Even calls and group chats will be encrypted.
By Dileep Thekkethil
WhatsApp has introduced a new end-to-end encryption feature along with its latest update, enabling the long-awaited secure messaging that automatically encrypts text, images and videos sent through the world’s most used instant messaging app.
According to the Facebook-owned company, the new feature makes it impossible for third parties, including WhatsApp to read private messages.
Even calls and group chats will be encrypted, which essentially means that cyber criminals, law enforcement agencies, and even WhatsApp cannot snoop into conversations.
The release of the new feature was announced by WhatsApp co-founder Jan Koum through his official Facebook handle. He said that the company has been striving hard for the last two years to come up with the feature.
Koum wrote, “We’ve been working for the past two years to give people better security over their conversations on WhatsApp… People deserve security. It makes it possible for us to connect with our loved ones. It gives us the confidence to speak our minds. It allows us to communicate sensitive information with colleagues, friends, and others. We’re glad to do our part in keeping people’s information out of the hands of hackers and cyber-criminals.”
According to the Washington Post, the instant messaging giant now uses a new encryption protocol called the Signal Protocol, designed by Open Whisper Systems.
WhatsApp has released a document explaining how the new encryption works. According to the document, a user establishes a secure encrypted session the first time a message is sent to another WhatsApp user. That session persists until it is lost to an external event such as the app being deleted or reinstalled.
To start an encrypted conversation with another WhatsApp client, the initiator (WhatsApp does this automatically) requests the recipient’s public Identity Key, public Signed Pre Key and a single public One-Time Pre Key.
The WhatsApp server returns all the requested public key values, including the One-Time Pre Key, which is used only once and then removed from the server. The resulting session keys are saved in the initiator’s WhatsApp data.
While initiating a session, the initiator’s public keys (including the one-time key material) are advertised in the header of the message, and the receiving end decodes them using the private keys stored on its device.
Once a session has been established, clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication.
The Message Key changes for each message sent and is ephemeral, such that the Message Key used to encrypt a message cannot be reconstructed from the session state after a message has been transmitted or received.
The Message Key is derived from a sender’s Chain Key that “ratchets” forward with every message sent. Additionally, a new ECDH agreement is performed with each message roundtrip to create a new Chain Key. This provides forward secrecy through the combination of both an immediate “hash ratchet” and a round trip “DH ratchet.”
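The hash ratchet and the per-message AES-256-CBC plus HMAC-SHA256 protection described above, as an added example that is not WhatsApp’s or Open Whisper Systems’ code: the 0x01/0x02 labels for deriving the Message Key and the next Chain Key follow the whitepaper, while expanding the Message Key into AES key, MAC key and IV with labelled HMACs (and the resulting deterministic IV) is an assumption made here in place of the whitepaper’s HKDF step.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// mac computes HMAC-SHA256 of data under key.
func mac(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// Ratchet derives the next Message Key (HMAC label 0x01) and next Chain Key (label 0x02).
// The caller keeps only nextChainKey, so a used Message Key cannot be rebuilt from later state.
func Ratchet(chainKey []byte) (msgKey, nextChainKey []byte) {
	return mac(chainKey, []byte{0x01}), mac(chainKey, []byte{0x02})
}

// Seal encrypts with AES-256-CBC (PKCS#7) and appends an HMAC-SHA256 tag. AES key, HMAC key and IV are
// expanded from the Message Key with labelled HMACs (assumed here in place of the whitepaper's HKDF).
func Seal(mk, plaintext []byte) []byte {
	enc, auth, iv := mac(mk, []byte("enc")), mac(mk, []byte("mac")), mac(mk, []byte("iv"))[:aes.BlockSize]
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(enc) // enc is 32 bytes, so this cannot fail
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(ct, mac(auth, ct)...)
}

// Open checks the tag before decrypting; a forged, truncated or altered blob yields ok=false.
func Open(mk, blob []byte) (plaintext []byte, ok bool) {
	enc, auth, iv := mac(mk, []byte("enc")), mac(mk, []byte("mac")), mac(mk, []byte("iv"))[:aes.BlockSize]
	n := len(blob) - sha256.Size
	if n < aes.BlockSize || n%aes.BlockSize != 0 || !hmac.Equal(blob[n:], mac(auth, blob[:n])) {
		return nil, false
	}
	block, _ := aes.NewCipher(enc)
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, blob[:n])
	if p := int(pt[n-1]); p >= 1 && p <= aes.BlockSize && bytes.Equal(pt[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return pt[:n-p], true
	}
	return nil, false
}
```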
The WhatsApp document on encryption also says that voice calls and large file attachments such as images and videos pass through the same encryption. Because each new message uses a separate key, downloads may take slightly longer than usual.
The new WhatsApp feature is enabled by default and users cannot disable it, unlike Telegram, which gives users the option to turn encryption off. Also, the encryption feature will be active only if the users at both ends are on the latest version of the app.
Once WhatsApp detects two users with the updated version, it notifies saying “Messages you send to this chat and calls are now secured with end-to-end encryption. Tap for more info.”
On tapping the notification, a new pop-up window opens with a message saying: Messages you send to this chat and calls are now secured with end-to-end encryption, which means WhatsApp and third parties can’t read or listen to them.
To ascertain whether the new encryption feature is working on the phone, users can tap the verify option, which takes them to a QR code page with a string of 60 digits. If the friend is nearby, the users can verify by scanning each other’s QR code. If the QR codes match, the messages sent between the accounts are automatically encrypted.
However, a few reports claim that the encryption verification has failed in chats between Android-based phones and the ones running iOS. Another update from WhatsApp will probably come with a fix for the bug.
When I am trying to verify the end-to-end encryption with my friend who is not physically present with me (by scanning the screenshot sent by him), the application suddenly quits.