conversation prevent past or future messages from being compromised.

Conclusion

WhatsApp’s End-to-End Encryption ensures that every message, call, and file shared is private, secure, and accessible only to the intended recipient. By combining robust identity verification, session key generation, and message encryption, WhatsApp protects users from eavesdropping, impersonation, and data breaches. Whether you’re sharing personal messages or sensitive information, WhatsApp’s encryption system provides the highest level of security and privacy.

With features like nonce-based encryption and forward secrecy, WhatsApp sets a high standard for secure communication, ensuring users can communicate confidently and privately.

secure Article's
29 articles in total
Favicon
A Deep Dive into WhatsApp’s Encryption: Identity, Keys, and Message Security
Favicon
Essential Aspects of IoT Security Assessments for Scalable and Secure Solutions
Favicon
Legal Templates Every Software Developer Should Know
Favicon
Mastering GitLab with SSH Key: A Step-by-Step Guide for Secure Authentication
Favicon
เปิดการใช้งาน ซีเคียวเชล (Secure Shell หรือ SSH) รีโมท linux server โดยไม่ต้องใช้ password
Favicon
Childproof Jars: Safe and Secure Storage Solutions for THC Products
Favicon
Building a Secure dApp: Best Practices and Common Pitfalls
Favicon
How does CloudFlare use lava lamps to keep the internet secure?
Favicon
Secure Password Storage and Authentication Best Practices
Favicon
Get a Trusted DAPP Service For Your Vision and Turn it into Reality
Favicon
Secure Coding for Authentication
Favicon
BlockChain: A Secure Pavement to Fintech
Favicon
Secure by Design: An In-Depth Introduction to Secure Coding Practices and Common Vulnerabilities
Favicon
Ensuring Data Security: Best Practices and Tips
Favicon
Secure Instant Messaging
Favicon
Differences Between HTTP and HTTPS?
Favicon
Best encrypted cloud storage
Favicon
Passgen: A password generator that uses a regex-like syntax to create secure passwords of any shape.
Favicon
Ways to secure APIs
Favicon
How to secure NodeJS REST API from Attacks
Favicon
3 Ways to Read SSM Parameters
Favicon
A Bot Protection Overview
Favicon
How to secure your WordPress web site?
Favicon
Enhance Security in Your .NET Configuration Files
Favicon
0x00SEC CTF - Exercise #2
Favicon
PBKDF2 Hash a secure password
Favicon
Free Decentralised code snippet manager
Favicon
Simple and secure email sending
Favicon
Secure Devops Tactics

Featured ones: