Explain Like I’m 5: End-to-end Encryption
All the aspects of our lives relocate online ― we’re blogging, instagramming, posting, facebooking, and messaging. We’re communicating and transferring our data using the Internet. Some parts of our communication are open to everyone and there is something we’d like to keep between ourselves and the recipients.
The more we’d like to keep our data safe and private, the more value it holds for someone trying to steal it, and the more effort will be put into coming up with technologies to steal it by the bad guys. The data can be turned into something unreadable with the help of passwords and ciphers, but even the strongest cipher is either known to at least two parties, or sooner or later it will get mechanically broken.
With the advancement of the modern technologies “sooner” is much sooner than one would think. A quote from the Queen of Hearts from Alice in Wonderland comes into mind as we must run as fast as we can security-wise just to keep our communication confidential. Something more advanced was needed and here is where the end-to-end encryption enters the picture.
End-to-end encryption
End-to-end encryption (often shortened to E2EE) means that only you and the person you’ve sent the message to can actually read it. It is a secure communication between you (one “end”) and your opponent (the other “end”). It was created as a means of communication that keeps eavesdroppers out of a conversation. Even if the data is somehow intercepted on the way from one “end” to another “end”, it will make no sense to the eavesdropper (usually referred to as “man-in-the-middle” or MITM) because it is encrypted.
A good example for explaining the E2EE communication and encryption would be the snail-mail.
Unencrypted data transmission: If you take a postcard, sign and stamp it, then put it inside a mailbox and that would be like sending out your data unencrypted. A seemingly reliable communication channel, if it is not encrypted, is a magnet for threats and those willing to get the information that’s being sent and received by the parties. For example, postal workers might read your postcard (accidentally or with malicious intent).
However, just hoping that no one can intercept your message is not enough. To make the communication secure, the message needs to be encrypted. Encryption allows making your communication trusted and confidential.
End-to-end encryption messaging: Let’s say, you seal the postcard/letter in an envelope* (“encrypting” the data inside because ideally one wouldn’t be able to read the contents of the letter unless the envelope is torn) and send it to the recipient. Then the recipient opens the letter (“decrypting” it in the process) and reads it. Again, ideally the letter is also destroyed after it is read by the intended recipient to make it a truly E2EE transmission of data.
In the digital world, you and your computer or phone (or any other device capable of transmitting data) are at the one “end” and the recipient with his/her device is at the other “end”, with a server between you. The data is encrypted (turned from something that can be easily read by anyone into something that can only be read by someone who knows the password(s)) on one device, and it then can be decrypted (turned from something that cannot be read without the corresponding password(s) into something that can be easily read by the recipient without further transformations) on the recipient’s device. If the sides in the conversation are secure, they trust each other. This is called end-to-end trust.
The end-to-end encrypted systems are secure systems that connect users while granting privacy and taking out the risk that someone might step in and “overhear” the communication. Zero Knowledge systems are using E2EE as the basis for their functioning ― to provide their users with confidentiality, integrity, and availability (these 3 qualities are often referred to as the “CIA triad”, a punny acronym hinting at intelligence services that are the first ones to be after the confidential data belonging to someone).
But, could it be that such precautions are a little bit too much? Why encrypting everything?
“Encryption keeps you safe. Encryption protects your financial details and passwords when you bank online. It protects your cell phone conversations from eavesdroppers. If you encrypt your laptop, and I hope you do, it protects your data if your computer is stolen. “ ― Bruce Schneier, renowned security technologist on the importance of strong encryption and security
Wait, does this all mean that now you need to install all kinds of esoteric encryption software to be able to communicate over the Internet without feeling being watched over your shoulder?
You are already using end-to-end encryption every day
During an E2EE process, the server that sends the encrypted data between the one “end” and the other “end” in the conversation is unable to decrypt and read the information it transfers. Even the companies that own the servers cannot access that information because it is not stored there and only the “ends” in the conversation have the means of decrypting the data. What kind of companies? Those you’re already very familiar with.
When it comes to E2E communication over the Internet, the best example would be messengers like WhatsApp, iMessage, and Signal (in which E2EE is turned on by default) or Telegram, Allo, and Facebook’s Secret Conversation where E2EE is enabled by a special switch.
What’s interesting ― providers of E2EE means of communication don’t ask you to trust them. The fact that their servers can be hacked into doesn’t change anything as the transferred data is encrypted and can only be read by the actual sender and the recipient, which currently makes some institutions very angry. The WhatsApp encryption is a particularly infamous example from this list as various governments repeatedly ask for a backdoor to be introduced into the system for the communication to be selectively decrypted for certain persons who are deemed to be suspicious by the officials.
However, end to end encryption apps that hold a backdoor automatically become unreliable because there is no such technology available to humans that will make the decrypted data available only to those pure of mind and heart 😈.
Summary
While it is perfectly clear why a letter is better off being sent sealed in an envelope, sending our personal data over unencrypted channels is somehow still deemed to be perfectly normal.
Communicating through open channels leaves many ways for malicious eavesdroppers to intercept or even alter the messages you’re sending between the “ends” in the communication. Which is why the number of properly encrypted end-to-end systems will grow and increase, integrating into our daily lives. Most people won’t notice that though.
The ways to protect the E2EE communication will also diversify. The future of communication is going to be interesting.
P.S. If you feel naked the next time you need to send out your message through an unencrypted channel or if you refrain from carrying out a monetary transaction on an insecure website, this article wasn’t written in vain.
P.P.S. * Of course we know that encryption works in a more complicated manner than just putting a letter into an envelope, but try to explain it to a real 5 year old child!:)
P.P.P.S. To learn more about the basics of protecting your data and identity online, check out our article “Before you resort to a tin foil hat” on Medium.
Got something to add? We’d love to hear from you! Please reach out to us via info@cossacklabs.com or @cossacklabs.
