End-To-End encryption(E2EE) - The first glance
ABSTRACT
Nowadays, we have many chats and video call applications. This application is a part of your life and you can not live without it. A billion messages, pictures, and video calls are made daily. The data was transferred around the world. This application was provided by 3rd party to help you and your friend, client, or co-worker… communicate. And, have you ever asked that somebody can read your messages without permission? Yes, they can. This is the main reason a new security method was released. That is End-To-End encryption aka E2EE. In this article, we will have a first glance at E2EE.
Source: [1]
WHAT IS E2EE
End-to-end encryption (E2EE) is a secure communication method that prevents third parties from accessing data while it's transferred from one end system or device to another. That means, only you and your partner can read messages to each other. As such, no one, including the communication system provider, telecom providers, Internet providers, or malicious actors, can access the cryptographic keys needed to converse. The messages are encrypted by the sender but the third party does not have a means to decrypt them and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves. Many popular messaging service providers use end-to-end encryption, including Facebook, WhatsApp, Zoom, Telegram, and Signal….
Source: [1]
HOW DOES E2EE WORK?
To have an overall E2EE mechanism, you can see the image above. The conversation participant will create a pair of keys (public and private keys) with support from the server. The participant will save our private key and other’s public key. The server’s responsibility is to save the participant's public key and forward it to others who join the conversation. When the conversation is created, the participants will share the public key through the server. The mechanism to create or save the key is very complex, so I will not mention it in this article. We will have more articles to discuss about the algorithm. Because the server only saves the public key, it can not decrypt the message, only participants can. The image below describes the mechanism of creating and sharing keys with each other with the Diffie-Hellman Key Exchange Algorithm.
Source: [5]
Alice and Bob agree to use two common prime numbers (g & n) provided by the server.
Now, these are combined using mathematical calculations with the Private keys of Alice and Bob => a + g = ag and b + g = bg.
We exchange these Public Keys ag and bg via server.
Combine the exchanged keys with the Private keys of Alice and Bob respectively to form a Shared Secret Key => ag+b = agb and bg+a = bga at both ends.
Now the attacker might be aware of g, n, ag & bg as these are being shared publicly, but not a & b since these are private keys only available to Alice and Bob.
It is too difficult for any intruder to split up the public components ag and bg.
Any attacker can combine ag+bg = abgg (extra bit) - too hard to figure out.
E2EE is not simple like that. It is very complex. It has many concepts and algorithms such as One-Time Prekeys, X3DH, Double Ratchet Mechanism…In this introduction article, I do not mention.
ADVANTAGES OF END-TO-END ENCRYPTION
More Security in transit: E2EE is one of newest security in transit. It seems to be the state of the art in the security domain. Only the partitioner can read their message. In case the private key leaks, only one message encrypted by this key can be read. And the other can not.
More Security in storage: Due to the server only saving encrypted data. So, in case the server is hacked or leaked, the hacker can not read this data. With E2EE, you always make sure that your data is very safe.
Compliance: The internet is most developed nowadays. The requirement for privacy and security is increasing too. Many users and companies are very focused on this problem. E2EE is the best method to adapt this requirement.
DISADVANTAGES OF END-TO-END ENCRYPTION
Complexity: More security is more complexity. E2EE is a new method with many complex concepts and algorithms. So, it is very difficult to understand.
Cost: Due to complexity, the cost to develop an E2EE system is very high. It is not only finance but also time and resources
Visible metadata: E2EE only encrypts the content of data. So, the metadata of the request is visible. But don't worry about that, you can apply the other method to protect it.
Data insight: Many company base on user’s data to make money. They mine the content of user’s data to affiliate marketing or sell. E2EE will make it impossible for them to do this.
E2EE APPLICATIONS
E2EE is new but it is used in many applications and many domains.
Secure communications: Messaging apps like Signal and a digital trunked mobile radio standard like TETRA use end-to-end encryption to keep conversations between its users private. Email systems can be figured out for E2EE, too, but it requires Pretty Good Privacy (PGP) encryption configuration. Users can also use a service like ProtonMail and Tutanota, which have PGP built-in
Password management: Password managers like 1Password, BitWarden, Dashlane, and LastPass use E2EE to protect a user's passwords. In this case, however, the user is on both endpoints and is the only person with a key.
Data storage: Storage devices often provide E2EE at rest. However, service providers can also offer E2EE in transit in a cloud storage setting, safeguarding users' data from anyone, including the cloud service provider.
REFERENCE
[1] https://blog.etesync.com/end-to-end-encryption-what-it-is-and-why-it-is-needed/
[2] https://en.wikipedia.org/wiki/End-to-end_encryption
[3] https://www.techtarget.com/searchsecurity/definition/end-to-end-encryption-E2EE
[4] https://www.ibm.com/topics/end-to-end-encryption
[5] https://simple.wikipedia.org/wiki/Diffie-Hellman_key_exchange
We are a software development company based in Vietnam.
We offer DevOps development remotely to support the growth of your business.
If there is anything we can help with, please feel free to consult us.