
WhatsApp Security Paper Analysis

Calvin Li, Daniel Sanchez, Sean Hua

Introduction

WhatsApp, since its inception six years ago, has quickly grown into a global phenomenon, becoming one of the most popular mobile-based communications applications in the world today. With a user base that eclipsed one billion in February [1], WhatsApp provides a service that potentially endangers the privacy of over 10% of the entire human population. In order to address these security concerns, it was announced in early April that the application now offers full end-to-end encryption (E2EE) [2], meaning all messages, calls, and files, both in a one-on-one and a group setting, are completely secure from hackers or even WhatsApp itself.

In addition to this announcement, WhatsApp released a technical whitepaper [3] detailing the newly incorporated security protocol, from session establishment to actual message encryption, all to support its claim of achieving E2EE. We are here to examine the low-level technical features of each component of the proposed security scheme as well as the algorithms that were utilized, ultimately analyzing whether the system as a whole does indeed provide the level of security that it takes credit for.

Lastly, we want to critique the technical whitepaper itself, specifically on its clarity and thoroughness regarding potential threats and how the E2EE scheme protects against them.

Security Protocol Overview

2.1 Establishing Sessions
Establishing an encrypted session is vital in the Signal Protocol, not just because it allows two parties to get in touch and communicate, but also because the details of the session setup allow the communication between the parties to remain secure.

2.1.1 Sessions Terminology
These are the three keys that are used to establish a session between two users:

Identity Key
A long-term Curve25519 key pair, generated at install time.
Purpose: Signing the Signed Pre Keys; used in creating master_secret.

Signed Pre Key
A medium-term Curve25519 key pair, generated at install time, signed by the Identity Key, and rotated on a periodic timed basis.
Purpose: Used in creating master_secret.

One-Time Pre Key
A one-time-use key pair obtained from a queue of Curve25519 key pairs. Generated at install time, and replenished as needed.
Purpose: Used in creating master_secret when available.

Here are some general terms that will be used later in the paper:

Initiator
Starts the session establishment process.

Recipient
The other user with whom the initiator is trying to establish a session.

ECDH
Elliptic Curve Diffie-Hellman, an anonymous key agreement protocol that allows two parties, each having an elliptic curve public/private key pair, to establish a shared secret over an insecure channel.

HKDF
HMAC-based Extract-and-Expand Key Derivation Function. Key derivation function used to derive Root Key and Chain Key (see section 2.3.1) from master_secret.

2.1.2 Session Setup Process
To establish a session:
1. Initiator requests Identity Key, Signed Pre Key, and One-Time Pre Key from recipient
2. Server returns the requested values. If the queue of One-Time Pre Keys is empty, no One-Time Pre Key is returned.
3. Initiator saves these values as I_r, S_r, O_r
4. Initiator generates ephemeral Curve25519 key pair E_i
5. Initiator loads its own Identity Key as I_i
6. Initiator calculates

   master_secret = ECDH(I_i, S_r) || ECDH(E_i, I_r) || ECDH(E_i, S_r) || ECDH(E_i, O_r)

7. Initiator uses HKDF to create Root Key and Chain Keys from master_secret

2.2 Receiving Sessions
After the initial session setup process, until the recipient responds, all information necessary to build a corresponding session is sent in the header of all messages from the initiator (E_i, I_i). The steps to create a corresponding session are then:
1. Recipient calculates the corresponding master_secret using its own keys and the public keys advertised in the header of the message.
2. The recipient deletes the One-Time Pre Key used by the initiator.
3. Initiator uses HKDF to derive a corresponding Root Key and Chain Keys from master_secret
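The session setup of sections 2.1.2 and 2.2, as an added example that is not code from the whitepaper or from WhatsApp or Open Whisper Systems: a from-scratch X25519 ladder stands in for ECDH, master_secret is the concatenation of the four ECDH outputs in the order of step 6 (the fourth term dropped when no One-Time Pre Key was returned), and HKDF-SHA256 splits it into Root Key and Chain Key. The zero salt, the HKDF info label, the function names and the test keys are our assumptions; verification of the Signed Pre Key's signature is not shown.

```python
import hashlib, hmac

P = 2**255 - 19  # field prime of Curve25519

def x25519(scalar, u):
    """Curve25519 scalar multiplication: the Montgomery ladder of RFC 7748, section 5."""
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp the scalar
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pubkey(priv):
    return x25519(priv, (9).to_bytes(32, "little"))  # base point u = 9

def hkdf64(ikm, salt, info):
    """HKDF-SHA256 (RFC 5869) yielding exactly 64 bytes: extract, then two expand blocks."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    t1 = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    return t1 + hmac.new(prk, t1 + info + b"\x02", hashlib.sha256).digest()

def initiator_master_secret(I_i, E_i, I_r_pub, S_r_pub, O_r_pub=None):
    """Step 6 of 2.1.2 on the initiator side; O_r is absent when the one-time queue was empty."""
    ms = x25519(I_i, S_r_pub) + x25519(E_i, I_r_pub) + x25519(E_i, S_r_pub)
    return ms + (x25519(E_i, O_r_pub) if O_r_pub else b"")

def recipient_master_secret(I_r, S_r, O_r, I_i_pub, E_i_pub):
    """Section 2.2 on the recipient side: the same four ECDH terms with the roles swapped."""
    ms = x25519(S_r, I_i_pub) + x25519(I_r, E_i_pub) + x25519(S_r, E_i_pub)
    return ms + (x25519(O_r, E_i_pub) if O_r else b"")

def root_and_chain_keys(master_secret):
    """Step 7: HKDF splits master_secret into a 32-byte Root Key and a 32-byte Chain Key."""
    okm = hkdf64(master_secret, b"\x00" * 32, b"session-setup")  # info label is our own choice
    return okm[:32], okm[32:]
```

Both sides obtain the same master_secret only because each ECDH term pairs one party's private key with the other's public key; swapping either list of keys changes every byte of the result.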

2.3 User-to-User Messaging Protocol
After establishing sessions, users can securely send messages to each other using a double ratchet implementation to provide a unique one-time key for every individual message sent. This system claims that these ephemeral keys cannot be compromised even if other similar keys are.

2.3.1 Messaging Terminology
There are three keys that are used for encrypting messages sent between two users:

Root Key
32-byte key derived from master_secret
Purpose: Deriving Chain Keys

Chain Key
32-byte key derived from Root Key
Purpose: Deriving Message Keys

Message Key
80-byte key derived from Chain Key:
32 bytes for AES-256 key (message encryption)
32 bytes for HMAC-SHA256 key (message authentication)
16 bytes for IV (random initialization)
Purpose: Encrypting and authenticating a message (one-time use)

2.3.2 Double Ratchet Algorithm
The Double Ratchet Algorithm gets its name from its ratcheting mechanism on the Chain Key to get new Chain Keys, occurring when a user sends a message and when a user receives a message afterwards. When a user sends a message, it hashes the Chain Key to get the next Chain Key. Afterwards, when the user receives a message, it will also receive an ephemeral Curve25519 key used for ratcheting the Chain Key and Root Key forward.

The first ratchet phase is referred to as the Hash Ratchet, since the Chain Key is hashed with HMAC-SHA256 to get the new Chain Key. In this phase, the Chain Key is used to derive the one-time-use Message Key by the following:

Message Key = HMAC-SHA256(Chain Key, 0x01)

Subsequently, the Chain Key is ratcheted forward by the following:

Chain Key = HMAC-SHA256(Chain Key, 0x02)

The second phase, referred to as the DH Ratchet (Diffie-Hellman), occurs when a user receives the message. In addition to receiving the encrypted message, it also sends a public ephemeral Curve25519 key. Using that ephemeral key along with its own (which the user also sends), they both calculate the Chain Key and Root Key as follows, where E_sender and E_recipient are the two ephemeral keys:

ephemeral_secret = ECDH(E_sender, E_recipient)

Chain Key, Root Key = HKDF(Root Key, ephemeral_secret)

Afterwards, it can use these new Chain Keys to create more one-time-use Message Keys to encrypt future messages.
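The two ratchets of section 2.3.2 together with the 80-byte Message Key layout of 2.3.1, as an added example that is not code from the whitepaper or from WhatsApp. It assumes that ephemeral_secret has already been computed by ECDH of the two ephemeral keys, that the 32-byte HMAC output is expanded to the 80-byte Message Key with HKDF (the paper only states the layout), and constructed HKDF info labels and test keys; the function names are ours.

```python
import hashlib, hmac

def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def hkdf(ikm, salt, info, blocks):
    """HKDF-SHA256 (RFC 5869): extract with `salt`, then expand to `blocks` x 32 bytes."""
    prk, out, t = _hmac(salt, ikm), b"", b""
    for i in range(1, blocks + 1):
        t = _hmac(prk, t + info + bytes([i]))
        out += t
    return out

def hash_ratchet(chain_key):
    """One Hash Ratchet step of 2.3.2: (Message Key, next Chain Key)."""
    return _hmac(chain_key, b"\x01"), _hmac(chain_key, b"\x02")

def expand_message_key(message_key):
    """Lay the Message Key out as in 2.3.1: AES-256 key | HMAC-SHA256 key | 16-byte IV.
    The 32-to-80-byte HKDF expansion is our assumption, not stated by the paper."""
    km = hkdf(message_key, b"\x00" * 32, b"message-key", 3)
    return {"aes_key": km[:32], "mac_key": km[32:64], "iv": km[64:80]}

def dh_ratchet(root_key, ephemeral_secret):
    """DH Ratchet step of 2.3.2: HKDF(Root Key, ephemeral_secret) -> (new Root Key, new Chain Key).
    ephemeral_secret is the ECDH output of the two ephemeral Curve25519 keys (computed elsewhere)."""
    okm = hkdf(ephemeral_secret, root_key, b"dh-ratchet", 2)
    return okm[:32], okm[32:]

def sending_chain(chain_key, count):
    """Derive `count` consecutive Message Keys from a Chain Key; returns (keys, final Chain Key)."""
    keys = []
    for _ in range(count):
        mk, chain_key = hash_ratchet(chain_key)
        keys.append(mk)
    return keys, chain_key
```

Running sending_chain from a later Chain Key reproduces every Message Key after it but none before it, which is exactly the asymmetry the DH Ratchet step exists to close: once dh_ratchet mixes in a fresh ephemeral_secret, the old chain predicts nothing.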

2.4 Group Messaging Protocol
For the group messaging protocol, WhatsApp uses similar ratchet schemes to provide security for the messages to the group. For any group, each user has a pairwise encryption scheme by having a Sender Key from all users in the group, used for generating Message Keys for encryption. Whenever a group member decides to leave, they will delete the Sender Key for that given member. The encrypted messages are sent to the WhatsApp server, which will then fan out the messages N times for the N other group members.

2.4.1 Establishing Sender Key
When a new user joins a group and sends its first message, it will first generate a random 32-byte Chain Key and a Curve25519 Signature Key pair. Then, the Chain Key and the public Signature Key will be combined together to create the Sender Key. This Sender Key will be distributed among the N users of the group using the same user-to-user protocol as mentioned above.

2.4.2 Sending Messages in Group Chat
The Chain Key will create the Message Key to then encrypt the message. Following this, it will ratchet forward and update the Chain Key. The encrypted message will then be signed by the sender using the Signature Key from the Sender Key, and the ciphertext will be sent to the server to fan out to the other members in the group.

Paper Analysis

Overall, we think the paper does a great job of describing the protocol used for WhatsApp encryption. They provide details about the encryption schemes for establishing sessions and creating ciphertext, along with some slight justification of why their implementation ensures the confidentiality and integrity of their users' messages. However, we think there are several issues that their paper does not explicitly outline, some of which are crucial to protecting those claims.

3.1 Lack of Threat Model
One major flaw of the paper is the lack of a threat model presented to the reader. A threat model provides an overview of what readers can expect an adversary to do to negate the confidentiality and integrity of the messages being sent. Without the paper explicitly mentioning one, the reader cannot be certain how safe the protocol actually is. Perhaps, with a simple adversary who only eavesdrops on the network, there may not be any security flaws. However, with a more aggressive adversary who may try to pose as an imposter (e.g. a Man-in-the-Middle attack) and intercept messages, the WhatsApp protocol may not be able to provide that same security.

Granted, the paper does mention occasionally how components of their protocol provide security against certain types of adversaries. For instance, they claim the Double Ratchet Algorithm for user-to-user messaging prevents even WhatsApp from deciphering the messages. However, we believe that the threat model should be the foundation of the paper, and their descriptions and analysis of the protocol should be dependent on this threat model.

Security Analysis

4.1 Establishing a Threat Model
For our threat model, we believe that the adversaries can be aggressive and want to break the protocol by either (1) decrypting the ciphertext of many messages or (2) impersonating another user. We are focusing on the confidentiality and integrity of the WhatsApp security protocol and want to see if any adversary, including WhatsApp, can interfere with the messaging between users. We assume that all attacks can be done in computationally polynomial time.

4.2 Security of Sessions
Establishing the sessions is the basis of the security of the messaging protocol, since the Root Key and Chain Keys are derived from master_secret, and master_secret can only be derived by using the corresponding session keys of the two users communicating. While the Identity Key, Signed Pre Key, and One-Time Pre Key are public, the ephemeral key pair E_i is generated when master_secret is generated, and is only passed into the ECDH function, and never sent across the channel by itself. Without this key, it would be very difficult to recreate master_secret. In addition, the Signed Pre Key is rotated on a periodic basis, and the One-Time Pre Key is removed from the server after use. As such, these values would be very difficult to guess after they have already been used.

4.3 Confidentiality of Messaging Protocol
For the security of the Double Ratchet Protocol, they argue that it provides forward secrecy and future secrecy. Both of these properties ensure the confidentiality of encrypted messages, even if one of the keys is compromised.

Forward secrecy is the property that when an adversary compromises a key, he/she cannot compromise previous keys. This property is especially important with the WhatsApp protocol, because although the Message Keys are ephemeral, if compromising one can result in compromising many previous ones, an adversary can gain access to all previous Message Keys and decrypt previously sent messages. The Double Ratchet Protocol handles this scenario with both of the ratcheting actions. The Hash Ratchet changes the Chain Key with a hash function, and because of the properties of hashing, knowing the new Chain Key provides no extra information about the old Chain Key. In addition, updating the Chain Key again with the DH Ratchet makes it also untraceable to the old Chain Key and Root Key.

Future secrecy, a term coined by Open Whisper Systems, refers to the property that when an adversary compromises a key, he/she cannot compromise future keys. This property also applies to the WhatsApp protocol, since with just a Hash Ratchet, it is fairly simple for an adversary to perform the ratchet step to get the future keys. As a result, compromising one key will lead to compromising all future keys, which would also be problematic for the confidentiality of a user's messages. However, because of the algorithm's DH Ratchet, which uses ephemeral keys that cannot be re-derived, the future Chain Keys are unretrievable given a current Chain Key. An adversary would have to know the shared ephemeral secret (see section 2.3.2) to calculate future Chain Keys.

4.4 Integrity of Overall Sessions and Messaging Protocol
In terms of providing integrity of the messages received, WhatsApp provides a method for users to verify the authenticity of a session with another user by scanning a QR code. If a user scans the QR code of another, it verifies that the Identity Key one user has is indeed the correct Identity Key of that user. This procedure provides a measure for exposing the existence of a Man-in-the-Middle (MITM) attack.

However, the user must actively look to verify the authenticity of a session in order to guarantee it. This method does not provide a preventive measure for stopping a MITM attack. As a result, given our threat model, a user cannot guarantee the integrity of the messages received. An adversary can pose as the middleman for a session, and then decide to end the session. After the session is recreated, the user will never realize that an adversary was intercepting all of the messages.

As a result, WhatsApp can further the security protocol by including a preventive measure for MITM attacks. This is an example of how users often can trust the session they make at the beginning, also known as Trust On First Use (TOFU). Instead of trusting that the session made is indeed with the intended person, there should be a verification step to confirm that it is indeed the correct user someone is trying to communicate with.

5 Future Work

5.1 Code Analysis
A big contributor to WhatsApp's actual implementation of the security protocol is available online as open source via Open Whisper Systems. For a more holistic analysis of the security implications of WhatsApp's proposed E2EE, we'd like to take a close look at the code and examine whether session initialization and message encryption do indeed incorporate the techniques stated in the paper. This will also give us the opportunity to discover any potential vulnerabilities that the paper might have missed.

Conclusion

WhatsApp is now one of the world's biggest platforms for online communication, and at a time when security risks are scrutinized more than ever, possibly exposing a user's private messages or files to a hacker or cybercriminal would be catastrophic. In response to these concerns, WhatsApp announced in April that the application has incorporated full end-to-end encryption, offering protection against any potential malicious entities, including itself.

After analyzing the technical whitepaper that WhatsApp released in conjunction with its big security announcement, we have come to a confident conclusion that it is impossible for any adversary to, in computationally polynomial time, intercept an encrypted message and subsequently decrypt it. A large factor in providing this security layer comes from WhatsApp's clever use of ephemeral and dynamic keys, with special recognition to the Double Ratchet algorithm that guarantees forward and future secrecy, so that even if a Chain Key is compromised, it is impossible to calculate past or future ones.

However, one potential point of concern is WhatsApp's session establishment. After a session is first initialized between two users, the same session is used for all subsequent interactions between the two, barring an external change like app uninstallation/reinstallation or a device change. This leaves the system vulnerable to Man-in-the-Middle attacks, which are extremely dangerous. WhatsApp does offer a Key Verification feature to make sure that the person on the other end of the chat is who you think he/she is, but because this is not mandatory, users will be put at risk if they simply rely on the Trust On First Use principle that is inherent in session establishment. We propose to simply add a verification step before session creation to confirm that the connection is authentic.

References
[1] Statt, Nick. WhatsApp has grown to 1 billion users. The Verge. <http://www.theverge.com/2016/2/1/10889534/whatsapp1billionusersfacebookmarkzuckerberg>
[2] Koum, Jan. end-to-end encryption. WhatsApp Blog. <https://blog.whatsapp.com/10000618/endtoendencryption>
[3] WhatsApp Encryption Overview: Technical White Paper. WhatsApp. <https://www.whatsapp.com/security/WhatsAppSecurityWhitepaper.pdf>
