How WhatsApp End-to-End encryption works?

Wasif Irshad's photo
Wasif Irshad
·

3 min read

How WhatsApp End-to-End encryption works?

Many People are Amazed by WhatsApp End-To-End Encryption but many few knows how technically it actually works!

Wait, Can you read this *&53@#1!()-?/ ?
No! probably because this is what it seems to anyone who tries to hack & read the messages through the network (which is really really tough though!) whatsapp-2842640_640.png

Insights:

You sent a message to your friend. WhatsApp encrypts the message on your device, this encrypted message passes through bunch of networks and servers and reaches your friend and finally, it is decrypted on your friend’s device. The messages are secured with keys, and only the recipient has the key to decrypt and read the messages.

WhatsApp uses Signal Protocol developed by Open Whisper Systems. They have their own messaging application as well - Signal! (Remember when people protested against WhatsApp?) Signal Protocol consists of - Double Ratchet algorithm, pre-keys, and uses Curve25519, AES-256, and HMAC-SHA256 as cryptographic primitives.

Scenario:

Wasif wants to send a message to Ria. For this to happen Wasif & Ria has has 2 keys.
Wasif's Public Key & Private Key.
Ria's Public Key & Private Key.
Also,
PlainText(text, image etc) is unencrypted data and CipherText is the encrypted one.
PlainText + SecretKey = CipherText
CipherText - SecretKey = PlainText
 The idea is to keep one key with ourselves(called private key) and distribute corresponding key to anyone who wants to communicate with you (called public key)

Screenshot 2021-07-28 at 3.03.47 PM.png

Wasif wants to send a message to Ria, will encrypt using Ria's public key, which no one else can decrypt because nobody other than Ria has her Private key
(as we said only corresponding his/her private key can ONLY decrypt)

So what does END-to-END encryption means?

Your Private and Public Key is generated as when you install WhatsApp. And, no other entity surveillance or not even WhatsApp has the access to your private key,
as private key never goes into the network.

Bonus:

Screenshot_2021-07-28-15-43-21-989_com.whatsapp.jpg

On WhatsApp, you can actually see public-encryption-code used between you and the recipient.
It consists of a 60 digit number comprising of Your Public Key + Recipient's Public Key
As, you use your recipient's public to encrypt the messages and he uses his private key to decrypt and vice versa. (Again, your private key never goes into the network)

Postlude:

Signal protocol is implemented correctly, WhatsApp servers still know which whatsApp user is interacting with which user, how frequently, how recently. If you have your mobile number registered on facebook and is the same one you use for whatsApp. They could (hypothetically) use this information to associate your friend’s activity on facebook and serve you relevant ad which may end up surprising you :D

whatsappencryptionsocial mediaCryptographySecurity