Authentication Overview (WA 2.0)

mgp25 edited this page Mar 30, 2016 · 1 revision

Each client has a static keypair which is created at the beginning and it shouldn't create them anymore. In each connection a temporary keypair is created.

The client sends its temporary key to server. With the client's temporary key and the server's temporary key, a shared key is created and used by the client to get server's static key. With the client's temporary key and the server's static key it can extract the certificate and the payload is encrypted with the client's static key and the server's temporary key.

With the last key created, it derivates and expands in 2 different keys which are used for the write and read in WhatsApp communication.

(C,c)   : client's public key C and private key c
(S,s)   : server's public key S and private key s
(C',c') : client's ephemeral public key C' and private key c'
(S',s') : server's ephemeral public key S' and private key s'

Client->Server: C'

Client<-Server: noise_box((S',s'), (S,s), C', pad_len, app_data, 2)
# outputs cv_h1

Client->Server: noise_box((C',c'), (C,c), S', pad_len, app_data, 4, cv_h1)[DH_LEN:]
# outputs cv_h2 
# NOTE: C' is omitted since it was already sent

cc_client || cc_server = KDF(cv_h2, zeros[CV_LEN], SUITE_NAME || (byte)6, CC_LEN*2)

# After this, the following messages can be sent repeatedly in any order:

Client->Server: noise_body(cc_client, pad_len, app_data)
# updates cc_client

Client<-Server: noise_body(cc_server, pad_len, app_data) 
# updates cc_server

Static keys are stored (base64 encoded) in settings-number.dat.

Technical info here.

See Login.php for the implementation.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.