WhatsApp Encryption and policies.

WhatsApp Messenger or WhatsApp, is an American cross-platform messaging service presently owned by Facebook, Inc, since 2014. Most of us are aware that Whatsapp has been up to some new policy updates. Recently, in the early days of January, Whatsapp has updated its privacy policies which have jacked up a huge concern among the people who use this platform. WhatsApps top monthly users are from India, Brazil, and the USA with a combined user count of 573.6 million and increasing. 

WhatsApp has notified users that it will collect vast amounts of highly presumptuous and granular metadata from their chats with business accounts and share it with  its owner Facebook companies. After the updated Government of India  considered the policies as to be discrimination and wrote a letter  to  the Chief Executive Officer of WhatsApp, Will Cathcart, to respect the privacy and data security of Indian users like its European users. The government asked WhatsApp to withdraw its latest Terms of Service and Privacy Policy here.  The Ministry of Electronics and Information Technology has also sent a long list of questionnaires to Whatsapp requesting to show the details of how Whatsapp plans to share the data and use it for further business protocols.

 https://cdn.arstechnica.net/wp-content/uploads/2021/01/Image-from-iOS.png

Source: Image

Whatsapp responded to the Government's letter and said that they would coordinate accordingly and they are ready  to address the questions and  any false information about its latest updated policy. WhatsApp also said it is determined to safeguard personal messages with end-to-end encryption and stresses that neither WhatsApp nor Facebook can read or have access to them.

“WhatsApp will always protect personal messages with end-to-end encryption so that neither WhatsApp nor Facebook can see them. We are working to address misinformation and remain available to answer any questions,” -- A WhatsApp delegate said.It further added that  "the new policy doesn’t expand WhatsApp's ability to share data with Facebook".WhatsApp stresses that the updated Privacy Policy will only affect the business accounts. It would help to analyze the chats in business accounts to provide better-targeted advertisements for businesses.

 

Government of India passes new internet laws:-The Intermediary Guidelines and Digital Media Ethics Code,Rules 2021, force companies to remove content that the government says is illegal within three days of being notified, including content that threatens “the interests of the sovereignty and integrity of India,” public order, decency, morality, or incitement to an offense. The new IT laws, give the Indian government greater power to monitor online activity, including on encrypted apps such as WhatsApp and Signal.

 

Indian Government passed this law to stop the spreading of fake news through WhatsApp and other messaging apps. The rules were passed in February

 

However, after receiving a bash from millions of users around the world over its privacy policy, WhatsApp agreed to extend the deadline for accepting the policy, by three months to May 15. Until 15th May if users don't agree to Whatsapp's new terms and conditions, they won't be able to use Whatsapp to its full services. Furthermore, WhatsApp questioned the Indian government about their loosely held Information IT act .

On 25th May , WhatsApp sued the Indian government stating the new laws are invasive and go against their security and privacy policies . Under new laws, end-to-end encryption which keeps communications on the app inaccessible to outside parties – would have to be removed from WhatsApp in India so that it could be put into a “traceable” database. The government would then be able to identify and take action against the sender if any content was ruled “unlawful”.

The situation back then was totally messed up and people were intrigued by WhatApps ultimatum to "leave the application  if you don't agree to the terms"

For an average reader, many questions may arise in their mind.

How WhatsApp works and how it intends to read chats on business accounts? What about WhatsApp's End-to-end encryption ? What is encryption and how secure is it? How can WhatsApp even come to know what messages we are sending ?

To understand this we would need to understand some basic concepts of encryption and what it is.

What is Data Encryption?

In today's world, the most expensive possession is neither a 1963 Ferrari GTO nor  a billion dollar house. It's Data. Data of all kinds  are very integral.  What is Data? Any Transaction, connection over the internet is data. This includes your bank transactions, email id passwords , private messages made online, your browsing history and practically everything on the internet . Organizations all over the world collect this data. The most critical objective of data collection is ensuring that information-rich and reliable data is collected for statistical analysis so that data-driven decisions can be made for research. Data Science is a very important field of computer science.

All exchanges of data packets over the internet occur through standard protocols where cryptography plays a vital role. Cryptography is used in file encryption, databases and URL strings etc. The study of Encryption and decryption is called Cryptography. Cryptography ensures your secure user data transfers along with many other protocols . However, cryptography in itself is also very  brittle . Even the most secure cryptography could be broken in a matter of seconds due to some loopholes  in its coding. 

Encryption is the process of converting a plain text into machine language and decryption is the process to do the vice versa.

Here's a simple example of encryption called Caesar Cypher.  This technique was used by the famous Roman general Julius Caesar, to exchange important orders. The messages were reasonably secure to be used then, though it's not known how secure they proved to be then. This concept is used in further complex encryption techniques. 

This encryption technique  uses an integer value   to shift the alphabet  'integer' places to the right. Here, we take the shift to be 23.

Let 

A B C D E F G H I   J  K  L   M   N  O  P  Q   R  S   T  U   V  W  X   Y    Z

1 2 3 4  5  6 7 8 9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

A+23=X

B+23=Y

C+23= Z

Thus,

Plain A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Cipher X Y Z A B C D E F G H I J K L M N O P Q R S T U V W 

 

PLAIN TEXT-   GET THE ARMS READY BRING SOUTH

ENCRYPTED TEXT- DBQ QEB OXOJ PBXAV YOFKD PLRQE

This encryption technique is very old and is easily decrypted. Today , with the fast computation power of computers, encryption has also improved tremendously. We use Hashing. Hashing is a technique of mapping keys, values into the hash table by using a mathematical hash function. It is done for faster access to elements. Nowadays, we use keyless hash functions  to encrypt data , which we can say are nearly impossible to crack. To give a small example of why it's near to unbreakable, we may take the help of the most widely used hashing algorithm called SHA which is short for Secure Hashing  Algorithm. The SHA-256 function which hashes long messages to 256 bits. For example, SHA-256 uses a 256-bit IV whose value in hexadecimal  is IV := 6A09E667 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C 1F83D9AB 5BE0CD19. 

