WhatsApp does it, Telegram does it, ProtonMail does it, and now also Twitter joins the party: Using end-to-end encryption (E2EE) for communication. In this blog post we'll introduce you to this concept and explain why it's important.
What is end-to-end encryption?
End-to-end encryption, abbreviated as E2EE, is used in communication technologies to secure messages sent to each other. The goal is that only the sender and the receiver of a message can read it. If the message gets intercepted during transmission, it should not be readable. Even the service that is used to send and receive the messages, won't be able to read it. Even if some employee wants to.
So, E2EE helps keeping your digital conversations private. When used, your internet provider, the communication services, mobile carrier, etc. won't be able to eavesdrop into your conversations.
End-to-end encryption is typically used in the instant messaging and e-mail services world.
How does E2EE work?
The basic principle of end-to-end encryption
Say John wants to send the chat message Hello there to Jane. Without E2EE, the text gets sent over the line as is.
This means that the chat service can read the contents of the message. When enabling E2EE, the message gets "scrambled"
before leaving Johns device. So, on the communication line, there is some weird text going over it. The chat service
can't understand the message now. After the message gets received by Janes device, it gets unscrambled back to the
original Hello there message.
The process of "scrambling" and "un-scrambling" the message, is called encrypting and decrypting. Encryption and
decryption basically are converting a piece of plain text, in our example Hello there, to a so-called ciphertext. A
ciphertext cannot be read unless you know the encryption/decryption algorithm.
Encryption algorithms
Based on the algorithm used, you get a different ciphertext for the same input. There are a variety of different encryption algorithms available. Some safe, some not so.
Given our example conversation between John and Jane. Let's say their chat service uses the algorithm aes256 to
encrypt
and decrypt messages. If we input Hello there into the algorithm, we get back vn3KVjdxdNYU9jzDO6m0VQ==. That is the
piece of text that leaves Johns device and enters Janes'. Janes device should then decrypt it back to Hello there.
However, it isn't safe if all inputs resolve to the same output, is it? That's why these encryption algorithms also take in a secret key. This is like a password that only the sender and the received of the message should know. Only using that key, the message can be decrypted successfully.
For example, if you encrypt Hello there using aes256 and secret key test1, you get: nqS9vnWeQNTR1lv1nDEb6Q==. But
if you encrypt Hello there with secret key test2, you get: xXOdKNvgJRKjZDt6OjX1Aw==. As you can see, the outputs
are different. If you try to decrypt a message with the wrong secret key, it won't work.
As you can imagine, it is important that only the sender and receiver know this secret and that it doesn't leave their device. If the chat service also knows the secret, they can read along. Which isn't what you want.
Public-key cryptography
So, the challenge that remains is, how do the sender and receiver exchange the secret? Luckily there's a solution for that: public-key cryptography. This is the process of exchanging encryption keys securely. So, how does this work then?
Both Johns and Janes device must generate two keys: a so-called public and private key. It is important that their own private keys remain on their device, no one else can know it. The public key, on the other hand, can be exchanged freely, thus John and Jane can get each other's public key. When John and Jane send a message to each other, the public key of the recipient must be used to encrypt the message. That message can then only be decrypted using the private key of the recipient. Since the private key isn't shared, the recipient is the only one that can decrypt and read the message.
How safe is end-to-end encryption really?
Weaknesses
So, in general, when implemented properly, E2EE is extremely safe. However, there remain some weaknesses, for example when:
- Using an unsafe encryption algorithm: As slightly mentioned earlier, not all algorithms are safe. If the algorithm that is used has flaws or vulnerabilities, the security gets weakened.
- Device of sender or receiver gets compromised: The devices of the recipient and sender contain unencrypted messages. Unauthorized access would then compromise your private messages, like malware on your device.
- Private keys get compromised: As stated earlier, your private keys need to remain private, as the name implies. If your private keys get leaked, your encrypted messages can be decrypted.
- Metadata gets leaked: When sending a message, the message itself is not the only thing that's being sent. The service needs to know who the message comes from and where it goes. And usually, it also adds a timestamp. Information like this is metadata and isn't always encrypted. For example, the receivers address cannot be encrypted because the service won't know where the message must go to. If metadata gets leaked, one might find out who's messaging who.
Open-source vs. closed-source
But how can you be sure that the service that you use doesn't fall for these weaknesses? If a service claims to use end-to-end encryption, can you blindly trust it? This is a concern a lot of people have.
That's why some people prefer to use open-source software when looking for a E2EE messaging service. That way, the source-code can be reviewed. This is a huge advantage.
But not all services are open source. In that case you must build on trust. However, some services have their code audited and assessed by third parties auditors. This increases the extent to which you can trust the service.
What services use it?
Here are some notables services that use end-to-end encryption:
- Signal ( messaging app)
- WhatsApp (messaging app)
- Telegram (messaging app)
- ProtonMail (e-mail service)
At the moment of writing this, Twitter is rolling out its end-to-end encryption support for direct messages.
With this feature, direct messages can be encrypted: "when it comes to Direct Messages, the standard should be, if someone puts a gun to our heads, we still can't access your messages". Unfortunately, it isn't available to all users ( yet).
Conclusion
End-to-end encryption (E2EE) is a security measure that makes sure that messages between the sender and recipient can only be read by them. This is done using encryption techniques. The main benefit is that it protects against unauthorized access, interception, and surveillance. Thus, it increases your privacy.
