{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"多年以來,WhatsApp的端對端加密服務一直是默認選項,旨在全力保護人們信息隱私,讓信息的交換不經手任何人,僅收件人和發件人可見。現在,WhatsApp計劃讓這項加密服務也應用到用戶們的備份上。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Google Drive和iCloud等諸多雲端備份服務讓人們可以隨時同步備份他們的消息記錄,雖然WhatsApp沒有這些記錄的訪問權限,但提供保護的各類雲存儲服務卻可以訪問到。如果未來用戶們選擇啓用"},{"type":"link","attrs":{"href":"https:\/\/engineering.fb.com\/2021\/04\/16\/security\/dit\/","title":null,"type":null},"content":[{"type":"text","text":"端對端加密(E2EE)"}]},{"type":"text","text":"的備份保護,那麼無論是WhatsApp還是第三方的存儲服務都將無法訪問到用戶們的備份數據和加密密鑰。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"E2EE備份的工作原理"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"加密密鑰和密碼的生成"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"WhatsApp爲E2EE的備份服務專門開發了一款可以兼容安卓和iOS平臺的全新系統來存儲加密的密鑰。E2EE備份選項一經啓用,備份將會由一個獨特且隨機生成的加密密鑰保護,而用戶則可以自行選擇使用存儲密鑰或使用自設置的密碼。如果選擇的手動輸入的密碼,那麼密鑰將會被保管在一個基於硬件安全模塊(HSM)組件開發的備份密鑰庫之中,HSM是專門爲這類需求開發的安全組件,可以用於存儲密鑰。當賬戶所有者需要訪問他們的備份數據時,無論是自設置密碼還是安全密鑰,都會從這個基於HSM的備份密鑰庫中檢索對應的加密密鑰,從而解密用戶的備份數據。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這款基於HSM的備份密鑰庫同時也提供密碼驗證嘗試次數的限制,在不成功訪問到達限制次數後,密鑰將被永久鎖定,有效地防止了暴力破解密鑰的企圖。至於這款密鑰庫的擁有者WhatsApp,它只會知道HSM密鑰庫中用戶密鑰的存在,但卻無法得知密鑰本身的信息。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"將密鑰存儲在備份密鑰庫中"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"WhatsApp的前端服務ChatD,將會負責處理客戶端鏈接和服務器端認證,通過協議將保管備份的密鑰發送到WhatsApp的服務器上,或者是從服務器上取回。客戶端與基於HSM的備份密鑰庫將會交換加密信息,其內容將不會被ChatD本身訪問。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基於HSM的備份密鑰庫將會位於ChatD的後端,爲備份的加密密鑰提供高度可用和安全的存儲。備份操作將會生成連續的數據流,並通過生成的密鑰進行對稱加密。只要啓用E2EE備份形式,加密之後的備份數據將可以同步到iCloud或iGoogle Drive等設備外存儲設備。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"WhatsApp爲超過20億人提供服務,該產品的核心挑戰之一是確保基於HSM的備份密鑰庫能夠可靠地運行。爲了確係統能夠始終可用,基於HSM的備份密鑰庫服務將在地理上分佈於多個數據中心,以確保即使在其中一個數據中心故障時,服務也能持續在線。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/c8\/c8a7de7bec571379f261ae9c5745c7a2.jpeg","alt":"此處輸入圖片的描述","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"備份可以由一個64位加密密鑰進行端對端的加密保護。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/72\/72d7a8a63c0171d794af3c1c69c8dbc5.jpeg","alt":"此處輸入圖片的描述","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"備份同樣可以由密碼保護,密鑰將會被存儲到一個基於HSM的備份密鑰庫中。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"基於HSM的備份密鑰庫以及加密\/解密流程"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果WhatsApp賬戶的所有者選擇使用輸入密碼來對端對端備份的數據進行保護,基於HSM的備份密鑰庫會將其存儲並保管。如果想要使用備份數據的話:"}]},{"type":"numberedlist","attrs":{"start":1,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"首先需要輸入密碼,明文密碼在加密後會由備份密鑰庫進行驗證。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"密碼通過驗證之後,加密密鑰庫會將密鑰發送至WhatsApp客戶端。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"擁有密鑰後,WhatsApp客戶端纔可以將備份解密。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"或者,如果賬戶所有者選擇使用單獨的64位密鑰,那麼他們就需要手動將密鑰輸入客戶端以解密並訪問他們的備份數據。E2EE備份將在未來幾周內同時登陸iOS和安卓客戶端。更多技術細節請參考"},{"type":"link","attrs":{"href":"https:\/\/www.whatsapp.com\/security\/WhatsApp_Security_Encrypted_Backups_Whitepaper.pdf","title":null,"type":null},"content":[{"type":"text","text":"端對端加密備份白紙"}]},{"type":"text","text":"。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"原文鏈接:"},{"type":"link","attrs":{"href":"https:\/\/engineering.fb.com\/2021\/09\/10\/security\/whatsapp-e2ee-backups\/","title":null,"type":null},"content":[{"type":"text","text":"https:\/\/engineering.fb.com\/2021\/09\/10\/security\/whatsapp-e2ee-backups\/"}]}]}]}
WhatsApp是如何實現端到端加密備份的?
