How does the WhatsApp's crypt8 encryption work?

10 Posts
3 Users
0 Likes
877 Views
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

I mean, if I get the key located in the /data/data/com.whatsapp/files directory and the cyphered database located in the public WhatsApp directory, I can decrypt the messages, that's it.

But, would it be possible to generate a false SQLite db file and cypher it with the key to get a crypt8 file? If the cyphering were public/private it wouldn't be possible to use the same key to cypher the database, so I would like to know if the cyphering is simple or if it is public/private and, in such case, I would like to know how the public key is generated and where it is located.

Thank you guys!

 
Posted : 26/08/2015 3:05 am
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

I have been researching and I am able to say the WhatsApp way to cypher messages in a database is by using the AES algorithm. So it uses symmetric cryptography.

Has anybody tried to create a SQLite messages database, generate a key, cypher the database with the key, put the key in the root reserved area of the operating system (iOS, Android, Win Mobile) and put the database in the WhatsApp directory? After doing this, an unroot operation might be necessary in order to avoid leaving any trace.

This is a very important problem when you try to prove in a Court of Law that some WhatsApp messages have not been maliciously altered.

 
Posted : 28/08/2015 1:15 am
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

I have been researching and I am able to say the WhatsApp way to cypher messages in a database is by using the AES algorithm. So it uses symmetric cryptography.

Has anybody tried to create a SQLite messages database, generate a key, cypher the database with the key, put the key in the root reserved area of the operating system (iOS, Android, Win Mobile) and put the database in the WhatsApp directory? After doing this, an unroot operation might be necessary in order to avoid leaving any trace.

This is a very important problem when you try to prove in a Court of Law that some WhatsApp messages have not been maliciously altered.

Nobody?

 
Posted : 12/09/2015 3:44 am
(@zergling)
Posts: 38
Eminent Member
 

I think the problem is that we're entering a very specific scenario that is almost impossible (in my opinion) to "prove" without opening another doubt scenario.

So I would probably start from the most basic (and easiest to check) assumption.

Check if the standard WhatsApp application does allow changing the key file at all. I would do that before even attempting to fabricate a crypt8 database myself.

Then I would go from there:
replace the key file and observe if it gets replaced (md5 check? server request?)

If it gets replaced/repaired, the "fabrication of crypt8 archives" theory becomes more and more difficult and could involve a modified WhatsApp application -> but that would lead to a bunch of further questions (assuming that this app would not be allowed by the WhatsApp servers).

But a more obvious way is:

you can easily edit your messages in the msgstore.db file inside the application folder (that is the file that will be saved in the backup) once you've got access to it (backup, root etc.).
So if you modify the data from there, it will be on the backup files too. You can even force a backup from inside the app (check timestamps for investigating this theory; the default backup is at 04:00 am).
Use WhatsApp logfiles to reconstruct a chain of events and see if it matches the data inside the database.

But as always:
Most of the time you can only tell what the data is presenting you.
Determining whether the data was fabricated in the first place (which is always possible with digital data) is probably outside of the scope of YOUR investigation.

So that would be my attempt at dealing with this theory. Hope that helps.

 
Posted : 15/09/2015 12:42 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Thanks for your response Zergling!

I have understood the first part of your post and I'm going to try it, but I have not understood the second part. I mean, you cannot edit WhatsApp messages directly in the stored database because it is cyphered; you need first to decrypt it, and my doubt is about re-crypting it after having opened and modified it with a SQLite editor.

If you mean that there is an intermediate database which is used to save the messages before making the 4 o'clock back-up… I cannot find it. Did you mean that? Where is the file in such case?

On the other hand, when you are in front of a Court of Law and someone can be condemned on your testimony, the magistrate or the lawyers want you to be sure the data has not been fabricated :D

 
Posted : 16/09/2015 5:09 am
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Now I have understood your second paragraph, I've taken the non-cyphered database which is in /data/data/com.whatsapp/databases/ folder and I will try to do what you say. I will modify it by using a SQLite editor, copy the modified database in the folder and force a back-up.

I will post my conclusions.

Thanks!

 
Posted : 16/09/2015 8:44 am
(@zergling)
Posts: 38
Eminent Member
 

Sorry if it wasn't clear enough. Yes, I was talking about the unencrypted database inside /data/data/.com.whatsapp/… which contains the "current" state of the database.

Since I am using rooted phones myself (private) with root explorer, hex editor and SQLite editor installed for live analysis, I can confirm that it was possible (at least with all the apps I tried so far) to modify the data on a running phone. The modified data (changed timestamps and message contents) was displayed in the app (e.g. WhatsApp). So I didn't find any kind of validation at this point.

But I am looking forward to your results in combination with the backup process since I didn't test it this far, but I expect the modified data to be backed up as it is in the msgstore.db. You would then only find out by comparing older backups and seeing if the same message IDs contain different data.

 
Posted : 16/09/2015 12:11 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Hello Zergling,

I can confirm your suspicions… it is possible to modify "live" or current data and it is also possible to back it up. It appears like original content in the app and in the back-up, so it is very easy to falsify a conversation…

Of course you can check other things afterwards like timestamps, dates, other back-ups… but the main research is about the database.

What I have noticed is the key may change when you modify the live database, I mean, it seems to be re-generated. It is not yet confirmed; it is just a suspicion. I will confirm it.

Thanks Zergling, your comment helped me! :D

 
Posted : 16/09/2015 6:47 pm
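Zergling's suggestion of comparing older backups by message ID, and the note above about checking timestamps and other back-ups, can be turned into a repeatable check. The script below is an added example for this thread, not code from WhatsApp or from any poster: it builds two small SQLite databases from constructed rows standing in for an "older" and a "newer" backup (the `messages` schema is an invented approximation, not the real msgstore.db layout), reports rows whose content differs under the same ID or that vanished from the newer copy, and flags rows whose timestamp runs backwards relative to their ID order, which is one of the timestamp inconsistencies an examiner would look at.

```python
import sqlite3

# Constructed schema: only approximates a messages table, not WhatsApp's own.
SCHEMA = """
CREATE TABLE messages (
    _id INTEGER PRIMARY KEY,
    key_remote_jid TEXT NOT NULL,
    key_from_me INTEGER NOT NULL,
    data TEXT,
    timestamp INTEGER NOT NULL
);
"""

# Constructed sample rows: the same chat as seen in an older and a newer backup.
OLD_ROWS = [
    (1, "alice@example", 0, "Meet at 9?", 1442300000000),
    (2, "alice@example", 1, "Yes, see you there", 1442300060000),
    (3, "alice@example", 0, "Bring the documents", 1442300120000),
]
NEW_ROWS = [
    (1, "alice@example", 0, "Meet at 9?", 1442300000000),
    (2, "alice@example", 1, "No, I never agreed", 1442300060000),  # content differs
    # id 3 is gone from the newer backup
    (4, "alice@example", 0, "Thanks", 1442300180000),             # genuinely newer
    (5, "alice@example", 1, "Backdated note", 1442299000000),     # timestamp runs backwards
]

FIELDS = ("key_remote_jid", "key_from_me", "data", "timestamp")


def build_backup(rows):
    """Create an in-memory database holding one backup's rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def load_messages(conn):
    """Return {message_id: {field: value}} for every row in the backup."""
    cur = conn.execute("SELECT _id, %s FROM messages" % ", ".join(FIELDS))
    cols = [d[0] for d in cur.description]
    return {row[0]: dict(zip(cols, row)) for row in cur.fetchall()}


def compare_backups(old_conn, new_conn):
    """Diff two backups by message ID.

    kind == "changed": same ID, a field differs (suspicious)
    kind == "missing_in_newer": present in the older backup only (suspicious)
    kind == "new": present in the newer backup only (expected, reported for context)
    """
    old, new = load_messages(old_conn), load_messages(new_conn)
    findings = []
    for mid in sorted(old.keys() | new.keys()):
        if mid not in new:
            findings.append({"id": mid, "kind": "missing_in_newer",
                             "old": old[mid]["data"], "new": None})
        elif mid not in old:
            findings.append({"id": mid, "kind": "new",
                             "old": None, "new": new[mid]["data"]})
        else:
            for f in FIELDS:
                if old[mid][f] != new[mid][f]:
                    findings.append({"id": mid, "kind": "changed", "field": f,
                                     "old": old[mid][f], "new": new[mid][f]})
    return findings


def check_timestamp_order(conn):
    """IDs whose timestamp is earlier than the preceding row's: out-of-order history."""
    rows = conn.execute("SELECT _id, timestamp FROM messages ORDER BY _id").fetchall()
    suspicious, last_ts = [], None
    for mid, ts in rows:
        if last_ts is not None and ts < last_ts:
            suspicious.append(mid)
        last_ts = max(ts, last_ts) if last_ts is not None else ts
    return suspicious


def suspicious_findings(findings):
    """Keep only the kinds that call for explanation."""
    return [f for f in findings if f["kind"] in ("changed", "missing_in_newer")]


if __name__ == "__main__":
    older, newer = build_backup(OLD_ROWS), build_backup(NEW_ROWS)
    for finding in compare_backups(older, newer):
        print(finding)
    print("out-of-order timestamps:", check_timestamp_order(newer))
```

Run against real extractions you would open each backup with `sqlite3.connect(path)` instead of `build_backup`, after decrypting the crypt8 files as the thread describes. A clean diff does not prove the database is genuine (as zergling says, only what the data presents can be told), but a changed or missing row under an existing ID, or a timestamp sequence that runs backwards, is a concrete inconsistency to raise against the app's own logs and the device's backup timestamps.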
(@badgerau)
Posts: 96
Trusted Member
 

I would be interested in your findings too.

 
Posted : 17/09/2015 2:07 am
(@zergling)
Posts: 38
Eminent Member
 

I am glad it helped :)

 
Posted : 17/09/2015 2:35 pm