
By now everybody has noticed that WhatsApp rolled out full end-to-end encryption recently, for direct communication, for media attachments and for group chats.

I've read their white-paper (PDF) and noticed a difference from Signal's group chats, where Signal sends the group message to all members itself (with a special flag in the encrypted header) and WhatsApp sends the message to the server who distributes it.

Now I'm confused how WhatsApp's group chat protocol works, because it can't use the simple person-to-person protocol (as Signal does) and rather uses a somewhat complicated "ratchet" based key derivation (I think) and what favorable security properties get sacrificed by WhatsApp.

So what security properties does the group chat protocol feature and how does it work (at a high level)?


Because "security properties" is a bit generic, here's a list of the security properties I'm asking for:

  • Passive security (an eavesdropper can't break the encryption)
  • Active security (a man-in-the-middle can't break the encryption unnoticed after the first setup)
  • Forward secrecy (a compromise of today's secret encryption keys doesn't break the security of past, attacker-recorded messages)
  • Plausible Deniability (there's no hard proof that a specific message was sent by me as soon as time X went by)
  • Transcript consistency (there's a "hard" proof that everybody in the group saw / sees the same messages)
SEJPM

2 Answers


Firstly, from their paper

Messages to WhatsApp groups build on the pairwise encrypted sessions outlined above to achieve efficient server-side fan-out for most messages sent to groups. This is accomplished using the “Sender Keys” component of the Signal Messaging Protocol.

The first time a WhatsApp group member sends a message to a group:

  1. The sender generates a random 32-byte Chain Key.
  2. The sender generates a random Curve25519 Signature Key key pair.
  3. The sender combines the 32-byte Chain Key and the public key from the Signature Key into a Sender Key message.
  4. The sender individually encrypts the Sender Key to each member of the group, using the pairwise messaging protocol explained previously.

For all subsequent messages to the group:

  5. The sender derives a Message Key from the Chain Key, and updates the Chain Key.
  6. The sender encrypts the message using AES256 in CBC mode.
  7. The sender signs the ciphertext using the Signature Key.
  8. The sender transmits the single ciphertext message to the server, which does server-side fan-out to all group participants.

The “hash ratchet” of the message sender’s Chain Key provides forward secrecy. Whenever a group member leaves, all group participants clear their Sender Key and start over.

I would say the key point here is number 4: The sender individually encrypts the Sender Key to each member of the group, using the pairwise messaging protocol explained previously

It's a clever adaptation which builds on top of the one-to-one protocol: use it to distribute a shared key to each individual member of the group, so then the group can use the server in order to provide efficient "fan-out" (as well as blob storage) without the server being privy to the required private keys.

"So what security properties does the group chat protocol feature and how does it work (at a high level)?"

As to how it works, I think that paper is as much detail as you'll find available for now until someone else does a full (applied) analysis.

As to the features it provides...

  • Forward secrecy: the ratchet mechanism described provides this (or so they claim)

  • Passive: the "Sender Key" distribution method in point 4 makes passive attacks nigh-on impossible: bear in mind that a passive party would have to get through the noise pipes encryption layer (to the WhatsApp servers) for each of the parties in the group and would probably require multiple points of presence which facilitated access to the traffic for each party in the group.... so you can pretty much rule out anybody there unless they're a major backbone provider or NSA.

  • Active attack: I'd say a side channel attack on one of the devices in the group would be feasible, but if you have that level of invasive access to the device (and therefore most likely its owner!), a pair of pliers and 5 mins with the device owner is likely to be far more fruitful.

  • Transcript consistency: all the messages use HMAC to ensure integrity (step 7)

  • Plausible Deniability: if anything, all the extra security provided by their new implementation makes it very difficult to deny that a particular user sent a message....

Nathan
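As an added illustration of the Sender Key hash ratchet quoted in the answer above (not WhatsApp's or Signal's code), the following Python models one sender fanning a single ciphertext out to the other members, out-of-order delivery, and why a message key that has already been consumed cannot be re-derived. It assumes Signal's HMAC-SHA256 convention for the ratchet (0x01 for the message key, 0x02 for the next chain key), substitutes a SHA-256 keystream and an HMAC tag for AES-256-CBC and the Curve25519 signature because the standard library has neither, and uses constructed participants Alice, Bob and Carol.

```python
import hashlib, hmac, secrets
def ratchet(chain_key):
    """One hash-ratchet step -> (message_key, next_chain_key); the 0x01/0x02 split is Signal's convention (assumed)."""
    return (hmac.new(chain_key, b"\x01", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x02", hashlib.sha256).digest())
def keystream(mk, n):  # SHA-256 counter mode: stand-in for AES-256-CBC (step 6), not in the stdlib
    return b"".join(hashlib.sha256(mk + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]
def tag(mk, i, ct):    # HMAC over iteration+ciphertext: stand-in for the Curve25519 signature (step 7)
    return hmac.new(mk, i.to_bytes(4, "big") + ct, hashlib.sha256).digest()
class SenderKeyState:
    """Per-sender state every member holds once the Sender Key has been distributed (step 4)."""
    def __init__(self, chain_key):
        self.chain_key, self.iteration, self.skipped = chain_key, 0, {}

    def message_key(self, i):
        if i in self.skipped:                 # out-of-order message whose key was kept
            return self.skipped.pop(i)
        if i < self.iteration:                # already ratcheted past it: forward secrecy
            raise KeyError(f"message key {i} is no longer derivable")
        while self.iteration < i:             # catch up, keeping keys for the gap
            mk, self.chain_key = ratchet(self.chain_key)
            self.skipped[self.iteration] = mk
            self.iteration += 1
        mk, self.chain_key = ratchet(self.chain_key)   # step 5: derive Message Key, update Chain Key
        self.iteration += 1
        return mk

def seal(state, plaintext):
    mk = state.message_key(i := state.iteration)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(mk, len(plaintext))))
    return i, ct, tag(mk, i, ct)              # one ciphertext, sent once to the server (step 8)

def unseal(state, i, ct, t):
    mk = state.message_key(i)
    if not hmac.compare_digest(t, tag(mk, i, ct)):
        raise ValueError("tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, keystream(mk, len(ct))))

def group_demo():
    """Alice sends three messages once each; the server fans them out to Bob and Carol (constructed)."""
    chain_key = secrets.token_bytes(32)                   # step 1: random 32-byte Chain Key
    alice, bob, carol = (SenderKeyState(chain_key) for _ in range(3))  # step 4, abstracted
    msgs = [seal(alice, m) for m in (b"hi", b"second", b"third")]
    got_bob = [unseal(bob, *m) for m in msgs]                             # in order
    got_carol = [unseal(carol, *m) for m in (msgs[2], msgs[0], msgs[1])]  # out of order
    try:
        unseal(bob, *msgs[0]); replayable = True          # key for message 0 was discarded
    except KeyError:
        replayable = False
    return got_bob, got_carol, replayable
```

In the real protocol each ciphertext is signed with the sender's Curve25519 Signature Key (step 7), so other holders of the Sender Key can verify but not forge the sender's messages; the HMAC stand-in here does not give that property.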

From what I can gather in the whitepaper, group messages are encrypted within the group. The same Sender Key is distributed and used by each participant, which makes the message unauthenticated by construction.

How the ratchet synchronises between senders, no clue.

Properties:

  • Passive security: Yes (an eavesdropper can't break the encryption)
  • Active security (a man-in-the-middle can't break the encryption unnoticed after the first setup): Yes, even if he tries to impersonate the server, as the server never gets hold of any key.
  • Forward secrecy: yes, by means of the ratchet function.
  • Plausible Deniability: Yes, everyone signs and encrypts with the same symmetrical key (as far as I can tell).
  • Transcript consistency: Yes since they have to be notified of the Chain Key changes.

The whitepaper is far from a technical description of the protocol. So I would take this with extreme caution.

M'vy