Authentication Overview (WA 2.0)
Each client has a static keypair that is created once, on first use, and reused afterwards; it must not be regenerated. For each connection a fresh temporary (ephemeral) keypair is created in addition.

The client sends its temporary public key to the server. From the client's temporary key and the server's temporary key a shared key is derived, which the client uses to obtain the server's static key. From the client's temporary key and the server's static key it derives the key that unlocks the certificate and the server's payload. The client's own payload is then encrypted with a key derived from the client's static key and the server's temporary key.

From the last key created, the KDF derives and expands two different keys, one for writing and one for reading, which are used for the rest of the WhatsApp communication.
```
(C,c)   : client's public key C and private key c
(S,s)   : server's public key S and private key s
(C',c') : client's ephemeral public key C' and private key c'
(S',s') : server's ephemeral public key S' and private key s'

Client->Server: C'
Client<-Server: noise_box((S',s'), (S,s), C', pad_len, app_data, 2)                  # outputs cv_h1
Client->Server: noise_box((C',c'), (C,c), S', pad_len, app_data, 4, cv_h1)[DH_LEN:]   # outputs cv_h2
                # NOTE: C' is omitted since it was already sent

cc_client || cc_server = KDF(cv_h2, zeros[CV_LEN], SUITE_NAME || (byte)6, CC_LEN*2)

# After this, the following messages can be sent repeatedly in any order:
Client->Server: noise_body(cc_client, pad_len, app_data)   # updates cc_client
Client<-Server: noise_body(cc_server, pad_len, app_data)   # updates cc_server
```
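The key schedule behind the exchange above, as an added example that is not code from this project: both sides run the same sequence of DH operations and chaining-value updates, and at the end split `cv_h2` into `cc_client` and `cc_server` exactly as the last KDF line shows. Everything not on the page is an assumption and is marked as such in the code: the DH group is a toy finite-field group (not the real curve), the KDF is HKDF-SHA256, each DH result is mixed into the chaining value with that KDF, and payload encryption is left out. The names `client_chain`, `server_chain` and `split_cipher_chains` are the example's own.

```python
"""Model of the WA 2.0 handshake key schedule (added example, not the project's code).

Assumptions not taken from the page: toy finite-field DH instead of the real
curve, HKDF-SHA256 as the KDF, chaining value mixed via KDF(dh_output, salt=cv),
and no payload encryption (noise_box/noise_body bodies are omitted).
"""
import hashlib
import hmac
import secrets

SUITE_NAME = b"WA2-toy-suite"   # placeholder suite label (assumption)
CV_LEN = 32                     # chaining-value length = SHA-256 output (assumption)
CC_LEN = 32                     # per-direction cipher-chain key length (assumption)

# Toy DH group for demonstration only: Mersenne prime 2^127-1, generator 2.
P = 2**127 - 1
G = 2


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract with salt, then expand with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def keypair() -> tuple[int, int]:
    """(private, public) in the toy group."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh(priv: int, pub: int) -> bytes:
    """Shared secret pow(pub, priv, P), fixed-width so both sides hash identical bytes."""
    return pow(pub, priv, P).to_bytes(16, "big")


def mix_hash(cv: bytes, pub: int) -> bytes:
    """Absorb a public key sent in the clear into the chaining value."""
    return hashlib.sha256(cv + pub.to_bytes(16, "big")).digest()


def mix_key(cv: bytes, secret: bytes) -> bytes:
    """Absorb a DH result into the chaining value (KDF with cv as salt, assumption)."""
    return hkdf(secret, cv, SUITE_NAME, CV_LEN)


def client_chain(c_static, c_eph, S_pub: int, S_eph_pub: int):
    """Client's view: returns (cv_h1, cv_h2) after messages 2 and 3."""
    c, _C = c_static
    c_e, C_e = c_eph
    cv = hashlib.sha256(SUITE_NAME).digest()
    cv = mix_hash(cv, C_e)                  # message 1: C' sent in the clear
    cv = mix_hash(cv, S_eph_pub)            # message 2: S' received in the clear
    cv = mix_key(cv, dh(c_e, S_eph_pub))    # DH(c', S'): key that reveals encrypted S
    cv = mix_key(cv, dh(c_e, S_pub))        # DH(c', S): key for certificate + server payload
    cv_h1 = cv
    cv = mix_key(cv, dh(c, S_eph_pub))      # message 3: DH(c, S') for the client's payload
    return cv_h1, cv


def server_chain(s_static, s_eph, C_pub: int, C_eph_pub: int):
    """Server's view: same schedule with the server's private keys."""
    s, _S = s_static
    s_e, S_e = s_eph
    cv = hashlib.sha256(SUITE_NAME).digest()
    cv = mix_hash(cv, C_eph_pub)
    cv = mix_hash(cv, S_e)
    cv = mix_key(cv, dh(s_e, C_eph_pub))    # DH(s', C')
    cv = mix_key(cv, dh(s, C_eph_pub))      # DH(s, C')
    cv_h1 = cv
    cv = mix_key(cv, dh(s_e, C_pub))        # DH(s', C)
    return cv_h1, cv


def split_cipher_chains(cv_h2: bytes) -> tuple[bytes, bytes]:
    """cc_client || cc_server = KDF(cv_h2, zeros[CV_LEN], SUITE_NAME || (byte)6, CC_LEN*2)."""
    keys = hkdf(cv_h2, bytes(CV_LEN), SUITE_NAME + bytes([6]), CC_LEN * 2)
    return keys[:CC_LEN], keys[CC_LEN:]


def run_handshake() -> dict:
    """Generate all four keypairs, run both views and return the derived material."""
    c_static, s_static = keypair(), keypair()     # long-lived static keys
    c_eph, s_eph = keypair(), keypair()           # fresh per connection
    c_h1, c_h2 = client_chain(c_static, c_eph, s_static[1], s_eph[1])
    s_h1, s_h2 = server_chain(s_static, s_eph, c_static[1], c_eph[1])
    return {
        "client": (c_h1, c_h2, split_cipher_chains(c_h2)),
        "server": (s_h1, s_h2, split_cipher_chains(s_h2)),
    }


if __name__ == "__main__":
    r = run_handshake()
    print("cv_h2 agrees:", r["client"][1] == r["server"][1])
    print("cc_client:", r["client"][2][0].hex())
    print("cc_server:", r["client"][2][1].hex())
```

Note that `cc_client` and `cc_server` come out of a single KDF call but are distinct keys, so the client's write direction and read direction never share key material; a server that accidentally used `cc_client` for its own writes would be detected immediately because the client's `noise_body` decryption under `cc_server` would fail.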
Static keys are stored (base64 encoded) in
Technical info here.
See Login.php for the implementation.