  • WhatsApp now encrypts contact databases for privacy-preserving synching


    Karlston

    • 225 views
    • 3 minutes

    The WhatsApp messenger platform has introduced Identity Proof Linked Storage (IPLS), a new privacy-preserving encrypted storage system designed for contact management.

     

    The new system solves two long-standing problems WhatsApp users have been dealing with for years, namely the risk of losing their contact lists if they lose their phone and the inability to sync contacts between different devices.

     

    With IPLS, WhatsApp contact lists will now bind to the account rather than the device, allowing users to easily manage them between device changes or replacements.

     

    Additionally, IPLS makes it possible to maintain different contact lists for multiple accounts on the same device, each securely managed and isolated from the rest.

    A secure, encrypted system

    IPLS achieves security through a combination of encryption, key transparency, and the use of Hardware Security Modules (HSMs).

     

    When a new contact is added, the name is encrypted using a symmetric encryption key generated on the user's device and stored in WhatsApp's HSM-based tamper-resistant Key Vault.

     

    When the user logs in on a new device, a secure session with the HSM-based Key Vault is established to retrieve the new contact by performing an authentication action using the cryptographic keypair linked to the user's account (created upon registration).

     

    How data exchange happens within the context of IPLS
    Source: Meta

    IPLS ensures that all contacts are encrypted end-to-end, meaning that contact data is encrypted on the user's device and remains encrypted as it moves through WhatsApp's systems, preventing interception in transit or access by rogue Meta employees.

     

    WhatsApp also partners with Cloudflare for independent third-party auditing of its cryptographic operations, specifically, to act as a guarantor of updates to the Auditable Key Directory (AKD), signing each epoch and validating it hasn't been tampered with.

     

    WhatsApp publishes auditable proofs of consistency for the key directory's updates (transitions between epochs) to a publicly accessible Amazon S3 instance, allowing users, researchers, and auditors to independently verify AKD's integrity.
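
    To show what a proof of consistency between two epochs lets an outside auditor check, here is an added example (not from the article and not WhatsApp's AKD code). It substitutes the simpler RFC 6962-style Merkle log consistency proof for AKD's own proof format; the entry strings and all function names are assumptions.

```python
import hashlib

# Constructed sample entries for two consecutive epochs (not real data).
EPOCH_1 = [b"alice:key1", b"bob:key1", b"carol:key1"]
EPOCH_2 = EPOCH_1 + [b"alice:key2", b"dave:key1"]

def leaf(d): return hashlib.sha256(b"\x00" + d).digest()
def node(l, r): return hashlib.sha256(b"\x01" + l + r).digest()
def split(n): return 1 << ((n - 1).bit_length() - 1)  # largest 2^k < n

def root(entries):
    if len(entries) == 1:
        return leaf(entries[0])
    k = split(len(entries))
    return node(root(entries[:k]), root(entries[k:]))

def prove(m, entries, whole=True):
    """Directory side: prove the first m entries are a prefix of `entries`."""
    n = len(entries)
    if m == n:
        return [] if whole else [root(entries)]
    k = split(n)
    if m <= k:
        return prove(m, entries[:k], whole) + [root(entries[k:])]
    return prove(m - k, entries[k:], False) + [root(entries[:k])]

def _rebuild(m, n, proof, whole, old_root):
    """Recompute (old root, new root) from the proof, consuming it from the end."""
    if m == n:
        h = old_root if whole else proof.pop()
        return h, h
    k, sibling = split(n), proof.pop()
    if m <= k:
        old, new = _rebuild(m, k, proof, whole, old_root)
        return old, node(new, sibling)
    old, new = _rebuild(m - k, n - k, proof, False, old_root)
    return node(sibling, old), node(sibling, new)

def audit(m, old_root, n, new_root, proof):
    """Auditor side: True only if the n-entry root extends the m-entry root."""
    if not 0 < m <= n:
        return False
    proof = list(proof)
    try:
        old, new = _rebuild(m, n, proof, True, old_root)
    except IndexError:  # proof shorter than the tree shape requires
        return False
    return not proof and old == old_root and new == new_root
```

    The auditor needs only the two published roots and the proof, not the entries themselves, and a transition that rewrites an earlier entry fails the check.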

     

    Overview of IPLS security
    Source: Meta

    Before IPLS and the underlying mechanisms were even presented to the public, WhatsApp contracted NCC Group to perform a security audit on the new system.

     

    The most critical discovery of that audit was a flaw that allowed impersonation of the Marvell HSMs and decryption of the users' secret key material, potentially exposing private contact metadata.

     

    This problem, along with 12 flaws rated low to medium severity, was addressed by WhatsApp in September 2024, so it is not present in the final release of IPLS.

     

    Source


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts

     

    RIP Matrix | Farewell my friend  :sadbye:

