End-to-End encryption (E2EE) is an application of asymmetric encryption systems. This means that in a communication, only the recipient and the sender, its two ends, can decrypt and read the data.
That means to no party in the middle of a conversation could actually access it.
This system is very common and it is employed by major instant messaging providers to protect the coms and the privacy of users. E2EE leaves data encrypted in the servers and there is no way, even for servers’ owners themselves, to access the stored data. Theoretically, only the parties involved in the conversations could read them.
E2EE, and mathematicians behind it, have literally created an invincible box, then. Most E2EE protocols can also authenticate a communication.
However, should people rely on E2EE only to secure their communications?
Read more on our blog below!
How does E2EE work?
As mentioned above, EE2E is a specialized form of asymmetric encryption system also known as public-key cryptography.
The following instance outlines how EE2E works. Take a sender, Alice, and a recipient, Bob. When Alice sends a message to BoB, Alice uses the key stored in her device to encrypt it. Bob uses his to decrypt it. Bob’s decryption key is stored in his device.
This example well describes the main security feature of EE2E: it protects the conversation in its way from the sender to recipient. Thus, it secures its transit. No third party in the middle between Bob and Alice can read the conversation if unauthorized.
What are the security limitations of E2EE?
EE2E guarantees the protection of data transit – may it be a communication or an exchange of any data. However, it does not protect the actual device where the decryption keys are stored.
If an attacker manages to break into Bob’s device, he or she will gain access to Bob’s keys. Also, most devices such as smartphones keep data in plain text. Once in, an intruder may see them with no additional effort.
Unencrypted backups are another pitfall of E2EE. Most online backup services are unencrypted and storing their data means exposing them.
Thus, E2EE doesn’t protect communication on endpoints.
In conclusion, the reader is warned that E2EE -though useful – cannot guarantee full security.
E2EE only guarantees that the transit of data is safe. Current computational power does not allow the brute force of any encrypted communication in a reasonable time.
If devices, backups, and so on are not secured, attackers may have access to data.
Is there a point in doing efforts in securing the exchange of information if the actual ends of a communication or the storage itself are not safe?
In any case and regardless of the answer, full security cannot be achieved. Awareness then plays a critical role. Identifying threats and vulnerabilities and mitigate them may improve resilience.