Well Done To WhatsApp — In Taking Security Seriously: Key Transparency

In the UK, we could be progressing towards an unhappy band of countries who restrict end-to-end encryption. So just as the UK is moving…


The UK is debating the Online Safety Bill, which focuses on the removal of harmful content and the breaking of end-to-end encryption (E2E). Why break E2E? Well, if you want to detect and remove harmful content, you must look into encrypted messaging and detect its contents. This would apply to UK citizens and also to all of the software and services that are provided to them. Internet Service Providers, such as Meta, Instagram and WhatsApp, would then be responsible for the content they host.

Some dub it a mass surveillance system, in which E2E messages will require a backdoor into the encryption process. With fines of up to 10% of global revenue, many messaging providers have said that they would rather ban their apps in the UK than break their encryption. This would put the UK in a strange league of those countries that ban messaging apps.

As a worst case, it could (perhaps) turn the security of the Internet back many decades in the UK, and see the UK move to being one of the most backward countries in the world in their control of the Internet. But, on the other hand, we must protect our citizens. Perhaps the worry is that politicians and lawmakers do not really understand the technology that they are playing with, and why we have advanced our application of E2E.

Key Transparency

WhatsApp is one of the applications which says it will withdraw from the UK if the Online Safety Bill applies, and has just announced a new feature which increases the trust in its infrastructure: Key Transparency. For E2E, we depend on public keys being handed out by the WhatsApp server, where the private key exists on the device and public keys are on the server. When Bob and Alice connect, they each use public keys to encrypt the data to the other person, and their private keys to decrypt.

But, Eve could compromise the WhatsApp server, and send the wrong public key for Alice to Bob. This is an Eve-in-the-Middle attack (aka Man-in-the-Middle — MITM). In TLS, this is addressed by using a digital certificate to carry the public key of the Web site.

With a compromised WhatsApp server, Eve sends a fake public key for Alice (AliceFake) to Bob (Figure 1). Eve then has the private key to decrypt the data encrypted with AliceFake. Eve will then send the data to Alice using Alice’s real public key. When Alice replies, she will use the fake Bob key (BobFake), and again Eve will decrypt and forward to Bob using Bob’s real public key.

Figure 1

Currently, it is possible to check if there is a compromised channel as there is a unique safety number. This can be continually checked by a user to identify if there is a MITM. With this, Bob and Alice generate a safety number, and then call each other, and compare the values. If they differ, they will know that Eve is in the middle. Unfortunately, few people use this solution, so Key Transparency aims to automate this process. With this, Bob and Alice publish their public key through a hash value. They can then continually check these hash values for any changes. When Eve changes the keys, she will not be able to replicate the same hash, and so these keys will be rejected.

Merkle Trees

With this approach we use Merkle hash trees, which can verify that a user’s key pair/identity is used within a tree. WhatsApp then takes all the public key/identity pairs, and hashes them. In Figure 2, Alice’s public key/identity pair is hashed as H8, and Bob’s as H11. H8 and H7 are then hashed to produce H3, which is then hashed with H4 to produce H1. Finally, H1 and H2 are hashed to produce a root hash (Root). If we publish the Root, it will prove that we know all of the key/identity pairs, and that we cannot prove another key/identity pair that is not contained in the tree.

Figure 2: Merkle tree for public key/identity pairs

Initially, Bob asks for a connection with Alice. For this, he asks the server for Alice’s public key and identity. The server then provides proof that her key/identity is contained in a Merkle Tree, and that it has been publicly committed. In Figure 3, we have a root hash and can prove H8 (which contains Alice’s public key/identity), by showing the route to the root hash. Eve will not be able to provide a valid hash that matches the tree.

Figure 3: Proof of Alice’s Public Key/Identity

The magic of the root hash is key to providing trust: WhatsApp can create a root hash for every user on the system, and it will not be possible to add new public keys/identities that don’t make the root.
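
The inclusion proof described above can be sketched in a few lines. This is an added example, not WhatsApp's code and not part of the original article: SHA-256, the leaf encoding, the 0x00/0x01 tags, the user names and the keys are all assumptions constructed for illustration, and the tree is fixed at eight leaves to match the layout described for Figure 2.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(identity: str, public_key: bytes) -> bytes:
    # Assumed encoding: 0x00 tag, length-prefixed identity, then the key bytes.
    ident = identity.encode()
    return h(b"\x00" + len(ident).to_bytes(2, "big") + ident + public_key)

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 tag keeps interior nodes from being confused with leaves.
    return h(b"\x01" + left + right)

def build_levels(leaves):
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("this sketch needs a power-of-two number of leaves")
    levels = [list(leaves)]          # levels[0] = leaf row, levels[-1] = [root]
    while len(levels[-1]) > 1:
        row = levels[-1]
        levels.append([node_hash(row[i], row[i + 1]) for i in range(0, len(row), 2)])
    return levels

def prove(levels, index):
    # Collect the sibling at each level on the route from leaf to root.
    path = []
    for row in levels[:-1]:
        sibling = index ^ 1
        path.append((row[sibling], sibling < index))  # (hash, sibling is on the left)
        index //= 2
    return path

def verify(root, identity, public_key, path):
    # Bob recomputes the route himself and compares it with the published root.
    acc = leaf_hash(identity, public_key)
    for sibling, on_left in path:
        acc = node_hash(sibling, acc) if on_left else node_hash(acc, sibling)
    return acc == root

# Constructed directory: 8 users, Alice at leaf 1 (H8) and Bob at leaf 4 (H11).
USERS = ["carol", "alice", "dave", "erin", "bob", "frank", "grace", "heidi"]
DIRECTORY = [(u, h(b"constructed-key:" + u.encode())) for u in USERS]
LEVELS = build_levels([leaf_hash(u, k) for u, k in DIRECTORY])
ROOT = LEVELS[-1][0]

def demo():
    path = prove(LEVELS, 1)  # H7, H4, H2 in the article's labelling
    honest = verify(ROOT, "alice", DIRECTORY[1][1], path)
    forged = verify(ROOT, "alice", h(b"constructed-key:eve"), path)
    return honest, forged, len(path)
```

Bob needs only three sibling hashes and the published root to check Alice's key; a key substituted by Eve fails against the same root, and a tree rebuilt around her key produces a different root.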

Conclusions

Well done to WhatsApp. It is a great step forward, and one that many other systems would look to implement in highly trusted environments.

There are many state actors that have used advanced MITM attacks on E2E, and WhatsApp aim to close the door on server compromises. Breaking the encryption is not the only method of breaking E2E communication: GCHQ proposed the “Ghost proposal”, where law enforcement is added as a ghost user on the connection. But this method would require the Service Provider to allow access to the connection. Key Transparency does not address this type of hack but is useful in increasing trust levels against server hacks.