End-to-end encryption (E2EE) secures two-way communication so that messages stay unreadable by third parties. Those third parties could be anyone, from governments and ISPs to hackers. With E2EE, not even the service provider can read the messages. The encryption used by providers like Gmail and Hotmail does not protect the whole path from sender to recipient, which means the companies themselves can access user messages. For end-to-end encrypted communication you can use services like ProtonMail for email or Signal for messaging.
E2EE is a type of asymmetric encryption, where both a public and a private key are necessary. This makes E2EE more powerful than ordinary encryption. Seeing the advantage of E2EE, many service providers, like the Facebook-owned WhatsApp, began to use it.
How does end-to-end encryption work?
Consider a simple situation where A wants to communicate securely with B. In the communication that follows, these steps occur:
- A’s message — let’s say, “Hello B” — is turned into a ciphertext. A ciphertext looks like a string of random characters, so “Hello B” might look like [email protected](dsf)du.
- This ciphertext is sent over the internet, where it passes through many servers before reaching its destination. If anyone on the path tries to snoop on the communication, they see only this jumble of letters, numerals and special characters, which is hard to decipher and looks like gibberish.
- The message arrives at its destination, where B decrypts it. So [email protected](dsf)du is displayed again as “Hello B”.
Why is E2EE so secure?
End-to-end encryption uses both public and private keys. Public keys are large numerical values used to encrypt data. A user can generate public keys with the help of software, but mostly a designated authority provides these keys.
Private keys, on the other hand, are not publicly available; only the key’s generator can access them. Private keys and public keys are mathematically linked.
In asymmetric encryption, both A and B have a public and a private key. A and B exchange public keys before communication starts. A then uses B’s public key to encrypt the message, and the encrypted message can only be decrypted using the combination of B’s public and private key. Unlike the public key, the private key is held only by B, so no third party can read their communication. That is what makes the communication secure.
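The steps above (A encrypts with B's public key, a server in the middle sees only ciphertext, B decrypts with the private key) can be followed in code. This is an added example, not code from the article or from any of the services it names: it uses textbook RSA with tiny constructed primes purely to show how the public and private keys are linked. Real E2EE software uses keys of 2048 bits or more, randomised padding and a symmetric session key; this per-byte scheme is deterministic and is for illustration only.

```python
from math import gcd

# Added example: textbook RSA on constructed toy primes. Every number below is
# chosen for readability, not security.

def generate_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key and its mathematically linked private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); d is the private exponent
    return (n, e), (n, d)

def encrypt(public_key, message):
    """Encrypt each byte of the message with the recipient's PUBLIC key."""
    n, e = public_key
    return [pow(b, e, n) for b in message.encode("utf-8")]

def decrypt(private_key, ciphertext):
    """Recover the message; only the matching PRIVATE key yields the plaintext."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext).decode("utf-8")

def try_decrypt(private_key, ciphertext):
    """Like decrypt, but return None instead of raising when the key does not fit."""
    try:
        return decrypt(private_key, ciphertext)
    except ValueError:  # covers out-of-range bytes and UnicodeDecodeError
        return None

def relay(ciphertext):
    """A server between A and B forwards the message unchanged; this list is all it sees."""
    return list(ciphertext)

def demo():
    # Constructed toy primes; B's key pair is independent of A's.
    a_pub, a_priv = generate_keypair(61, 53)
    b_pub, b_priv = generate_keypair(67, 71)
    ct = encrypt(b_pub, "Hello B")          # A encrypts with B's public key
    in_transit = relay(ct)                    # the server sees only these numbers
    return {
        "ciphertext": in_transit,
        "bob_reads": decrypt(b_priv, ct),             # B's private key works
        "alice_reads": try_decrypt(a_priv, ct),       # A's own private key does not fit
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and compare the `ciphertext` line (what the relay sees) with `bob_reads`; `alice_reads` shows that holding a private key is not enough, it has to be the private key paired with the public key used for encryption.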
Benefits of end-to-end encryption
In a world where snooping and spying are becoming the new norm, protecting communication is desirable. Since Edward Snowden’s revelations about NSA spying on US citizens as well as overseas targets, user privacy has become a paramount subject in tech circles and in common parlance alike. E2EE provides users with several benefits:
- End-to-end encryption is highly beneficial in financial transactions.
- It protects the data from hackers. Even in the worst-case scenario, where the hackers gain access to the servers, the data is safe.
- E2EE gives the user control over the data and over who has permission to read it. Service providers like Gmail can access the data through their servers. E2EE, on the other hand, takes those snooping powers away from the service providers.
- In a free world, unfettered data communication is a necessity. E2EE protects this and thus helps in protecting freedom of expression.
Challenges to E2EE
In spite of the enhanced level of privacy and security, end-to-end encryption is not without potential challenges.
Backdoor
With a backdoor, the encryption is deliberately weakened to give hackers or governments access to the data. There are several ways to build an encryption backdoor. One simple method is key escrow, where a third party creates and sells the encryption keys to companies while retaining the decryption keys.
Man-in-the-middle attack
In this attack, the hacker replaces a user’s public encryption key with an encryption key of their own. Messages that were meant for that user are then sent to the hacker instead.
Endpoint security
A user’s device can be hacked and the private key stolen. The hacker could then use the key for man-in-the-middle attacks or simply read the messages. E2EE does not guarantee endpoint security, only the security of the communication itself. Users have to protect their devices themselves.
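The key-substitution attack and the endpoint caveat above both come down to one question for the client: is the public key I was handed really B's? The standard defence is to compare a fingerprint of the key against one obtained out of band (in person, by phone, or as a QR code, the way messaging apps show a "safety number"), and to pin the fingerprint so that any later change is flagged. This added example is not code from the article or from any messaging app; the key bytes and contact names are constructed placeholders, and the digit-group format is an illustration, not any product's exact scheme.

```python
import hashlib
import hmac

# Constructed placeholder keys: the one B actually generated, and one a
# party in the middle might serve in its place.
B_GENUINE_KEY = b"constructed-genuine-public-key-for-B"
B_SUBSTITUTED_KEY = b"constructed-unexpected-public-key"

def fingerprint(public_key: bytes) -> str:
    """Hash the key and show it as eight groups of five digits, easy to read aloud or compare."""
    digest = hashlib.sha256(public_key).digest()
    digits = str(int.from_bytes(digest[:16], "big")).zfill(40)[:40]
    return " ".join(digits[i:i + 5] for i in range(0, 40, 5))

def keys_match(served_key: bytes, expected_fingerprint: str) -> bool:
    """Compare the served key against a fingerprint obtained out of band (constant-time compare)."""
    return hmac.compare_digest(fingerprint(served_key), expected_fingerprint)

class PinnedKeys:
    """Trust-on-first-use store: remember each contact's fingerprint and flag any later change."""

    def __init__(self):
        self._pins = {}

    def check(self, contact: str, served_key: bytes) -> str:
        fp = fingerprint(served_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = fp
            return "new-contact: verify fingerprint out of band before trusting"
        if hmac.compare_digest(pinned, fp):
            return "ok"
        # A changed key may be a reinstalled device, or a swapped key; either way,
        # stop and re-verify out of band before encrypting anything to it.
        return "KEY CHANGED: re-verify before sending"

if __name__ == "__main__":
    verified_fp = fingerprint(B_GENUINE_KEY)   # what B read out to A over the phone
    print("served key matches verified fingerprint:", keys_match(B_GENUINE_KEY, verified_fp))
    print("substituted key matches:", keys_match(B_SUBSTITUTED_KEY, verified_fp))
    store = PinnedKeys()
    print(store.check("B", B_GENUINE_KEY))
    print(store.check("B", B_GENUINE_KEY))
    print(store.check("B", B_SUBSTITUTED_KEY))
```

The out-of-band comparison is what closes the gap: a server that swaps keys can forge everything it relays, but it cannot change the digits B reads to A in person. The pinning store turns a silent key swap into a visible warning, which is also why a stolen or reinstalled device shows up as a key change on the other side.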
Of course there are loopholes in end-to-end encryption, but that in no way diminishes its value or the role it plays in an era where we are striving for data security and privacy on the internet.
Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.
You can contact him here: [email protected]