How WhatsApp encryption works – and why there shouldn’t be a backdoor

By Antonis Michalas

Published 28 March 2017

A battle between national security and privacy is brewing. Governments and secret services are asking encrypted messaging services such as WhatsApp to allow them access to users’ data, arguing that access to messages will allow authorities to thwart future terror attacks. Ultimately, though, if someone thinks that removing WhatsApp encryption would be the solution to the problem of terrorism or crime, then they don’t understand the actual problem. Even if you were to remove the end-to-end encryption from WhatsApp, criminals could create their own, similar, software that would allow them to communicate securely, while ordinary users would lose the ability to send genuinely private messages.

A battle between national security and privacy is brewing. Governments and secret services are asking encrypted messaging services such as WhatsApp to allow them access to users’ data. Most recently, in the wake of the March attack at Westminster, Amber Rudd, the U.K. home secretary, said it was unacceptable that the government couldn’t read the encrypted messages of suspected terrorists.

The main argument behind this request is that access to messages will allow authorities to thwart future terror attacks. On the other hand, there are many ordinary people who use messaging apps for daily communication and this request would be a direct breach of their privacy. But this isn’t the only problem – creating a way for the authorities to read encrypted messages would also make the system vulnerable to cyberattacks from criminals and other hackers, removing what makes it a secure way to communicate in the first place.

How does encryption work?
Encryption is simply a way for two or more users to exchange messages securely. Encryption algorithms are like a box with two locks. For example, if a user called Alice wants to send her friend Bob a secure message, she puts it in the box and locks it with her key. Then, she sends the locked box to her friend Bob, who can only open the box and read Alice’s message if he has a valid key of his own.

But to be able to communicate with new users, you need a way of sharing keys that is still secure. To get over this, each user has what’s called a public key that is available to anyone and proves the identity of the user, and a private key that stays with the user. Alice uses Bob’s public key to lock the box, but it can only be unlocked with Bob’s private key.

WhatsApp’s system adds a further level of encryption, known as “perfect forward secrecy.” This is like a second lock with a key that changes for every messaging session. When Alice wishes to send a message to Bob, she first generates a fresh session key, places it in the box and uses Bob’s public key to lock it. She then sends it to Bob, who uses his private key to access the session key. The two of them can then start communicating securely using that session key known only to them to encrypt their messages.
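
The session-key exchange described above, written out as an added example (not from the original article and not WhatsApp's own code): Alice wraps a fresh session key under Bob's public key, Bob unwraps it with his private key, and messages are then encrypted under that key. RSA-OAEP, AES-256-GCM and all function names are assumptions made for illustration, since the article names no algorithms.

```javascript
const crypto = require("node:crypto");

// Assumed algorithms (the article names none): RSA-OAEP wraps the session key,
// AES-256-GCM protects the messages. All function names are hypothetical.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Alice's step: make a fresh session key and lock it with Bob's public key.
function wrapSessionKey(bobPublicKey) {
  const sessionKey = crypto.randomBytes(32);
  const wrapped = crypto.publicEncrypt({ key: bobPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrapped };
}

// Bob's step: only his private key recovers the session key.
function unwrapSessionKey(bobPrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: bobPrivateKey, ...OAEP }, wrapped);
}

// Encrypt one message under the session key. Layout: nonce(12) | tag(16) | body.
function seal(sessionKey, message) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", sessionKey, nonce);
  const body = Buffer.concat([cipher.update(message, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Decrypt one message; throws if the key is wrong or the bytes were modified.
function openSealed(sessionKey, sealed) {
  if (sealed.length < 28) throw new Error("ciphertext too short");
  const decipher = crypto.createDecipheriv("aes-256-gcm", sessionKey, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  const body = Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
  return body.toString("utf8");
}

// Constructed demo: Bob's long-term key pair, one session, one sample message.
function demo() {
  const bob = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const { sessionKey, wrapped } = wrapSessionKey(bob.publicKey);
  const bobsKey = unwrapSessionKey(bob.privateKey, wrapped);
  return openSealed(bobsKey, seal(sessionKey, "hello Bob"));
}

console.log(demo());
```

Unwrapping with any other private key, or opening a message that was altered in transit, throws instead of returning data.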