2 August 2023
Nowadays, you hardly ever speak directly with your peers due to the nature of Internet communications. Despite the fact that your conversations with your friends appear to be private, they are actually being recorded and stored on a centralized server.
You might not want the server reading your messages as they are being passed between you and the recipient. End-to-end encryption, also known as E2EE, might be the answer in that situation.
End-to-end encryption is a technique for encrypting communications so that only the sender and receiver can decipher the data. It traces back to the 1990s, when Phil Zimmermann released Pretty Good Privacy, also known as PGP.
Before discussing the benefits of using E2EE and how it functions, let's take a closer look at how unencrypted communications operate.
Let's discuss how a standard smartphone texting system might function. You download the application and register for an account, which enables communication with those who have also done so. A message is written, the friend's username is entered, and it is subsequently posted to a central server. The server forwards the message to the intended recipient after noticing that you addressed it to your friend.
Users A and B are in conversation. To communicate with one another, data must be passed through the server (S).
This is referred to as a client-server model. The server does all of the labor-intensive tasks, leaving the client (your phone) with little to no responsibility. However, it also implies that the service provider serves as a go-between for you and the recipient.
In the diagram, the information between A > S and S > B is typically encrypted. Transport Layer Security (TLS), which is widely used to secure communications between clients and servers, is an example of this.
Thanks to TLS and other security measures, nobody can intercept the communication as it travels from the client to the server. These precautions may bar outside access to the data, but the server can still read it. This is where encryption comes in: the server cannot read or access data from A that has been encrypted with a cryptographic key that belongs to B.
Without E2EE techniques, the server can store the data in a database alongside millions of other records. This can have catastrophic effects on end users, as numerous large-scale data breaches have shown.
End-to-end encryption makes sure that nobody can access your messages, not even the server that connects you to other people. The communications in question could be in the form of files, video calls, emails, or plain text.
In programs like WhatsApp, Signal, or Google Duo, data is encrypted so that only the sender and intended receiver can decrypt it. In end-to-end encryption schemes, that procedure might start with something called a key exchange.
Cryptologists Whitfield Diffie, Martin Hellman, and Ralph Merkle came up with the concept of the Diffie-Hellman key exchange. This effective method enables people to create a shared secret in a potentially hostile setting.
To put it another way, the production of the key can take place in an insecure forum (even with observers present) without endangering the communications that follow. This is particularly useful in the Information Age because parties can communicate without physically exchanging keys.
The exchange itself is based on complex mathematics and cryptographic tricks. The finer points won't be covered here. Instead, we'll use the widely used analogy of paint colors. Imagine Alice and Bob want to share a certain color of paint, but they are in separate hotel rooms at opposite ends of a hallway. They do not want other people to learn what it is.
Unfortunately, there are many spies on the floor. Assume that in this scenario, Alice and Bob are unable to enter each other's rooms and can only communicate with one another in the hallway. They may decide on a common color in the hallway, like yellow. They each take a little of the yellow paint from the tin and go back to their own rooms.
In their rooms, they each mix in a secret paint that nobody else is aware of. Alice uses a shade of blue, while Bob uses a shade of red. Importantly, the spies are unable to see the secret colors they are using. But the spies will observe the final mixes, since Alice and Bob now leave their rooms with their blue-yellow and red-yellow concoctions.
These mixes are traded openly. Even if the spies catch a glimpse of them now, they won't be able to tell which exact shades were added. It's important to keep in mind that this is simply an analogy and that the system's real mathematics makes it far more difficult to determine the secret "color."
After Alice takes Bob's mix and Bob takes Alice's, they both head back to their rooms. They now incorporate their hidden colors once more.
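Alice combines her secret shade of blue with Bob's red-yellow mixture to create a red-yellow-blue mixture. Bob does the same with his secret red and Alice's blue-yellow mixture, so both end up with the same color.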
Therefore, we can build a shared secret in the open using this technique. The distinction is that we are dealing with unsecured channels, public keys, and private keys instead of hallways and paint.
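The paint exchange above, carried through with numbers, as an added example that is not part of the original article. The group parameters are constructed toy values (far too small for real use), and the function names are hypothetical.

```python
import hashlib
import secrets

# Constructed demo parameters: the public "yellow paint" everyone can see.
# 2**127 - 1 is prime but far too small for real use; real systems use
# standardized groups of 2048 bits or more, or elliptic curves.
P = 2**127 - 1
G = 3

def keypair():
    """Pick a secret colour and mix it with yellow: returns (private, public)."""
    private = secrets.randbelow(P - 3) + 2       # secret in [2, P-2]
    public = pow(G, private, P)                  # the mix carried into the hallway
    return private, public

def shared_key(my_private, their_public):
    """Add my secret colour to the other side's mix, then hash to a 32-byte key."""
    if not 1 < their_public < P - 1:             # reject degenerate values
        raise ValueError("invalid public value")
    secret = pow(their_public, my_private, P)    # same number on both sides
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def run_exchange():
    """One full exchange; 'hallway' holds everything an observer can record."""
    a_priv, a_pub = keypair()                    # Alice: blue, blue-yellow
    b_priv, b_pub = keypair()                    # Bob: red, red-yellow
    hallway = {"P": P, "G": G, "a_pub": a_pub, "b_pub": b_pub}
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub), hallway

if __name__ == "__main__":
    alice_key, bob_key, hallway = run_exchange()
    print("keys match:", alice_key == bob_key)
    print("observer sees only:", sorted(hallway))
```

Neither private value ever appears in `hallway`, which is the point of the analogy: the mixes are public, the secret colours are not.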
Once the parties have established their shared secret, they can use it as the basis of an encryption scheme. Popular implementations frequently include extra security measures, although the user is not directly aware of any of this. Once you connect with a friend using an E2EE application, encryption and decryption can only take place on your devices (barring any significant software flaws).
Whether you're a hacker, a service provider, or even law enforcement, it makes no difference. If the service is truly end-to-end encrypted, any message you intercept will appear to be jumbled gibberish.
End-to-end encryption has essentially just one drawback, and whether or not you consider it to be a drawback depends entirely on your viewpoint. Some people find the fundamental value proposition of E2EE (that no one else can access your communications without the corresponding key) problematic.
The argument put forward by opponents is that criminals can use E2EE with confidence, knowing that neither governments nor tech corporations can decode their conversations. They contend that those who follow the law should not need to keep their phone calls and text messages a secret. Many politicians who support legislation that would backdoor systems to give them access to communications share this opinion. Naturally, this would be contrary to the intent of end-to-end encryption.
It's important to note that E2EE-based apps are not entirely secure. When relayed from one device to another, messages are obscured, but they are viewable on the endpoints, which are the computers or smartphones at either end. This isn't really a disadvantage to end-to-end encryption, but it's something to be aware of.
The message is viewable in plaintext before encryption and after decryption.
E2EE's promise is that nobody can access your data while it is in transit. But there are still other dangers:
Your device could be stolen: if you don't have a PIN for it, or if the attacker manages to get past it, they can access your messages.
Your device might be infected with malware that intercepts information both before and after it is sent.
Another danger is that someone might launch a man-in-the-middle attack to place themselves between you and your peer. This would happen at the beginning of the communication, since when you're exchanging keys you can't be sure you're doing it with your friend. You might unintentionally establish a secret with an attacker. Your messages are then delivered to the attacker, who has the key to decrypt them. They could deceive your friend in the same way, relaying communications and reading or altering them as desired.
Many apps incorporate some sort of security code function to get around this. This is a string of numbers or a QR code that you can share with your contacts over a secure channel (preferably offline). If the numbers match, you can be certain that no one is listening in on your conversations.
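Why comparing security codes exposes a substituted key, as an added example that is not part of the original article. The code format, the function names and the private values are constructed for illustration; real apps define their own formats.

```python
import hashlib

# Constructed toy group for illustration only (far too small for real use).
P, G = 2**127 - 1, 3

def public_value(private):
    """Public value a device sends during the key exchange."""
    return pow(G, private, P)

def security_code(pub_one, pub_two):
    """Order-independent digest of both public values, as four digit groups.
    Hypothetical format chosen for this example."""
    lo, hi = sorted((pub_one, pub_two))
    digest = hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big")).digest()
    digits = f"{int.from_bytes(digest[:10], 'big') % 10**20:020d}"
    return " ".join(digits[i:i + 5] for i in range(0, 20, 5))

def session(alice_priv, bob_priv, relay_priv=None):
    """Return (code on Alice's screen, code on Bob's screen).
    If relay_priv is set, the relay replaces both public values in transit."""
    a_pub, b_pub = public_value(alice_priv), public_value(bob_priv)
    if relay_priv is None:
        seen_by_alice, seen_by_bob = b_pub, a_pub      # honest delivery
    else:
        seen_by_alice = seen_by_bob = public_value(relay_priv)
    # Each device hashes its own public value with the one it received.
    return security_code(a_pub, seen_by_alice), security_code(b_pub, seen_by_bob)

if __name__ == "__main__":
    # Constructed private values; real clients generate them randomly.
    print("honest relay:  ", session(11, 22))
    print("tampered relay:", session(11, 22, relay_priv=33))
```

With honest delivery both screens show the same code; once the relay substitutes its own value, each device hashes a different pair and the codes no longer match when compared out of band.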
E2EE is without a doubt a very helpful tool for enhancing secrecy and security in a configuration free of any of the aforementioned flaws. It is a technology that privacy activists throughout the world are evangelizing, much like onion routing. The technology is also easily integrated into programs that look familiar to us, making it available to anybody who can use a cell phone.
It would be incorrect to think that only criminals and whistleblowers benefit from E2EE. Even organizations that appear to be very secure have been shown to be vulnerable to attacks, exposing unencrypted customer data to malicious parties. Access to user information, such as private communications or identity documents, may have disastrous effects on people's lives.
If a corporation that uses E2EE is compromised, hackers are unable to obtain any useful information about the content of communications (if the encryption implementation is strong). They might, at most, obtain metadata. While it's an improvement over access to the encrypted message, this is nonetheless troubling from a privacy perspective.
In addition to the aforementioned programs, a rising number of E2EE tools are available for free. Apple's iMessage and Google's Duo come pre-installed with the iOS and Android operating systems, respectively, and more privacy- and security-conscious software is constantly being released.
Let's stress once more that end-to-end encryption is not a foolproof defense against every type of cyberattack. However, you can actively use it to significantly lower the risk you expose yourself to online with comparatively little effort.