Especially in the context of the events of the past months, it is very interesting news that all communication via the popular application WhatsApp is now fully end-to-end encrypted. A billion active users of the service can now have a secure conversation, on both iOS and Android. Text messages, sent images and voice calls are encrypted.
The question is how bulletproof the encryption is. WhatsApp continues to handle all messages centrally and also coordinates the exchange of encryption keys. So if a hacker or even the government wanted to get to the users' messages, it would not be impossible. In theory, it would be enough for them to get the company on their side or to attack it directly in some way.
In any case, for the average user encryption means a huge increase in the security of their communications and is a big leap forward for the application. The encryption uses technology from the renowned company Open Whisper, with which WhatsApp has been testing encryption since November last year. The technology is based on open source code.
It is not clear to me why the central encryption; why does WhatsApp not let both participants of the conversation exchange keys?
In one sentence – usability for BFU. With a fully independent key exchange, it would be nice, but unusable.
Well, of course I meant under the hood. A lame user doesn't have to know about it at all.
I don't see any mention of central encryption anywhere, quite the opposite.
It used to be customary for the author of the article to post a comment based on the post edit and write it briefly in the discussion and say "specified".
However, the author of the article would have to change something.
So in that case I'm very sorry, I had a wolf fog. The error was between my computer and the wall.
Threema
I don't know what the author means by the key coordination. As far as I know, and as mentioned in the article, WhatsApp is newly using the Signal protocol, which is based on the fact that each conversation means a new exchange of keys via Diffie-Hellman and the generation of a new AES and MAC. All this takes place on the client side and no one along the way can do anything about it, not even WhatsApp, which at most routes encrypted messages between users and can (and probably does) store and analyze metadata. Or did I miss something?
Hello, I'm not exactly an expert on encryption and I didn't want to get into technicalities that I don't even really understand. Anyway, if I understand correctly, WhatsApp operates with public keys that are used to encrypt the message. Thus, if an attacker through WhatsApp managed to slip his own encryption key to someone, he could also decrypt the encrypted message.
Otherwise, you are right and I confess without torture, you most likely have the upper hand when it comes to encryption and I will be happy if you teach me.
Hello, it's a fairly comprehensive topic, but I'll try to simplify it - the only thing that is stored on the WhatsApp server is a few of your public keys, which are used when creating a chat session between you and someone else. It would be possible without them, but these so-called pre-keys make it possible, among other things, to create an encrypted session even when the other party is offline (which is a specialty of the Signal protocol, it can't do anything else, at least as far as we know). The Signal protocol also includes a method for reliable verification of the other party, preventing someone from impersonating you. Symmetric cryptography is then used to encrypt the message itself, i.e. the message is encrypted and decrypted with the same key. This key is generated for every new message and WhatsApp (the company) does not have access to it, it is generated on end devices (hence End to End cryptography), which first performed the so-called handshake using the Diffie-Hellman protocol (more precisely, ECDH). Thanks to this handshake, both parties get a so-called shared secret, i.e. some big random number that both parties know, but no one else can eavesdrop on. Based on this shared secret, both parties can generate new and new encryption keys that are unique for each message. The input for generating such a key is not only the shared "shared secret", but also the previous message. Thanks to this and other properties of the Signal protocol, the so-called forward secrecy and future secrecy are ensured, i.e. even if someone gets your encrypted message and somehow manages to crack it in the future and gains access to the encryption key, he cannot decrypt another message which you sent.
I apologize if I wrote this in too much detail and repeated something you already know and I hope I answered the confusion. I'm not an expert on cryptography, but by coincidence I've been dealing with this topic quite in-depth recently :) Still, if someone finds any inaccuracies in what I wrote, I'd be happy if you correct me.
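The per-message key derivation discussed in the comment above, as an added example that is not part of the original article or discussion and is not WhatsApp's or Signal's code. It shows only the symmetric chain step, using the HMAC-SHA256 constants recommended in the Double Ratchet specification; the `ChainRatchet` class, the `demo-chain` seeding and the 32-byte shared secret are constructed for illustration, and the Diffie-Hellman part of the ratchet is left out.

```python
import hashlib
import hmac

# Single-byte inputs recommended by the Double Ratchet specification
# for deriving the message key and the next chain key.
MESSAGE_KEY_LABEL = b"\x01"
CHAIN_KEY_LABEL = b"\x02"


def kdf_chain_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Return (next_chain_key, message_key) for one ratchet step."""
    message_key = hmac.new(chain_key, MESSAGE_KEY_LABEL, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_LABEL, hashlib.sha256).digest()
    return next_chain_key, message_key


class ChainRatchet:
    """One direction of a conversation; both ends hold an identical copy."""

    def __init__(self, shared_secret: bytes):
        # Assumption for this example: the handshake output seeds the chain directly.
        self.chain_key = hashlib.sha256(b"demo-chain" + shared_secret).digest()

    def next_message_key(self) -> bytes:
        # The old chain key is overwritten, so it cannot be recovered later.
        self.chain_key, message_key = kdf_chain_step(self.chain_key)
        return message_key


def demo():
    shared_secret = bytes(range(32))  # constructed stand-in for the ECDH result
    sender = ChainRatchet(shared_secret)
    receiver = ChainRatchet(shared_secret)
    sent = [sender.next_message_key() for _ in range(5)]
    received = [receiver.next_message_key() for _ in range(3)]

    # Simulate theft of the receiver's state after the third message.
    stolen = ChainRatchet(b"")
    stolen.chain_key = receiver.chain_key
    derivable = [stolen.next_message_key() for _ in range(2)]
    return sent, received, derivable


if __name__ == "__main__":
    sent, received, derivable = demo()
    print("receiver in sync:", sent[:3] == received)
    print("stolen state reaches earlier keys:", bool(set(derivable) & set(sent[:3])))
```

The stolen state yields the keys for messages four and five but none of the first three, because HMAC cannot be run backwards. Cutting an attacker off from later keys as well is the job of the Diffie-Hellman step that this example omits.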
Thank you very much for the info, you have explained it in a very clear way. Next time I will be better equipped with information ;)
Does this mean WhatsApp doesn't have central history now?
It has a central history, but each message is encrypted with a unique key that only the recipient of the message has.