The nature of our digital communication today is that you rarely communicate directly with your colleagues. It looks like you and your friends are exchanging messages privately. But in reality, they are being recorded and stored in a central server.

You may not want your messages to be read by certain servers, although they are responsible for transferring messages between you and the recipient. In that case, end-to-end encryption (E2EE) might be the solution for you.

End-to-end encryption is a method for encrypting communications between the receiver and the sender so that they are the only party that can decrypt the data. Its origins can be traced back to the 1990s, when Phil Zimmerman released Pretty Good Privacy (known as PGP).

Before we get into why you want to use E2EE and how it works, let’s see how unencrypted messages work.

How does unencrypted messaging work?

Let’s talk about how a smartphone messaging platform might work. You install the app and create an account, allowing you to communicate with people who have done the same. You write a message and enter your friend’s username, then send it to a central server. The server sees that you have sent the message to your friend, so it will forward it to the destination.

Users A and B transmit data through the server WILL

You may know this as the client-server model. The client (your phone) doesn’t do much – the server does all the heavy lifting instead. But it also means that the service provider acts as an intermediary between you and the recipient.

Most of the time, the data between A <> S ​​and S <> B in the diagram is encrypted. An example of this is Transport Layer Security (TLS), which is widely used to secure connections between clients and servers.

TLS and similar security solutions prevent anyone from intercepting a message as it travels from client to server. While these measures may prevent outsiders from accessing the data, it is still readable by the server. This is where coding comes in. If data from A is encrypted with a cryptographic key belonging to B, the server cannot read or access it.

Without the E2EE methods, the server could store information in a database along with millions of others. As large-scale data breaches have been proven time and time again, this can have disastrous consequences for the end user.

How does end-to-end encryption work?

End-to-end encryption ensures that no one, including the server connecting you to others, can access your communications. The contact information in question could be anything from simple texts and emails to files and video calls.

Data is encrypted in apps like Whatsapp, Signal, or Google Duo so that only the sender and intended recipient can decrypt them. In end-to-end encryption schemes, you can initiate that process with something called key exchange.

What is Diffie-Hellman Key Exchange?

The idea of ​​a Diffie-Hellman key exchange was conceived by cryptographers Whitfield Diffie, Martin Hellman, and Ralph Merkle. It’s a powerful technique that allows parties to create a shared secret in a potentially hostile environment.

In other words, key generation can happen on insecure forums (even with viewers watching) without affecting subsequent messages. In the Information Age, this is especially valuable because parties do not need to exchange physical keys to communicate.

The exchange involved bulk and magic cryptography. We won’t get into the finer details. Instead, we will use the same universality of paint colors. Suppose Alice and Bob stay in separate hotel rooms at opposite ends of the hallway and they want to share a particular paint color. They don’t want anyone else to find out what it is.

Unfortunately, the floor is swarming with spies. Assume that Alice and Bob cannot enter each other’s rooms in this example, so they can only interact in the hallway. What they can do is agree on a common hallway paint – say, yellow. They get a box of this yellow paint, divide them up and return to their respective rooms.

In their room, they will mix in a secret coat of paint – something no one knows about. Alice uses blue and Bob uses red. Importantly, the spies cannot see what secret colors they are using. They will, however, see the resulting mixtures, because Alice and Bob are currently leaving their room with green yellow and red yellow concoctions.

They exchange these mixtures outdoors. It doesn’t matter if the spies see them now, because they won’t be able to determine the exact shade of the added colors. Remember this is just an analogy – the real math underlying this system makes guessing the secret color even harder.

Alice takes Bob’s mix, Bob takes Alice and they go back to their room again. Now, they blend their secret colors back.

• Alice combines the secret shade of blue with Bob’s red-yellow mixture, creating a red-yellow-green mixture
• Bob combines secret shades of red with Alice’s blue-yellow mixture, creating a blue-yellow-red mixture

Both combinations have the same color in them, so they will look exactly the same. Alice and Bob have successfully created a unique color that is unknown to the enemies.

