Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol

Conference paper, Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14084)

Abstract

WhatsApp is an end-to-end encrypted (E2EE) messaging service used by billions of people. In late 2021, WhatsApp rolled out a new protocol for backing up chat histories. The E2EE WhatsApp backup protocol (WBP) allows users to recover their chat history from passwords, leaving WhatsApp oblivious of the actual encryption keys. The WBP builds upon the OPAQUE framework for password-based key exchange, which is currently undergoing standardization.

While considerable efforts have gone into the design and auditing of the WBP, the complexity of the protocol’s design and shortcomings in the existing security analyses of its building blocks make it hard to understand the actual security guarantees that the WBP provides.

In this work, we provide the first formal security analysis of the WBP. Our analysis in the universal composability (UC) framework confirms that the WBP provides strong protection of users’ chat history and passwords. It also shows that a corrupted server can under certain conditions make more password guesses than what previous analysis suggests.

Gareth T. Davies, Tobias Handirk, and Tibor Jager have been supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme, grant agreement 802823. Julia Hesse was supported by the Swiss National Science Foundation (SNSF) under the AMBIZIONE grant “Cryptographic Protocols for Human Authentication and the IoT”. Máté Horváth has been supported by the German Research Foundation (DFG), project JA2445/6-1.

Notes

  1. In this paper we will refer to the people using a device that runs the WhatsApp client software as users, to the device as a client, and to the servers that provide the WhatsApp chat and backup service as servers.

  2. Note that WhatsApp refers to this phase as registration.

  3. It is actually a “per-backup-secret”, which is determined during initialization. If a client were to re-register, a new “per-backup-secret” would be chosen.

  4. The existing formal analysis of the OPAQUE protocol [23] assumes hash domain separation in 2HashDH and hence does not apply to the version of OPAQUE in the most recent Internet Draft [6].

  5. The option to derive this additional key was originally not part of OPAQUE [23]. However, it exists in the OPAQUE Internet Draft version 03 [25], which is deployed by the WBP.

  6. For example, we want a corruption of the WhatsApp server to model a malicious WhatsApp service provider, and therefore we want to consider the entire service as corrupted in this case, without a need to distinguish between the ChatD and the backup server.

  7. We remark that this terminology is slightly misleading, as \(\textsf{aid}\) does not identify a client’s account but is rather a “backup identifier”. If the same client initializes many backups, possibly with different passwords, then each backup will be assigned a new \(\textsf{aid}\) and only the most recent backup is kept.

  8. To this end, the HSM tries to retrieve a backup associated with \(\textsf{aid}_\textsf{new}\) from the secure storage. If \(\textsf{aid}_\textsf{new}\) is currently in use, this will succeed. If \(\textsf{aid}_\textsf{new}\) was previously used but corresponds to an already deleted backup, an empty “tombstoned” backup is returned to the HSM, showing that \(\textsf{aid}_\textsf{new}\) is not fresh.

  9. Note that the WBP’s envelope is not equivalent to an OPAQUE envelope.

  10. We note that the abstract \(\textsf{CleanUp}\) instruction might be implemented without any explicit deletion, e.g., by keeping these ephemeral values only in volatile memory and never storing them persistently.

  11. Since WhatsApp runs on mobile devices, connection loss may happen and lead to a failure. After an unsuccessful attempt, the user would most probably re-run initialization, likely with the same password.

  12. We leave the concrete means of authentication to the application. In the case of the WBP, SMS-based authentication is used, creating a one-to-one correspondence between \(\mathsf{ID_C}\) and phone numbers of WhatsApp users. Other authentication methods such as biometrics (where \(\mathsf{ID_C}\) would correspond to, e.g., a fingerprint) or even device-bound strong authentication using signatures are possible as well.

  13. We opted for a general treatment here, i.e., allowing client impersonation by the server. In fact, we could strengthen this (see Sect. 4.2 for more details), but this depends on which mechanisms on the server side are corruptible.

  14. Note that the phrasing “any initialized” here reflects that the adversary can extend the number of admissible password guesses, as described in Sect. 3.6. This is necessary to model the security achieved by WhatsApp’s protocol. We will discuss in Sect. 4.2 how the functionality can be strengthened.

  15. Our proof considers the security of OPAQUE only against a malicious client, since the OPAQUE server is run on the incorruptible HSM.

  16. One might be tempted to model this by giving the HSM’s public key as input to the client instead. However, that would mean that the UC environment machine can give public keys to clients for which the environment knows the corresponding secret key. For the WBP, the clients have a hard-coded public key for which only the HSM knows the secret key, so this would not adequately model the WBP and would make the already complex security analysis unreasonably more complex.

