End-to-end encryption
End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers — including telecom providers, Internet providers, and even the provider of the communication service — from being able to access the cryptographic keys needed to decrypt the conversation.
End-to-end encryption is intended to prevent data being read or secretly modified, other than by the true sender and recipient(s). The messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves.
Because no third parties can decipher the data being communicated or stored, for example, companies that use end-to-end encryption are unable to hand over texts of their customers’ messages to the authorities.
E2EE and privacy.
It is important to note that E2EE does not equal privacy or security.
In many messaging systems, including email and many chat networks, messages pass through intermediaries and are stored by a third party, from which they are retrieved by the recipient. Even if the messages are encrypted, they are only encrypted ‘in transit’, and are thus accessible by the service provider, regardless of whether server-side disk encryption is used. Server-side disk encryption simply prevents unauthorized users from viewing this information, it does not prevent the company itself from viewing the information, as they have the key and can simply decrypt this data.
This allows the third party to provide search and other features, or to scan for illegal and unacceptable content, but also means they can be read and misused by anyone who has access to the stored messages on the third party system, whether this is by design or via a backdoor. This can be seen as a concern in many cases where privacy is very important, such as businesses whose reputation depends on their ability to protect third party data, negotiations and communications that are important enough to have a risk of targeted ‘hacking’ or surveillance, and where sensitive subjects such as health, and information about minors are involved.
Authentication
Most end-to-end encryption protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, one could rely on certification authorities or a web of trust. An alternative technique is to generate cryptographic hashes (fingerprints) based on the communicating users’ public keys or shared secret keys. The parties compare their fingerprints using an outside (out-of-band) communication channel that guarantees integrity and authenticity of communication (but not necessarily secrecy[citation needed]), before starting their conversation. If the fingerprints match, there is in theory, no man in the middle.
When displayed for human inspection, fingerprints usually use some form of Binary-to-text encoding[citation needed]. These strings are then formatted into groups of characters for readability. Some clients instead display a natural language representation of the fingerprint. As the approach consists of a one-to-one mapping between fingerprint blocks and words, there is no loss in entropy. The protocol may choose to display words in the user’s native (system) language. This can, however, make cross-language comparisons prone to errors.
In order to improve localization, some protocols have chosen to display fingerprints as base 10 strings instead of more error prone hexadecimal or natural language strings. An example of the base 10 fingerprint (called safety number in Signal and security code in WhatsApp) would be
37345 35585 86758 07668
05805 48714 98975 19432
47272 72741 60915 64451Endpoint security
The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves. Each user’s computer can still be hacked to steal his or her cryptographic key (to create a MITM attack) or simply read the recipients’ decrypted messages both in real time and from log files. Even the most perfectly encrypted communication pipe is only as secure as the mailbox on the other end. Major attempts to increase endpoint security have been to isolate key generation, storage and cryptographic operations to a smart card such as Google’s Project Vault. However, since plaintext input and output are still visible to the host system, malware can monitor conversations in real time. A more robust approach is to isolate all sensitive data to a fully air gapped computer.
However, as Bruce Schneier points out, Stuxnet developed by US and Israel successfully jumped air gap and reached Natanz nuclear plant’s network in Iran. To deal with key exfiltration with malware, one approach is to split the Trusted Computing Base behind two unidirectionally connected computers that prevent either insertion of malware, or exfiltration of sensitive data with inserted malware.
Compliance and regulatory requirements for content inspection
While E2EE can offer privacy benefits that make it desirable in consumer-grade services, many businesses have to balance these benefits with their regulatory requirements. For example, many organizations are subject to mandates that require them to be able to decrypt any communication between their employees or between their employees and third parties. This might be needed for archival purposes, for inspection by Data Loss Prevention (DLP) systems, for litigation-related eDiscovery or for detection of malware and other threats in the data streams. For this reason, some enterprise-focused communications and information protection systems might implement encryption in a way that ensures all transmissions are encrypted with the encryption being terminated at their internal systems (on-premises or cloud-based) so can have access to the information for inspection and processing.
cyber security
Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. … A compromised application could provide access to the data its designed to protect.
career in cyber security:
Refer guvi for more details about cyber security .
