There was a time when a hacker, anyone in fact, could get into a smartphone or computer and read all the logs of the chats that the person owning the device had engaged in. Some very well-known software packages like Live Messenger even created unencrypted folders and files that contained not only the messages but also the photos and movies shared between friends, with no form of protection whatsoever.
In the wake of the “Datagate” scandal and all the other issues surrounding digital privacy, the leading developers of messaging platforms have been working hard to make their ecosystems secure. These days, nearly all of them use so-called end-to-end encryption, which makes it hard for third parties to spy on conversations and thus minimizes the risk of a remote hack. There’s still the danger of being intercepted“physically,” but that’s another story.
The crucial moment
In their early days, popular apps like WhatsApp and Facebook Messenger didn’t have any genuinely secure structures underpinning their communications technology. When end-to-end encryption came along, however, the game changed. The technology first became popular with the rapid rise of Telegram, the first true privacy-friendly chat app.
End-to-end encryption is a highly powerful feature that encodes the messages sent and received between two users of the same service at a fundamental level. When you send a text to a friend, it is encoded (i.e. encrypted) and can only be read on the recipient’s device. And, precisely because it is an information sequence that makes logs illegible, the same algorithm is used to share files and make VoIP calls via the Internet. The advantage of this kind of technology is that it keeps chats and phone calls safe from prying eyes, whether these belong to hackers, the police, or government spies. The technology ensures that the type of conversation being held can only be read on the smartphones that sent and received the message. There is no chance of it being intercepted from outside, not even by the provider responsible, such as WhatsApp.
It’s all about the keys
End-to-end encryption is designed to encode the sender’s information. To this end, the only things provided to the recipient’s device are the keys that enable a specific message – the one sent by the person at the other end of the conversation – to be encoded. There are two kinds of keys that come into play here: public and private.
When you sign up to WhatsApp for the first time by installing it on your smartphone, groups of public keys that are unique to your cell are generated and stored on the company’s server. It is these keys that are then used to encrypt the messages, photos, and movies that you send. Every app that supports end-to-end encryption might employ a different number of public keys. WhatsApp, for example, has three: the identity key, the signed key, and the one-time key, which is only used the first time a new message is read.
This is how the sequence of keys works: George sends a message to Laura. George’s cell uses the public keys from Laura’s to encrypt and dispatch the message. However, the system needs to make sure that only Laura, the intended recipient, can read it, and nobody else – not even the server transmitting the conversation. And this is where the private key comes in.
Every device has a unique private key that is stored on the smartphone and nowhere else. In other words, when George sends his message to Laura, it is encrypted and transmitted using her public keys but can only be read using the private key that she owns.
Just like mailing a letter
Here’s a simple analogy: Think about how the drop boxes work that you find next to post offices and scattered around cities, and now imagine that they are servers. Although anyone can put letters or postcards inside by sliding them through the slot (the public key), only the postal worker, who has access (the private key), is able to open the box, retrieve all the letters and send them on to their recipient. The difference is that, while human beings can be late or make mistakes, encryption can’t.
This post first appeared on the Avira Blog