WhatsApp automates cryptographic verification of user accounts

Spread the love

WhatsApp will automate the end-user cryptographic verification process. At the moment, users can still verify the integrity of their interlocutors via a qr code, but this process will soon also be possible automatically via the open source Auditable Key Directory.

Parent company Meta say that this feature is now being rolled out to users. WhatsApp calls the function the Auditable Key Directory, a public and therefore verifiable list of changes to the public keys that users exchange to verify their identity. The function revolves around the qr codes that WhatsApp has been using since 2014 for messages that are end-to-end encrypted.

WhatsApp’s encryption works on the basis of a private key that remains on the device and a public key that can be shared with other users to set up an encrypted connection. This public key is sent from the sender to the recipient via WhatsApp. To check whether a sender is talking to the correct recipient, WhatsApp hashes that public key. That hash of sixty characters can be compared by two users. This can also be done in the form of a qr code. If those hashes match on both devices, no man-in-the-middle attack has occurred.

However, that process is cumbersome, WhatsApp acknowledges. For example, two users must be physically together to scan the QR code, or they must set up a remote connection to compare the hashes. In group conversations, this is completely complicated. In practice, therefore, few people use the feature. WhatsApp is now going to automate exactly that process.

The company does this via a new protocol. With that protocol, a public database is created on WhatsApp’s servers, the Auditable Key Directory. That directory contains mappings between user accounts and their public keys. If they are somehow modified without user intervention, a recipient will see that the public key cannot be verified. In that case, WhatsApp recommends that you still do that process manually.

WhatsApp creates the code behind that directory open source available. It is a Rust library that uses various key transparency protocols such as Coniks. According to WhatsApp, the library processes ‘tens of thousands of key changes per day’ and is therefore an append-only database.

You might also like