Explaining WhatsApp end-to-end encryption

Published by admin on

Author: Sumair Ijaz Hashmi (currently a junior and Research Assistant at SIA LUMS, and summer intern at CISPA)

Society today depends heavily on digital communication platforms to connect with people across the world. WhatsApp is one such platform, widely popular because it is convenient to use and makes it easy to stay in touch with coworkers, friends, family, and colleagues. However, in this era of heavy reliance on instant messaging applications and social media, security and privacy are paramount concerns that have attracted significant attention in the news and in political discourse [1, 2]. While such issues are important problems for researchers and policymakers, they are often misunderstood by the ordinary public. In this article, we explain one security-related feature of WhatsApp: end-to-end encryption and the QR code verification process that goes with it. We want to explain intuitively what problem the feature solves and how the average user can protect themselves on WhatsApp.

End-to-end encryption

WhatsApp implements end-to-end encryption: a security feature that keeps a user's private messages from being read by anyone who intercepts them in transit or obtains them from a server in a data breach. At a high level, the sender and the recipient each hold keys that are used to encrypt and decrypt the data transferred between them. The sender encrypts a message and sends it; the recipient decrypts it to recover its content. Anyone else who intercepts the message, including the WhatsApp servers that relay it, sees only ciphertext: what looks like random gibberish. This feature guarantees that only the sender and the intended recipient can read the transferred messages. No one else, not even the developers and operators at WhatsApp, has access to their true content. Note what the feature does not cover: the message is readable on the two endpoint devices themselves, so a phone that is lost while unlocked, infected with malware, or handed to someone else exposes the conversation regardless of how it was protected in transit.

Let’s look at end-to-end encryption with an example: imagine we have two friends, Mobin and Sumair, who wish to plan a surprise for their third friend, Nida, whose birthday is next week. Sumair wants to talk to Mobin about planning the event; therefore, he sends an encrypted message to Mobin that only she can read. When Sumair types his message on WhatsApp and hits send, his app encrypts the message with a key that only his device and Mobin's device hold. The two apps agree on this key when the chat is set up: they exchange public keys through WhatsApp's servers, but the resulting secret key is computed on the two phones and is never sent anywhere. The encrypted message travels through WhatsApp's servers to Mobin's device. When we say that the message is ‘encrypted’, we mean it has undergone mathematical operations that transform it into what looks like a random combination of letters, symbols, and numbers. Hence, if someone like Nida looks at the encrypted message, it appears to be gibberish and cannot be meaningfully understood. When Mobin receives the message, her app decrypts it back into the original text that Sumair wrote. Since no one else holds the key used to encrypt and decrypt these messages, no one else can read what is being transferred between them. This procedure gives Mobin and Sumair a confidential channel of communication.
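The exchange described above, as an added example that is not part of the original article and not WhatsApp's own code. It uses Go's standard library only: each "phone" generates an X25519 key pair, the two phones derive the same session key from their own private key and the other's public key, and messages are sealed with AES-256-GCM. The single HMAC step used as a key-derivation function, its fixed salt, and the absence of the per-message key ratcheting that the real protocol performs are simplifications made for this demo. Nida here plays the role of anyone who can see the traffic but holds neither phone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party models one user's phone. The private key is generated on the device
// and never leaves it; only the public key is published (in WhatsApp's case,
// uploaded to the server so that other users can fetch it).
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewParty creates a device with a fresh X25519 key pair.
func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicKey is the 32-byte value this device is happy for anyone to see.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey derives the symmetric key shared with the peer whose public key
// is given. Both sides compute the same value from their own private key and
// the other's public key; the server, which only ever saw public keys, cannot.
// The HMAC step is a minimal key-derivation function with an illustrative
// fixed salt (an assumption of this demo, not WhatsApp's derivation).
func (p *Party) SessionKey(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, []byte("e2ee-demo-salt"))
	kdf.Write(shared)
	return kdf.Sum(nil), nil // 32 bytes: an AES-256 key
}

// Seal encrypts and authenticates plaintext with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error if the key is wrong or if any byte
// of the message was altered on the way.
func Open(key, box []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(box) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ciphertext := box[:gcm.NonceSize()], box[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	sumair, _ := NewParty("Sumair")
	mobin, _ := NewParty("Mobin")
	nida, _ := NewParty("Nida") // sees the traffic, holds neither phone

	// Each phone derives the session key from the other's public key.
	kSumair, _ := sumair.SessionKey(mobin.PublicKey())
	kMobin, _ := mobin.SessionKey(sumair.PublicKey())
	fmt.Println("same key on both phones:", hmac.Equal(kSumair, kMobin))

	// Sumair sends; the server (and Nida) only ever see box.
	box, _ := Seal(kSumair, []byte("Nida's party is Saturday, keep it quiet"))
	fmt.Printf("what the server relays: %x...\n", box[:16])

	plain, err := Open(kMobin, box)
	fmt.Printf("Mobin reads: %q (err=%v)\n", plain, err)

	// Nida knows Sumair's public key but not Mobin's private key, so the key
	// she derives is a different value and decryption fails.
	kNida, _ := nida.SessionKey(sumair.PublicKey())
	_, err = Open(kNida, box)
	fmt.Println("Nida's attempt fails:", err != nil)
}
```

The design choice worth noticing is that the only values ever handed to the relay are the two public keys and the sealed box; the AEAD tag also means a relay that flips a single byte is detected rather than silently delivering a corrupted message.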

QR code scanning

WhatsApp also provides a security code verification process that further strengthens the protection of a conversation between two people. It gives users a reliable way to confirm that they are really talking to the person they intend. Each WhatsApp chat has its own security code, shown both as a QR code and as a 60-digit number; it is a visible fingerprint of the encryption keys the two apps hold for each other, so both participants see the same code for that chat. Scanning the QR code (or comparing the digits) confirms that the key each app is using really belongs to the other person and not to an impostor who has inserted themselves between the two, which is what an attacker would need to do to intercept the conversation. Note that the scan does not exchange keys: the keys were already exchanged when the chat was set up, and verification checks that this exchange was not tampered with. If the codes match, both parties can be confident that messages between them can only be decrypted on their own two devices, even if the servers relaying them are breached.

The QR code verification process works as follows; Figure 1 visualizes this process as well.

  • Both users open WhatsApp on their mobile devices and go to their chat with each other.
  • They tap on the other user’s name to view their profile (this is the screen where you can see their phone number, WhatsApp status, and any media shared between the two of you).
  • Then tap the “Encryption” entry that can be seen on their profile. Alternatively, you can tap the three dots to open additional options and choose “Verify security code”.
  • This screen shows the chat's QR code and its 60-digit security code. Both users can either scan each other’s QR code or compare the 60-digit number manually, digit by digit; a match verifies the chat, while a mismatch means one of the apps holds a key that does not belong to the other person.
Figure 1: Visualization of how to do QR code verification of any user
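A worked model of the security code behind the QR scan, added here as an example and not taken from the article or from WhatsApp's own implementation. The structure follows the Signal-style fingerprint that WhatsApp displays: each party's identity public key is hashed iteratively, the hash output is turned into 30 decimal digits, and the two halves are joined in sorted order so that both phones show the same 60 digits. The round count, the encoding of bytes into digits, and the use of the raw 32-byte key as the only hash input are choices made for this demo, not WhatsApp's exact algorithm. The final part of the block shows what a practitioner cares about: when an impostor sits between the two phones and substitutes her own key on each side, the two screens no longer show the same code.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"fmt"
	"strings"
)

const (
	hashRounds   = 5200 // iteration count chosen for the demo
	digitsPerKey = 30   // each party contributes 30 of the 60 digits
)

// HalfCode turns one identity public key into a 30-digit string. The hash is
// iterated so that searching for a key with a matching fingerprint costs
// work, and the first 30 bytes of the digest are read as six 5-byte numbers,
// each reduced mod 100000 to give five decimal digits.
func HalfCode(identityKey []byte) string {
	digest := sha512.Sum512(identityKey)
	for i := 1; i < hashRounds; i++ {
		digest = sha512.Sum512(append(digest[:], identityKey...))
	}
	var sb strings.Builder
	for i := 0; i < digitsPerKey/5; i++ {
		var n uint64
		for _, b := range digest[i*5 : i*5+5] {
			n = n<<8 | uint64(b)
		}
		fmt.Fprintf(&sb, "%05d", n%100000)
	}
	return sb.String()
}

// SecurityCode combines the two halves in sorted order, so both phones
// compute exactly the same 60 digits regardless of who is "me" and "them".
func SecurityCode(myKey, theirKey []byte) string {
	a, b := HalfCode(myKey), HalfCode(theirKey)
	if a > b {
		a, b = b, a
	}
	return a + b
}

// Matches compares the code this phone computed with the code read from the
// other phone (scanned from its QR code or read out in groups of five).
func Matches(mine, scanned string) bool {
	clean := strings.ReplaceAll(scanned, " ", "")
	return subtle.ConstantTimeCompare([]byte(mine), []byte(clean)) == 1
}

// Pretty renders the code as the twelve groups of five digits shown on screen.
func Pretty(code string) string {
	groups := make([]string, 0, len(code)/5)
	for i := 0; i+5 <= len(code); i += 5 {
		groups = append(groups, code[i:i+5])
	}
	return strings.Join(groups, " ")
}

func main() {
	newKey := func() []byte {
		k, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return k.PublicKey().Bytes()
	}
	sumair, mobin := newKey(), newKey()

	// Honest case: each phone holds the other's real key, so the codes agree.
	onSumair := SecurityCode(sumair, mobin)
	onMobin := SecurityCode(mobin, sumair)
	fmt.Println("Sumair's screen:", Pretty(onSumair))
	fmt.Println("Mobin's screen: ", Pretty(onMobin))
	fmt.Println("match:", Matches(onSumair, onMobin))

	// Man-in-the-middle: an impostor hands each phone her own key instead of
	// the real one and relays traffic. Each phone now fingerprints the
	// impostor's key, so the two screens show different codes and the scan
	// fails, which is exactly what the verification step is for.
	impostor := newKey()
	onSumair = SecurityCode(sumair, impostor) // Sumair believes this is Mobin
	onMobin = SecurityCode(mobin, impostor)   // Mobin believes this is Sumair
	fmt.Println("match under MITM:", Matches(onSumair, onMobin))
}
```

Two details matter in practice: the comparison tolerates the spaces in the on-screen grouping so a user reading digits aloud is not tripped up by formatting, and the scanned value is compared in constant time, which costs nothing here and is the habit to keep for any secret-adjacent comparison.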

For more details on the end-to-end encryption process that WhatsApp deploys, see WhatsApp's own article, which is also a source for this write-up: https://faq.whatsapp.com/820124435853543

References:

[1] https://www.theguardian.com/technology/2018/apr/11/mark-zuckerbergs-testimony-to-congress-the-key-moments

[2] https://www.theguardian.com/technology/2023/mar/23/key-takeaways-tiktok-hearing-congress-shou-zi-chew