Cryptocurrencies such as Bitcoin use SHA-256 for verifying transactions. In linux SHA-256 is used to secure passwords by hashing.

 

SHA 256: Compute a SHA 256 hash using C# for effective security - .Net Core  | MVC | HTML Agility Pack | SQL | Technology Crowds

source: Image

 

HOW END-TO-END-ENCRYPTION WORKS IN WHATSAPP?

To understand this question, first, we have to delve into how messages are sent over the internet and how some more complex algorithms work . 

Diffie Hellman Algorithm

Whitfield Diffie and Martin Hellman constructed the first public key Algorithm 1976. It was named , Diffie–Hellman algorithm , which is used for key exchange and it is still in use today. The security of the algorithm comes from the difficulty of computing discrete logarithms of long, very long prime numbers . The Diffie Hellman algorithm is an algorithm that helps to create a secure communication channel that enables two parties communicating over a public channel to establish a mutual secret without it being transmitted over the Internet by a public-private shared key method.  When you came to read this article on your browser, most probably your PC or Smartphone just used this algorithm to establish a secure connection with the server also. 

Diffie–Hellman key exchange - Wikipedia

Source: Image

Let's understand it in a better way.

Suppose, two parties Alice and Bob are communicating. Alice has a private key "a" which is never shared either with the public or with Bob. Similarly, Bob has a private key "b" which is never shared. "g" is a small prime number and "n" is a large number (and it's a very big number, often 2000 bits long) which has to be for the security of this algorithm to work. Public is the area where hackers are waiting to get hold of our keys and break into our communication. Now, begins the fun part. 

When Alice sends a message it is encrypted as  gamod n and when Bob sends a message it is encrypted as gb mod b . These encrypted messages are shared with the public. Then this public encrypted message is exchanged by them. Alice and Bob get gaband gab respectively which is exactly the same. But, what the hackers see is the essentially 4 numbers g ,n ga,gb. When they try to mix the numbers they get ga+b which is not accurate. In the encryption business, if  we are by even a single bit we get inaccurate results.

Thus, in this way Alice and Bob can communicate securely. The difficulty of decrypting this algorithm is its modulo arithmetic being performed on large numbers. Thus the only way to decrypt the message is by brute force, i.e. checking each value of ga and gbto match them with the encrypted message. 

C:UsersAdminPicturesDH.png

Technically its not impossible, but the computation time for this complex arithmetic is huge thus, we don't have to bother about it being decrypted, as the key changes every time when used with the Rachet algorithm.(explained below) 

 

Double Ratchet Algorithm

In the Ratchet algorithm, a new message key is generated every time a message is sent, and even if someone breaks the key, they will only be able to access the last message or the messages before them since every time a new key is generated to encrypt the message.

 

C:UsersAdminPicturesRachetAlgo.png

When we use this algorithm in combination with the Diffie Hellman Algorithm, this provides us with a more secure way of encrypting the message. This combined algorithm is what we called a double ratchet algorithm. Now, you may further question, what if someone breaks the kdf and reaches our messages? 

But, here comes the Double ratchet algorithm to save the day. Every time, when a message is sent the DH algorithm resets the basic key, which is then further encrypted with the ratchet function. So, even if third parties are able to crack the intermediate keys , the DH algorithm resets the basic key, so that the communication channel remains secure again. 

WhatsApp uses the ‘signal’ protocol for encryption, which uses a combination of asymmetric and symmetric key cryptographic algorithms. The symmetric key and asymmetric  key ensure different functions.  The first one ensures confidentiality and integrity whereas the second one helps to achieve other security goals namely authentication and non-repudiation. Whatsapp uses primitives like  Double Ratchet Algorithm, prekeys, Triple Diffie Hellman, Curve25519, AES, and HMAC_SHA256 algorithm.

So by now, I hope we understand how encryption works on WhatsApp and how secure it is. If you want to know more about WhatsApp's  encryption:

here's the link- https://www.whatsapp.com/security/?lang=en (read the pdf in the "Get the details" section present at the bottom of the article )

WhatsApp says this encryption remains unchanged in personal chats. 

WhatsApp chats with businesses that use the WhatsApp Business app or manage and store customer messages continue to be end-to-end encrypted. Once the message is received, it will be subject to the business’s own privacy practices.

Businesses will be able to choose WhatsApp’s parent company, Facebook, to securely store messages and respond to customers. WhatsApp can decrypt these messages and use them for further business protocols. But, as they say these messages may not be directly used by Facebook to inform the ads that we see, businesses will be able to use chats they receive for their own marketing purposes, which may include advertising on Facebook.  

 

WhatsApp Basically blames us for getting into misinformation-

 

After a humongous  PR disaster,  WhatsApp tried to do damage control by pushing back the implementation of the new privacy policy and terms of use. Facebook-owned WhatsApp stated  clearly in an official statement that it is as good as puts the blame on us as users—apparently millions of users around the world were confused and misinformed about the update, and hence the confusion and tension arose. Apparently, there was nothing ever to be worried about.