End-to-End Encryption - How It Works, and Why We Need It?

End-to-end encryption (E2EE) is a form of secure communication to prevent snooping or unauthorized access of third parties during data transfer from one end system to another. In E2EE, the data going through the sender's system is encrypted and can only be decrypted by the recipient. During the transfer phase, no one can access or tamper with the data, including the Internet service provider (ISP), application service provider, third parties, or hackers.

The E2EE method is seen in various messaging services, including WhatsApp, Facebook Messenger, and zoom.

Basics about Encryption

Before we learn about end-to-end encryption, let's know about the basics.

In simple words, encryption is like scrambling data so that no one can read it. Only the person with authority to decrypt the data can read it. Even if the data fall into the wrong hands, without the decryption key, they cannot read, copy, share, delete or modify it.

Encryption is a topic that has been discussed previously. Your devices use the encryption process several times daily, especially when sending a message, email, or opening a website. For instance, whenever you make a transaction or log in to a website, the communication between you and the website is encrypted. Your network operator, ISP, or anyone else cannot see it. This is how no one can access your password, banking or credit card details, or any other sensitive details.

Even the Wi-Fi you use comes with encryption, and your neighbors cannot use your internet. Modern devices such as Android phones, iPhones, iPods, Chromebooks, and Windows PC or laptops store the encrypted form of password in the local drive that only gets decrypted by entering the actual PIN or password.

How does End-to-End Encryption Work?

As discussed above, only the receiver and the sender can see the messages exchanged. Specific cryptographic keys are used to encrypt and decrypt the messages.

In encryption, both public (can be shared with others) and private keys. When transmitted, anyone with the public key can encrypt a message and send it to the owner, and the message can only be decrypted by the owner of the decryption key (private key).

Let's Understand it Better with an Example

Let's assume Alex wants to say "Hello" to "Cathy" in a message. Cathy has public and private keys, part of encryption keys in this context. You can share the public key with anyone, but you cannot share the private key of Catchy.

When sending "hello" or any other message, first, Alex will use his public key of Cathy to encrypt the message. This will turn "hello" into a ciphertext, which means scrambling or turning the text into random characters.

Now the encrypted message will go over the public internet. While it transfers from Alex to Cathy, it will pass through multiple servers, including ISP, email service provider, etc.

If companies or parties try to read or share the text with others, they can't do so. This is because they have to convert the ciphertext into plain readable text, but only Cathy can decrypt the key when it lands in her inbox.

Cathy is the only person having the private key. If Cathy wants to reply, she has to repeat the same process, i.e., encrypting the message using Alex's public key.

When two parties exchange communication in online communications, it always goes through an intermediary. The intermediary could be anyone, the ISP provider, a Telecommunication Company, or any other organizations such as Google, Meta, Apple,etc.

The critical public infrastructure in end-to-end encryption ensures that the intermediary cannot snoop or eavesdrop on the messages you send to someone.

However, not all apps claim E2EE is that safe. This is because when you use messages from service providers like WhatsApp, Facebook Messenger, and iMessenger, they have the decryption key.

For instance, if you use a Google messenger app, Google holds the keys. That means Google can see your data, including emails, files, calendars, etc.; if some rogue Google employee wants to snoop on it, they could.

However, Google claims they have implemented better protection against rogue engineers accessing users' data. Not only Google but even iMessage and WhatsApp also are only partially secure. When you have backup enabled in your phone, your messages are encrypted and backed up to iCloud or WhatsApp servers, and these companies receive a copy of the key used to encrypt the backup.

Why End-to-End Encryption Matters?

End-to-end encryption is not only about communications and offers much more than privacy. It gives you confidence while communicating your personal and sensitive information as financial details, medical documents, business documents, intimate conversations, legal proceedings, etc.

It's not all about chat apps. E2EE can be applied to other services with the key to decrypt the data. For example, you can also encrypt your email; however, you need to configure it with PGP encrypting or using a built-in service like ProtonMail. Similarly, many password manager apps are secured by the E2EE protocol. This means you can store your passwords safely in the password vault without letting third parties or companies snoop through your data.

Another excellent example of E2EE is the file storage system via the cloud. No one can read or access if you store or sync sensitive files in the cloud. This is far safer than simply dragging and dumping them in conventional cloud storage like google drive, MS OneDrive, Dropbox, etc.

End-to-end Protects Against

Lurking eyes − E2EE keeps your data safe from prying eyes so that only the sender and the recipient can decrypt the message.

Tampering − E2EE protects against message tampering by encrypting the messages. No one can alter the message. The messages without the decryption keys look like jumbled and scrambled letters.

Conclusion

E2EE does not conceal the date and time of the message, so one can try to intercept the information using metadata. Hackers can execute man-in-the-middle attacks and hack one endpoint to access the message. There are various ways to identify potential weaknesses in the encryption scheme. You must remain alert and take extra precautions while communicating sensitive information.