One of my Chinese learning partners posted on his WeChat 江姐:来,我告诉你一个大的秘密 coming with an image of two cats likely talking to each other. I had a chat with a Chinese friend a few minutes also about the privacy of WeChat. The word 秘密(secret) reminded me of the book about Ciphers & Cryptography. The idea of completing this dialogue suddenly came up in my mind.
江姐:来,我告诉你一个大的秘密
李哥:啥?你要告诉我啥秘密?
江姐:【小声音】
李哥:你说啥我听不懂啊
江姐:原因是秘密已被加密了
Jiang Jie: Come here, I wanna tell you a secret
Li Ge: What? What’s secret?
Jiang Jie: (whispering)
Li Ge: You said what I don’t understand
Jiang Jie: Because the secret is encrypted
The dialogue is just nothing rather than I wanted to practice my Chinese and added some new Chinese words in the context of cryptography.
Jiang Jie and Li Ge play the roles of Bob and Alice in comp sci class. If Li Ge wants to know the original meaning of the encrypted message (secret), Jiang Jie must provide him a knowledge (cipher) of how to decrypt it. The key is known by both friends as so called shared key and is used to encrypt and decrypt the encrypted message called symmetric encryption. This is a very typical encryption technique that started from the beginning of cryptography.
When Li Ge whispers to Jiang Jie about the shared key, what would happen if a 3rd person were able to hear both the secret and the shared key? The shared key again becomes a message that needs protecting and this addresses back the original problem of securing the secret.
HTTP over SSL/TLS securing the network connection is a useful analogy to deal with this problem. Before application data can be transmitted between client and server, a handshake including 3 main phases: Hello, Certificate Exchange, and Key Exchange must be done to establish a secure connection.
Once the client and server both hold the shared key, they can securely transfer application data back and forth. But, they do use asymmetric encryption, where the key to decrypt is different from the key used to encrypt the shared key. The server safely stores its private key and makes the public key visible to everyone. So if Jiang Jie wants to tell Li Ge how to understand the secret message securely, she may consider the same mechanism.
HTTP over SSL/TLS uses both symmetric and asymmetric encryption because symmetric encryption is way faster and more efficient than asymmetric encryption. Whenever there is a need for more secure transfer (confidentiality and integrity), the asymmetric is preferred.
Surprisingly WeChat does not offer end-to-end encryption. It only supports client-server encryption using the symmetric AES 256 algorithm. Since the mechanism is not end-to-end encryption, it always leaves there the possibility that a 3rd party or WeChat itself snoops or even makes a copy of messages through backdoor access. We never know what security measures are set in the middle of a transmission.
Text and media messages only live on WeChat servers for 72 and 120 hours respectively and no one even 3rd translation service providers can make use of them for analytical purposes or data mining.
WeChat only persists users’ messages on their devices. That’s why you need to transfer the entire SQLite DB to your new devices when you change your phone. I believe Zalo and LINE use the same technique but they also offer cloud backup.
Though WeChat claims that its protection mechanism is safe, it faces a security risk. It ranked last in Amnesty International 2016 for security measurement. LINE and Zalo are shipped with end-to-end encryption but are not enabled by default or limited to message types.