What Is End-to-End Encryption & Why Does It Matter?
Imagine going to the bank to deposit $300, but instead of handing it straight to the banker, you pass through the hands of three random strangers first. Yes, you put it in an envelope, but you didn’t actually seal the envelope.
This means anyone who touches the money could take it out and use it before it reaches the banker. Moreover, the deposit slip with your account number and other banking information is in the envelope. Now you have a second set of issues to contend with.
Encryption that isn’t end-to-end (E2E) puts you in exactly this type of situation, and we’re about to tell you why. Read on to learn how E2E encryption works, why it’s important, and anything else you may want to know about this ultra-secure form of encryption.
Want to make sure all your data is as secure as possible? PIA VPN uses powerful encryption to protect all the traffic that leaves your device. When you connect to a VPN server, PIA encrypts all your data using sophisticated protocols like AES and WireGuard®, so no-one can see what you’re up to online.
Glossary of Encryption Terms
Algorithm — A sequence of rules that help computers perform calculations and process data. Asymmetric encryption — Encryption method that requires the sender and receiver to use two different keys, one to encrypt the text and a different one to decrypt the text. Cipher — An algorithm for encrypting and decrypting data, also called code. Ciphertext — Standard text (plaintext) scrambled using encryption algorithms. Cryptography — The process of writing or breaking codes. Decryption — A process that returns text to its original form after it has been encrypted. Encryption — A process using mathematical algorithms to scramble text and make it unreadable to anyone who doesn’t possess the required key. Plaintext — Standard text in its raw form, before it’s encrypted. Protocol — Sets of rules for transferring data between electronic devices. Public key — A numerical value used to encrypt or decrypt data on a specific device. Both devices involved in the transmission use a public key. Private key — A numerical value that decrypts data on a specific device. Only the recipient device holds the private key. String — A sequence of characters including symbols, numbers, spaces, and letters, that’s used for programming. Symmetric encryption — Encryption method that requires the sender and receiver to use one key to both encrypt and decrypt text.
A Brief History of Encryption
The earliest known use of cryptography was found in an Egyptian tomb dating back to 1900 BC. While it isn’t the cryptography used as the basis for encryption today, it was a method of transforming words into symbols — something that needed to be deciphered before it could be read fully.
So, what exactly is encryption? Encryption is a process used to convert plaintext (e.g. the text you type into documents) into ciphertext (encoded text) using specific algorithms. This text can’t be decrypted without the proper decryption cipher (key). Encryption keys are made up of bits (information strings) and are used by cryptographic algorithms like AES or DES to encrypt and decrypt data.
The concept of modern encryption started in the 1970s, as IBM formed the ‘crypto group’ as a way to protect its customers’ personal information using a block cipher. The US then adopted this ‘crypto group’ as the national Data Encryption Standard (DES) to secure government documents. This standard was kept in place until 1997 when DES was cracked and therefore no longer the strongest available form of encryption.
Phil Zimmermann, a computer scientist and cryptologist, created Pretty Good Privacy (PGP), which many tech professionals view as the unofficial birth of E2E. PGP became one of the most popular forms of email encryption software and is still in use today. Zimmermann also made notable contributions to Voice over Internet Protocol (VoIP), creating the Zfone protocol.
The 1990s saw the creation of safer transfer protocols, including Secure Socket Layer (SSL) in 1995 and Transport Layer Security (TLS) in 1999. Both of these protocols are used for securing information transmissions over network connections.
At the turn of the new millennium, the Advanced Encryption Standard (AES) replaced DES as the national standard. In 2013, Edward Snowden’s revelations about how much data the government collected daily from US citizens spurred the need for secure online data transfers. Using some of PGP’s concepts, E2E encryption was born.
💡 Did You Know?
Cryptography comes from the Greek words kryptos (hidden) and graphein (word).
What Is End-to-End Encryption?
If you want to send files or messages in complete secrecy, you’ll need to use end-to-end encryption (E2EE). This form of encryption uses asymmetric (or public key) encryption, so the key is never sent through an unsecured channel.
While many forms of encryption use the same public key to encrypt and decrypt data, E2EE requires two keys for decryption. In addition to the public key which is used to encrypt the data on each device, a private key is required to decrypt the data once it reaches the intended recipient.
The Process of Creating E2EE
Step 1: Public and private keys are generated for each device.
Step 2: Both devices being used exchange public keys.
Step 3: The public keys are used to encrypt the data to be sent.
Step 4: The receipt gets the data and it’s decrypted using the private key.
(An integrity check may be performed to verify data after the last step.)
Even if a third party intercepts the message in transit, they wouldn’t be able to decrypt the data because it can only be unlocked with a private key. If they opened the file, third parties would see the encrypted data, but it would be completely unreadable — think alphabet soup straight out of the can, only with added symbols and punctuation.
| E2E Encryption vs Other Popular Forms of Encryption |
|---|
| E2EE vs Point-to-Point Encryption (P2PE) E2E encrypts and decrypts your data only once at the endpoint, while P2PE allows encryption and decryption to occur at multiple points. |
| E2EE vs Transport Layer Security (TLS) Only the sender and the recipient can see the data because it requires both a public (encryption) and private (decryption) key. TLS only encrypts data between web browsers and pages, so your ISP can still see data stored in plaintext at the website server’s endpoint. |
| E2EE vs Link Encryption
When you use E2E, encryption happens on the sender’s end and the data is only decrypted at the endpoint. Link encryption happens at the starting point, but then the data is decrypted and re-encrypted multiple times before reaching the endpoint.
|
| E2EE vs Data at Rest Encryption (DARE)
E2E keeps your data encrypted in transit and only decrypts the data once it reaches the intended recipient. DARE encrypts data when it is already at rest on a database, backup device, or server; it provides no protection when the data is in transit.
|
Advantages of E2E Encryption
E2E encryption has multiple advantages when protecting sensitive data like personal information. This form of encryption is used in all industries where protecting data integrity and security is a must, including healthcare, finance, e-commerce, and communications.
