WhatsApp’s encryption: a more in-depth look into what it really means

By: Siobhan Wood on
6 minutes to read
Blog Image

WhatsApp users received a message informing them that communications between themselves and their recipients are now covered by ‘end-to-end encryption’. Our developer explains what it’s all about…

Anyone with a rudimentary understanding of communications technology will know that some of the fears expressed online such as “Has my phone been hacked?!” or “Are people reading my messages?!” are in the main unnecessary. In fact, quite the opposite. In its most basic form, this feature means that the messages and media you send and receive can only be understood by your device and the recipient device.

Data privacy is a huge issue in the world of communication, developers have to use the most up to date technologies to ensure their data is never compromised – not just by cyber criminals but from undetected flaws in third party applications and services (Heartbleed bug anyone?)

It’s clear that a huge number of people who use messaging services, such as WhatsApp, generally have no idea how their messages are transferred from their device to their recipient’s device.

There are many approaches currently in practice but a typical, simplified flow is:

  1. User A types out a message to their recipient and hits ‘Send’.
  2. Message is (first encrypted – but we’ll come to that later), fired off across your local network to your router.
  3. The message is then posted out to the World Wide Web, the internet, cyberspace, the information highway, the wild wild west – call it what you will – with the destination of the app provider’s servers.
  4. The message is received and processed by the application provider and then pushed out to the recipient.
  5. The message is typically received by the recipient’s network, probably a network router, and finally delivered to the recipient’s device.

As you can see, the message spends a huge amount of time out in the ether. Now imagine that message was sent out in plain text, exactly how it was typed out. Anyone with sufficient access to your local network (IT administrators, your big brother who set the router up at home…) could theoretically ‘snoop’ on the network, revealing your exact message.

Enter Encryption. To encrypt a message is to convert said message into a form that can only be converted back by authorized parties. Therefore, if the messaging application we are utilizing encrypts our messages before sending them, then only the authorized parties (the sender and receiver) will be able to read the message. Hackers, authorities, big brothers and the application creators themselves will not be able to read our message, but they may still be able to get hold of our message.

It is a legitimate concern to worry about criminals cracking your encrypted data. If encryption is weak then it may very well be cracked and your data could potentially be exposed. So let’s dig a little deeper and talk about how encryption works. Encryption uses mathematical algorithms to mask data. The length of the algorithm key dictates the strength of the encryption. The higher the number of bits (1s and 0s) in the key, the more secure the encryption and the more difficult it will be to crack.

One method of cracking encryption is a brute force attack – a rapid trial and error process of ‘guessing’ the encryption key. Let’s take a small example. If we were to encrypt our data using a 2-bit key (a key containing 2 bits which can either be a 0 or a 1), there are only 2 different combinations of the key – 01 or 10. Now I’m sure the mathematicians among you are already starting to see that as we increase the length of our encryption key, we also exponentially increase the possible combinations of the key.

Now we have some context around encryption key sizes we can talk about WhatsApp’s encryption method. WhatsApp have opted for 256-bit encryption. The number of possible combinations for a 256-bit encryption key is truly mind boggling - 1.1x1078 (1.1 with 78 0s after it).

If we assume a hacker is using a high end processor (and has access to an infinite power source), we could calculate the number of ‘guesses’ a year the computer could take in a brute force attack by multiplying the number of operations our computer can make every second multiplied by the number of seconds a year. We can assume a good quality processor can perform approximately 2 billion operations every second.

So with: (Number of possible combinations / (2 billion * the number of seconds in a year)) it would take a computer 1.74x1061 years to get through every possible combination. As our universe is only 1.3x1010 years old, I think it’s safe to say that a 256-bit encryption key is safe from such attacks. It has been calculated that even using the world’s most powerful super computer the number of years barely even shifts.

With such secure encryption comes the inevitable issue. One user stated:

“Does this mean if people commit crime and evidence is documented in their WhatsApp conversation, the data cannot be retrieved by the police intelligence? If that is the case, this app could be fatal.”

This question has been at the epicenter of technical controversy for a number of years now. There are many legal, ethical, political and philosophical arguments for and against the secure encryption of data and whether or not providers should build a ‘back door’ into their applications. This in itself is an entirely different blog post, but one thing is for sure - if other companies follow in WhatsApp’s footsteps, it could cause huge headaches for national security agencies all over the world – rightfully so, some might say.

In summary, WhatsApp have integrated a highly secure encryption algorithm into their messaging protocol and are rolling it out seamlessly to their 1 billion users to keep your data as safe as possible from intruders. Possibly too safe?