Introduction

The nature of our current digital communications is such that you rarely communicate directly with your peers. It appears that you and your friends are exchanging messages privately when, in reality, they are recorded and stored on a central server.

You may not want your messages to be read by the server that is responsible for transmitting them between you and the recipient. In this case, end-to-end encryption (or more simply, E2EE) may be the solution for you.

End-to-end encryption is a method of encrypting communications between the receiver and the sender, so that they are the only parties who can decrypt the data. Its origins could be traced back to the 1990s, when Phil Zimmerman published Pretty Good Privacy (better known as PGP).

Before we understand why you might want to use E2EE and how it works, let's see how unencrypted messages work.

How do unencrypted messages work?

Let's see how a regular smartphone messaging platform might work. You install the app and create an account, which allows you to communicate with others who have done the same. You write a message and enter your friend's username, then post it to a central server. The server sees that you addressed the message to your friend, so it forwards it to the recipient.

Communication entre les utilisateurs A et B. Ils doivent faire passer les données par le serveur (S) pour se joindre.

Communication between users A and B. They need to pass data through the server (S) to join.


You may know this model as a client-server model. The client (your phone) doesn't do much, but the server does most of the work. But this also means that the service provider acts as an intermediary between you and the receiver.

Most of the time, the data between A<>S and S<>B of the diagram is encrypted. One example is Transport Layer Security (TLS), which is widely used to secure connections between clients and servers.

TLS and similar security solutions prevent anyone from intercepting the message as it passes from client to server. Although these measures may prevent outsiders from accessing the data, the server can still read it. This is where encryption comes in. If the data from A has been encrypted with a cryptographic key belonging to B, the server cannot read or access it.

Without E2EE methods, the server can store the information in a database with millions of others. As large-scale data breaches have proven time and time again, this can have disastrous consequences for end users.

How does end-to-end encryption work?

End-to-end encryption ensures that no one, not even the server that connects you to others, can access your communications. The communications in question may be plain text, emails, files, or video calls.

Data is encrypted in applications such as Whatsapp, Signal or Google Duo (in principle) so that only senders and recipients can decrypt it. In end-to-end encryption schemes, you can start this process with what's called a key exchange.

What is a Diffie-Hellman key exchange?

The idea of ​​Diffie-Hellman key exchange was conceived by cryptographers Whitfield Diffie, Martin Hellman and Ralph Merkle. It is a powerful technique that allows parties to generate a shared secret in a potentially hostile environment.

In other words, the creation of the key can be done on insecure forums (even under the gaze of observers) without compromising the resulting messages. In the information age, this aspect is particularly valuable because parties do not need to physically exchange keys to communicate.

The exchange itself involves big numbers and crypto magic. We won't go into details. Instead, we'll use the popular paint color analogy. Suppose Alice and Bob are in separate hotel rooms at opposite ends of a hallway, and they want to share a particular color of paint. They don't want anyone else to find out what it is.

Unfortunately, the floor is full of spies. Let's assume Alice and Bob can't enter each other's rooms in this example, so they can only interact in the hallway. What they could do is agree on a common paint in the hallway, say, yellow. They take a can of this yellow paint, share it between them and return to their respective rooms.

In their rooms, they will mix yellow with a secret paint, a paint that no one knows. Alice uses a shade of blue, and Bob a shade of red. Spies cannot see the secret colors they use. They will, however, see the resulting mixtures, as Alice and Bob now emerge from their room with their blue-yellow and red-yellow concoctions.

They exchange these mixtures in public. It doesn't matter if the spies see them now, because they won't be able to determine the precise shade of the added colors. Remember, this is just an analogy: the real math behind this system makes it even harder to guess the secret “color.”

Alice takes Bob's mixture, Bob takes Alice's, and they return to their room. Now they add their secret colors.

  • Alice combines her secret shade of blue with Bob's red-yellow mixture, resulting in a red-yellow-blue mixture.

  • Bob combines his secret shades of red with Alice's blue-yellow mixture, resulting in a blue-yellow-red mixture.

Both suits have the same colors, so they must be identical. Alice and Bob managed to create a unique color that the opponents do not know.

Les deux combinaisons comportent les mêmes couleurs, elles doivent donc être identiques. Alice et Bob ont créé avec succès une couleur unique que les adversaires ne connaissent pas.

