How Does WhatsApp’s “End-to-End Encryption” Feature Keep Data Safe?

WhatsApp has emerged as a popular smartphone app and is admired all the more for its secure chatting feature. Each new version has added a further level of security, ensuring a safe messaging experience, but the version released after 31st March 2016 brought a revolutionary change by introducing a strong security feature for its users known as “end-to-end encryption”, designed by Open Whisper Systems. This has added another layer of safety to the application and has made it even more popular.

What is End-to-end Encryption?

End-to-end encryption means that no one except you and the recipient can read the messages you share, not even WhatsApp. The only requirement is that both of you must be using the latest version of WhatsApp. Another noteworthy fact is that the encryption is set up only once; it is set up again only if you change your device or install the latest version of WhatsApp again.

Messaging through end-to-end encryption ensures that pictures, messages, videos and even links stay secret between you and the recipient. No third party, not even WhatsApp, has access to this content. It is activated automatically when you install the latest version of WhatsApp and cannot be turned off manually.

The encryption is shown by a 16-digit code that is clearly visible on your device, together with a lock symbol indicating that your messages are end-to-end encrypted. To confirm, open “Settings” and tap “Account”. In the account section you will see a number of options; select “Privacy”. If you have installed the latest version, it will clearly show the lock symbol with information on the encryption below it.

WhatsApp’s Encryption Features

WhatsApp uses a set of public keys as well as session keys, which play the major roles in end-to-end encryption. The identity key, signed pre-key and one-time pre-keys are the public keys; each is an elliptic-curve key pair. Session keys are also of three types: the root key, the chain key and the message key.

The first two are 32 bytes long, whereas the message key is 80 bytes. During the initial set-up, the client automatically transmits its identity key, signed pre-key and a batch of one-time pre-keys to the WhatsApp server. The server, however, never has access to its users’ private keys.

A chat session is initiated through a key request. To set up the session for the first time, the sender requests the recipient’s identity key (I_recipient), signed pre-key (S_recipient) and one one-time pre-key (O_recipient) from the WhatsApp server, which returns all three keys. Once the one-time pre-key has been delivered to the sender, it is permanently deleted from the WhatsApp server.

The initiator (sender) generates an ephemeral key (E_initiator) and also uses its own identity key (I_initiator). A 16-digit Master_secret is then generated in the following format:

ECDH(I_initiator, S_recipient) || ECDH(E_initiator, I_recipient) || ECDH(E_initiator, S_recipient) || ECDH(E_initiator, O_recipient)
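The Master_secret computation above, as an added example that is not part of the original article or of WhatsApp’s code: a minimal pure-Python X25519 (the RFC 7748 ladder) stands in for ECDH, all key pairs are generated at random for the demonstration, and both sides compute the four shared secrets from their own private keys and arrive at the same concatenated value.

```python
import os

P = 2**255 - 19                     # field prime for Curve25519
BASE = (9).to_bytes(32, "little")   # standard base point u = 9


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Curve25519 scalar multiplication (RFC 7748 Montgomery ladder)."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 255) - 1)) | (1 << 254)          # clamp the scalar
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair() -> tuple[bytes, bytes]:
    priv = os.urandom(32)                    # constructed: fresh random private scalar
    return priv, x25519(priv, BASE)

def initiator_master_secret(I_init, E_init, I_rcpt_pub, S_rcpt_pub, O_rcpt_pub) -> bytes:
    # ECDH(I_initiator,S_recipient) || ECDH(E_initiator,I_recipient) ||
    # ECDH(E_initiator,S_recipient) || ECDH(E_initiator,O_recipient)
    return (x25519(I_init, S_rcpt_pub) + x25519(E_init, I_rcpt_pub)
            + x25519(E_init, S_rcpt_pub) + x25519(E_init, O_rcpt_pub))

def recipient_master_secret(I_rcpt, S_rcpt, O_rcpt, I_init_pub, E_init_pub) -> bytes:
    # The same four shared secrets, this time from the recipient's private keys.
    return (x25519(S_rcpt, I_init_pub) + x25519(I_rcpt, E_init_pub)
            + x25519(S_rcpt, E_init_pub) + x25519(O_rcpt, E_init_pub))

def demo() -> bool:
    """Both sides derive the 4 x 32 = 128-byte Master_secret independently and agree."""
    I_a, I_a_pub = keypair(); E_a, E_a_pub = keypair()                  # initiator keys
    I_b, I_b_pub = keypair(); S_b, S_b_pub = keypair(); O_b, O_b_pub = keypair()  # recipient
    ms_a = initiator_master_secret(I_a, E_a, I_b_pub, S_b_pub, O_b_pub)
    ms_b = recipient_master_secret(I_b, S_b, O_b, I_a_pub, E_a_pub)
    return ms_a == ms_b and len(ms_a) == 128
```

Only the recipient holds the private halves of S_recipient and O_recipient, so the server that relayed the public keys cannot compute any of the four ECDH terms.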

Code Generation Process

Similarly, HKDF is used by both the initiator and the recipient to derive the chain and root keys from the Master_secret for the message exchange. The initiator can now send messages to the recipient, and they will be delivered even if the recipient is not online.

On receiving the message, the recipient reads its header, reconstructs the Master_secret using its own private keys, and deletes the one-time pre-key that the sender used. With this encryption in place, each transmitted message is further protected by a Message key.

This key changes with every transmitted message and cannot be reconstructed after the message has been sent.

The message key can only be derived from the recipient’s chain key, which itself is regenerated with each round trip of messages.
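The derivation described in the last few paragraphs, as an added example (not WhatsApp’s code): HKDF-SHA256 splits a master secret into the 32-byte root and chain keys, and a one-way HMAC ratchet on the chain key yields a fresh 80-byte message key per message. The info strings, the 0x01/0x02 HMAC labels and the sample master secret are constructed for the example.

```python
import hashlib
import hmac


def hkdf(ikm: bytes, length: int, salt: bytes = b"", info: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def derive_root_and_chain(master_secret: bytes) -> tuple[bytes, bytes]:
    """Both parties run this on the same master secret and get identical keys."""
    okm = hkdf(master_secret, 64, info=b"example-session-setup")
    return okm[:32], okm[32:]            # (root key, chain key), 32 bytes each


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric ratchet step: this message's key, and the advanced chain key.

    HMAC is one-way, so holding the new chain key does not let anyone recover the
    previous chain key or the message key that was derived from it."""
    message_key = hkdf(hmac.new(chain_key, b"\x01", hashlib.sha256).digest(), 80,
                       info=b"example-message-keys")   # 32 enc + 32 mac + 16 iv
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


def message_keys(chain_key: bytes, count: int) -> list[bytes]:
    """Message keys for `count` consecutive messages; each is used once, then discarded."""
    keys = []
    for _ in range(count):
        mk, chain_key = ratchet_step(chain_key)
        keys.append(mk)
    return keys


# Constructed stand-in for the concatenated ECDH outputs of the Master_secret.
MASTER_SECRET = bytes(range(128))
```

Because the recipient starts from the same chain key, `message_keys` on both sides yields the same sequence, while a party that only sees a later chain key cannot walk it backwards.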

Encryption of Attachment Files

Like plain-text messages, large attachments are also encrypted and travel securely between you and the recipient. Each sent attachment is encrypted with a 32-bit ephemeral key along with some other keys. On the recipient’s side they are decrypted and the original content is delivered.

When it comes to group messaging, WhatsApp stands out from its competitors due to its “client-side fan-out” feature, in which the sending client itself delivers N messages to the N group members. Most apps carry out group messaging through “server-side fan-out”, where the server delivers the N messages to the N group members.

Now to the most popular section: “WhatsApp call”. This call feature is also end-to-end encrypted. For every call, the initiator generates a 32-bit SRTP key. When this key reaches the other end, it triggers the incoming-call signal. Once the call is answered on the other side, the call continues encrypted with that SRTP key.

If you want to test WhatsApp’s claim of secure data transfer, it gives you the option to verify the security keys. You can either scan the QR code or manually compare the 60-digit key. If either of you scans the other’s code, or you compare the 60-digit codes, they will match.

Additional Encryption Layers

Additional strong security is also maintained between the client and the server through a number of encryption layers. This ensures that no third party can breach the wall and gain access to the data transported between client and server. This is carried out using Noise Pipes for long-running interactive connections.

The layered security is designed to ensure easy set-up and quick resumption of the encrypted connection, hiding of metadata from unauthorized parties, and strong client authentication using a Curve25519 key pair. So, basically, you can rest assured that there is nil chance of your private data being hacked by spammers.

A detailed analysis of the end-to-end encryption still leaves certain basic doubts. Though WhatsApp claims that it has no access to any of its users’ private keys, this is hard to believe, since we do not have access to the source code of the WhatsApp server either. Hence we have no option other than to place blind trust in it.

Many times in this article we have described the architecture of WhatsApp as a client-server model, which means users have to interact with the server. In this scenario too, it is hard to believe that users’ private keys are not accessible to WhatsApp.

But as far as client satisfaction is concerned, this app is still trending among the other messaging apps. Earlier, WhatsApp made history through its acquisition by Facebook. Now, through “end-to-end encryption”, it has added another chapter to its glory.

karthikeya Boyini

I love programming (: That's all I know