{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"多年以來,WhatsApp的端對端加密服務一直是默認選項,旨在全力保護人們信息隱私,讓信息的交換不經手任何人,僅收件人和發件人可見。現在,WhatsApp計劃讓這項加密服務也應用到用戶們的備份上。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Google Drive和iCloud等諸多雲端備份服務讓人們可以隨時同步備份他們的消息記錄,雖然WhatsApp沒有這些記錄的訪問權限,但提供保護的各類雲存儲服務卻可以訪問到。如果未來用戶們選擇啓用"},{"type":"link","attrs":{"href":"https:\/\/engineering.fb.com\/2021\/04\/16\/security\/dit\/","title":null,"type":null},"content":[{"type":"text","text":"端對端加密(E2EE)"}]},{"type":"text","text":"的備份保護,那麼無論是WhatsApp還是第三方的存儲服務都將無法訪問到用戶們的備份數據和加密密鑰。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"E2EE備份的工作原理"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"加密密鑰和密碼的生成"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"WhatsApp爲E2EE的備份服務專門開發了一款可以兼容安卓和iOS平臺的全新系統來存儲加密的密鑰。E2EE備份選項一經啓用,備份將會由一個獨特且隨機生成的加密密鑰保護,而用戶則可以自行選擇使用存儲密鑰或使用自設置的密碼。如果選擇的手動輸入的密碼,那麼密鑰將會被保管在一個基於硬件安全模塊(HSM)組件開發的備份密鑰庫之中,HSM是專門爲這類需求開發的安全組件,可以用於存儲密鑰。當賬戶所有者需要訪問他們的備份數據時,無論是自設置密碼還是安全密鑰,都會從這個基於HSM的備份密鑰庫中檢索對應的加密密鑰,從而解密用戶的備份數據。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這款基於HSM的備份密鑰庫同時也提供密碼驗證嘗試次數的限制,在不成功訪問到達限制次數後,密鑰將被永久鎖定,有效地防止了暴力破解密鑰的企圖。至於這款密鑰庫的擁有者WhatsApp,它只會知道HSM密鑰庫中用戶密鑰的存在,但卻無法得知密鑰本身的信息。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"將密鑰存儲在備份密鑰庫中"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"WhatsApp的前端服務ChatD,將會負責處理客戶端鏈接和服務器端認證,通過協議將保管備份的密鑰發送到WhatsApp的服務器上,或者是從服務器上取回。客戶端與基於HSM的備份密鑰庫將會交換加密信息,其內容將不會被ChatD本身訪問。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基於HSM的備份密鑰庫將會位於ChatD的後端,爲備份的加密密鑰提供高度可用和安全的存儲。備份操作將會生成連續的數據流,並通過生成的密鑰進行對稱加密。只要啓用E2EE備份形式,加密之後的備份數據將可以同步到iCloud或iGoogle Drive等設備外存儲設備。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"WhatsApp爲超過20億人提供服務,該產品的核心挑戰之一是確保基於HSM的備份密鑰庫能夠可靠地運行。爲了確係統能夠始終可用,基於HSM的備份密鑰庫服務將在地理上分佈於多個數據中心,以確保即使在其中一個數據中心故障時,服務也能持續在線。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/c8\/c8a7de7bec571379f261ae9c5745c7a2.jpeg","alt":"此處輸入圖片的描述","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"備份可以由一個64位加密密鑰進行端對端的加密保護。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/72\/72d7a8a63c0171d794af3c1c69c8dbc5.jpeg","alt":"此處輸入圖片的描述","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"備份同樣可以由密碼保護,密鑰將會被存儲到一個基於HSM的備份密鑰庫中。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"基於HSM的備份密鑰庫以及加密\/解密流程"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果WhatsApp賬戶的所有者選擇使用輸入密碼來對端對端備份的數據進行保護,基於HSM的備份密鑰庫會將其存儲並保管。如果想要使用備份數據的話:"}]},{"type":"numberedlist","attrs":{"start":1,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"首先需要輸入密碼,明文密碼在加密後會由備份密鑰庫進行驗證。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"密碼通過驗證之後,加密密鑰庫會將密鑰發送至WhatsApp客戶端。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"擁有密鑰後,WhatsApp客戶端纔可以將備份解密。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"或者,如果賬戶所有者選擇使用單獨的64位密鑰,那麼他們就需要手動將密鑰輸入客戶端以解密並訪問他們的備份數據。E2EE備份將在未來幾周內同時登陸iOS和安卓客戶端。更多技術細節請參考"},{"type":"link","attrs":{"href":"https:\/\/www.whatsapp.com\/security\/WhatsApp_Security_Encrypted_Backups_Whitepaper.pdf","title":null,"type":null},"content":[{"type":"text","text":"端對端加密備份白紙"}]},{"type":"text","text":"。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"原文鏈接:"},{"type":"link","attrs":{"href":"https:\/\/engineering.fb.com\/2021\/09\/10\/security\/whatsapp-e2ee-backups\/","title":null,"type":null},"content":[{"type":"text","text":"https:\/\/engineering.fb.com\/2021\/09\/10\/security\/whatsapp-e2ee-backups\/"}]}]}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章