So here is the principle we can use to create a shared secret. The difference is that we don’t deal with corridors and paint, but insecure channels, public keys and private keys.

Exchange messages

Once the parties have a shared secret, they can use it as the basis for an asymmetric encryption scheme – like the Advanced Encryption Standard (AES). Common implementations often incorporate additional techniques for stronger security, but all of these are abstracted away from the user. When you connect with a friend on the E2EE app, encryption and decryption can only happen on your device (blocking any major software vulnerabilities).

It doesn’t matter if you’re a hacker, a service provider, or even law enforcement. If the service is truly end-to-end encrypted, any messages you intercept will look like meaningless garbled.

The pros and cons of end-to-end encryption

Disadvantages of end-to-end encryption

There’s really only one downside to end-to-end encryption, and whether that’s a downside is entirely up to you. For some people, the very high value proposition of E2EE is problematic, precisely because no one can access your messages without the corresponding key.

Opponents argue that criminals can use E2EE, safe in the knowledge that governments and tech companies cannot decrypt their communications. They believe that law-abiding individuals should not need to keep their text messages and phone calls secret. This is a mentality echoed by many politicians, who support legislation that will support backdoor systems to allow them to access communications. Of course, this would defeat the purpose of end-to-end encryption.

It’s worth noting that applications that use E2EE are not 100% secure. Messages are scrambled as they are forwarded from one device to another, but they are displayed on the endpoints i.e. laptops or smartphones at each end. This isn’t a downside of end-to-end encryption, but it’s worth keeping in mind.

Messages are displayed before and after decoding

E2EE ensures that no one can read your data while in transit. But other threats persist:

• Your device can be stolen: if you don’t have a PIN or if an attacker bypasses it, they can get access to your messages.
• Your device may be compromised: your device may have malware that tracks information before and after you send it.

Another risk is that someone could get in between you and your colleagues by performing a man-in-the-middle attack. This will happen at the beginning of communication, if you are doing key exchange you don’t know for sure it is with your friend. You could accidentally set up a secret with an attacker. The attacker then receives your messages and has the key to decrypt them. They can trick your friend in a similar way, meaning they can forward messages and read or modify them as they see fit.

To work around this, many applications include some sort of security token feature. This is a string of numbers or QR codes that you can share with your contacts through a secure channel (ideally offline). If the numbers match, then you can be sure that a third party is not snooping on your communications.

Advantages of end-to-end encryption

In a setup free from any of the previously mentioned vulnerabilities, E2EE is undeniably a highly valuable resource for increased security and privacy. Like the tor network, it’s a technology spread by privacy activists around the world. It is also easily integrated into applications like the ones we are used to, which means that the technology is accessible to anyone with the ability to use a mobile phone.

To view E2EE as a mechanism useful only to criminals and whistleblowers would be a mistake. Even the most seemingly secure companies have proven vulnerable to cyberattacks that reveal unencrypted user information to malicious parties. Access to user data such as sensitive contact information or identity documents can have an impact on an individual’s life.

If a company whose users rely on E2EE is breached, a hacker cannot extract any meaningful information about the content of the message (as long as their encryption implementation is robust). At best, they can get the metadata. This is still related from a privacy point of view, but it’s an improvement on access to encrypted messages.

Stop thinking

In addition to the applications mentioned earlier, more and more E2EE tools are available for free. Apple’s IMessage and Google’s Duo come with iOS and Android operating systems, and more privacy and security-conscious software continues to roll out.

Let’s reiterate that end-to-end encryption is not a magic barrier against all forms of cyberattacks. However, with very little effort, you can actively use it to reduce your risk when you are exposed online. Besides Tor, VPNs, and cryptocurrencies, E2EE messengers can be a valuable addition to your digital security arsenal.

Follow the Twitter page | Subscribe to Telegram channel | Follow the Facebook page