Calvin Li, Daniel Sanchez, Sean Hua
1 Introduction
WhatsApp, since its inception six years ago, has quickly grown into a global phenomenon, becoming one of the most popular mobile-based communications applications in the world today. With a user base that eclipsed one billion in February [1], WhatsApp provides a service that potentially endangers the privacy of over 10% of the entire human population. In order to address these security concerns, it was announced in early April that the application now offers full end-to-end encryption (E2EE) [2], meaning all messages, calls, and files, both in a one-on-one and group setting, are completely secure from hackers or even WhatsApp itself. In addition to this announcement, WhatsApp released a technical whitepaper [3] detailing the newly incorporated security protocol, from session establishment to actual message encryption, all to support its claim of achieving E2EE. We are here to examine the low-level technical features of each component of the proposed security scheme as well as the algorithms that were utilized, ultimately analyzing if the system as a whole does indeed provide the level of security that it takes credit for.
Lastly, we want to critique the technical whitepaper itself, specifically on its clarity and thoroughness regarding potential threats and how the E2EE scheme protects against them.
2 Security Protocol Overview
2.1 Establishing Sessions
Establishing an encrypted session is vital in the Signal Protocol, not just because it allows two parties to get in touch and communicate, but also because the details of the session setup allow for the communication between the parties to remain secure.
2.1.1 Sessions Terminology
These are the three keys that are used to establish a session between two users:
Identity Key
A long-term Curve25519 key pair, generated at install time.
Purpose: Signing the Signed PreKeys; used in creating master_secret
Signed PreKey
A medium-term Curve25519 key pair, generated at install time, signed by the Identity Key, and rotated on a periodic timed basis.
Purpose: Used in creating master_secret
One-Time PreKey
A one-time-use key pair obtained from a queue of Curve25519 key pairs. Generated at install time, and replenished as needed.
Purpose: Used in creating master_secret when available
Here are some general terms that will be used later in the paper:
Initiator
Starts the session establishment process.
Recipient
The other user with whom the initiator is trying to establish a session.
ECDH
Elliptic Curve Diffie-Hellman, an anonymous key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel.
HKDF
HMAC-based Extract-and-Expand Key Derivation Function. Key derivation function used to derive RootKey and ChainKey (see section 2.3.1) from master_secret
2.1.2 Session Setup Process
To establish a session:
1. Initiator requests Identity Key, Signed PreKey, and One-Time PreKey from recipient
2. Server returns the requested values. If the queue of One-Time PreKeys is empty, no One-Time PreKey is returned.
3. Initiator saves these values as I_r, S_r, O_r
4. Initiator generates ephemeral Curve25519 key pair E_i
5. Initiator loads its own Identity Key as I_i
6. Initiator calculates master_secret = ECDH(I_i, S_r) || ECDH(E_i, I_r) || ECDH(E_i, S_r) || ECDH(E_i, O_r)
7. Initiator uses HKDF to create RootKey and ChainKeys from master_secret
2.2 Receiving Sessions
After the initial session setup process, until the recipient responds, all information necessary to build a corresponding session is sent in the header of all messages from the initiator (E_i, I_i). The steps to create a corresponding session are then:
1. Recipient calculates the corresponding master_secret using its own keys and the public keys advertised in the header of the message.
2. The recipient deletes the One-Time PreKey used by the initiator.
3. Recipient uses HKDF to derive a corresponding RootKey and ChainKeys from master_secret
2.3 User-to-User Messaging Protocol
After establishing sessions, users can securely send messages to each other using a double ratchet implementation to provide a unique one-time key for every individual message sent. This system claims that these ephemeral keys cannot be compromised even if other similar keys are.
2.3.1 Messaging Terminology
There are three keys that are used for encrypting messages sent between two users:
Root Key
32-byte key derived from master_secret
Purpose: Deriving Chain Keys
Chain Key
32-byte key derived from Root Key
Purpose: Deriving Message Keys
Message Key
80-byte key derived from Chain Key:
32 bytes for AES-256 key (message encryption)
32 bytes for HMAC-SHA256 key (message authentication)
16 bytes for IV (random initialization)
Purpose: Encrypting and authenticating a message (one-time use)
2.3.2 Double Ratchet Algorithm
The Double Ratchet Algorithm gets its name from its ratcheting mechanism on the Chain Key to get new Chain Keys, occurring when a user sends a message and when a user receives a message afterwards. When a user sends a message, it hashes the Chain Key to get the next Chain Key. Afterwards, when the user receives a message, it will also receive an ephemeral Curve25519 key used for ratcheting the Chain Key and Root Key forward.
The first ratchet phase is referred to as the Hash Ratchet, since the Chain Key is hashed with HMAC-SHA256 to get the new Chain Key. In this phase, the Chain Key is used to derive the one-time-use Message Key by the following:
MessageKey = HMAC-SHA256(ChainKey, 0x01)
Subsequently, the Chain Key is ratcheted forward by the following:
ChainKey = HMAC-SHA256(ChainKey, 0x02)
The second phase, referred to as the DH Ratchet (Diffie-Hellman), occurs when a user receives the message. In addition to receiving the encrypted message, it also sends a public ephemeral Curve25519 key. Using that ephemeral key along with its own (which the user also sends), they both calculate the Chain Key and Root Key as follows:
ephemeral_secret = ECDH(Ephemeral_sender, Ephemeral_recipient)
ChainKey, RootKey = HKDF(RootKey, ephemeral_secret)
Afterwards, it can use these new Chain Keys to create more one-time-use Message Keys to encrypt future messages.
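The session setup of sections 2.1.2 and 2.2 and the two ratchets of section 2.3.2, carried through as an added example (Python, standard library only); this is not code from the whitepaper, WhatsApp or Open Whisper Systems. X25519 is written out from RFC 7748 because the standard library has no Curve25519; the HKDF info labels, the use of the RootKey as the HKDF salt in the DH ratchet, and the HKDF expansion of the 32-byte HMAC output into the 80-byte Message Key are assumptions of this example, not details the paper states.

```python
import hmac, hashlib

P = 2**255 - 19  # field prime for Curve25519

def x25519(k, u):  # RFC 7748 Montgomery ladder: clamped scalar k times u-coordinate u (32-byte LE)
    k = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp per RFC 7748
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pub(priv):  # public key = scalar times the base point u = 9
    return x25519(priv, (9).to_bytes(32, "little"))

def hkdf(ikm, info, n, salt=b"\0" * 32):  # HKDF-SHA256 (RFC 5869): extract, then expand to n bytes
    prk, out, blk = hmac.new(salt, ikm, hashlib.sha256).digest(), b"", b""
    for i in range(1, -(-n // 32) + 1):
        blk = hmac.new(prk, blk + info + bytes([i]), hashlib.sha256).digest()
        out += blk
    return out[:n]

# 2.1.2 / 2.2: master_secret on each side, then RootKey || ChainKey via HKDF
def initiator_secret(I_i, E_i, I_r_pub, S_r_pub, O_r_pub=None):
    ms = x25519(I_i, S_r_pub) + x25519(E_i, I_r_pub) + x25519(E_i, S_r_pub)
    return ms + (x25519(E_i, O_r_pub) if O_r_pub else b"")  # no O_r term if the queue was empty
def recipient_secret(I_r, S_r, O_r, I_i_pub, E_i_pub):  # the same three or four secrets, mirrored
    ms = x25519(S_r, I_i_pub) + x25519(I_r, E_i_pub) + x25519(S_r, E_i_pub)
    return ms + (x25519(O_r, E_i_pub) if O_r else b"")
def root_and_chain(secret, root_key=b"\0" * 32):  # returns (RootKey, ChainKey); info label assumed
    out = hkdf(secret, b"example-session", 64, salt=root_key)
    return out[:32], out[32:]

# 2.3.2: Hash Ratchet (symmetric step) and DH Ratchet (ephemeral ECDH mixed into the RootKey)
def hash_ratchet(ck):  # MessageKey = HMAC(CK, 0x01); next ChainKey = HMAC(CK, 0x02)
    mk = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    return hmac.new(ck, b"\x02", hashlib.sha256).digest(), mk
def split_message_key(mk):  # 80 bytes -> AES-256 key, HMAC-SHA256 key, IV (HKDF expansion assumed)
    k = hkdf(mk, b"example-message", 80)
    return k[:32], k[32:64], k[64:]
def dh_ratchet(root_key, our_eph_priv, their_eph_pub):  # HKDF(RootKey, ephemeral_secret)
    return root_and_chain(x25519(our_eph_priv, their_eph_pub), root_key)
```

Both sides reach identical RootKey, ChainKey and Message Keys from their own private keys and the other side's public values, and the DH ratchet output depends on an ephemeral secret that neither the old RootKey nor the old ChainKey reveals.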
2.4 Group Messaging Protocol
For the group messaging protocol, WhatsApp uses similar ratchet schemes to provide security for the messages to the group. For any group, each user has a pairwise encryption scheme by having a Sender Key from all users in the group, used for generating Message Keys for encryption. Whenever a group member decides to leave, they will delete the Sender Key for that given member. The encrypted messages are sent to the WhatsApp server, which will then fan out the messages N times for the N other group members.
2.4.1 Establishing Sender Key
When a new user joins a group and sends its first message, it will first generate a random 32-byte Chain Key and a Curve25519 Signature Key key pair. Then, the Chain Key and public Signature Key will be combined together to create the Sender Key. This Sender Key will be distributed among the N users in the group using the same user-to-user protocol as mentioned above.
2.4.2 Sending Messages in Group Chat
The Chain Key will create the Message Key to then encrypt the message. Following that, it will ratchet forward and update the Chain Key. The encrypted message will then be signed by the sender using the Signature Key from the Sender Key, and the ciphertext will be sent to the server to fan out to the other members in the group.
3 Paper Analysis
Overall, we think the paper does a great job of describing the protocol used for WhatsApp encryption. They provide details about the encryption schemes for establishing sessions and creating ciphertext, along with some slight justifications on why their implementation ensures the confidentiality and integrity of their users' messages. However, we think there are several issues that their paper does not explicitly outline, some of which are crucial to protecting those claims.
3.1 Lack of Threat Model
One major flaw of the paper is the lack of a threat model presented to the reader. A threat model provides an overview of what readers can expect an adversary to do to negate the confidentiality and integrity of the messages being sent. Without the paper explicitly mentioning one, the reader cannot be certain how safe the protocol actually is. Perhaps, with a simple adversary who only eavesdrops on the network, there may not be any security flaws. However, with a more aggressive adversary who may try to pose as an imposter (e.g. a Man-in-the-Middle attack) and intercept messages, the WhatsApp protocol may not be able to provide that same security.
Granted, the paper does mention occasionally how components of their protocol provide security against certain types of adversaries. For instance, they claim the Double Ratchet Algorithm for user-to-user messaging prevents even WhatsApp from deciphering the messages. However, we believe that the threat model should be the foundation of the paper, and their descriptions and analysis of the protocol should be dependent on this threat model.
4 Security Analysis
4.1 Establishing a Threat Model
For our threat model, we believe that the adversaries can be aggressive and want to break the protocol by either (1) decrypting the ciphertext of many messages or (2) impersonating another user. We are focusing on the confidentiality and integrity of the WhatsApp security protocol and want to see if any adversary, including WhatsApp, can interfere with the messaging between users. We assume that all attacks can be done in computationally polynomial time.
4.2 Security of Sessions
Establishing the sessions is the basis of the security of the messaging protocol, since the Root Key and Chain Keys are derived from master_secret, and master_secret can only be derived by using the corresponding session keys of the two users communicating. While the Identity Key, Signed PreKey, and One-Time PreKey are public, the ephemeral key pair E_i is generated when master_secret is generated, and is only passed into the ECDH function, and never sent across the channel by itself. Without this key, it would be very difficult to recreate master_secret. In addition, the Signed PreKey is rotated on a periodic basis, and the One-Time PreKey is removed from the server after use. As such, these values would be very difficult to guess after they have already been used.
4.3 Confidentiality of Messaging Protocol
For the security of the Double Ratchet Protocol, they argue that it provides forward secrecy and future secrecy. Both of these properties ensure the confidentiality of encrypted messages, even if one of the keys is compromised.
Forward secrecy is the property that when an adversary compromises a key, he/she cannot compromise previous keys. This property is especially important with the WhatsApp protocol, because although the Message Keys are ephemeral, if compromising one can result in compromising many previous ones, an adversary can gain access to all previous Message Keys and decrypt previously sent messages. The Double Ratchet Protocol handles this scenario with both of the ratcheting actions. The Hash Ratchet changes the Chain Key with a hash function, and because of the properties of hashing, knowing the new Chain Key provides no extra information about the old Chain Key. In addition, updating the Chain Key again with the DH Ratchet makes it also untraceable to the old Chain Key and Root Key.
Future secrecy, a term coined by Open Whisper Systems, refers to the property that when an adversary compromises a key, he/she cannot compromise future keys. This property is also relevant to the WhatsApp protocol, since with just a Hash Ratchet, it is fairly simple for an adversary to perform the ratchet step to get the future keys. As a result, compromising one key would lead to compromising all future keys, which would also be problematic for the confidentiality of a user's messages. However, because of the algorithm's DH Ratchet, which uses ephemeral keys that cannot be re-derived, the future Chain Keys are unretrievable given a current Chain Key. An adversary would have to know the shared ephemeral secret (see section 2.3.2) to calculate future Chain Keys.
4.4 Integrity of Overall Sessions and Messaging Protocol
In terms of providing integrity of the messages received, WhatsApp provides a method for users to verify the authenticity of a session with another user by scanning a QR code. If a user scans the QR code of another, it verifies that the Identity Key one user has is indeed the correct Identity Key of that user. This procedure provides a measure for exposing the existence of a Man-in-the-Middle (MITM) attack.
However, the user must actively look to verify the authenticity of a session in order to guarantee it. This method does not provide a preventive measure for stopping a MITM attack. As a result, given our threat model, a user cannot guarantee the integrity of the messages received. An adversary can pose as the middleman for a session, and then decide to end the session. After the session is recreated, the user will never realize that an adversary was intercepting all of the messages.
As a result, WhatsApp can further the security protocol by including a preventive measure for MITM attacks. This is an example of how users often trust the session they make at the beginning, also known as Trust On First Use (TOFU). Instead of trusting that the session made is indeed with the right person, there should be a verification step to confirm that it is indeed the correct user someone is trying to communicate with.
5 Future Work
5.1 Code Analysis
A big contributor to WhatsApp's actual implementation of the security protocol is available online as open source via Open Whisper Systems. For a more holistic analysis of the security implications of WhatsApp's proposed E2EE, we'd like to take a close look at the code and examine if session initialization and message encryption do indeed incorporate the techniques stated in the paper. This will also give us the opportunity to discover any potential vulnerabilities that the paper might have missed.
6 Conclusion
WhatsApp is now one of the world's biggest platforms for online communication, and at a time when security risks are scrutinized more than ever, possibly exposing a user's private messages or files to a hacker or cybercriminal would be catastrophic. In response to these concerns, WhatsApp announced in April that the application has incorporated full end-to-end encryption, offering protection against any potential malicious entities, including itself.
After analyzing the technical whitepaper that WhatsApp released in conjunction with its big security announcement, we have come to a confident conclusion that it is impossible for any adversary to, in computationally polynomial time, intercept an encrypted message and subsequently decrypt it. A large factor in providing this security layer comes from WhatsApp's clever use of ephemeral and dynamic keys, with special recognition to the Double Ratchet algorithm that guarantees forward and future secrecy, so that even if a Chain Key is compromised, it is impossible to calculate past or future ones.
However, one potential point of concern is WhatsApp's session establishment. After a session is first initialized between two users, the same session is used for all subsequent interactions between the two, barring an external change like app uninstallation/reinstallation or a device change. This leaves the system vulnerable to Man-In-The-Middle attacks, which are extremely dangerous. WhatsApp does offer a Key Verification feature to make sure that the person on the other end of the chat is who you think he/she is, but because this is not mandatory, users will be put at risk if they simply rely on the Trust On First Use principle that is inherent in session establishment. We propose to simply add a verification step before session creation to confirm that the connection is authentic.
References
[1] Statt, Nick. WhatsApp has grown to 1 billion users. The Verge. http://www.theverge.com/2016/2/1/10889534/whatsapp-1-billion-users-facebook-mark-zuckerberg
[2] Koum, Jan. end-to-end encryption. WhatsApp Blog. https://blog.whatsapp.com/10000618/end-to-end-encryption
[3] WhatsApp Encryption Overview: Technical White Paper. WhatsApp. https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf