In recent years, we’ve become increasingly aware of the hidden costs of the convenience we get from Big Tech. From Google’s shady data mining practices, to Colonial Pipeline’s infrastructure fail, to peeping toms in our inboxes, it’s clear that it’s up to consumers and businesses to protect ourselves from overreaching Big Tech.
Today, many popular messaging technologies have adopted end-to-end encryption with the goal of ensuring the secure communications of their users. For example, WhatsApp, Telegram and Signal all rely on the use of end-to-end encryption (e2ee) to ensure no one but the sender and the recipient can read the communications.
The National Security Agency calls for the defense industrial base (DIB) in particular to use end-to-end encryption to secure data. Other industries, as well as individuals, should follow suit. But what is end-to-end encryption? How does end-to-end encryption differ from other forms of data protection and why is it more secure?
This piece will focus on providing answers to these questions.
Encryption in transit and encryption at rest are standard these days, but they aren’t enough to protect your data and ensure secure communications. When your data is at rest on the server, it is vulnerable. Once a hacker infiltrates the server, they can camp out there indefinitely, reading your messages.
With end-to-end encryption by contrast, the only people who can access the data are the sender and the intended recipient(s) – no one else. Neither hackers nor unwanted third parties can access the encrypted data on the server.
In end-to-end encryption, encryption occurs at the device level. Messages and files are encrypted before they leave the phone or computer with the recipient’s public key, which is available to everyone, and can only be decrypted with the recipient’s private key when they reach their destination. Hackers can’t read data on the server because they don’t have the private keys required to decrypt it. Instead, private keys are stored on each individual user’s device and are available only to that user.
This process of creating a public-private key pair is known as asymmetric cryptography. Separate cryptographic keys secure and decrypt the message. Public keys are widely disseminated and are used to lock or encrypt a message. Private keys are only known by the owner and are used to unlock or decrypt the message.
In end-to-end encryption, the system creates public and private cryptographic keys for each person who joins.
In order to better understand how end-to-end encryption works, let’s provide an example.
Let’s say Alice and Bob create accounts on the system. The end-to-end encrypted system provides each with a public-private key pair, whereby their public keys are stored on the server and their private keys are stored on their device.
Alice wants to send Bob an encrypted message. She uses Bob’s public key to encrypt her message to him. Then, when Bob receives the message, he uses his private key on his device to decrypt the message from Alice.
When Bob wants to reply, he simply repeats the process, encrypting his message to Alice using Alice’s public key.
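The Alice and Bob exchange above, written out with Node.js’s built-in `crypto` module as an added example (not PreVeil’s code). It goes one step beyond the text by using the common hybrid construction, where a per-message AES key encrypts the message and Bob’s public key encrypts that AES key; the in-memory `server` object and all function names are hypothetical, and sender authentication is left out.

```javascript
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical in-memory server: it stores public keys and ciphertext only.
const server = { publicKeys: {}, mailbox: [] };

// The key pair is generated on the user's device; only the public half is uploaded.
function createAccount(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  server.publicKeys[name] = publicKey.export({ type: 'spki', format: 'pem' });
  return { name, privateKey }; // device state; the private key never reaches the server
}

// Sender's device: a fresh AES-256-GCM key encrypts the message, and the
// recipient's public key (fetched from the server) wraps that AES key.
function send(to, text) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const aes = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([aes.update(text, 'utf8'), aes.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: server.publicKeys[to], ...OAEP }, key);
  server.mailbox.push({ to, wrappedKey, iv, body, tag: aes.getAuthTag() });
}

// Recipient's device: unwrap the AES key with the private key, then decrypt.
// Returns null when this private key cannot open the message.
function open(device, msg) {
  try {
    const key = crypto.privateDecrypt({ key: device.privateKey, ...OAEP }, msg.wrappedKey);
    const aes = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
    aes.setAuthTag(msg.tag);
    return Buffer.concat([aes.update(msg.body), aes.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample exchange: Alice sends one message to Bob.
function demo() {
  const alice = createAccount('alice'), bob = createAccount('bob');
  send('bob', 'Meet at noon');
  const msg = server.mailbox[server.mailbox.length - 1];
  return {
    bobReads: open(bob, msg),                             // Bob's private key works
    aliceKeyReads: open(alice, msg),                      // any other key fails
    serverSeesPlaintext: msg.body.includes('Meet at noon') // stored bytes are ciphertext
  };
}

console.log(demo());
```

Someone who copies everything in `server` gets public keys and ciphertext, which is the property the article relies on; a real deployment also has to verify that the public key fetched for Bob really belongs to Bob.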
As noted above, end-to-end encryption is a type of asymmetric encryption. Asymmetric means that different keys are used to encrypt and decrypt data. End-to-end encryption typically relies on the use of public and private keys to ensure data security and privacy.
By contrast, symmetric encryption uses only one key such as a password or string of numbers to encrypt data. The same key is used to both encrypt and decrypt data. Symmetric keys are much faster at performing encryption and decryption operations than asymmetric encryption. However, if used as the only source of data protection, symmetric encryption isn’t very scalable. As a system grows and more information and users are added, it becomes increasingly difficult to distribute and update the symmetric keys.
Another encryption solution that is frequently used is encrypting data in transit and at rest.
With encryption in transit – frequently TLS – data is encrypted from the endpoint to the server. However, that data is still vulnerable once it arrives, because hackers who control a malicious server can easily sniff it and use that control to steal data.
With encryption at rest, data might be encrypted on the server but the decryption keys for that data are often nearby, on the same server or centrally managed. The weak key protection represents a single point of vulnerability and attack for the server. Attackers frequently take advantage of this vulnerability for ransomware or to read and steal data.
You don’t want someone camped out in your network, reading your messages. End-to-end encryption keeps your data secure. This not only protects your data from hackers, but also protects your privacy from Big Tech.
Service providers like Google (Gmail), Yahoo, or Microsoft hold copies of the decryption keys. This means these providers can read users’ email and files. Google has used this access to profit off of users’ private communications via targeted ads.
By contrast, in well-constructed end-to-end encrypted systems, system providers never have access to the decryption keys.
The NSA recently issued guidelines for using collaboration services. The NSA’s number one recommendation is that collaboration services employ end-to-end encryption. The NSA notes that by following the guidelines it defines, users can reduce their risk exposure and become harder targets for bad actors.
At PreVeil, end-to-end encryption is at the core of how we protect users’ email and files. Today, hundreds of defense companies and small businesses rely on PreVeil to protect their customers’ most sensitive data.