Some messaging services like Facebook Messenger and WhatsApp even offer it to users to secure their private chats. Some of the primary benefits of E2E include the following:
- Messages sent with E2E encryption can’t be tampered with during transit
- Only the sender and the intended recipient can view the message
- Your ISP has no part in the encryption process so they never see the plaintext
- Government or law enforcement agencies who request data from your ISP will see it in its encrypted form, which is unreadable and thereby unusable
💡 Did You Know?
Cryptography is the science of hiding a message using a secret code, while encryption is a way to encrypt and decrypt data. Without cryptography, which studies ways to privatize messages between parties, the process of encryption wouldn’t be possible.
Disadvantages of E2E
That doesn’t mean E2E encryption is flawless. Services that provide E2E encryption may create backdoors (ways around a system’s security measures) to give the service access to data that’s been encrypted. Many claim it helps them track scams, prevent illegal activity, and meet legal requirements, but it only weakens encryption and violates privacy. Any service using a backdoor isn’t providing true E2E encryption. Here are a few other disadvantages of E2E to consider:
- The server that your message travels through can’t decipher the message, but it can see the date, time, recipient, and size of the message, so some metadata is exposed
- E2E can’t protect your data if your device is stolen or infected with malware
- Once the message reaches its destination, it’s decrypted forever
Services hide their true encryption practices in their terms of service and privacy policies, so a careful read can help you determine if they’re using true E2E encryption.
VPNs vs E2E Encryption — Do I Need Both?
Well, the two provide different services. When you download a VPN, your ISP will be able to see you’re using one, but it won’t be able to tell what sites you’re visiting or any other data about your online activity. A VPN also encrypts your data in transit between your device and the VPN server.
E2E encryption encrypts data in transit between the sender’s device and the receiver’s device. Even though your ISP and anyone else interested will be unable to decrypt the message itself, any other information like your location and the service you’re using to send the message is still visible. Essentially, a VPN provides added privacy for your overall connection, while E2E only protects the content of your messages.
Why E2EE Is So Important
If data is only encrypted once it reaches your provider’s server, is it doing you any good? What about every internet traffic stop it made along the way – can you assume they were all safe? The answer is a resounding no. Unfortunately, if you aren’t using E2E encryption, that’s exactly what can happen.
Many sites and services use symmetric encryption because it can be faster, and the public key can be sent with the data. Yes, symmetric encryption has its place. It’s faster than asymmetric encryption and consumes fewer network resources, so it’s popular for transmitting large amounts of data at once. However, when the key is sent with the transmission, there is a risk of someone intercepting it and decrypting your data.
AES encryption can be symmetric; making it asymmetric with E2E practices is what makes it private. Asymmetric encryption like E2E includes a public key for encryption and a private key for decryption that isn’t sent with the encrypted data, so it can’t be compromised. No one between the two devices can view the information because only the recipient has the private key.
✅ Pro Tip
Don’t be fooled by ‘convenient’ E2E solutions. Any service using an E2E process that sends the decryption (private) key with the encrypted file, document, or message is creating an opportunity for cybercriminals to intercept and decrypt the contents. It’s still considered E2E but it’s more like locking your car door, leaving the window open, and setting the keys on the dashboard when you go into the store.
Real-World Impact of Not Having E2EE
Data Transmissions Are Exposed
Many people confuse AES encryption with E2E, but one is an algorithm and the other is a process. E2E encryption uses the 256-bit AES encryption algorithm, requiring both a public and private key for access to data. If you use a service that offers AES but not E2E, you risk data exposure (though it’s important to note that AES is currently considered to be virtually unhackable).
AI Tools Have Access to Your Data
Using any smart tool could put your data at risk if it doesn’t provide E2E encryption. AI reads, analyzes, and improves your input, then uses it to perfect its services. Without the secure transmission E2E encryption provides, cybercriminals and anyone else who may compromise the servers these devices use have an opportunity to steal your sensitive information. This is because the public key is included with transmissions between devices.
Government Spying
Some government and law enforcement agencies don’t think using E2E is a good idea, claiming that it gives people too much privacy. Officials’ main concern is individuals performing illicit activities online, but they also don’t want to lose all the information they collect about average citizens.
With E2EE, no one can decrypt the data besides the sender and receiver. This makes spying virtually impossible, which is especially important when you think about massive data-sharing networks like the 14-Eyes Alliances.
Stolen Data
E2EE has taken data protection to an entirely new level, and paired with AES algorithms, protects your communications like Fort Knox. If E2E didn’t exist, there would be no way to ensure that your communications and files were truly private. Message, financial, and e-health services that don’t offer E2E are subject to data theft — including information you share with them, as well as their own. This means your sensitive healthcare information, banking details, and more could be stolen and used for malicious means like identity theft.
E2E Is the Most Protective Form of Encryption
E2E encryption isn’t ‘future-proof’, meaning technology (including encryption) is an ever-evolving beast. What’s secure today could be hackable next week. That said, E2E is currently the most secure form of encryption available to the public.
This is because the private key is never sent over any unsecured channel, so you never need to worry about it being intercepted. Ultimately, using apps and services that provide E2EE is the best route to take if you value your privacy.
