Facebook-owned messaging platform WhatsApp has completed building end-to-end encrypted backups and will soon begin rolling out this extra layer of privacy and security protection to users.
The extra layer of privacy:
WhatsApp has released a big privacy update, which includes the addition of end-to-end encryption to chat backups. In recent months, one of the most provocative topics between WhatsApp and the Indian government has been using end-to-end encryption technology by WhatsApp to ensure that messages between two parties can be read-only by them.
The capacity to track messages, according to WhatsApp, would involve breaking end-to-end encryption of chats, jeopardising the privacy of billions of people who communicate digitally.
The Indian government, on the other hand, wants the messaging platform to track the origin of communications that could disrupt law and order. WhatsApp has recently revealed that chat backups would be encrypted as well.
WhatsApp announced on Friday that it would provide users with the option of encrypting their Whatsapp chat backup using end-to-end encryption technology. Users can currently back up their WhatsApp conversations using cloud-based services such as Google Drive and iCloud.
Respective cloud-based storage services then secure these backups, and WhatsApp does not have any access to these backups. The users who prefer to have their Whatsapp chat backup encrypted will have to remember a 64-digit encryption key or create a password related to the key.
Generating encryption keys and passwords:
WhatsApp created a new encryption key storage method that works with iOS and Android to enable E2EE (end-to-end encrypted ) backups. With E2EE backups enabled, the Whatsapp chat backup will hold encrypted with a unique, randomly generated encryption key.
People have the option of manually securing the key or using a user password. After choosing the password, Backup Key Vault stores the password, built based on a component known as a hardware security module (HSM) – specialised, secure hardware that may store encryption keys safely.
When the account owner wants access to their backup, they can use their encryption key to decode it or obtain their encryption key from the HSM-based Backup Key Vault using their password.
The HSM-based Backup Key Vault will be responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a specified number of unsuccessful attempts to access it.
These security features protect attempts to recover the key through brute force. WhatsApp will only be conscious of the presence of a code in the HSM. It will be oblivious to the key.
Storing keys in the HSM- based Backup Key Vault:
Chat, WhatsApp’s front-end service, will handle client connections and client-server authentication, as well as a protocol for sending backup keys to and from the company’s servers. The client and the HSM-based Backup Key Vault will send encrypted messages to each other, the contents of which will be inaccessible to chat.
The HSM-based Backup Key Vault will be installed behind chat and store the encryption keys for highly accessible and secure backups. The backups created will be a continuous stream of data encrypted with the generated key using symmetric encryption. When E2EE backups are enabled, a backup can be encrypted and stored off-device (e.g., to iCloud or Google Drive).
WhatsApp has a user base of over 2 billion individuals, and one of the most challenging aspects of this product was ensuring that the HSM-based Backup Key Vault functioned adequately.
The HSM-based Backup Key Vault service will be geographically distributed across multiple data centres to keep it up and run in case of a data centre outage to ensure continuous availability.
The encryption and decryption process:
The HSM-based Backup Key Vault will store and safeguard the account owner’s password to protect their end-to-end encrypted Whatsapp chat backup.
When someone needs to get a hold of their backup: They enter their password, which the Backup Key Vault encrypts and verifies. Once the password is validated, the Backup Key Vault will transfer the encryption key to the WhatsApp client. The WhatsApp client can then decrypt the backups with the key in hand.
If an account owner chooses to use the 64-digit key alone, they will have to decrypt and access their backups manually.
Official rollout:
WhatsApp was spotted initially taking end-to-end encrypted backups on its platform in July. Last month, the app also stretched end-to-end encryption to local backups, though there is no official word on its rollout.
However, the end-to-end encrypted backups feature will be available to beta testers on Android and iOS in the coming days before being made available to the general public.
