The web is a very nasty place when the case is about security. There are always hackers waiting for the slightest chance of stealing sensitive info. People are making orders, banking, emailing, exchanging and a lot more online. These are very sensitive and personal data, requiring strong safety. The end-to-end encryption is a really strong solution. Now, researchers have developed a new, improved method to ensure that only the sender & the receiver reads the message.
The new research was carried out by Professor Mark Ryan at the University of Birmingham, Dr. Jiangshan Yu at the University of Luxembourg and Professor Cas Cremers at the University of Oxford. Heartbleed bug motivated this team to carry out further research on cryptography.
What is end-to-end encryption?
End-to-end encryption is very strong on its own. It encrypts a data in a way that only the sender and receiver will be able to decrypt the message. The data won’t be readable by telecom providers, ISPs (Internet Service Provider) or even the app provider!
The ultimate goal is to defeat any attempt of surveillance or tampering by any third party. Surveillance is a big issue in present days. The greatest example is the leaks by Edward Snowden, disclosing the activities of NSA – how dangerous surveillance could be. End-to-end encryption seems to be the perfect solution.
How end-to-end encryption works
In this system, only the sender and the receiver must know the unlocking key. That’s why end-to-end encryption system utilizes a pre-arranged string of symbols, named a pre-shared secret (PGP) or using a one-time key from such a pre-shared secret (DUKPT). In cases, both parties can negotiate using a secret key on-spot using the Diffie-Hellman key exchange.
Thus, the secret key is only known to 2 sides – no sneaking by any third party or surveillance service. The data is only decrypted at client devices.
New improvement
Even with the current end-to-end encryption, the data isn’t secured if the hacker compromises the client device. For example, according to Edward Snowden’s data leak, Microsoft allowed backdoor in their Skype app to deliver data to the NSA. Scientists are trying to fix this issue at the same time.
However, the newly improved system will force the attacker to leave a trace behind and notify the user(s) about the data breach. According to Dr. Yu, end-to-end encryption is really excellent at keeping hackers in check. However, with a compromised device, there’s nothing to do.
In the current encryption system, if the ISP and messaging service provider get access to the encryption key in any way, there’s nothing to do to stop them from spying on you. The new system, called DECIM (Detecting Endpoint Compromise in Messaging), certifies new key pairs for both the sender and receiver. The system stores the certificates in a tamper-resistant public ledger.
According to Dr. Yu, there’s no silver bullet in the end-to-end encryption system. However, they hope that their contribution will add an extra layer of security, leveling the playing field for both hackers and users.
End-to-end encryption usage
End-to-end encryption made its debut in the field of security with WhatsApp. Now, because of the viability and security, most of the messaging apps, including Facebook Messenger, TextSecure, Jabber and Apple’s iMessage use end-to-end encryption.
Some cloud backup services like SpiderOak and Wuala uses end-to-end encryption as well. They allow you to use your personal password as the encryption key. The local program encrypts the data on the machine. What the online servers do is preserve the data – they don’t know the password!
End-to-end encryption is a powerful tool for building a safer web. However, no method is secure enough – every digital device is hackable but at least, can defend enough to stay secure for the time being.
Take a look at this new “Man-in-the-middle” flaw in banking apps.