End-to-end encryption is a secure and private method of communication where the only people who can access the data are the sender and the intended recipient(s). Using end-to-end encryption prevents hackers or unwanted third parties from accessing messages or files on the server.
In true end-to-end encryption, encryption occurs at the device level. That is, every message or file is encrypted before it leaves the phone or computer and isn’t decrypted until it reaches its destination. As a result, hackers cannot access data on the server because they do not have the private keys to decrypt the data. Instead, keys are stored with the individual user on their device which makes it much harder to access an individual’s data.
The security behind end-to-end encryption is enabled by the creation of a public-private key pair. This process, also known as asymmetric cryptography, employs separate cryptographic keys for securing and decrypting the message. Public keys are widely disseminated and are used to lock or encrypt a message. Private keys are only known by the owner and are used to unlock or decrypt the message.
In end-to-end encryption, the system creates public and private cryptographic keys for each person who joins.
Let’s say Alice and Bob create accounts on the system. The math behind end-to-end encryption provides each with a public-private key pair.
Alice wants to send Bob an encrypted message. To do this in an end-to-end encrypted system, Alice digitally pulls down Bob’s public key from the server and encrypts her message to him with his public key. Then, when Bob receives the message, he takes the private key on his device to decrypt the message from Alice and reads it.
The message from Alice to Bob might go through several email servers along the way. Although the companies owning the server might try to read the message, they will be unable to because end-to-end encryption has ensured that they lack the private key to decrypt the message. Only Bob will be able to decrypt the message as he is the only one with the private key that can decrypt the message.
When Bob wants to reply, he simply repeats the process, encrypting his message to Alice using Alice’s public key.
End-to-end encryption is important because it provides users and recipients security for their email and files from the moment the data is created by the user until the moment it is received by the recipient. By providing users with an end-to-end encrypted platform for email and file sharing, no third party can read the exchanged messages.
Unlike most commercial email and file sharing services, services that use end-to-end encryption can never read your data because data is never decrypted on the server. Indeed, your data is most vulnerable place when stored on a disk, in memory or on some device in the cloud.
Services like Gmail, Yahoo or Microsoft enable the provider to access the content of users’ data on its servers because these providers hold copies to the decryption keys. As such, these providers can read users’ email and files. In Google’s case, its possession of decryption keys has enabled them in the past to provide the Google account holder with targeted ads.
End-to-end encryption securely transfers data between endpoints. However, an intruder can sit on the server and impersonate a recipient by substituting the intruder’s public key for the recipient’s. In this way, messages are encrypted with a key known to the attacker.
However, by using a system of authentication, this challenge can be minimized. This authenticity is provided by having Bob digitally sign the email to Alice using his private key. When Alice receives the message from Bob , she can verify the digital signature on the message came from Bob by using his public key. As the digital signature is based on Bob’s private key, Bob is the only one who could create the signature. As such, there is no way to spoof it.
Lest you think this example of tampering with messages is theoretical, you need to only look to the example of the eFail attack in 2018 in which it was shown that attackers could alter a message by injecting malicious code into the body of the email. This attack was enabled because the email messages sent through OpenPGP and s/MIME did not require checking if the message had been altered before the recipient opened the message.
Security practitioners often point out that security is a chain that is only as strong as the weakest link. Bad guys will attack the weakest parts of your system because they are the parts most likely to be easily broken. Given that data is most vulnerable when stored on a server, hackers’ techniques are focused on gaining access to servers.
As the Department of Homeland Security has written:
Given that attackers will go after low hanging fruit like where the data is stored, a solution that does not protect stored data will leave information extremely vulnerable.
End-to-end encryption however does protect stored data. In fact it secures and protects data throughout its journey. As such, end-to-end encryption is the safest option for data security available.
As the DHS goes on to state in its report,
Attacking the data while encrypted is just too much work [for attackers].
The movement of data storage to the cloud from on premise storage has made data management a much easier job for IT administrators. The cloud is scalable, cost-effective, easy to manage, and accessible to a wide range of devices. At the same time, the cloud is also vulnerable to attack because it represents a huge repository of information. Even a minor misconfiguration of a cloud server can make the stored data vulnerable.
Many security companies try to build ever taller walls to protect the data on the server. However, by using end-to-end encryption, data can still be secure even if the cloud is breached. This protection is ensured because end-to-end encrypted data can never be decrypted in the cloud since the keys for decryption are not stored there. If a attacker breaches a server, all they will get is gibberish.
The NSA recently issued guidelines for using collaboration services. At the top of the NSA’s list was the recommendation that collaboration services employ end-to-end encryption.End-to-end’s inclusion in the NSA’s list highlights its shift to the mainstream by an organization known to seek the highest levels of security for themselves and their technologies. The NSA notes that by following the guidelines it defines, users can reduce their risk exposure and become harder targets for bad actors.
The U.S. State Department has also wised up to the benefits of end-to-end encryption with their ITAR Carve out for Encrypted Technical data . The carve out establishes that defense companies can now share unclassified technical data outside the U.S. with authorized persons. This exchange can be done without requiring an export license so long as the data is properly secured with end-to-end encryption. If the data is end-to-end encrypted, the exchange is not considered an export.
The NSA’s and State Department’s statements acknowledge that end-to-end encryption provides a significant advantage to users over traditional forms of encryption. End-to-end encryption secures data on the user’s device and only ever decrypts it on the recipient’s device. This means, the data can never be decrypted on the server nor in transit nor on the user’s device.
The advantages of end-to-end encryption can be summarized as follows:
Learn more about how PreVeil uses end-to-end encryption to protect your data. Download
our architectural whitepaper today.