11

I'm curious if perfect forward secrecy could work in an app like WhatsApp where you want to see messages from before the last message or a multitude of messages at the same time like in a group chat.

As I understand it, perfect forward secrecy changes the key every time so that older messages that were not encrypted with that key are not susceptible to being decrypted if the last key is lost. If that's the case, and I'm sure it is, you can only see the last message.

dwkd

2 Answers

9

I think you mean Perfect forward secrecy, which WhatsApp does support in its end-to-end encryption. PFS is difficult for chat apps, because of the uncertainty in the connection, and is the reason many chat apps just ignore it.

In normal PFS (like TLS or SSH) an ongoing connection is established and the keys are recalculated every so many bytes or minutes. Chat apps cannot acknowledge a message (or any data) was received. In fact, the other end of the channel may never have sent any data your way, or was just offline the whole time. In any case, you as the sender should be able to secure the messages that you sent, regardless of the other end.

To overcome this entire problem, protocols such as OTR and Axolotl use prekeys. These prekeys are pre-calculated Diffie-Hellman (or EC, like Curve25519) keys. It is common to calculate a few hundred keys in advance. All of the public keys from these pre-calculated keypairs are sent to the relay (chat) server, and advertised together with your public identity key (the public identity key is really your 'name' towards others). Now that the public prekeys are on the relay server, anyone who wants to send you a message can just pick one of your prekeys and calculate the shared secret.

The message is then encrypted and authenticated using the shared secret and sent to the receiver together with the prekey id. Once the receiver pulls the message from the server, it can decrypt the message with the corresponding private prekey. A new prekey pair is generated and sent to the server to take its place. This system goes on forever.

Both sender and receiver have to keep track of all their prekeys still in use. This entire algorithm is known as the Double Ratchet.

Apps using Axolotl:

  • WhatsApp
  • Google Allo
  • Facebook Messenger
  • Signal
  • Viber (claimed)

Update

The protocol is self healing because every message is encrypted with another key. This key is no longer known when the message is decrypted, and the message itself is stored in the local app database. Here comes the trick: the messages are not chained in order, so at best one prekey (one message) is compromised. This has no effect on the other messages. Every message is encrypted with another key (Perfect secrecy). The messages themselves do not depend on each other and thus an attack on the last message does not give the attacker control over future communication (Future secrecy). Note: The protocol has some disadvantages as well, like message ordering or lost messages.

Update 2: Group chat

From the protocol point of view, there is no such thing as a 'group chat'. It is just the same message sent multiple times to people, like emails can be sent to multiple recipients as well. Each of these messages is encrypted with the receiver's prekey. For example, if the group contains a total of 4 people, including you, then the same message is sent 3 times (technically only sent once, containing 3 messages) to each of the group members. Therefore it is required that each message is signed and encrypted with the shared secret between you and the receiver. Note: The latest version of the TextSecure protocol can optimize this process somewhat by encrypting the message once and signing it multiple times. There is a proposal to introduce temporary group keys for larger groups. To my knowledge this has not made its way into WhatsApp yet.

If a new user joins the chat, there is no history for that user since chat messages are kept on the local device (obviously). See this as an advantage: every user of the group is responsible for keeping the messages private. A synchronisation solution will: 1) increase the attack surface, 2) increase the complexity of the cryptosystem and 3) move ownership of messages around.

Yorick de Wid
  • I think you're saying there are multiple prekeys and they're sort of assigned per conversation. The way Signal protocol is advertised though is that if your device is compromised only the last message can be decrypted. This is what I don't understand. If your device is capable of decrypting only the last message then how can you still see the whole chat convo, since apparently that is available as a feature in Allo or WhatsApp. Btw I understand it's not the last message but the last # of bytes or bytes in the last x seconds. – dwkd Dec 18 '16 at 15:33
  • @dwkd See update – Yorick de Wid Dec 18 '16 at 15:50
  • OK, I understand, PFE is just for securing messages from A to B. For some reason I thought that PFE also has something to do with local encryption once the message is on your phone, but I think you're saying the message is decrypted and then stored as open text in a local device DB – dwkd Dec 19 '16 at 16:42
  • 1
    How does this work with group chats though? And what if someone new joins the group after several messages have already been sent, and you want them to be able to see chat history? I'm not really sure PFE is compatible with that goal. – Ajedi32 Dec 19 '16 at 17:29
  • @dwkd Watch your terminology; Perfect forward **Secrecy** does not automatically mean 'encryption'. About the local storage, you are correct. For more info see http://security.stackexchange.com/questions/136072/how-can-whatsapp-restore-local-or-google-drive-backups/145636. Update about group chat is coming up. – Yorick de Wid Dec 19 '16 at 18:26
  • The encryption strategy is what I refer to, not the actual algo – dwkd Dec 19 '16 at 19:07
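The prekey flow the answer describes, and the point settled in the comments (old messages stay readable because the app stores the decrypted text locally, not because the key is kept), as an added example that is not the answerer's code or any Signal/WhatsApp code. It models the asynchronous prekey key agreement only, not the symmetric ratchet that follows it. Assumptions: a toy Diffie-Hellman group (p = 2^127 - 1, g = 3, far too small for real use; the real protocols use Curve25519), SHA-256 in place of HKDF, and an HMAC-SHA256 keystream with encrypt-then-MAC in place of a real AEAD. The relay server is a plain dict of public prekeys.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption): p = 2^127 - 1, a Mersenne prime, g = 3.
# Chosen only to keep the example fast and dependency-free; not secure.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Return (private exponent, public value) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, their_pub):
    """Hash the DH shared secret into a 32-byte key (SHA-256 stands in for HKDF)."""
    shared = pow(their_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(k_enc, nonce, length):
    """HMAC-SHA256 in counter mode, used as a stream-cipher keystream."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag (stand-in for a real AEAD)."""
    k_enc = hashlib.sha256(key + b"enc").digest()
    k_mac = hashlib.sha256(key + b"mac").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob, aad=b""):
    """Verify the tag before touching the ciphertext; raise ValueError on mismatch."""
    k_enc = hashlib.sha256(key + b"enc").digest()
    k_mac = hashlib.sha256(key + b"mac").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(k_mac, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


class Receiver:
    """Owns the private prekeys; publishes the public halves to the relay (a dict)."""

    def __init__(self, server, batch=3):
        self.server = server            # prekey_id -> public value, visible to everyone
        self.private_prekeys = {}       # prekey_id -> private exponent, local only
        self.history = []               # decrypted messages, like a chat app's local DB
        self.next_id = 0
        for _ in range(batch):
            self.publish_prekey()

    def publish_prekey(self):
        priv, pub = dh_keypair()
        self.private_prekeys[self.next_id] = priv
        self.server[self.next_id] = pub
        self.next_id += 1

    def receive(self, envelope):
        pid, sender_pub, blob = envelope
        priv = self.private_prekeys.pop(pid)    # one-time use: deleted after this call
        msg = decrypt(dh_shared(priv, sender_pub), blob, aad=pid.to_bytes(4, "big"))
        self.history.append(msg)                # plaintext stays readable locally
        self.publish_prekey()                   # replace the consumed prekey on the server
        return msg


def send(server, plaintext):
    """Sender: take an advertised prekey, run an ephemeral DH against it, encrypt."""
    pid = min(server)                           # toy policy: lowest advertised id
    pub = server.pop(pid)                       # the server hands each prekey out once
    eph_priv, eph_pub = dh_keypair()
    blob = encrypt(dh_shared(eph_priv, pub), plaintext, aad=pid.to_bytes(4, "big"))
    return pid, eph_pub, blob                   # eph_priv and the key are dropped here


def can_recover(receiver, envelope):
    """Forward-secrecy check: can any private key the receiver still holds open an old envelope?"""
    pid, eph_pub, blob = envelope
    for priv in receiver.private_prekeys.values():
        try:
            decrypt(dh_shared(priv, eph_pub), blob, aad=pid.to_bytes(4, "big"))
            return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    server = {}
    bob = Receiver(server)
    env = send(server, b"hello from the past")
    print(bob.receive(env), bob.history, can_recover(bob, env))
```

The last call is the property the question asks about: once `receive` has run, nothing Bob still holds can open `env` again, yet the message is in `history` because the app stored the decrypted text. Compromising Bob's current prekeys therefore exposes his local database, not the ciphertexts captured earlier in transit.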
0

In most E2E apps nowadays, PFS only applies to data in transit. Their at-rest encryption is usually just symmetric encryption with the key stored on the local device (fundamentally unencrypted). Searching for historical messages is then straightforward.

Some apps allow the user to supply an additional passphrase (stored in the user's brain) to strengthen the local encryption.
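The two at-rest designs this answer contrasts, as an added example that is not the answerer's code or any app's code: the database key kept in local storage as-is, versus the same key wrapped under a passphrase-derived key so that a copy of the storage is useless on its own. Assumptions: PBKDF2-HMAC-SHA256 with an arbitrary iteration count as the stretching function, a 32-byte XOR wrap of the database key, and an HMAC tag so a wrong passphrase is detected rather than yielding garbage.

```python
import hashlib
import hmac
import secrets

# PBKDF2 work factor (assumption: a moderate value chosen for this example).
ITERATIONS = 100_000


def new_db_key():
    """The random key that actually encrypts the local message database."""
    return secrets.token_bytes(32)


def store_key_on_device(db_key):
    """Design A: the key is written to local storage as-is. Copying the storage copies the key."""
    return {"scheme": "device-key", "db_key": db_key}


def _derive(passphrase, salt):
    """Stretch the passphrase into a wrapping key and a separate check-tag key."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


def wrap_key_with_passphrase(db_key, passphrase):
    """Design B: storage holds only salt, wrapped key and tag; the passphrase never touches disk."""
    salt = secrets.token_bytes(16)
    wrap_key, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(db_key, wrap_key))   # 32-byte XOR key wrap
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"scheme": "passphrase", "salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(record, passphrase=None):
    """What a copy of the storage record yields.

    Returns the database key; None when the record cannot be used without a
    passphrase; raises ValueError when the supplied passphrase is wrong."""
    if record["scheme"] == "device-key":
        return record["db_key"]                 # nothing beyond the storage is needed
    if passphrase is None:
        return None
    wrap_key, mac_key = _derive(passphrase, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong passphrase")
    return bytes(a ^ b for a, b in zip(record["wrapped"], wrap_key))


if __name__ == "__main__":
    key = new_db_key()
    print(unlock(store_key_on_device(key)) == key)        # storage alone suffices
    rec = wrap_key_with_passphrase(key, "correct horse battery")
    print(unlock(rec), unlock(rec, "correct horse battery") == key)
```

In design A the "encryption" only protects against reading the database file with the wrong tool; whoever has the device image has the key next to it. In design B the same image yields salt, wrapped key and tag, and the work factor of `_derive` is what stands between an attacker and the database, which is why the iteration count and passphrase strength matter more than the wrap itself.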