Abstract
WhatsApp is an end-to-end encrypted (E2EE) messaging service used by billions of people. In late 2021, WhatsApp rolled out a new protocol for backing up chat histories. The E2EE WhatsApp backup protocol (WBP) allows users to recover their chat history from passwords, leaving WhatsApp oblivious of the actual encryption keys. The WBP builds upon the OPAQUE framework for password-based key exchange, which is currently undergoing standardization.
While considerable efforts have gone into the design and auditing of the WBP, the complexity of the protocol’s design and shortcomings in the existing security analyses of its building blocks make it hard to understand the actual security guarantees that the WBP provides.
In this work, we provide the first formal security analysis of the WBP. Our analysis in the universal composability (UC) framework confirms that the WBP provides strong protection of users’ chat history and passwords. It also shows that a corrupted server can under certain conditions make more password guesses than what previous analysis suggests.
Gareth T. Davies, Tobias Handirk, and Tibor Jager have been supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme, grant agreement 802823. Julia Hesse was supported by the Swiss National Science Foundation (SNSF) under the AMBIZIONE grant “Cryptographic Protocols for Human Authentication and the IoT”. Máté Horváth has been supported by the German Research Foundation (DFG), project JA2445/6-1.
Notes
- 1. In this paper we refer to the people using a device that runs the WhatsApp client software as users, to the device as a client, and to the servers that provide the WhatsApp chat and backup service as servers.
- 2. Note that WhatsApp refers to this phase as registration.
- 3. It is actually a “per-backup secret”, which is determined during initialization. If a client were to re-register, a new per-backup secret would be chosen.
- 4.
- 5.
- 6. For example, we want a corruption of the WhatsApp server to model a malicious WhatsApp service provider, and therefore we consider the entire service as corrupted in this case, without distinguishing between the ChatD and the backup server.
- 7. We remark that this terminology is slightly misleading, as \(\textsf{aid}\) does not identify a client’s account but is rather a “backup identifier”. If the same client initializes many backups, possibly with different passwords, then each backup is assigned a new \(\textsf{aid}\) and only the most recent backup is kept.
- 8. To this end, the HSM tries to retrieve a backup associated with \(\textsf{aid}_\textsf{new}\) from the secure storage. If \(\textsf{aid}_\textsf{new}\) is currently in use, this succeeds. If \(\textsf{aid}_\textsf{new}\) was previously used but corresponds to an already deleted backup, an empty “tombstoned” backup is returned to the HSM, showing that \(\textsf{aid}_\textsf{new}\) is not fresh.
- 9. Note that the WBP’s envelope is not equivalent to an OPAQUE envelope.
- 10. We note that the abstract \(\textsf{CleanUp}\) instruction might be implemented without any explicit deletion, e.g., by keeping these ephemeral values only in volatile memory and never storing them persistently.
- 11. Since WhatsApp runs on mobile devices, connection loss may occur and cause initialization to fail. After an unsuccessful attempt, the user would most probably re-run initialization, likely with the same password.
- 12. We leave the concrete means of authentication to the application. In the case of the WBP, SMS-based authentication is used, creating a one-to-one correspondence between \(\mathsf{ID_C}\) and the phone numbers of WhatsApp users. Other authentication methods such as biometrics (where \(\mathsf{ID_C}\) would correspond to, e.g., a fingerprint) or even device-bound strong authentication using signatures are possible as well.
- 13. We opted for a general treatment here, i.e., allowing client impersonation by the server. In fact, we could strengthen this (see Sect. 4.2 for more details), but this depends on which mechanisms on the server side are corruptible.
- 14. Note that the phrasing “any initialized” here reflects that the adversary can extend the number of admissible password guesses, as described in Sect. 3.6. This is necessary to model the security achieved by WhatsApp’s protocol. We discuss in Sect. 4.2 how the functionality can be strengthened.
- 15. Our proof considers the security of OPAQUE only against a malicious client, since the OPAQUE server runs on the incorruptible HSM.
- 16. One might be tempted to model this by giving the HSM’s public key as input to the client instead. However, that would mean that the UC environment machine could give clients public keys for which the environment knows the corresponding secret key. In the WBP the clients have a hard-coded public key for which only the HSM knows the secret key, so this would not adequately model the WBP and would make the already complex security analysis considerably more complex.
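Notes 3, 7 and 8 together describe a small piece of HSM-side state: every initialization gets a fresh per-backup secret, each backup gets its own \(\textsf{aid}\) and only the most recent one survives, and a deleted backup leaves a tombstone behind so that its \(\textsf{aid}\) can never be accepted as fresh again. The following model is an added illustration written for this page; it is not code from the paper, from WhatsApp or from any HSM. The class and method names (`BackupRegistry`, `lookup`, `is_fresh`, `initialize`, `delete`), the in-memory dict standing in for the HSM's secure storage, the use of `None` as the tombstone marker, and the phone-number client identifiers in `demo()` are all assumptions made here. The `tombstones=False` variant is not part of the WBP; it is included only to show what the freshness check would miss if deletion simply erased the entry.

```python
"""Model of the HSM-side backup registry sketched in Notes 3, 7 and 8.

Added illustration, not code from the paper or from WhatsApp. The class and
method names, the in-memory dict standing in for the HSM's secure storage,
and the use of None as the tombstone marker are assumptions made here.
"""
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Backup:
    per_backup_secret: bytes  # chosen afresh at every initialization (Note 3)
    opaque_state: bytes       # stand-in for the server-side OPAQUE record


class BackupRegistry:
    """Secure storage keyed by backup identifier (aid, Note 7)."""

    def __init__(self, tombstones: bool = True) -> None:
        # tombstones=False models a naive registry that erases deleted
        # entries outright; it exists only to show what the check would lose.
        self.tombstones = tombstones
        self.storage: Dict[bytes, Optional[Backup]] = {}  # aid -> Backup | None
        self.current: Dict[str, bytes] = {}               # ID_C -> live aid

    def lookup(self, aid: bytes) -> Tuple[str, Optional[Backup]]:
        """Retrieve the backup stored under aid (the retrieval step in Note 8)."""
        if aid not in self.storage:
            return "absent", None
        entry = self.storage[aid]
        if entry is None:
            return "tombstoned", None   # empty backup: aid was used before
        return "live", entry

    def is_fresh(self, aid: bytes) -> bool:
        # Only a miss proves freshness; a live or tombstoned entry means the
        # identifier has already been assigned to some backup.
        return self.lookup(aid)[0] == "absent"

    def delete(self, aid: bytes) -> None:
        if self.tombstones:
            self.storage[aid] = None   # leave an empty, tombstoned backup behind
        else:
            self.storage.pop(aid, None)

    def initialize(self, client_id: str, aid_new: bytes, opaque_state: bytes) -> bytes:
        """Register a new backup for client_id under aid_new.

        Returns the per-backup secret. Raises ValueError if aid_new is not
        fresh, i.e. it is in use or belongs to an already deleted backup.
        """
        if not self.is_fresh(aid_new):
            raise ValueError("aid_new is not fresh: %s" % self.lookup(aid_new)[0])
        secret = os.urandom(32)
        self.storage[aid_new] = Backup(secret, opaque_state)
        previous = self.current.get(client_id)
        if previous is not None:
            self.delete(previous)      # only the most recent backup is kept (Note 7)
        self.current[client_id] = aid_new
        return secret


def demo() -> Dict[str, bool]:
    """Run both registries over constructed inputs and report what each sees."""
    results: Dict[str, bool] = {}
    hsm = BackupRegistry(tombstones=True)
    # Constructed sample inputs: one client re-initializing its backup twice.
    s1 = hsm.initialize("+15550000001", b"aid-1", b"opaque-record-1")
    s2 = hsm.initialize("+15550000001", b"aid-2", b"opaque-record-2")
    results["new_secret_per_backup"] = s1 != s2
    results["old_aid_tombstoned"] = hsm.lookup(b"aid-1")[0] == "tombstoned"
    try:
        hsm.initialize("+15550000001", b"aid-1", b"opaque-record-3")
        results["reuse_rejected"] = False
    except ValueError:
        results["reuse_rejected"] = True

    naive = BackupRegistry(tombstones=False)
    naive.initialize("+15550000001", b"aid-1", b"opaque-record-1")
    naive.initialize("+15550000001", b"aid-2", b"opaque-record-2")
    # Without tombstones the deleted identifier looks fresh again.
    results["naive_accepts_reuse"] = naive.is_fresh(b"aid-1")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the tombstone is that "absent" is the only answer the HSM may treat as fresh: a live entry and an empty tombstoned entry both prove that the identifier has already been bound to some backup, which is exactly the distinction a registry that erases entries on deletion cannot make.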
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Davies, G.T. et al. (2023). Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14084. Springer, Cham. https://doi.org/10.1007/978-3-031-38551-3_11
DOI: https://doi.org/10.1007/978-3-031-38551-3_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38550-6
Online ISBN: 978-3-031-38551-3
eBook Packages: Computer Science (R0)