Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol

Gareth T. Davies; Sebastian Faller; Kai Gellert; Tobias Handirk; Julia Hesse; Máté Horváth; Tibor Jager

Paper 2023/843

Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol

Gareth T. Davies

, Bergische Universität Wuppertal

Sebastian Faller, ETH Zurich, IBM Research Europe - Zurich

Kai Gellert

, Bergische Universität Wuppertal

Tobias Handirk, Bergische Universität Wuppertal

Julia Hesse, IBM Research Europe - Zurich

Máté Horváth

, Bergische Universität Wuppertal

Tibor Jager, Bergische Universität Wuppertal

Abstract

WhatsApp is an end-to-end encrypted (E2EE) messaging service used by billions of people. In late 2021, WhatsApp rolled out a new protocol for backing up chat histories. The E2EE WhatsApp backup protocol (WBP) allows users to recover their chat history from passwords, leaving WhatsApp oblivious of the actual encryption keys. The WBP builds upon the OPAQUE framework for password-based key exchange, which is currently undergoing standardization. While considerable efforts have gone into the design and auditing of the WBP, the complexity of the protocol’s design and shortcomings in the existing security analyses of its building blocks make it hard to understand the actual security guarantees that the WBP provides. In this work, we provide the first formal security analysis of the WBP. Our analysis in the universal composability (UC) framework confirms that the WBP provides strong protection of users’ chat history and passwords. It also shows that a corrupted server can under certain conditions make more password guesses than what previous analysis suggests.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: A major revision of an IACR publication in CRYPTO 2023
Keywords: Password-Authenticated Key Exchange E2EE OPAQUE secure messaging
Contact author(s): davies @ uni-wuppertal de
sebastian faller @ ibm com
kai gellert @ uni-wuppertal de
tobias handirk @ uni-wuppertal de
juliahesse2 @ gmail com
horvath @ uni-wuppertal de
tibor jager @ uni-wuppertal de
History: 2023-06-07: revised; 2023-06-06: received; See all versions
Short URL: https://ia.cr/2023/843
License: CC BY

BibTeX

@misc{cryptoeprint:2023/843,
      author = {Gareth T. Davies and Sebastian Faller and Kai Gellert and Tobias Handirk and Julia Hesse and Máté Horváth and Tibor Jager},
      title = {Security Analysis of the {WhatsApp} End-to-End Encrypted Backup Protocol},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/843},
      year = {2023},
      url = {https://eprint.iacr.org/2023/843}
}