Whatsapp Introduced new end to end Encryption to its 1 billion users which brought a paradigm shift towards security and privacy in communication. This is kind of state of art ground breaking technology which ensures both channel and message are completely encrypted and tamper proof using strongest encryption methodology available today. Before we dig into what is the key technology enabler in Whatsapp Security Model, lets understand how whatsapp communication worked so far.
Whatsapp use a customized version XMPP - eXtensible Messaging and Presence Protocol. It is a slightly modified version of XMPP; So WhatsApp server has got ability to listens in on your chat and analyses it for marketing/advertising purposes. And it was really easy to hack system if eavesdropper can decode the customized XMPP protocol.
However with new this new end to end Encryption technology, its now impossible hack and tamper the communication between whatsapp chat users.
Now lets understand how this whatsapp ground breaking security model is working. It is a two step process.
1. Established a secured session between two users in two Whatsapp device. Once this secured session is established, it will use same secured for all future chat among those users unless user change the device or uninstall the software.
2. Once a secured session established every messages will be end to end encrypted using a unique different private key which can not be used to decrypt any old or future message. This is called "Rachet" forward. This second step is key differentiation to make this encryption model unique. This will make sure even Whatsapp server will not have ability to read the message in their network as it has only public key and does not have the required private key to decrypt it.
Lets see how in technically an encrypted message is transmit using secured session over customized XMPP protocol:
1. The WhatsApp user sending a message (“sender”) generates an ephemeral 32 byte AES256 key, and an ephemeral 32 byte HMACSHA256 key.
2. The sender encrypts the attachment with the AES256 key in CBC mode with a random IV, then appends a MAC of the ciphertext using HMAC-SHA256.
3. The sender uploads the encrypted attachment to a blob store.
4. The sender transmits a normal encrypted message to the recipient that contains the encryption key, the HMAC key, a SHA256 hash of the encrypted blob, and a pointer to the blob in the blob store.
5. The recipient decrypts the message, retrieves the encrypted blob from the blob store, verifies the SHA256 hash of it, verifies the MAC, and decrypts the plaintext
Please refer here for more details.
The whole encryption technology has been implemented using signal library protocol called Open Whisper System. The core implementation is done using a open source Java Library. Here is maven dependency and code snippet:
Maven Dependency
During App Installation:
So Java rocks here too.
This article belongs to part 3 of series on how modern day cryptography works.
Whatsapp use a customized version XMPP - eXtensible Messaging and Presence Protocol. It is a slightly modified version of XMPP; So WhatsApp server has got ability to listens in on your chat and analyses it for marketing/advertising purposes. And it was really easy to hack system if eavesdropper can decode the customized XMPP protocol.
Hacker |
Now lets understand how this whatsapp ground breaking security model is working. It is a two step process.
1. Established a secured session between two users in two Whatsapp device. Once this secured session is established, it will use same secured for all future chat among those users unless user change the device or uninstall the software.
2. Once a secured session established every messages will be end to end encrypted using a unique different private key which can not be used to decrypt any old or future message. This is called "Rachet" forward. This second step is key differentiation to make this encryption model unique. This will make sure even Whatsapp server will not have ability to read the message in their network as it has only public key and does not have the required private key to decrypt it.
Lets see how in technically an encrypted message is transmit using secured session over customized XMPP protocol:
1. The WhatsApp user sending a message (“sender”) generates an ephemeral 32 byte AES256 key, and an ephemeral 32 byte HMACSHA256 key.
2. The sender encrypts the attachment with the AES256 key in CBC mode with a random IV, then appends a MAC of the ciphertext using HMAC-SHA256.
3. The sender uploads the encrypted attachment to a blob store.
4. The sender transmits a normal encrypted message to the recipient that contains the encryption key, the HMAC key, a SHA256 hash of the encrypted blob, and a pointer to the blob in the blob store.
5. The recipient decrypts the message, retrieves the encrypted blob from the blob store, verifies the SHA256 hash of it, verifies the MAC, and decrypts the plaintext
Please refer here for more details.
The whole encryption technology has been implemented using signal library protocol called Open Whisper System. The core implementation is done using a open source Java Library. Here is maven dependency and code snippet:
Maven Dependency
<dependency>
<groupId>org.whispersystems</groupId>
<artifactId>signal-protocol-java</artifactId>
<version>(latest version number)</version>
</dependency>
Code ImplementationDuring App Installation:
IdentityKeyPair identityKeyPair = KeyHelper.generateIdentityKeyPair();
int registrationId = KeyHelper.generateRegistrationId();
List<PreKeyRecord> preKeys = KeyHelper.generatePreKeys(startId, 100);
SignedPreKeyRecord signedPreKey = KeyHelper.generateSignedPreKey(identityKeyPair, 5);
// Store identityKeyPair somewhere durable and safe.
// Store registrationId somewhere durable and safe.
// Store preKeys in PreKeyStore.
// Store signed prekey in SignedPreKeyStore.
During Secured Session Establishment and Messaging:SessionStore sessionStore = new MySessionStore();
PreKeyStore preKeyStore = new MyPreKeyStore();
SignedPreKeyStore signedPreKeyStore = new MySignedPreKeyStore();
IdentityKeyStore identityStore = new MyIdentityKeyStore();
// Instantiate a SessionBuilder for a remote recipientId + deviceId tuple.
SessionBuilder sessionBuilder = new SessionBuilder(sessionStore, preKeyStore, signedPreKeyStore,
identityStore, recipientId, deviceId);
// Build a session with a PreKey retrieved from the server.
sessionBuilder.process(retrievedPreKey);
SessionCipher sessionCipher = new SessionCipher(sessionStore, recipientId, deviceId);
CiphertextMessage message = sessionCipher.encrypt("Hello world!".getBytes("UTF-8"));
deliver(message.serialize());
The library is available in gitbub here.So Java rocks here too.
This article belongs to part 3 of series on how modern day cryptography works.
This comment has been removed by the author.
ReplyDeleteSo just out of curiosity, When this process is done the plain text will be saved in the senders and receivers device. When it comes to web and desktop platforms, how does it work, any idea ? I mean does it again follow the same mechanism between the mobile app and desktop app or is it establishing some kind of a peer to peer connection?
ReplyDelete