So this is the principle that we can use to create a shared secret out in the open. The difference is that we are not faced with corridors and painting, but with insecure communications channels, public keys and private keys.

Exchange messages

Once the parties have shared their secret, they can use it as the basis for a symmetric encryption scheme. Popular implementations usually incorporate additional techniques for more robust security, but all of this is abstract to the user. Once you connect with a friend on an E2EE app, encryption and decryption can only happen on your devices (unless there is a major software vulnerability).

It doesn't matter if you are a hacker, the service provider or even law enforcement. If the service is truly end-to-end encrypted, any message you intercept will be incomprehensible.

The pros and cons of end-to-end encryption

Disadvantages of end-to-end encryption

End-to-end encryption only has one downside, and whether it's a downside depends entirely on your perspective. For some, the value proposition of E2EE is problematic, precisely because no one can access your messages without the corresponding key.

Offenders say criminals can use E2EE safely, knowing that governments and tech companies cannot decrypt their communications. They think there is no need to protect their messages and phone calls from the law. This sentiment is shared by many politicians who support legislation to open back doors in systems to allow them access to communications. Of course, this would defeat the purpose of end-to-end encryption.

It should be noted that applications that use E2EE are not 100% secure. Messages are hidden when relayed from one device to another, but they are visible on endpoints, i.e. laptops or smartphones at either end. This isn't a downside of end-to-end encryption, but it's worth keeping in mind.

Le message est visible en texte brut avant et après déchiffrement.

The message is visible in plain text before and after decryption.

E2EE ensures that no one can read your data while it is in transit. But other threats exist:

  • Your device could be stolen: if you don't have a PIN code or if the attacker bypasses it, they can have access to your messages.

  • Your device could be compromised: your machine could be equipped with malware that spies on information before and after it is sent.

Another risk is that someone could come between you and your counterpart by mounting a man-in-the-middle attack. This would happen at the start of the communication. If you do a key exchange, you don't know that it's really an exchange with your friend. You could unknowingly establish a secret with an attacker. The attacker then receives your messages and has the key to decrypt them. They can trick your friend in the same way, that is, they can relay messages and read or modify them as they wish.

To get around this problem, many apps include a security code feature. This is a string of numbers or QR code that you can share with your contacts via a secure channel (ideally offline). If the numbers match, you can be sure that a third party is not spying on your communications.

Benefits of end-to-end encryption

In a configuration without any of the previously mentioned vulnerabilities, C2BEB is undoubtedly a very valuable resource for increased privacy and security. Like onion routing, it is a technology advocated by privacy activists around the world. It's also easy to integrate into apps that look like the ones we're used to, meaning the technology is accessible to anyone capable of using a cell phone.

It would be a mistake to view E2EE as a mechanism useful only for criminals and whistleblowers. Even companies that appeared secure turned out to be susceptible to cyberattacks, exposing unencrypted user information to malicious parties. Access to user data such as sensitive communications or identity documents can have catastrophic impacts on individuals' lives.

If a company whose users rely on E2EE is hacked, hackers cannot extract meaningful information about message content (provided the encryption implementation is robust). At best, hackers will be able to get their hands on metadata. This is still concerning from a privacy perspective, but it is an improvement over access to the encrypted message.


Conclusion

In addition to the apps mentioned previously, there are a growing number of E2EE tools available for free. Apple's iMessage and Google's Duo come with the iOS and Android operating systems, and other privacy- and security-conscious software continues to emerge.

Let us repeat that end-to-end encryption is not a magic barrier against all forms of cyberattacks. However, with little effort, you can actively use it to massively reduce the risk you expose yourself to online.

Disclaimer and Risk Warning: This content is presented to you “as is” for general information and educational purposes only, without representation or warranty of any kind. It should not be construed as financial, legal or professional advice, nor as a means of recommending the purchase of a specific product or service. You should seek advice from appropriate professionals before making any decisions. Where the article was written by a third-party contributor, please note that the opinions in the article do not necessarily reflect those of Binance Academy. Please read our full disclaimer here to find out more. Prices of digital assets can be volatile. The value of your investment may go down as well as up and you may not get back the amount you invested. You are solely responsible for your investment decisions and Binance Academy is not responsible for any losses you may incur. This content should not be construed as financial, legal, or professional advice. For more information, please refer to our Terms of Use and Risk Warning.