End-to-end encryption? What happens in it?
In a world of constant exchange of data and information in many forms, it is very important for companies that provide communication or any other data exchange service to maintain their users' personal privacy. All the information is expected to be kept safe and accessible to no one except the sender and the receiver.
End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. It is intended to prevent data from being read or secretly modified by anyone other than the true sender and recipient. This idea came into application about three decades ago and has been evolving since then.
In an ideal E2EE system, the data is encrypted before being sent and is decrypted only after it is received, and nowhere in between, which makes it a great way to ensure safety and privacy while data is in transit. The messages are encrypted by the sender, and the third party that relays them has no means to decrypt them, so it can only keep them encrypted. The recipients retrieve the encrypted data and decrypt it themselves. It is so secure that the companies that use end-to-end encryption cannot read their own customers' messages.
The cryptographic keys used in encryption are erased and regenerated constantly; this can be done for every block of data exchanged or at intervals of a specified period of time. This ensures that the communication cannot be decrypted in the future. Even if a key is somehow compromised, the past and future conversations are completely inaccessible.
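One construction for the per-block key regeneration described above is a hash ratchet, shown here as an added example (not code from the original article; the page names no construction, so HMAC-SHA256, the labels and all function names are assumptions). It also shows the limit of a hash chain alone: state copied from a device yields later keys but none of the earlier ones, so protecting later messages needs fresh key-exchange output mixed in.

```python
import hashlib
import hmac


def ratchet_step(chain_key):
    """Return (message_key, next_chain_key); HMAC-SHA256 is one-way, so
    neither output reveals the chain key that produced it."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return message_key, next_chain_key


class Party:
    """One endpoint. Both endpoints start from the same initial secret."""

    def __init__(self, initial_secret):
        self.chain_key = hashlib.sha256(initial_secret).digest()

    def next_message_key(self):
        # Replace the chain key; the previous value is dropped and cannot
        # be recomputed from the new one.
        message_key, self.chain_key = ratchet_step(self.chain_key)
        return message_key


def run_conversation(initial_secret, messages, leak_after):
    """Advance both endpoints per message; copy the sender's state once,
    after `leak_after` messages, as a device compromise would."""
    sender, receiver = Party(initial_secret), Party(initial_secret)
    keys, leaked_state = [], None
    for i in range(messages):
        key = sender.next_message_key()
        assert key == receiver.next_message_key()  # endpoints stay in sync
        keys.append(key)
        if i + 1 == leak_after:
            leaked_state = sender.chain_key
    return keys, leaked_state


def keys_derivable_from(state, count):
    """Message keys that a holder of `state` can compute going forward."""
    derived = []
    for _ in range(count):
        key, state = ratchet_step(state)
        derived.append(key)
    return derived
```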
What happens in E2EE?
The main aspect of end-to-end encryption is the possession of public-private key pairs at the endpoints of communication. The public key can be exchanged over an insecure channel and is used as a part of the encryption. It is truly public and is available to both communicating users and to anyone else. The private key is never shared and stays with its owner only; not even the other user who sends messages to or receives messages from this user has it.
When a message is to be sent, it is first encrypted using the public key of the recipient (which can be obtained directly via the insecure channel). This encrypted message is then sent through the server to the receiver of the message. The encrypted message can only be decrypted using the public-private key pair of the recipient and hence cannot be decrypted anywhere else during the relay of the message. The recipient can now get the encrypted message, decrypt it using their key pair and read it.
In symmetric encryption, data encryption and decryption are performed using the same key. This requires both communicating users to have the common key for encryption and decryption. This key must somehow be present with both users just before they start communicating, i.e. just after a communication path is set. For this to be secure, the key must not be transferred through an insecure channel, yet for it to serve its purpose both communicating users must have the same key. How is this achieved?
The answer is Diffie-Hellman key exchange, a method of securely exchanging cryptographic keys over a public channel. Published in 1976, it is the earliest known work proposing the idea of a private key and a corresponding public key.
In the DH key exchange method, both users have a common public key that can be shared over an insecure channel, and each has a unique private key restricted to that user. The process involves the mutual exchange of intermediate keys, each formed by encrypting the public and private keys of the respective user. The intermediate key received from the other user, together with the private key of the present user, produces the common secret key, which is used for encryption and decryption. The public keys are also used to authenticate the shared intermediate keys.
The encryption logic used in making the intermediate key is so powerful that even someone who knows the public key and the principle of encryption finds it impossible to extract the private key. In one such process, the common public key is usually a large prime number along with its primitive root, and the encryption logic raises the root to the power of the private key and then takes the result modulo the prime number.
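The exchange described above, worked through as an added example (not code from the original article): the "intermediate key" is the root raised to a private key modulo the prime, and each side validates the value it receives before using it. The 61-bit prime, the function names and the SHA-256 step that turns the shared secret into a symmetric key are assumptions chosen for illustration; real deployments use standardized groups of 2048 bits or more.

```python
import hashlib
import secrets

P = 2**61 - 1  # Mersenne prime, toy-sized; real groups are 2048 bits or more


def prime_factors(n):
    """Distinct prime factors by trial division (only viable at toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """True if g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def smallest_primitive_root(p):
    return next(g for g in range(2, p) if is_primitive_root(g, p))


def public_value(g, private, p):
    """The 'intermediate key': the root raised to the private key, mod p."""
    return pow(g, private, p)


def shared_key(peer_public, private, p):
    """Check the received value, then hash the shared secret into a key."""
    if not 2 <= peer_public <= p - 2:  # 0, 1 and p-1 force a guessable secret
        raise ValueError("peer public value outside 2..p-2")
    secret = pow(peer_public, private, p)
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()


def exchange(p=P):
    """Run both sides; only g, p, A and B ever cross the channel."""
    g = smallest_primitive_root(p)
    a = secrets.randbelow(p - 3) + 2  # first user's private key, in 2..p-2
    b = secrets.randbelow(p - 3) + 2  # second user's private key
    A, B = public_value(g, a, p), public_value(g, b, p)
    return shared_key(B, a, p), shared_key(A, b, p)
```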
ASYMMETRIC v/s SYMMETRIC encryption
Asymmetric encryption is more secure, as two keys are involved, and is relatively slower than the symmetric method, whereas the symmetric method of encryption is relatively faster and can be termed relatively less secure, as only one secret key is used in encryption and decryption.
NOTE: This comparison is relative to one another.
Who uses E2EE?
Over the past few years, almost all messaging apps have been adopting end-to-end encryption in order to make themselves the most secure platform for communicating. WhatsApp, Signal, Google Duo, Apple FaceTime, photos and videos shared through Snapchat (not the text messages), and secret conversations in Facebook Messenger and Telegram are all end-to-end encrypted.
Many platforms adopted E2EE only recently. WhatsApp announced in 2016 that every form of communication through it is end-to-end encrypted. Signal became end-to-end encrypted in 2015. Gmail is still not truly end-to-end encrypted, as it only works when the encrypted email is sent to a Gmail address. Zoom is not yet end-to-end encrypted, and its current E2EE update is in technical preview. All the non-E2EE platforms use different kinds of encryption but are not as private or as secure as the E2EE ones.
It is so safe that it causes a problem
When all the conversations are end-to-end encrypted, there is no way for the communications to be tracked. Hence, this does not allow for the possibility of monitoring criminal activities that happen through the E2EE system.
A BACKDOOR IS NOT THE SOLUTION, NOT AT ALL
A backdoor here is either a secret key or a method that gives the company providing the service access to its users' data, or it can be a secret mathematical algorithm that achieves the same purpose. This would help in criminal cases and could be used to serve national security. But it is always a vulnerability for the entire system, and if it falls into the wrong hands it leads to catastrophe. The search continues for a proper and secure way to ensure people's privacy while serving national security in situations of need.
Can E2EE be circumvented?
As E2EE works on the public-private key pair, the wrong person can get data if he or she is one of the communicating users or mimics one, which happens only when that person obtains a valid public-private key pair. For this to happen, the communication must be established with the wrong user in the first place, or the wrong user must gain access to the public-private keys of the user being mimicked. The latter is possible by hacking that user's communication device (a mobile phone, a computer, etc.). End-to-end encryption provides a secure way for data to travel, but it provides no regulation or security at the endpoints. The security at the endpoints depends on various factors, such as the operating system and the other apps present on a mobile device.
End-to-end encryption is a great and safe way to secure data and information during data exchange, keeping the user’s privacy protected during transmission of information.