Mar 02, 2021, 11:40 PM

News:

Stay tuned as we migrate data from our old forum !


What is End to End Encryption – E2EE ?

Started by trilight, Feb 08, 2021, 02:16 PM

Previous topic - Next topic

trilight

What is End to End Encryption – E2EE ?

Quick Introduction to End-to-End Encryption

As the digital ecosystem continues on its path of exponential growth, secure communication solutions are necessary to keep data private from snooping third parties. Achieving secure means of communication in cyberspace is relatively complicated, but end-to-end encryption (E2EE) provides a viable solution when done right. The following is an introduction and helps to understand the difference between being in full control of your E2EE communication or hybrid solutions. The latter is a so called "middleman" which must be trusted not to modify their software to read or modify sensitive data before it is encrypted.

How Does End-to-End Encryption Work ?

To keep things simple, E2EE leverages cryptographic key encryption principles to ensure that messaging data cannot be tampered with during transportation. In doing so, it is only the sender and the recipient that hold the required keys to display the contents of a message. From a technical standpoint, E2EE messaging services utilize public keys and private keys. Messaging participants hold public keys which are used to sign and encrypt outgoing messages. Once received, a private key corresponding to the previously-utilized public key is used to decrypt the message contents. As expected, decryption is only possible if one holds both keys consequently, internet service providers (ISPs), government agencies and cyber attackers cannot read or modify messages unless they get ahold of these keys. Fortunately, this is unlikely to happen, given the fact that cryptographic keys are only stored on the messaging endpoints. To put this better into perspective, Pretty Good Privacy (PGP), an advanced encryption framework, relies on a series of algorithms that handle data hashing, compression and encryption via cryptographic keys. Multiple messaging services utilize protocols that are similar in design to facilitate E2EE. Relevant examples include Signal and Telegram's secret chat. To be clear – many messaging providers that fail to employ E2EE can and will likely read outgoing and incoming messages if they are the middleman. Nowadays modern machine learning software programs engage in data farming to build profiles of messaging parties. The information can then be used for marketing, commercial, law enforcement, malicious purposes.

Real End-to-End Encryption

It is imperative to bear in mind that real E2EE only happens when middlemen and third parties are unable to read data while in transit. Despite that some email providers advertise "E2EE", they always retain the ability to make software modifications to their protocol, hence rerouting email prior to being encrypted. If encryption happens on the email server, messaging data can be read and stored. Furthermore, messaging providers may rely on opportunistic or forced encryption protocols that only secure data whilst in transit. Or even if part of the encryption code is deployed on the client side browser, it originates from the mail server provider, thereby exposing user data and making securitization efforts futile. In such cases, the encryption protocol is not real end-to-end, leading to plenty of security risks. End-to-end encryption also entails that users commit to the same messaging software or protocol. There are to this day still many email providers who do not encrypt email while in transit when receiving or delivering email. Not even touching the surface of hybrid E2EE or E2EE as in PGP usage between parties without a middleman.

The Limitations of End-to-End Encryption

Albeit secure by design, E2EE is not free of limitations. Here are a number of potential security risks worth keeping in mind:

Spoofing Public Keys

When engaging in E2EE communication, it is quintessential to verify public key authenticity. From a theoretical standpoint, an attacker can spoof either one or both of the public keys belonging to the messaging parties. Described as a 'man-in-the-middle attack', messaging contents can be revealed if the correct public keys are not utilized.

Compromising Messaging Devices

E2EE is trivial if a user's device has been compromised. For example a desktop computer has been infected with a keylogger. In this case, E2EE encryption fulfills no goals since the attacker can already see everything that's typed on the infected computer. Similarly, if an ill-willed third-party gains access to a smartphone that's used for E2EE messaging, all encryption efforts will be in vain. The key takeaway here is that adequate device security is mandatory to assure the success of E2EE efforts.
Smartphones may not always be the best devices for E2EE as not only the "closed" operating system but also the hardware components are an attack vector. It is strongly advised to research which brands and models have a good track-record concerning security updates, hardware vulnerabilities and how fast fixes are provided. There are currently a few alternative smartphones which have an open-source approach towards privacy and security. Think of Linux or the open-source Android version without depending on Google for it to function. We will write about this a separate article as it deserves a better review of what is available on the market.

Behavioral tracking

Indeed, an ISP or forensics law enforcement department will have no luck in deciphering the contents of an E2EE message. However, they can still engage in behavioral tracking. For instance, a suspect may consistently log into an E2EE email service provider at specific times of the day, a behavior that's easily track-able. Additionally, some platforms may track IPs to determine the whereabouts of their clients. When combined, behavioral tracking resources will aid tracking efforts, undeterred by end-to-end encryption.

Wrapping It Up

Based on these aspects, real E2EE encryption represents a viable means of securing online communication, but only when done right. At this time, supplementary efforts are paramount to completely obscuring online communication. We do not live in a perfect world where good is always good and bad is always bad.