References

  1. Direct correspondences with Kevin Lewi and other members of the WhatsApp engineering team, 2022–2023

  2. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_5

  3. Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: ACM CCS 2011, pp. 433–444. ACM Press (2011)

  4. Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_21

  5. Bienstock, A., Fairoze, J., Garg, S., Mukherjee, P., Raghuraman, S.: A more complete analysis of the signal double ratchet algorithm. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part I. LNCS, vol. 13507, pp. 784–813. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15802-5_27

  6. Bourdrez, D., Krawczyk, D.H., Lewi, K., Wood, C.A.: The OPAQUE Asymmetric PAKE Protocol. Internet-Draft draft-irtf-cfrg-opaque-09, Internet Engineering Task Force (2022). https://datatracker.ietf.org/doc/draft-irtf-cfrg-opaque/09/. Work in Progress

  7. Brost, J., Egger, C., Lai, R.W.F., Schmid, F., Schröder, D., Zoppelt, M.: Threshold password-hardened encryption services. In: ACM CCS 2020, pp. 409–424. ACM Press (2020)

  8. Camenisch, J., Lysyanskaya, A., Neven, G.: Practical yet universally composable two-server password-authenticated secret sharing. In: ACM CCS 2012, pp. 525–536. ACM Press (2012)

  9. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press (2001)

  10. Canetti, R., Jain, P., Swanberg, M., Varia, M.: Universally composable end-to-end secure messaging. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 3–33. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_1

  11. Casacuberta, S., Hesse, J., Lehmann, A.: SoK: oblivious pseudorandom functions. In: IEEE EuroS&P 2022. IEEE (2022)

  12. Cathcart, W.: (2022). https://twitter.com/wcathcart/status/1600603826477617152

  13. Chase, M., Perrin, T., Zaverucha, G.: The signal private group system and anonymous credentials supporting efficient verifiable encryption. In: ACM CCS 2020, pp. 1445–1459. ACM Press (2020)

  14. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: EuroS&P, pp. 451–466. IEEE (2017)

  15. Das, P., Hesse, J., Lehmann, A.: DPaSE: distributed password-authenticated symmetric-key encryption, or how to get many keys from one password. In: ASIACCS 2022, pp. 682–696. ACM Press (2022)

  16. Davidson, A., Faz-Hernandez, A., Sullivan, N., Wood, C.A.: Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups. Internet-Draft draft-irtf-cfrg-voprf-17, Internet Engineering Task Force (2023). https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/17/. Work in Progress

  17. Davies, G.T., et al.: Security analysis of the WhatsApp end-to-end encrypted backup protocol. Cryptology ePrint Archive, Paper 2023/843 (2023). https://eprint.iacr.org/2023/843

  18. Doussot, G., Lacharité, M.S., Schorn, E.: End-to-End Encrypted Backups Security Assessment (2021). https://research.nccgroup.com/wp-content/uploads/2021/10/NCC_Group_WhatsApp_E001000M_Report_2021-10-27_v1.2.pdf

  19. Gentry, C., MacKenzie, P., Ramzan, Z.: A method for making password-based key exchange resilient to server compromise. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 142–159. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_9

  20. Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 233–253. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_13

  21. Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: Highly-efficient and composable password-protected secret sharing (or: how to protect your bitcoin wallet online). In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, 21–24 March 2016, pp. 276–291. IEEE (2016)

  22. Jarecki, S., Krawczyk, H., Resch, J.K.: Updatable oblivious key management for storage systems. In: ACM CCS 2019, pp. 379–393. ACM Press (2019)

  23. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15

  24. Jost, D., Maurer, U., Mularczyk, M.: A unified and composable take on ratcheting. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 180–210. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_7

  25. Krawczyk, D.H., Lewi, K., Wood, C.A.: The OPAQUE Asymmetric PAKE Protocol. Internet-Draft draft-irtf-cfrg-opaque-03, Internet Engineering Task Force (2021). https://datatracker.ietf.org/doc/draft-irtf-cfrg-opaque/03/. Work in Progress

  26. Lai, R.W.F., Egger, C., Reinert, M., Chow, S.S.M., Maffei, M., Schröder, D.: Simple password-hardened encryption services. In: USENIX Security 2018, pp. 1405–1421. USENIX Association (2018)

  27. Novak, M.: Paul Manafort Learns That Encrypting Messages Doesn’t Matter If the Feds Have a Warrant to Search Your iCloud Account (2018). https://gizmodo.com/paul-manafort-learns-that-encrypting-messages-doesnt-ma-1826561511

  28. Perrin, T.: The noise protocol framework. http://noiseprotocol.org/noise.html

  29. Rösler, P., Mainka, C., Schwenk, J.: More is less: on the end-to-end security of group chats in signal, whatsapp, and threema. In: EuroS&P, pp. 415–429. IEEE (2018)

  30. Vatandas, N., Gennaro, R., Ithurburn, B., Krawczyk, H.: On the cryptographic deniability of the signal protocol. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020, Part II. LNCS, vol. 12147, pp. 188–209. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57878-7_10

  31. WhatsApp: Security of End-to-End Encrypted Backups (2021). https://www.whatsapp.com/security/WhatsApp_Security_Encrypted_Backups_Whitepaper.pdf

  32. WhatsApp: WhatsApp Encryption Overview (2021). https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

Author information

Correspondence to Sebastian Faller or Tobias Handirk.

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Davies, G.T. et al. (2023). Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14084. Springer, Cham. https://doi.org/10.1007/978-3-031-38551-3_11

  • DOI: https://doi.org/10.1007/978-3-031-38551-3_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38550-6

  • Online ISBN: 978-3-031-38551-3
