WhatsApp and Cloudflare enhance security by auditing key transparency for end-to-end encrypted messages

WhatsApp and Cloudflare are collaborating to strengthen the security of end-to-end encrypted messages by implementing a robust auditing process for Key Transparency. This partnership introduces Plexi, an auditing tool that monitors and verifies the integrity of public keys, ensuring that user communication is secure.


KEY TRANSPARENCY AUDITOR

In 2022, WhatsApp and Cloudflare announced Code Verify, a tool designed to enhance the security and privacy of WhatsApp Web users. Code Verify allows users to confirm that their WhatsApp Web client has not been tampered with. When users access WhatsApp Web, Code Verify generates a unique hash value that is checked against Cloudflare's servers. This ensures that the web application is genuine and has not been altered by malicious actors. The initiative aimed to build user trust and transparency by providing an additional layer of security in the messaging experience. It appears that WhatsApp and Cloudflare are now committed to further enhancing the security of messaging apps based on end-to-end encryption by introducing new technologies focused on Key Transparency audits.

The attached image provided by Cloudflare illustrates the auditing architecture behind the new Key Transparency framework, designed to ensure the integrity of public keys used in end-to-end encryption. Here's a step-by-step simplified explanation of how it works:

  1. Client Interaction: The process begins with the client (a user of WhatsApp or another end-to-end encrypted messaging app), who initiates a message that relies on encryption. When this happens, the client's device requests or retrieves a public key from a log.
  2. Log Storage: The log represents WhatsApp's Auditable Key Directory (AKD), constructed and maintained by WhatsApp, where the public keys associated with user devices are securely stored. This log holds the record of all the public keys used for encryption purposes. The client's request is sent to the log, where it accesses or updates key data. It is important to note that the proof verification and signatures stored do not contain any personally identifiable information, such as phone numbers or other metadata linked to specific WhatsApp accounts. Each child node in the tree holds contact and public key details for a user, but Cloudflare only sees a hashed version of each node, rather than the information in plaintext.
  3. Signature Requests: The log sends a signature request to Cloudflare's Worker-rs component, which plays a crucial role in auditing and verifying the integrity of the log's entries. This ensures the public keys haven't been tampered with or altered maliciously.
  4. Global Uniqueness Verification: Once the signature request is processed, Cloudflare's Durable Objects (marked as DO) verify the global uniqueness of the keys or data. This ensures that each key remains unique globally, preventing any duplicate or forged entries. The process guarantees that no malicious actors can insert false keys into the log.
  5. Cloud Storage and Validation: The S3 (storage service) and R2 (Cloudflare's storage system) components store the log's key data. Once the keys and logs are updated or checked, the system moves the information into storage for further validation and historical tracking.
  6. Compute and Validation: The validation process is continued by Cloudflare containers, where the stored data is further processed to ensure accuracy and integrity. These containers run compute-intensive validation tasks to ensure that each key update or signature is authentic and valid.
  7. Epoch Generation and Final Validation: Each time the log is updated, a new version or epoch is created. The Durable Object assigns a timestamp and verifies that the epochs are consistent and correctly appended. The validation ensures that no epoch has been tampered with, ensuring a clear chain of trust from one point in time to the next.
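
The checks in steps 3, 4 and 7 can be modelled in a few lines. The following is an added example, not WhatsApp's or Cloudflare's code: the flat root hash, the HMAC standing in for the auditor's signature, and every name in it are assumptions made for illustration, and the contacts and keys are constructed sample values.

```python
import hashlib
import hmac

AUDITOR_KEY = b"constructed-demo-key"  # stand-in: a real auditor signs with an asymmetric key


def leaf_digest(contact, public_key):
    """What the log hands the auditor: a hash of the node, never the plaintext."""
    return hashlib.sha256(contact.encode() + b"\x00" + public_key).digest()


def root_of(leaves):
    """Toy directory root over sorted leaf digests (not the real AKD tree)."""
    return hashlib.sha256(b"".join(sorted(leaves))).digest()


def _message(epoch, timestamp, root):
    # The signature binds epoch number, timestamp and root together.
    return epoch.to_bytes(8, "big") + timestamp.to_bytes(8, "big") + root


class Auditor:
    """Keeps one root per epoch and signs only consecutive, consistent updates."""

    def __init__(self):
        self.heads = {}   # epoch -> root digest already signed
        self.latest = 0

    def sign_epoch(self, epoch, prev_root, new_root, timestamp):
        if epoch in self.heads:
            # Global uniqueness: at most one root may ever be signed per epoch.
            if self.heads[epoch] != new_root:
                raise ValueError(f"split view: second root offered for epoch {epoch}")
        elif epoch != self.latest + 1:
            raise ValueError(f"epoch {epoch} does not follow epoch {self.latest}")
        elif self.latest and self.heads[self.latest] != prev_root:
            raise ValueError("previous root does not match the last signed head")
        self.heads[epoch] = new_root
        self.latest = max(self.latest, epoch)
        return hmac.new(AUDITOR_KEY, _message(epoch, timestamp, new_root),
                        hashlib.sha256).digest()


def verify_signature(epoch, timestamp, root, sig):
    """Check that the auditor vouched for exactly this (epoch, timestamp, root)."""
    expected = hmac.new(AUDITOR_KEY, _message(epoch, timestamp, root),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)
```

A log that offers a second root for an already signed epoch, skips an epoch, or builds on a root the auditor never signed is refused, which is what lets a client treat a signed epoch as the single agreed view of the directory.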

This new initiative allows for the verification of the public keys used in end-to-end encryption, ensuring that user keys have not been altered or compromised. Key Transparency establishes a secure framework where users can trust that their messages are reaching the intended recipients without the risk of interception or manipulation by unauthorized parties. Plexi is the heart of this system, an auditing tool developed by Cloudflare that monitors and verifies the integrity of the Key Transparency infrastructure. Plexi acts as an independent auditor that checks the logs of public keys, ensuring that they are accurate and have not been tampered with during transmission.

This additional layer of auditing does not imply that WhatsApp's current security was lacking, as it builds upon the already robust end-to-end encryption in place, offering even greater transparency and reassurance for users concerned about the integrity of their communications. However, WhatsApp can now provide users with further assurance that their conversations are always secure by implementing Plexi. This means that when a user sends a message, they can be even more confident that the encryption keys being used are always legitimate, which significantly reduces the chances of a malicious actor impersonating a contact. It is worth noting that Plexi's audit trails also help build a consistent history of key changes, making it easier to identify any discrepancies or unauthorized alterations in the future.

With these advancements, WhatsApp and Cloudflare are setting a new standard in digital communication security, ensuring that privacy remains paramount in a rapidly evolving digital landscape. The new level of transparency provided by their technology sets a high standard for privacy in digital communication, as it not only protects users from potential threats but also empowers them with the tools to verify the security of their interactions. If you're interested in a deeper dive into how WhatsApp and Cloudflare are working together to improve security with Key Transparency, we recommend exploring their detailed technical blog for more insights.
