At this point, when he says it is encrypted in a certain way, I believe he was referring to HTTPS/SSL to encrypt the traffic, correct?
No, it speaks of TCP, HTTP or other protocol as shown in the diagram. It could even be HTTPS but it probably isn’t. What you need to understand is that this is an application that might use some web technologies but it’s not made for the web. And security/privacy is given in the application layer. So the transport does not need to be encrypted, the application takes care of doing this.
As I explained earlier in other answers on the subject, using the application layer is the only way to do "end-to-end".
1 - Is the header encrypted together with the network transmissions?
From what I understand in the diagram, no, and I probably wouldn’t have been able to do this.
2 - What are these added keys for, what will they decrypt?
I would have to study the protocol more deeply. I will be indebted. But the more information that helps verify authenticity, the better.
It’s kind of confusing to me, he used the user key (I think it’s the user identifier) and the message key...? I didn’t understand.
If you cannot understand the whole diagram and the explanations, you will have difficulty doing the right thing if you want to reproduce the same mechanism. I will repeat something I have said a few times. Doing something safe is very complex and requires specific experience in the area. Willpower alone doesn’t get results. I even hope that a security expert can give correct and easy-to-understand answers, but even with this information it will not be easy to do it correctly without a deep understanding of how cryptography works, key exchange, etc. Actually, with this understanding, it will probably be simple to understand this protocol.
He meant that what was encrypted contains variable data (session, message ID, sequence number, server salt). What is the server salt?
According to the definition that he provided just below the diagram, it is a server that provides keys for salting, which are exchanged periodically. These keys are used to prevent certain types of attack, such as the Replay Attack. If I’m not mistaken, mgibsonbr gave an example of this in one of his answers on the subject.
The number of possible attacks is large and something new always comes up. Something is safe until the day it ceases to be. You have to be attentive to everything that happens, because security requires very experienced experts.
And why do these variable data influence the message key (the message key is what does the decryption, correct?)
With varying data it becomes more difficult for attackers to solve the puzzle. Moving targets are harder to hit than fixed targets. This is one of the basics of security.
The message key is one of the components needed to achieve the decryption.
End-to-End encryption
I have not read everything and do not know whether what they provide is or can be called end-to-end. I don’t know to what extent they don’t inject a backdoor into this. They have control over much of the process; I do not know if this is reliable. In theory it is possible.
They say they can use it on the web. How does this happen directly between the endpoints? Are there intermediaries in this case? If there are, does it affect anything? Only by studying its whole operation can one understand whether it really can.
Reliance
Putting all the eggs in the same basket, or letting one party have control over the whole process, will hardly guarantee the much-sought-after end-to-end security. It’s even possible, but you have to trust the supplier.
When you use the parts necessary for security from completely different suppliers, with different interests, and mainly ones that are publicly audited, which does not seem to be the case with this service, it is already easier to trust.
Hence, giving a single, easy, ready-to-use solution and saying that it is end-to-end seems like a fallacy to me. Not that I’ve seen them claim it, except in specific chats, where I have doubts whether it can be done over the web or whether they fulfill everything they say.
Criticism of the service description
There are descriptions that show that this is not absolutely true. In the FAQ it shows that they rely on the application, at the endpoint, to give certain guarantees, which is naive. I even understand that you can’t guarantee complete security; someone might even put a gun to someone’s head on the other side and violate security. But they try to give the impression that there is no way the information can be passed on to third parties even after reaching the endpoint. I know they understand this, but they publish it in a way that the layman buys something - on his own - which is not exactly how it looks in the description.
Even the definition of end-to-end does not ensure that third parties will not have access to the information if one of the two ends involved in the secure end-to-end communication provides access. You can’t talk to someone and ensure that no one else will have access to what you write to the other side. This is physically impossible. The idea of information destroying itself borders on the ridiculous. Only the bytes that generated it will be destroyed, not the information.
Only what never leaves a person’s brain is a complete secret, and even then :)
Conclusion
There is useful information provided there for your studies on the subject, namely the Diffie-Hellman key exchange algorithm. It should show how to exchange keys without interference from third parties, which is essential to the goal. Still, I doubt that it can be done over the web. There are indications in the FAQ that it can’t.
Anyway, it seems to be more a case of marketing trying to make a common product pass as if it were something revolutionary. Perhaps the only innovation is greater ease in achieving end-to-end privacy in certain circumstances. But I do not know whether this produces some disadvantages or loopholes.
Hi, after studying a little of what you provided me I have some technical doubts about this FAQ. Can I update this one or post a new question?
– Elaine
Yes, new question. If you keep changing a question, it becomes a forum. Here the questions should be self-contained and have a closed scope.
– Maniero
I will post a new question, thank you again
– Elaine
A question about this same topic: I’m still confused about what the salt server is. I read your question but I could not make the connections
– Elaine
I also don’t know exactly what it is; it seems to be something specific to their architecture. From what I understand, the salt codes are modified frequently, and to get an updated code you must go to the server.
– Maniero
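An added example (not from the answer, the comments, or the service's own code) of the two ideas discussed above: a periodically changed server salt plus a message ID let the receiver reject replayed messages, and the variable fields make the message key differ even when the body is the same. HMAC-SHA256 as the keyed digest, the field layout, and the names `message_key`, `Receiver` and `rotate_salt` are assumptions; encryption of the payload is left out.

```python
import hashlib
import hmac
import struct

def message_key(shared_key, salt, session_id, msg_id, seq_no, body):
    # Keyed digest over the variable fields plus the body (HMAC-SHA256 is an assumption).
    envelope = salt + session_id + struct.pack(">QI", msg_id, seq_no) + body
    return hmac.new(shared_key, envelope, hashlib.sha256).digest()[:16]

class Receiver:
    def __init__(self, shared_key, session_id, salts):
        self.shared_key = shared_key
        self.session_id = session_id
        self.valid_salts = set(salts)   # salts the server currently accepts
        self.seen_msg_ids = set()       # message IDs already processed

    def rotate_salt(self, new_salt, retire):
        # Periodic salt change: captured traffic carrying the old salt goes stale.
        self.valid_salts.add(new_salt)
        self.valid_salts.discard(retire)

    def accept(self, salt, session_id, msg_id, seq_no, body, key):
        expected = message_key(self.shared_key, salt, session_id, msg_id, seq_no, body)
        if not hmac.compare_digest(key, expected):
            return "rejected: message key mismatch"
        if session_id != self.session_id:
            return "rejected: wrong session"
        if salt not in self.valid_salts:
            return "rejected: stale salt"
        if msg_id in self.seen_msg_ids:
            return "rejected: replayed message ID"
        self.seen_msg_ids.add(msg_id)
        return "accepted"

def demo():
    shared, sid = b"k" * 32, b"S" * 8             # constructed sample values
    rx = Receiver(shared, sid, [b"salt-001"])
    first = (b"salt-001", sid, 1001, 1, b"hello")
    key1 = message_key(shared, *first)
    results = [rx.accept(*first, key1), rx.accept(*first, key1)]  # original, then replay
    rx.rotate_salt(b"salt-002", retire=b"salt-001")
    late = (b"salt-001", sid, 1002, 2, b"hello")  # valid key, but retired salt
    results.append(rx.accept(*late, message_key(shared, *late)))
    fresh = (b"salt-002", sid, 1002, 2, b"hello")
    key2 = message_key(shared, *fresh)
    results.append(rx.accept(*fresh, key2))
    return results, key1 != key2                  # same body, different message key

if __name__ == "__main__":
    print(demo())
```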