End-to-end Encryption (E2EE) Demystified: What it does and does not protect
These days, more than ever before, the average person is concerned with the security and privacy of their data. With hundreds of millions of people having been impacted in dozens of high-profile data breaches over the last few years, personal data privacy is top of mind. So it comes as no surprise that companies that hold personal data are continuously looking for better ways to keep it secure and private. As recently as a few weeks ago we saw massive data breaches such as the WhatsApp breach and multiple LastPass breaches, which impacted millions of consumers and led customers to seek a better understanding of encryption technologies, including end-to-end encryption.
What is End-to-End encryption (E2EE)?
Before we get into End-to-End encryption, let us start by looking at the basics of encryption itself. Encryption is a data transformation technique that combines data with an external string (a key) to turn it into ciphertext that is unusable to anyone who does not have access to the key.
How does End-to-End encryption work?
End-to-End Encryption (E2EE) refers to the process by which data is encrypted before it leaves the data owner and remains encrypted until it is retrieved by the data owner. During the time that it is not being used by the data owner, this data can travel across networks and be stored with third parties, all the while remaining securely encrypted. End-to-end encryption generally also guarantees that the data owner is the holder of the encryption key, so that they and only they have the capability to decrypt the data. This means that end-to-end encrypted data cannot be decrypted or read by the service or storage provider.
How secure is End-to-End encryption?
End-to-end encryption (E2EE) is an excellent idea. Its success, however, depends on two factors:
- How well the keys are secured, and whether they are truly unavailable to anybody other than the data owner.
- What portion of the data is actually secured using End-to-end encryption (E2EE), and what data does not fall under E2EE.
Let’s examine both of these ideas in a bit more detail:
Are End-to-End encryption keys housed safely?
Securing encryption keys in an E2EE model is critical to its security. These days encryption keys for E2EE for many implementations are securely housed on the device itself. For example, when E2EE is implemented on a mobile device, a common method of securing keys is in a secure enclave on the device. This ensures that keys cannot be retrieved by tampering with the device.
If keys are not secured then the value of the encryption is diminished since attackers can intercept the data stream and use the keys to decrypt and obtain the underlying original data.
Is all data secured using End-to-End encryption (E2EE)? What about Metadata?
Generally, there are two types of data that travel from the data owner to the data service provider. The first is what we might call a “message” and the second would be what we would call “metadata” which is data about the message.
Let us take the example of a message being sent from a mobile device where the user expects data security via E2EE. In this type of scenario the sum total of what is sent across consists of more than just the actual message itself. For the messaging workflow to be successfully executed, the message must take with it a lot of metadata. This metadata includes information about the sender, the recipient, message attributes such as size and type, information about the device, service and so on. This metadata is needed by the messaging application and the supporting systems and infrastructure components to correctly route and deliver the message to the intended recipient. For this reason the metadata must be available to entities other than the sender and the recipient.
When E2EE is applied to this scenario, what is typically encrypted in this fashion is the message itself. The metadata components that are required for routing and delivery do not fall within the E2EE umbrella. This means that those can be read by entities along the way. It should be noted that the entire communication, including both the message and the metadata, would still be encrypted over the wire using data-in-transit encryption (TLS) and would be considered secure against interception over the network. This is not, however, the same thing as being end-to-end encrypted, starting from the end user device using keys controlled by the end user.
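To make the message/metadata split concrete, the following added example (not code from the original article) models what a service provider can read from E2EE traffic and what that metadata adds up to per sender. The field names, the sample traffic and the assumption that only `body` is end-to-end encrypted are illustrative; random bytes stand in for real ciphertext.

```python
import os
from collections import Counter, defaultdict

E2EE_FIELDS = {"body"}  # assumption: only the message body is end-to-end encrypted

def envelope(sender, recipient, sent_at, device, msg_type, plaintext):
    """Build one constructed envelope; random bytes stand in for real ciphertext."""
    return {"sender": sender, "recipient": recipient, "sent_at": sent_at,
            "device": device, "type": msg_type,
            "size": len(plaintext), "body": os.urandom(len(plaintext))}

def provider_view(env):
    """Fields readable by the provider, or by anyone who compromises the provider."""
    return {k: v for k, v in env.items() if k not in E2EE_FIELDS}

def exposure_report(envelopes):
    """Aggregate provider-visible metadata into what it reveals about each sender."""
    report = defaultdict(lambda: {"contacts": Counter(), "hours": Counter(),
                                  "devices": set(), "bytes": 0})
    for env in envelopes:
        meta = provider_view(env)          # the body never enters the report
        entry = report[meta["sender"]]
        entry["contacts"][meta["recipient"]] += 1           # who talks to whom
        entry["hours"][int(meta["sent_at"][11:13])] += 1    # when (UTC hour)
        entry["devices"].add(meta["device"])                # from which device
        entry["bytes"] += meta["size"]                      # how much
    return dict(report)

# Constructed sample traffic (names, times and devices are made up).
SAMPLE = [
    envelope("alice", "clinic", "2023-01-09T08:05:00Z", "Pixel 6", "text", b"appointment?"),
    envelope("alice", "clinic", "2023-01-09T08:40:00Z", "Pixel 6", "image", b"x" * 2048),
    envelope("alice", "bob", "2023-01-09T23:10:00Z", "Pixel 6", "text", b"home late"),
    envelope("bob", "alice", "2023-01-09T23:12:00Z", "iPhone 13", "text", b"ok"),
]

if __name__ == "__main__":
    for sender, facts in exposure_report(SAMPLE).items():
        print(sender, dict(facts["contacts"]), sorted(facts["hours"]),
              sorted(facts["devices"]), facts["bytes"])
```

Running the same report over a real envelope schema is a quick way to review which fields sit outside the E2EE boundary and whether each one is actually needed for routing and delivery.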
What are the advantages of End-to-End encryption? And what are the limitations of End-to-End encryption?
Bottom Line for end-to-end encryption
- End-to-end encryption (E2EE) is an important data security technique that ensures that data is encrypted at all times while outside the control of the data owner.
- E2EE ensures this security by encrypting data using a key that is always controlled by the data owner.
- However, when looking at E2EE one must remember that this level of security is only applicable to the portion of the data to which it has been applied. In many scenarios E2EE data is accompanied by data about the data (metadata).
- At times, metadata can contain personal data and sometimes multiple metadata items can be combined together to create sensitive data. To the extent that this is the case, E2EE could create a false sense of security.
- In recent months we have seen several massive data breaches that have resulted in the loss of personal data belonging to millions of people, from systems that deployed E2EE on portions of data.
Using encryption-in-use from Titaniam to overcome the gaps in E2EE?
Data-in-use encryption, also known as encryption-in-use, is a cutting-edge technique that allows querying and analytics on top of encrypted data without decryption. In the scenarios described above, this could enable data service providers to utilize metadata while keeping the metadata encrypted, thus shutting down the compromised service provider attack vector entirely.
Titaniam offers the industry’s most advanced data security platform that combines encryption-in-use along with nine traditional data security techniques as well as rich key management, to deliver unprecedented levels of data security and privacy across a wide variety of applications and data platforms in cloud, on-prem, hybrid and multi-cloud architectures.
With Titaniam in place, E2EE could better deliver on its promise and we can extend the power of encryption to the entire set of data that should be secured against cyberattacks.