Imagine you are messaging your business partner about a super secret idea worth $1m. Would you trust the messaging application not to read your super secret conversation? No, right? No one would, yet people across the world use WhatsApp for such sensitive messaging (although I prefer Telegram for my secret conversations). It turns out this is because most messaging apps (including WhatsApp) use a technique called End to End Encryption, which doesn't allow these messaging services or their employees to read your conversations with your contacts. But how does this work? That is what we will try to understand here.
End to End Encryption (E2EE) is defined as a communication flow where, apart from the two parties interacting, no one else can read the messages exchanged and data shared between them. Not even the third party providing the said service or platform.
Here is an overview of how the whole process happens:
Now we will go deeper into 3 major parts:
Key Generation & Sharing:
Bob and Alice generate their key pairs and exchange their respective public keys with each other, so Alice gets pub_key_bob and Bob gets pub_key_alice. For key generation we will be using Elliptic Curve Cryptography (ECC). Elliptic curves are curves which obey this equation:
y² = x³ + ax² + b.
Curve25519 is a specific implementation with a = 486662 & b = 1 over the prime field defined by the number 2⁵⁵ − 19. It is one of the fastest and most secure ways of using ECC. Each party then shares their public key with the other. Along with the public keys, they also share a random nonce with each other, which will be used later in the key derivation function.
Secret Key Generation:
Now comes one of the most important points of the whole process: both Alice and Bob generate a secret key using their own private key and the other person's public key. So Alice will calculate the secret using priv_key_alice and pub_key_bob, and Bob will use priv_key_bob and pub_key_alice.
ECC has the property that
secret = pub_key_alice*priv_key_bob = pub_key_bob*priv_key_alice
In ECC, there is a base point for each curve configuration; for Curve25519, the base point is 9. The private key is a very large number, and we get the public key when the base point is added to itself private key times.
pub_key = priv_key*G
where G is the base point. Hence we get the same secret by using this property:
secret=priv_key_alice*priv_key_bob*G = priv_key_bob*priv_key_alice*G
One thing to note here is that calculating a private key from a public key, given base point G, is very hard; this is called the trap door function in cryptography. This property makes it impossible for any third party listening to their message exchange to calculate the private key and hence decrypt and read the messages.
Now, using the random nonces generated by Alice and Bob and the secret key generated as above, we can derive a session key using the HMAC-based Key Derivation Function (HKDF). That is the session key which we will use to encrypt and decrypt messages.
To understand more about ECC, you can read in detail here
Encryption & Decryption:
Every message sent between these two parties is then encrypted with the session secret key calculated above, and is also decrypted using the same secret.
To encrypt data we use the AES-GCM technique. It provides strong and secure encryption with integrity. For this, we first generate a random IV salt, which we embed in the ciphertext so it can be used while decrypting as well.
So now we know how end to end encryption works, but where can it be used? Well, with privacy scandals popping up every now and then, it becomes important that every platform we are using has certain safeguards to protect user data, and that includes the platforms we choose to use to share very personal things like personal chat messages, health data or financial data.
This is a wonderful example where we can leverage tech to make human lives safer and better.
I hope you had fun reading this article. Please feel free to comment your thoughts. Thanks for reading.
I can be reached on twitter here.
Previously published at https://medium.com/@ankitparashar/end-to-end-encryption-explained-23f1ab1ed000