WhatsApp has long provided end-to-end encryption by default to protect the privacy of its users. This means messages can be read only by the sender and the recipient, and by no one in between.
However, the loophole in the encryption system was that users could not encrypt their message backups, which are stored on iCloud for Apple users and on Google Drive for Android users. This left a back door into a user's private messages.
To solve this problem, Facebook, the parent company of WhatsApp, announced on Friday that it would now also give users the option to encrypt their backed-up messages. This would mean neither WhatsApp nor the backup service provider will have access to the backed-up messages or the backup encryption key.
People can already back up their message history via cloud-based services like Google Drive or iCloud, which the company does not have access to, according to the press release introducing the new privacy feature.
In addition, once the feature is available, a user can choose to enable end-to-end encrypted (E2EE) backups to further protect their backed-up messages.
To enable E2EE backups, the company has developed an all-new system for storing encryption keys that works on both Android and iOS devices. With the new feature enabled, backups will be encrypted with a unique, randomly generated key. A user can then choose to secure the key manually or with a password. In the latter case, the unique encryption key is stored in a Backup Key Vault built on a component called a hardware security module (HSM): specialized, secure hardware that can be used to securely store encryption keys.
When a user needs access to their stored backups, they can decrypt the messages with the encryption key, which they retrieve from the Backup Key Vault using the password they set.
WhatsApp has also taken measures to ensure that keys stored in the Backup Key Vault cannot be obtained through brute-force attempts. The HSM-based Backup Key Vault is responsible for enforcing password verification attempts and would render the key permanently inaccessible after a limited number of unsuccessful attempts to access it. WhatsApp also said in its post, “WhatsApp will know only that a key exists in the HSM. It will not know the key itself.”
WhatsApp’s front-end service, ChatD, is responsible for handling client connections and client-server authentication. It will implement a protocol that sends the key to and from WhatsApp's servers. The messages exchanged between the client and the HSM-based Backup Key Vault will also be encrypted and not visible to ChatD itself.
The backup will be generated as a continuous stream of data that is encrypted using symmetric encryption with a generated key. With E2EE, backups can also be stored off-device.
WhatsApp has a user base of about 2 million people spread across the globe. To keep the HSM-based Backup Key Vault readily available for this huge user base, the company has decided to distribute the service geographically across multiple servers.
The process of accessing a backup seems rather simple on paper. Users who have chosen to safeguard their encryption key in the Backup Key Vault enter their password, which is then verified by the Backup Key Vault. Once verification succeeds, the Backup Key Vault sends the encryption key back to the WhatsApp client, which can then use it to decrypt the backed-up messages. Alternatively, users who have chosen to store their 64-digit key manually have to enter the key themselves to decrypt the messages.
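The retrieval flow and the attempt limit described above can be modelled in a few lines of Python. This is an added example, not WhatsApp's code: the class and function names, the limit of 10 attempts, PBKDF2 as the password check, the counter reset on success, and hex as the encoding of the 64-digit key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10  # assumed; the article only says "a limited number"


def new_backup_key():
    """Client side: random backup key plus its manual-entry form."""
    key = secrets.token_bytes(32)
    return key, key.hex()  # 64 hex digits (encoding is an assumption)


class BackupKeyVault:
    """Toy model of the HSM-based vault: stores keys, counts failed guesses."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _verifier(password, salt):
        # PBKDF2 stands in for the real password protocol, which the article
        # does not describe.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, backup_key):
        salt = secrets.token_bytes(16)
        self._records[user] = {"salt": salt, "key": backup_key, "failures": 0,
                               "verifier": self._verifier(password, salt)}

    def retrieve(self, user, password):
        rec = self._records.get(user)
        if rec is None or rec["key"] is None:
            raise KeyError("no retrievable key for this user")
        guess = self._verifier(password, rec["salt"])
        if hmac.compare_digest(guess, rec["verifier"]):
            rec["failures"] = 0  # assumed: a success resets the counter
            return rec["key"]
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["key"] = None  # key destroyed: permanently inaccessible
        raise PermissionError("wrong password")
```

Because the backup key is random rather than derived from the password, someone holding only the cloud copy has nothing to guess offline; every password guess has to go through the vault, which is where the counter lives.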
According to the post by Facebook CEO Mark Zuckerberg introducing the new feature, “WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups.”
The E2EE backups are supposed to roll out by the end of the month for both Apple and Android users.
Supratik Mitra is a student of political science at the University of Delhi.
While completing college, he continues to work as a reporter, working with many
media houses previously. He is interested in Indian politics and Science and
Technology and is also an avid policy researcher. He reports and writes articles
on national news, science and tech news, and health news.