2

Ok So I posted this question by mistake on StackOverFlow, and I was suggested that I should re-post it on Information Security.

I am pretty sure I am asking a very stupid question. I am a developer but don't know anything about the latest encryption technologies. I've read on many websites that it took WhatsApp many years to come up with this 'technology' and that our messages and everything is now safe.

I have a few questions that really puzzle me all the time.

If there is an encryption Key that is needed to decrypt the messages, how is that Key transferred to the receiving party? Using WhatsApp servers of course? How do we know they haven't kept it to decrypt the chats? Just because we trust them? If a message was encrypted on my phone, the receiver needs to know that encryption key to be able to decrypt it, how do they get that key? Using WhatsApp servers? Why would it be considered so difficult for WhatsApp to not keep that key?

If I send a video to one of my friends, it takes sometime to upload, it shows a progress bar while uploading.. if I forward the same video to a few other friends of mine, it gets sent within a second, immediately. How? was it not encrypted? How come it got sent if it didn't encrypt again?

Finally how does WhatsApp web still work? If WhatsApp's website can show me all of my messages (regardless of how I login) why can the server guys not see it? How is it that they cannot emulate my login and be able to see everything I am doing? I just sent an image to a friend of mine using WhatsApp web, it got sent, he saw it.. everything was fine. I turned off my WiFi before opening WhatsApp and the image hasn't even downloaded!! Its not even in my phone.. how did WhatsApp web use my 'phone' to send that image when it doesn't even exist in my phone? (Note: My settings don't allow immediate downloading of images). Clearly WhatsApp wasn't talking to my phone it just sent it because its on the server..

Can someone please help me understand this?

Muhammad bin Yusrat
  • 121
  • 3
  • 2
    I think this requirement: "Scan the QR Code on your computer screen from your phone" means that your phone must be on and online. So your phone shares decryption keys and allows the web client to decrypt the conversation. Does it mean that whatsapp (the company) see the cleartext of the conversation if you opened it on the web client? I think yes. – Z.T. Oct 20 '16 at 07:03
  • re: the upload. The file is uploaded to a server hosted by whatsapp. The file is encrypted before upload. Only the uploader has the decryption key. Each time the uploader shares the attachment/upload with a contact, what is sent to the contact is a link to the file and the decryption key. The message sent to the contact is end-to-end encrypted, but is short. – Z.T. Oct 20 '16 at 07:04
  • if the decryption key is sent with the message, why can anyone else not decrypt it then? Whats the whole point if the decryption key is attached with the message itself. – Muhammad bin Yusrat Oct 20 '16 at 07:33
  • If you have a file, then you used `head -c32 /dev/urandom` to generate key, then used `openssl enc` to encrypt the file using the key, then uploaded the encrypted file to AWS S3 with ACL public, then wrote a message with the link to S3 and the key, then encrypted the message using gpg and someone's public key, then emailed the message to that someone. Who can decrypt the file then? How can you cheaply share the file with someone else without reuploading the file? – Z.T. Oct 20 '16 at 07:46
  • 6
    Possible duplicate of [How does end to end encryption work with whatsapp web?](http://security.stackexchange.com/questions/119552/how-does-end-to-end-encryption-work-with-whatsapp-web) for your last question, and http://security.stackexchange.com/questions/119636/whatsapp-encryption-keys for your first question. Consider narrowing your question. – Michael Oct 20 '16 at 08:27
  • @Z.T. End to end encryption is not about sending the key with the message. My question is.. when the encryption key is 'sent' over whatever medium it is sent.. how can we say that WhatsApp has deleted it? If they don't delete it, whats the point of the entire end to end encryption when they can decrypt it whenever they want? – Muhammad bin Yusrat Oct 20 '16 at 09:02
  • @Michael I read those questions before. However my question is pretty straightforward: when encryption keys are sent via WhatsApp servers over to the receiver, how can whatsapp not know those and not keep those? There is a different in saying "WhatsApp won't read your chats" and saying "WhatsApp cannot read your chats" obviously second statement is what WhatsApp is making. – Muhammad bin Yusrat Oct 20 '16 at 09:04
  • You might have read the question, but did you read the answers? ;). The accepted answer mentions: "The keys are generated client-side, or so they say..." So, we assume that the keys are not generated by Whatsapp servers, but by the Whatsapp client.. As Whatsapp is a closed-source, one can never be sure, but that is the general assumption. – Michael Oct 20 '16 at 09:10
  • 2
    Do you understand public key crypto? The key to decrypt the file is itself encrypted using the recipient's public key. That is sent to the recipient. Only the recipient has their private key. As long as you believe the WhatsApp client does not leak the private key it generates locally on the phone, WhatsApp can't decrypt the file they host. – Z.T. Oct 20 '16 at 09:12
  • @Z.T. yes whatsapp can't decrypt the file sent to one recipient, that is fine. but when a user forwards the same file to another user, how the other user can again decrypt the file. is it file stored on the server is plain without encryption, and when it is being forwarded to another user it uses `public key` for that user and send the link, – Ankit Balyan Mar 20 '17 at 07:23

0 Answers0