Knowing the key used to *encrypt* a message does not necessarily imply knowing the key used to *de*crypt the message.

WhatsApp uses the [Signal protocol](https://en.wikipedia.org/wiki/Signal_Protocol), which is one of many mathematical ways for two people to agree on a key over an insecure connection **without anyone sniffing the connection being able to get the key**. The mathematical details are mildly complicated, but if you want some reading, the [Diffie-Hellman algorithm](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) is relatively easy to understand.

It relies on the fact that large numbers are hard to factor: basically, you come up with a number *a*, and I come up with a number *b*, and we compute the product *ab* without actually communicating either *a* or *b*. Since you know both *ab* and *a*, you can compute *b*, and similarly, I can compute *a*. That is, we’ve exchanged keys with each other. The attacker between us only sees *ab*, and if they can’t factor *ab*, they don’t know what *a* or *b* are. Now we can use *ab* as an encryption key, as long as decrypting *ab* requires knowledge of *a* and *b*. (The full details are more complex than this, but this is the basic underlying idea.)

I assume you are talking about the *code* shown below a contact because the question doesn’t make it clear.

WhatsApp is not showing you the code used to encrypt your messages. That code is used to verify the person on the other side is who they say they are. It is way to confirm the device.

It is not WhatsApp’s proprietary implementation. It is based on the Signal protocol, Signal has that as an option to verify the device used by the person you text with as well.

What really is happening with Signal (and any app that uses their implementation in their apps like WhatsApp, the incognito mode in the now dead Google Allo etc) is

Bob and Alice are texting with each other. Bob’s WhatsApp installation has a code. Bob can see that. Alice’s WhatsApp installation has a code, she can see that. If Bob scans the code shown by Alice’s device, his WhatsApp confirms that yes this is Alice’s device. When you do that you get a ‘device verified’ tag in front of the contact. When Alice reinstalls WhatsApp or changes her device, it causes a new code to be generated. Then Bob will see Alice has an unverified device at that point. That is why you see notifications in group chats whenever someone you are texting changes phones or reinstalls their app.

This is one of the great accomplishments of modern cryptography. The ability to show you exactly how the encryption happen. Modern encryption uses one way functions. Mathematical functions that are trivial in one direction, but we know of no way to reverse them in any kind of reasonable timeframe. Since you don’t know which random numbers (generating these in an unpredictable way isn’t particularly hard) we’re used in any specific case(ie. for any given message), you’re left with having to reverse an irreversible function to get the “secret”≈key.

(Authentication then works through proving that you know that solution, by giving what are essentially “examples/transpositions” without ever passing over the actual solution.)

Public keys and asymmetrical encryption to exchange a symmetrical encryption key. When I want to send you a message, my devices generates 2 encryption keys. A (private) and B (public). Messages (plaintext) encrypted with one key (ciphertext) can only be decrypted by the other key. You cannot decrypt using the same key it was encrypted with.

To simplify it we will use a substitution cipher. The most basic of all ciphers/encryption.

The “A” key will increment each letter by +1. So D -> E, E -> F, and so on. The “B” key will increment by -1, so P -> O.

A Key + BOOBS = CPPCT

If we try to decrypt using the A Key

A Key + CPPCT = DQQDU = wrong

Now the B Key

B Key + CPPCT = BOOBS = correct

It’s important here to point out that modern encryption algorithms are vastly more complex, and as of now the most complex of them have yet to be broken. The keys generated are complex enough to avoid collision, or when someone else’s key pair might accurately decrypt your message.

Ok, now that we have our keys, we always keep one secret and only known to us, the private key. Use encode the message we want to send using our Private key(A). Along with the encrypted ciphertext we will send our Public Key (B) in clear text. Our friend gets the encrypted message CPPCT and our B Key. They decrypt the message, B key + CPPCT = BOOBS. It makes them laugh. They want to send us back LOL. They use their B Key and at the end of the message they include their Public B key, but this time they encrypt their B key with our B Key.

Since my Private Key A is the only thing in existence that can decrypt messages encrypted with my public B key, the sender knows I’m the only person that can read the message they sent. I use my Private A key, decrypt their B key they sent, and use that to decrypt their message “LOL”.

Now that we have exchanged keys, and have a secure method to exchange messages, anytime I want to send my friend a message, I encrypt it with their Public B key, which ensures only they can decrypt it with their private A key. The problem is asymmetrical encryption like this is slow. Using the secure exchange we setup we mutually agree to start using a symmetrical encryption method and generate a key to use (Key C). Symmetrical encryption uses only one key for both encryption and decryption, and is much faster than asymmetrical. Going forward we can both just use Key C to encrypt our communications.

What’s cool is that even if someone got an exact copy of that first message, it doesn’t matter. When my friend returns the message, which includes their public key, the message is encrypted with my public key. Using my Private key is the only way to decrypt the public key they generated and sent for this session.

All modern day encryption algorithms are designed under the assumption that the underlying code will be known. They use sufficiently complex or strong mathematical operations such that, even knowing all the steps involved, unless you know the private/secret keys, you cannot determine anything about what has been encrypted.

Having the code doesn’t really help you, you need the data and the shared key, which is securely exchanged (Look up the Diffie-Helmam key exchange as an example), I explained it in another ELI5.

ELI5 explanation

You think of a very large number. There is a math function that given this number will give you two numbers that are connected in a special way. The special way is that messages encrypted with one number could be decrypted only with the other. There are many such functions. So you can keep one number as private and the other as public..does not matter which is which. You keep the private and you send me the public. When I send you a message I encrypt it with your public key. This message could only be decrypted with your private key. As you are the only one that knows it, only you can decrypte it.

This Ia what the phone does – thinks of a number, creates the private and public key, shares the public key with the contact and the other phone uses this public number to encrypt messages for you.

Would you like to know how the functions work? It is 6 grade math but it is not for 5 years old.

The miracle of cryptography is you can gather a room full of people, give them a lecture on the algorithm that is going to be used, and then have two people yell numbers back and forth across the room, while everyone else in the room carefully listens, and the two people are able to establish a secret that nobody else in the room can figure out.

Encryption works like this….

​

You and your friend decide to use a car as a password between the both of you, so both agree on a color, we’ll assume red.

You have the headlights, frame, seats, and electrical.

Your friend has everything else.

​

By knowing which parts are missing from the full car, you KNOW if someone gives you a list of parts, whether or not it’s your friend. Meanwhile, anyone who sees the full car put together would never be able to tell which parts came from you, or which from your friend, and either way, the only information shared over cleartext was the color.

Most answers focused on talking about encryption in general. The reality with whatsapp is different, because their servers are always in control of the communication and know and store the conversation, otherwise they wouldn’t be able to “link devices” if they trully implemented end-to-end encryption. That feature gives away their claim.