End to End Encryption :- How WhatsApp keeps your Chats Secure.
In times where Data is the new Oil, security is indeed an integral part of our lives. Well not just that, we don’t want that Friend of ours to 👀 into our Personal Chats whenever they have a go to check the selfie 🤳 that you clicked of theirs isn’t it?
You name it, be it WhatsApp, Signal, Telegram or any other messaging app that is popular among the charts on Playstore and App store have this feature named “End to End Encryption” that we all once in our initial days of using these Apps were curious about. Today, we’ll be going into the Details of the same Cryptographic Security Barrier that keeps your messages secure, such that no 3rd Party Accesses it, be it even WhatsApp or its parent company, Facebook.
Before jumping into the main content, we’ll get familiarise with some common basic Cryptography in Layman’s terms.
- Public key.
The word “Public" itself clears what Public key is, available Publically. Public key in Cryptography is a text consisting of letters, numbers, special characters that is random in nature (but has a lot of mathematical Computations behind it). This key is basically available with 3rd Party access and converts the plain message to encrypted message(unreadable).
- Private Key.
Again just like the name itself, private keys are Secure keys that are available with the sender and receiver only. This means that only the receiver will be able to Decrypt the message and no one else.
- Symmetric key Cryptography.
In symmetric key Cryptography, the same key is used for both Encryption & Decryption.
- Asymmetric Key Cryptography.
In Asymmetric Key Cryptography, different keys are used for both Encryption & Decryption.
It is a temporary interactive duration where 2 or more communicating devices can exchange messages & multimedia information. Session information for each device is usually identified uniquely by a Session id.
Now let’s get into the Main Content.
Public keys :-
WhatsApp uses 3 Public Keys, namely Identity key pair, Signed-pre key & One-time pre key. These keys are used to Uniquely identify a user & are stored into the server. These public keys are constructed from Elliptic curve25519 function which is based on a very famous Cryptographic Function named Diffe-Hellman key exchange.
A master_secret key is used for maintaining a Session between sender and receiver. It is calculated using following formula.
master_secret = ECDH(Ii,Sr) || ECDH(Ei,Ir) || ECDH(Ei,Sr) || ECDH(Ei,Or)
where ECDH = Elliptic curve Diffe-Hellman, I = Identity Key,S = Signed pre Key, E = Ephermal curve25519 pair,O = One-time pre Key & I & r suffix denote Initiator(sender) & receiver.
One point to note that the above Public Keys are used solely for Uniquely Identifying a User. For 1-on-1 chats and Group chats, WhatsApp uses a set of different keys that we will be looking now.
Session keys :-
WhatsApp uses a set of 3 keys namely Root key, Chain key and a Message key.
- Root Key
It is a 32 byte value used to create Chain key.
- Chain Key
It is a 32 byte value used to create Message key.
- Message Key
It is a 80 byte value used to Encrypt messages (there it is, the secret to privacy 😎) well not yet. Out of 80 bytes, 32 bytes are passed to AES256 standard for Encryption, 32 bytes to HMAC SHA256 for Authentication & 16 bytes to an IV.
Message Key is Unique for each message, means no 2 messages will have the same Key. It is calculated as
Message Key = HMAC-SHA256 (Chain Key, 0x01)
The chain key after each message updated as follows
Chain Key = HMAC-SHA256 (Chain Key, 0x02)
The Chain Key……. , wait hold on🤔!!! Isn’t it derived from some other Key? Yes Root Key, which is calculated as
ephemeral_secret = ECDH[Ephemeral (sender),Ephemeral (receiver)]
Chain Key, Root Key = HKDF(Root Key, Ephemeral secret)
This process of updating is called “ratcheting forward” means no 2 messages will have the same Message Key and it becomes impossible for any Unauthorised user to construct the message from previous keys.
Transmitting Media Files :-
It’s not just limited to plain text messages. WhatsApp End to End Encryption also works on its Media Files as well. The process of Encryption is carried out as follows :-
- The sender side generates a 32 byte AES256 Key, followed by a 32 byte HMAC SHA256 Key, which is appended to an IV.
- This key generated is used to Encrypt Media Files.
- After Encryption, file is uploaded to a blob store with a pointer to the file.
- The receiver decrypts the file from the blob store after verifying SHA 256 and HMAC and then the file is converted back to plain text.
WhatsApp users additionally have the option to verify the keys of the other
users with whom they are communicating in end-to-end encrypted chats
so that they are able to confirm that an unauthorized third party (or WhatsApp)
has not initiated a man-in-the-middle attack. This can be done by scanning a QR code, or by comparing a 60-digit number which is displayed just below it.
The QR code contains:
- A version.
- The user identifier for both parties.
- The full 32-byte public Identity Key for both parties.
When either receiver or sender scans the other’s QR code, the keys are compared to ensure that Info in QR code matches the Identity Key as retrieved from
The 60-digit number is computed by concatenating the two 30-digit numeric
fingerprints for each user’s Identity Key. To calculate a 30-digit numeric
- Iteratively SHA-512 hash the public Identity Key and user identifier 5200 times.
- Take the first 30 bytes of the final hash output.
- Split the 30-byte result into six 5-byte chunks.
- Convert each 5-byte chunk into 5 digits by interpreting each 5-byte
chunk as a big-endian unsigned integer and reducing it modulo
- Concatenate the six groups of five digits into thirty digits.
Apart from above features, more such ones like WhatsApp Statuses, Live Location & Group Chats also use E2E.
So the next time when you’d chat and see the messages flow in real time, think of all the mathematics and complex Cryptography involved in keeping your 💬 Secure.
If you enjoyed reading this Story, do give it a Clap down below. Also follow for more such Tech Blogs ahead.