104
$\begingroup$

WhatsApp says even the photos shared on its platform are end-to-end encrypted. When WhatsApp says encrypted I assume the data is encrypted in my device and then sent across to the recipient.

When we are sending a photo for the first time we can see the actual upload happening (if you are in a slow network), but when we forward the same picture to someone else, the upload is not happening. It happens in an instant.

AFAIK the photo would have been again encrypted with the key pair for the second recipient and then again sent to the second recipient. Since the second upload is not happening is it that the encryption happens in the WhatsApp server? Is WhatsApp decrypting the media file and encrypting it with the new recipient's key when we forward it? Can it be called end-to-end encryption in that case?

Improve this question
$\endgroup$
1
  • 1
    $\begingroup$ It's worth noting that WhatsApp squashes images right down with some fairly crappy compression settings (thus it's a poor choice for the sharing of high res images). While your initial image might have been fat, the share will only be a fraction of the size. $\endgroup$
    – spender
    Commented Apr 19, 2018 at 0:53

3 Answers 3

Reset to default
129
$\begingroup$

Leaving aside the WhatsApp aspect fo the question: the effect described can be achieved with hybrid encryption, where the bulk of the data is encrypted under a random secret symmetric key, and the result uploaded once; revealing that data to a recipient is performed by encrypting that symmetric key towards the recipient (e.g. using his/her public key), and thus requires very little data transfer from the sender for each additional recipient.

Improve this answer
$\endgroup$
6
  • 75
    $\begingroup$ I think this line is worth emphasizing: "All practical implementations of public key cryptography today employ the use of a hybrid system." This isn't some weird method, it's ubiquitous. $\endgroup$
    – André Paramés
    Commented Apr 18, 2018 at 9:22
  • 9
    $\begingroup$ I think @AndréParamés's comment is misleading. While it's true, it's not the case that all public-key-based E2E encryption systems preserve and reuse a copy of the random secret symmetric key used to encrypt messages to later send the same message to different recipients. Doing so probably has additional risks that need to be assessed. $\endgroup$
    – R.. GitHub STOP HELPING ICE
    Commented Apr 18, 2018 at 23:40
  • 2
    $\begingroup$ @R..: Yes, I think the better question is: Does this key reuse feature nullify some of the security benefits that the Signal protocol provides? $\endgroup$
    – President James K. Polk
    Commented Apr 19, 2018 at 13:58
  • 2
    $\begingroup$ @allo: In theory you can, but I don't think the tools do this. In the context of WhatsApp, it at least leaks knowledge to the service (and anyone conducting surveillance through it) that you forwarded to recipient B the same content that you previously sent to recipient A. $\endgroup$
    – R.. GitHub STOP HELPING ICE
    Commented Apr 20, 2018 at 13:51
  • 1
    $\begingroup$ I think WhatsApp never claimed to protect metadata. I do not know exactly what encryption scheme they use for this and was just speaking about the theory of reusing symmetric encryption keys here. $\endgroup$
    – allo
    Commented Apr 21, 2018 at 14:16
53
$\begingroup$

That's also a problem with encrypted emails. If you have an email with a 5MB attachment, and the public keys of 1,000 recipients, how do you send it to all of them?

You create a key pair for encryption / decryption. You encrypt the email with this key. The message consists of the encrypted email (5 MB), plus the decryption key encrypted with each of your 1000 public keys (1000 times not very much). That's sent to every recipient. Anyone in possession of a matching private key can now decrypt the decryption key, then the original message.

So you create an encrypted message and transmit the encrypted message in the open. It doesn't matter if everyone can see the encrypted message. The decryption key, which is a lot smaller, must go through whatever secure channels you have.

Improve this answer
$\endgroup$
28
$\begingroup$

Attachments have their own AES-CBC ephemeral keys.

See page 6 in the paper: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

The paper seems to forget to mention that the key is retained and reused, but this would explain why you see only one upload.

Improve this answer
$\endgroup$

Not the answer you're looking for? Browse other questions tagged or ask your own question.