Sign up for our 2nd Annual Virtual CMMC Summit for Defense Companies & Higher Education on November 3rd with Karlton Johnson,
Robert Metzger, Brian Kelly and other leaders from the defense and higher education sectors.
Our CMMC compliance whitepaper has helped over 1500 defense contractors jumpstart their compliance journey.
Over the past few years, the vulnerability of social networks like Facebook or messaging apps like Chat has given rise to using end-to-end encrypted platforms to protect communications. Today, platforms like WhatsApp, Signal and PreVeil use end-to-end encryption to protect the exchanges of users’ data. Yet what is end-to-end encryption and how does it work? How does it differ from other forms of data protection and how does end-to-end encryption ensure the protection of data?
This piece will focus on providing answers to these questions.
End-to-end encryption provides the gold-standard for protecting communication. In an end-to-end encrypted system, the only people who can access the data are the sender and the intended recipient(s) – and no one else. Neither hackers nor unwanted third parties can access the encrypted data on the server.
In true end-to-end encryption, encryption occurs at the device level. That is, messages and files are encrypted before they leave the phone or computer and isn’t decrypted until it reaches its destination. As a result, hackers cannot access data on the server because they do not have the private keys to decrypt the data. Instead, secret keys are stored with the individual user on their device which makes it much harder to access an individual’s data.
The security behind end-to-end encryption is enabled by the creation of a public-private key pair. This process, also known as asymmetric cryptography, employs separate cryptographic keys for securing and decrypting the message. Public keys are widely disseminated and are used to lock or encrypt a message. Private keys are only known by the owner and are used to unlock or decrypt the message.
In end-to-end encryption, the system creates public and private cryptographic keys for each person who joins.
Let’s say Alice and Bob create accounts on the system. The end-to-end encrypted system provides each with a public-private key pair, whereby their public keys are stored on the server and their private keys are stored on their device.
Alice wants to send Bob an encrypted message. She uses Bob’s public key to encrypt her message to him. Then, when Bob receives the message, he uses his private key on his device to decrypt the message from Alice.
When Bob wants to reply, he simply repeats the process, encrypting his message to Alice using Alice’s public key.
Security practitioners often point out that security is a chain that is only as strong as the weakest link. Bad guys will attack the weakest parts of your system because they are the parts most likely to be easily broken. Given that data is most vulnerable when stored on a server, hackers’ techniques are focused on gaining access to servers.
As the Department of Homeland Security has written:
Given that attackers will go after low hanging fruit like where the data is stored, a solution that does not protect stored data will leave information extremely vulnerable.
When practitioners use end-to-end encryption however the data that is stored on the server is encrypted. Even if a hacker were to access it, all they would get is jibberish.
As the DHS goes on to state in its report:
Attacking the data while encrypted is just too much work [for attackers].
End-to-end encryption is important because it provides users and recipients security for their email and files from the moment the data is sent by the user until the moment it is received by the recipient. It also ensures that no third party can read the exchanged messages.
Services like Gmail, Yahoo or Microsoft enable the provider to access the content of users’ data on its servers because these providers hold copies to the decryption keys. As such, these providers can read users’ email and files. In Google’s case, its possession of decryption keys has enabled them in the past to provide the Google account holder with targeted ads.
By contrast, in well-constructed end-to-end encrypted systems, the system providers never have access to the decryption keys.
The NSA recently issued guidelines for using collaboration services. At the top of the NSA’s list was the recommendation that collaboration services employ end-to-end encryption.End-to-end’s inclusion in the NSA’s list highlights its shift to the mainstream by an organization known to seek the highest levels of security for themselves and their technologies. The NSA notes that by following the guidelines it defines, users can reduce their risk exposure and become harder targets for bad actors.
The U.S. State Department has also wised up to the benefits of end-to-end encryption with their ITAR Carve out for Encrypted Technical data . The carve out establishes that defense companies can now share unclassified technical data outside the U.S. with authorized persons. This exchange can be done without requiring an export license so long as the data is properly secured with end-to-end encryption. If the data is end-to-end encrypted, the exchange is not considered an export.
The NSA’s and State Department’s statements acknowledge that end-to-end encryption provides a significant advantage to users over traditional forms of encryption. End-to-end encryption secures data on the user’s device and only ever decrypts it on the recipient’s device. This means, the data can never be decrypted on the server nor in transit nor on the user’s device.
At PreVeil, end-to-end encryption is at the core of how we protect users’ email and files. Today, hundreds of defense companies and small businesses rely on PreVeil to protect their customers’ most sensitive data.
Learn more about how PreVeil uses end-to-end encryption to protect your data. Download our architectural whitepaper today.