by Rovin

WhatsApp is a messaging service with over 1.2 MAU worldwide. Around 2 years back, I saw an alert as I opened up my chats that said my messages would be secured with end-to-end encryption. What does this really mean and why is encryption so important? As a Curious PM, I take a peek under the hood of end-to-end encryption.

Privacy is in our DNA

A whole slew of companies are under scrutiny from governments around the world to make user data more available to them. The argument is that early access to the chat history of suspected terrorists could prevent future terror attacks. While the argument is logical, opening up backdoors into user data for the government could lead to abuse by governments and hackers. Hence, when WhatsApp launched its radical end-to-end encryption service with the slogan "Privacy is in our DNA", they were hailed as heroes in Silicon Valley.

“Arguing that you don’t care about privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

Edward Snowden, Whistleblower and Privacy Advocate

WhatsApp's co-founders collaborated with Moxie Marlinspike, a decorated cryptographer and founder of Open Whisper Systems, which developed the Signal Protocol. This protocol is now used by WhatsApp, Facebook Messenger, Skype and Allo and is the largest deployed consumer end-to-end encryption protocol.

How is end-to-end encryption different?

In general, when you send messages over the internet using services like Google, your messages are encrypted using HTTPS between you and them. This means that as soon as your messages reach Google's servers, they can be decrypted and stored there. Your private messages can be compromised if Google's servers are breached by hackers or if the government coerces the company to give up the data.

With the implementation of end-to-end encryption, any message, photo, voice message, document, voice call or video call shared between two users or even a group of users of WhatsApp will be encrypted such that even WhatsApp servers will not be able to decrypt those messages. All messages are secured with locks and only the intended recipient has the key to open that lock. Additionally, each message has its own unique lock.

Source: WhatsApp

The Signal Protocol

WhatsApp has released a Whitepaper that provides a technical explanation of its end-to-end encryption system that can be accessed here. Here is a brief explanation of how the system works.

Registration – When you download and install WhatsApp, 3 different types of public and private keys are generated that are unique to you and each plays a different role in encryption. The public keys are shared with the WhatsApp server. At no time are the private keys shared with the server. To understand public keys and private keys in a non-complicated way click here.

Initiating a Session – To communicate with your friend, an encrypted session has to be initiated. Once the session has been built, it does not need to be rebuilt until the app is uninstalled.

Hence if Bob wants to send Alice a message, both install the latest version of WhatsApp. Then Bob and Alice both share their public keys with WhatsApp servers. Now Bob uses the public keys shared by Alice and his own private keys to create a master secret key and sends this master secret as the header of the first message that he sends to Alice. As soon as Alice comes online, she receives the master secret from Bob and using her own private keys and Bob’s public keys, decrypts the master secret to establish a session. All encryption and decryption is done on your phone itself which is different from the traditional method of doing it on company servers.

master_secret = ECDH(I_initiator, S_recipient) || ECDH(E_initiator, I_recipient) || ECDH(E_initiator, S_recipient) || ECDH(E_initiator, O_recipient)
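The formula above, evaluated on both ends, as an added example that is not WhatsApp's or Signal's code. It assumes the whitepaper's key roles (I = identity, S = signed pre-key, O = one-time pre-key, E = the initiator's ephemeral key) and uses a small pure-Python X25519 (RFC 7748); the function names are hypothetical, and signature checks and the later key-derivation step are left out. Only public keys are exchanged here, and each side computes the master secret locally.

```python
import os

P, A24 = 2**255 - 19, 121665           # Curve25519 prime and RFC 7748 constant
BASE = (9).to_bytes(32, "little")      # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """ECDH on Curve25519 (RFC 7748 ladder). Not constant-time: illustration only."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)    # (private, public)

def initiator_secret(I_i, E_i, I_r_pub, S_r_pub, O_r_pub):
    # Initiator: own private I and E, recipient's public keys fetched from the server.
    return (x25519(I_i, S_r_pub) + x25519(E_i, I_r_pub)
            + x25519(E_i, S_r_pub) + x25519(E_i, O_r_pub))

def recipient_secret(I_r, S_r, O_r, I_i_pub, E_i_pub):
    # Recipient: own private I, S, O and the initiator's public I and E.
    return (x25519(S_r, I_i_pub) + x25519(I_r, E_i_pub)
            + x25519(S_r, E_i_pub) + x25519(O_r, E_i_pub))

def demo():
    aI, aS, aO = keypair(), keypair(), keypair()   # Alice (recipient), constructed keys
    bI, bE = keypair(), keypair()                  # Bob (initiator), constructed keys
    bob = initiator_secret(bI[0], bE[0], aI[1], aS[1], aO[1])
    alice = recipient_secret(aI[0], aS[0], aO[0], bI[1], bE[1])
    return bob, alice                              # equal 128-byte values
```

A server that relays the five public keys never holds a private key, so it cannot evaluate any of the four ECDH terms.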

Exchanging Messages – Once a session has been built, every message sent is protected with a Message Key which is obtained by using some of the best cryptography methods. The Message Key uses a feature called “Perfect Forward Secrecy”. This means that a Message Key cannot be reconstructed once the message has been received and decrypted by Alice, hence your data can never be reconstructed by hackers.

Group Messages, Calls, Statuses, Live Location – All of these are encrypted using similar methods and you can read the Whitepaper to understand each one in detail.

The Pros, The Cons

Encryption is really important for privacy advocates. It becomes of supreme importance in countries like Syria, where the government can monitor your communication if encryption does not exist. Businesses, journalists and lawyers are particularly excited since they are always searching for secure means of communication to transfer confidential information.

Although technology has a lot of boons, there will always be perpetrators who misuse it. The Paris attacks are one example where WhatsApp was used as a means of communication among the terrorists.

Good or bad, encryption is here to stay.

