WhatsApp snoopgate: How does end-to-end encryption work?
Last week, popular messaging platform WhatsApp’s admission that its encryption software had been bypassed by Israeli technology firm, NSO Group, sent ripples through the web and beyond, with many questioning whether their private messages were truly safe from prying eyes. WhatsApp, like most messaging apps in the market nowadays, uses end-to-end encryption to protect users’ privacy, and ensure that the content of messages is never compromised. While cyber-security experts have stated that the company has exaggerated the security that end-to-end encryption provides, the technology remains a benchmark, and is a crucial part of your digital security arsenal. Here, we break down how WhatsApp’s end-to-end encryption system works.
Encryption itself is simply a method by which a single user can make a message unreadable to everyone except his/her intended recipient. In very simple terms, a user acting as a sender of a message opts to encrypt a message, before sending it across a network, to a specific recipient. The recipient of the message then decrypts the message, to access its content. While that may sound simple, the real problems arise in preventing third parties from intercepting the encrypted message as it passes across the network, and accessing its content.
End-to-end encryption follows the principles of asymmetric encryption. To illustrate how asymmetric information works, it’s best to use a simple example of two office workers in individual cubicles, trying to communicate with each other. We’ll name them Pratik and Esha. Pratik wants to ask Esha to lunch but wants to do so privately. Unfortunately, their cubicles are separated by several others occupied by other workers. For Pratik and Esha to communicate privately while transferring notes across the many workers between them, they need to develop their own code or language, so that only they can understand the messages they send back and forth. This code or language is known as a cipher or a key that when applied to a message allows it to be translated and read. However, this still doesn’t solve the problem of securing communication as the key itself can be intercepted when it is originally shared between Pratik and Esha.
With end-to-end encryption or public-key cryptography, Pratik and Esha can get around this problem. The system involves both parties creating individual sets of two keys – a public and a private key. The two keys are very large numbers and share a mathematical relationship that is impossible to decipher knowing just one of them.
Pratik first sends his public key across to Esha, sharing it freely with other workers who may wish to view it as well. Using Pratik’s public key, Esha can then encrypt a message, and send it across the network of cubicles back to Pratik. Using his private key (which shares a relationship with his public key used by Esha to encrypt her message), Pratik can then decrypt Esha’s message. The same process applies when Pratik replies to Esha, with Esha first sharing her public key over the cubicle network.
It is important to note that although end-to-end encryption ensures that the content of the message remains private, the people within the cubicle network are still aware of certain details. They can know who the sender is and who the receiver is, they know whether the message is encrypted, they know the exact time when messages are sent and received, and they may even know what the subject line (if any) of the message is. This information is known as metadata. Parties with nefarious designs can analyse this metadata and orchestrate man-in-the-middle attacks, that involve tricking one of two parties into believing the attacker’s public key is the second party’s. Thankfully though, there are ways to get around these attacks as well, that involve “fingerprint” verification. Although tedious, this process is certainly worth implementing if you really want to reduce the risk of your online conversations being ‘overheard’.