Explorando o Sistema de Criptografia Signal no WhatsApp
Abstract
In 2016, WhatsApp implemented the end-to-end encryption system Signal Protocol to protect all data transmitted in order to prevent any unauthorized third-party access to that information. However, although the cryptographic system is open source, its implementation has been little published by the company. The purpose of this work is to study the implementation of this system to ensure that WhatsApp uses this encryption system and is unable to access the content of the messages from its users. For this, a code injection was used on an Android device to capture messages and keys, and forward it to a third-party system based on Signal Protocol. The results show that the company uses the system properly, without access to the private keys of users and messages content.
References
FRIDA. Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. [link]. (Acessado em: 29/06/2018).
Nadim Kobessi, Karthikeyan Bhargavan, and Bruno Blanchet. Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach. In 2nd IEEE European Symposium on Security and Privacy, pages 435–450, 2017.
Hugo Krawczyk and Pasi Eronen. Hmac-based extract-and-expand key derivation function (hkdf). 2010.
Rogerio Albertoni Miranda et al. Criptossistemas baseados em curvas elipticas. 2002.
Signal Org. The Double Ratchet algorithm. [link]. (Acessado em: 29/06/2018).
Signal Org. The X3DH key agreement protocol. [link]. (Acessado em: 29/06/2018).
Paul Rösler, Christian Mainka, and Jörg Schwenk. More is less: On the end-to-end security of group chats in signal, whatsapp, and threema. In 2nd IEEE European Symposium on Security and Privacy, pages 415–429, 2018.
Peter Saint-Andre. Extensible messaging and presence protocol (XMPP): Core. 2011.
WhatsApp. Sobre o WhatsApp. [link]. (Acessado em: 29/06/2018).
WhatsApp. Whatsapp Encryption Overview. [link]. (Acessado em: 29/06/2018).
