{"id":462,"date":"2021-09-20T10:06:17","date_gmt":"2021-09-20T10:06:17","guid":{"rendered":"https:\/\/fde.cat\/?p=462"},"modified":"2021-09-20T10:06:17","modified_gmt":"2021-09-20T10:06:17","slug":"how-whatsapp-is-enabling-end-to-end-encrypted-backups","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2021\/09\/20\/how-whatsapp-is-enabling-end-to-end-encrypted-backups\/","title":{"rendered":"How WhatsApp is enabling end-to-end encrypted backups"},"content":{"rendered":"<p><span>For years, in order to safeguard the privacy of people\u2019s messages, WhatsApp has provided <a href=\"https:\/\/engineering.fb.com\/2021\/04\/16\/security\/dit\/\">end-to-end encryption<\/a> by default so messages can be seen only by the sender and recipient, and no one in between. Now, we\u2019re planning to give people the option to protect their WhatsApp backups using end-to-end encryption as well.<\/span><\/p>\n<p><span>People can already back up their WhatsApp message history via cloud-based services like Google Drive and iCloud. WhatsApp does not have access to these backups, and they are secured by the individual cloud-based storage services.<\/span><\/p>\n<p><span>But now, if people choose to enable end-to-end encrypted (E2EE) backups once available, neither WhatsApp nor the backup service provider will be able to access their backup or their backup encryption key.<\/span><\/p>\n<h2><span>How E2EE backups work<\/span><\/h2>\n<h3><span>Generating encryption keys and passwords<\/span><\/h3>\n<p><span>To enable E2EE backups, we developed an entirely new system for encryption key storage that works with both iOS and Android. With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password. 
When someone opts for a password, the key is stored in a Backup Key Vault built on a hardware security module (HSM) <\/span>\u2014 <span>specialized, secure hardware that can be used to securely store encryption keys. When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup.<\/span><\/p>\n<p><span>The HSM-based Backup Key Vault will be responsible for limiting password verification attempts and rendering the key permanently inaccessible after a small number of unsuccessful attempts to access it. These security measures provide protection against brute-force attempts to retrieve the key. WhatsApp will know only that a key exists in the HSM. It will not know the key itself.<\/span><\/p>\n<h3><span>Storing keys in the Backup Key Vault<\/span><\/h3>\n<p><span>WhatsApp\u2019s front-end service, ChatD, handles client connections and client-server authentication, and will implement a protocol that carries the backup keys to and from WhatsApp\u2019s servers. The client and the HSM-based Backup Key Vault will exchange encrypted messages, the contents of which will not be accessible to ChatD itself.<\/span><\/p>\n<p><span>The HSM-based Backup Key Vault will sit behind ChatD and provide highly available and secure storage for the encryption keys to the backups. The backups themselves will be generated as a continuous stream of data that is encrypted using symmetric encryption with the generated key. With E2EE backups enabled, once a backup has been encrypted it can be stored off device (e.g., to iCloud or Google Drive).<\/span><\/p>\n<p><span>WhatsApp serves over 2 billion people, and one of the core challenges of this product was to make sure the HSM-based Backup Key Vault operates reliably. 
To help ensure that the system is always available, the HSM-based Backup Key Vault service will be geographically distributed across multiple data centers to keep it up and running in case of a data center <a href=\"https:\/\/engineering.fb.com\/2021\/06\/02\/data-center-engineering\/how-facebook-deals-with-pcie-faults-to-keep-our-data-centers-running-reliably\/\">outage<\/a>.<\/span><\/p>\n<p>Backups can be end-to-end encrypted using a 64-digit encryption key.<\/p>\n<p>Backups can also be secured with a password, in which case the encryption key is saved to the HSM-based Backup Key Vault.<\/p>\n<h3><span>The HSM-based Backup Key Vault and the encryption and decryption process<\/span><\/h3>\n<p><span>When the account owner uses a personal password to protect their end-to-end encrypted backup, the key is registered with and stored in the HSM-based Backup Key Vault, which safeguards it.<\/span><\/p>\n<p><span>When someone wants to retrieve their backup:<\/span><\/p>\n<ol>\n<li><span>They enter their password, which is encrypted and then verified by the Backup Key Vault.<\/span><\/li>\n<li><span>Once the password is verified, the Backup Key Vault will send the encryption key back to the WhatsApp client.<\/span><\/li>\n<li><span>With the key in hand, the WhatsApp client can then decrypt the backups.<\/span><\/li>\n<\/ol>\n<p><span>Alternatively, if an account owner has chosen to use the 64-digit key alone, they will have to manually enter the key themselves to decrypt and access their backups.<\/span><\/p>\n<p><span>E2EE backups will be available on iOS and Android in the coming weeks. 
Check out the <a href=\"https:\/\/www.whatsapp.com\/security\/WhatsApp_Security_Encrypted_Backups_Whitepaper.pdf\">end-to-end encrypted backups white paper<\/a> to learn more about the technical details.<\/span><\/p>\n<p>The post <a href=\"https:\/\/engineering.fb.com\/2021\/09\/10\/security\/whatsapp-e2ee-backups\/\">How WhatsApp is enabling end-to-end encrypted backups<\/a> appeared first on <a href=\"https:\/\/engineering.fb.com\/\">Facebook Engineering<\/a>.<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-462","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":""}