In the recent past, a term like end-to-end encryption was geek-only and unlikely to be part of the layman’s vocabulary. Most of us wouldn’t have bothered to look it up on the internet. Today, end-to-end encryption is part of your daily digital life. It is the ultimate security mechanism protecting your confidential and private data online, whether that is your credit card number during a transaction or your phone call being kept from eavesdroppers.
Now that people’s privacy is a global concern, hackers lurk around every corner and governments pry into their citizens’ private communications, Internet calling, VoIP and instant messaging applications are offering end-to-end encryption. It became a common theme when WhatsApp brought it to over a billion users, having been preceded by applications like Threema and Telegram, among others. In this article, we are going to look at what end-to-end encryption is, how it works in very simple terms, and what it does for you.
Before we move on to the “end-to-end” part, let’s first look at what plain old encryption is. The fight for data security and privacy online is a battle fought on many fronts, but in the end it comes down to this: when private data is sent to another computer or server on the Internet, which happens many times a day, it is as if Little Red Riding Hood’s mother were sending it to her grandmother’s house on the other side of the forest. That forest, which the data has to cross alone and defenseless, holds wolves and other dangers far deadlier than the wolf in the bedtime story.
Once you send your voice call, chat, email or credit card number data packets through the internet jungle, you have no control over who gets their hands on them. This is the nature of the Internet. This is what makes so many things that run on it free, including Voice over IP, which gives you free calls. Your data and voice packets pass through many unknown servers, routers and devices where any hacker, big brother or rogue state agent can intercept them. How to protect your data then? Enter encryption, the last resort.
Encryption involves converting your data into a scrambled form in such a way that it is impossible for any party intercepting it to read or understand it, except for the intended recipient. When it reaches this legitimate recipient, the encrypted data reverts to its original form and becomes perfectly readable and understandable again. This last process is called decryption.
Let’s complete the glossary. Unencrypted data is called plaintext; encrypted data is called ciphertext; the computer mechanism or recipe that runs on the data to encrypt it is called an encryption algorithm, i.e. simply software that works on the data to encrypt it. An encryption key is used with the algorithm to encode the plaintext in such a way that the correct key is required, in conjunction with the algorithm, to decrypt the data. Therefore, only the party that holds the key can access the original data. Note that the key is a very long string of numbers that you don’t have to remember or care about, as the software handles it all for you.
Encryption, or as it was known before the digital age, cryptography, has been used for millennia, since long before our era. The ancient Egyptians used to complicate their hieroglyphs to prevent lower-ranking people from understanding things. Modern and scientific encryption came in the Middle Ages with the Arab mathematician Al-Kindi, who wrote the first book on the subject. It became really serious and advanced during World War II with the Enigma machine, and contributed considerably to defeating the Nazis on many occasions.
Now, the first messaging and calling apps to arrive with end-to-end encryption came from Germany, where people are particularly concerned about their privacy. Some examples are Telegram and Threema. This may actually have been exacerbated by the scandal over German Chancellor Merkel’s phone calls being intercepted by the United States. In addition, Jan Koum, co-founder of WhatsApp, cited his Russian childhood, with all its theatrical espionage, as one of the driving elements behind his desire to enforce privacy through encryption in his application, though this came rather late.
Symmetric and asymmetric encryption
Pay no attention to the complex wording. We just want to distinguish between two versions of a simple concept. Here’s an example to illustrate how encryption works.
Tom wants to send a private message to Harry. The message is passed through an encryption algorithm and, using a key, is encrypted. While the algorithm is available to anyone geeky enough to care, like Dick, who wants to know what Tom is saying to Harry, the key is a secret between Tom and Harry. If Dick the hacker manages to intercept the encrypted message, he won’t be able to decrypt it back to the original message unless he has the key, which he doesn’t.
This is called symmetric encryption, where the same key is used for encryption and decryption on both sides. This poses a problem, as both legitimate parties need to have the key, which may involve sending it back and forth, thus exposing it to compromise. Therefore, it is not effective in all cases.
The solution is asymmetric encryption. Here each party has two keys, a public key and a private key. The public keys are available to both parties, and to anyone else, since the two parties exchange their public keys before communicating. Tom uses Harry’s public key to encrypt the message, which can now only be decrypted with the key matching that public key: Harry’s private key.
This private key is available only to Harry and no one else, not even Tom the sender. It is the one element that makes it impossible for any other party to decrypt the message, because the private key never has to be sent anywhere.
End-to-End Encryption Explained
End-to-end encryption works as explained above, and is an implementation of asymmetric encryption. As its name suggests, end-to-end encryption protects data in such a way that it can only be read at both ends, by the sender and the recipient. No one else can read the encrypted data, including hackers, governments, and even the server that the data passes through.
End-to-end encryption inherently implies several important things. Consider two WhatsApp users communicating via instant messaging or calling over the Internet. Their data passes through a WhatsApp server as it transits from one user to the other. For many other services that offer encryption, the data is encrypted during transfer but is only protected from external intruders like hackers. The service itself can intercept the data on its servers and use it, and can potentially hand it to third parties or law enforcement authorities. End-to-end encryption keeps the data encrypted, with no possibility of decryption, on the server and everywhere else in between. So even if it wanted to, the service cannot intercept the data or do anything with it. Law enforcement authorities and governments are likewise unable to access the data, even with authorization. In theory, no one can except the parties at the two ends.
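As an added illustration, not code from the article: the Tom/Harry/Dick story above and the contrast between a service that encrypts only to its own server and true end-to-end encryption, modelled with textbook RSA on constructed small primes. The names make_keypair, RelayServer and run_demo are hypothetical.

```python
# Constructed teaching example: textbook RSA on small hard-coded primes,
# encrypting one byte at a time. It has no real security and exists only
# to make the roles of the keys and the server's view of the data visible.
def make_keypair(p, q, e=17):
    """Return ((n, e), (n, d)): the public key and its matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key, message):
    """Tom's side: anyone holding the public key can produce ciphertext."""
    n, e = public_key
    return [pow(b, e, n) for b in message.encode()]

def decrypt(key, ciphertext):
    """Harry's side: only the private exponent undoes encrypt().
    With the wrong key the result is garbage; % 256 keeps it byte-sized."""
    n, d = key
    return bytes(pow(c, d, n) % 256 for c in ciphertext).decode(errors="replace")

class RelayServer:
    """The service's server in the middle. It records everything it can read."""
    def __init__(self):
        self.observed_plaintexts = []
    def relay_transport_encrypted(self, own_private, recipient_public, ct):
        # Encryption only to the server: it decrypts, can read and log the
        # message, then re-encrypts it for the recipient.
        plaintext = decrypt(own_private, ct)
        self.observed_plaintexts.append(plaintext)
        return encrypt(recipient_public, plaintext)
    def relay_end_to_end(self, ct):
        # End-to-end: the server holds no decrypting key, so it can only forward.
        return ct

def run_demo(message="meet at noon"):
    harry_public, harry_private = make_keypair(61, 53)    # Harry's key pair
    server_public, server_private = make_keypair(47, 59)  # the service's pair
    relay = RelayServer()
    # 1. Transport encryption: Tom encrypts to the service, not to Harry.
    delivered = relay.relay_transport_encrypted(
        server_private, harry_public, encrypt(server_public, message))
    # 2. End-to-end: Tom encrypts straight to Harry's public key.
    e2e_ct = relay.relay_end_to_end(encrypt(harry_public, message))
    return {
        "harry_reads_transport": decrypt(harry_private, delivered),
        "harry_reads_e2e": decrypt(harry_private, e2e_ct),
        "server_read_message": message in relay.observed_plaintexts,
        "dick_tries_public_key": decrypt(harry_public, e2e_ct),  # garbage
    }
```

Both paths deliver the message to Harry; the difference is that in the first the relay logged the plaintext, while in the second it saw only ciphertext, and Dick, holding only Harry's public key, recovers nothing.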
How to use end-to-end encryption
You don’t actually use end-to-end encryption by hand, and you don’t have to do anything to make it work. The services behind it, the software and the security mechanisms of the web take care of it.
For example, the browser you are reading this in is equipped with end-to-end encryption tools, and they go to work when you engage in online activities that require your data to be protected during transmission. Consider what happens when you buy something online using your credit card. Your computer needs to send the credit card number to the merchant on the other side of the world. End-to-end encryption ensures that only you and the merchant’s computer or service can access that highly sensitive number.
Secure Sockets Layer (SSL), or its updated successor Transport Layer Security (TLS), is the encryption standard for the web. When you enter a site that offers encryption for your data – usually sites that handle private information such as personal details, passwords, credit card numbers, etc. – there are signs indicating safety and security.
In the address bar, the URL starts with https:// instead of http://; the additional “s” stands for secure. You will also see an image somewhere on the page with the Symantec (owner of TLS) and TLS logo. Clicking on this image opens a pop-up window certifying the authenticity of the site. Companies like Symantec provide digital certificates to websites for encryption.
Voice calls and other means of communication are also protected through the use of end-to-end encryption with many applications and services. You benefit from the privacy of encryption just by using these applications for communication.
The above description of end-to-end encryption is a theoretical simplification that illustrates the fundamental principle behind it; in practice, it is much more complex than that. There are many encryption standards, but you really don’t need to go any further.
I’d rather turn to the question that’s probably on your mind right now: do I need encryption? Well, not always, but yes, you do. We probably need encryption less often than we actually use it. It depends on what you transfer in your personal communications. If you have things to hide, then you’ll be thankful for the existence of end-to-end encryption.
Many people personally don’t find it important for WhatsApp and other instant messaging applications, where the content is only chats with friends and family. Who would care to spy on us when there are a billion people talking? However, we all need it when doing online banking or e-commerce. But then, you know, you can’t choose. Encryption happens without your knowledge, and most people don’t notice when their data is encrypted.