End-to-end encryption (E2EE) has been on everyone’s lips at least since the rise of messenger services such as Telegram, Threema & Co. (Telegram, incidentally, applies it only to its optional “secret chats”, not to regular ones.) For many, E2EE is synonymous with the secure exchange of data and messages over the Internet, and it does indeed offer a high level of security. There are, however, a few things users should keep in mind. This post explains what they are.
E2EE - How it works
With end-to-end encryption, the data to be sent is encrypted directly on the sender’s device and only decrypted again on the recipient’s device. Nobody in between can read the data, and because modern E2EE schemes also authenticate the ciphertext, nobody in between can alter it without the recipient noticing. This is achieved with cryptographic keys: each device generates a private key that never leaves it and publishes a matching public key. The sender uses the recipient’s public key to agree on or wrap the key for the message, and only the recipient’s private key can undo that. Therefore, even if an unauthorized third party intercepts the data, they see nothing but ciphertext and can do nothing with it, because they lack the corresponding private key.
With current computing power and known algorithms, correctly implemented end-to-end encryption with a modern cipher cannot be broken within any practical time frame; the only realistic attacks go around the cryptography rather than through it. It is one of the most secure encryption methods available, and not even the provider of an E2EE solution has access to the private keys. That guarantee does depend on the keys really being generated and kept only on the end devices, and on the software being implemented correctly.
End-to-end encryption is more secure than TLS or SSL
In connection with secure e-mail transmission, many people ask themselves: “I already send my mail over Transport Layer Security (TLS). Why should I still use end-to-end encryption?” The question is understandable, since TLS does encrypt mail in transit. However, TLS only encrypts each individual connection: from the user’s mail client to their provider, and from one mail server to the next. At every one of those servers the mail is decrypted, stored and processed in plain text before being re-encrypted for the next hop, so each provider along the way has access to the decrypted data, at least in principle.
The same is true of SSL, the predecessor of TLS, and of access to websites via HTTPS: here, too, the data is encrypted on its way from the client to the server, but the encryption ends at the server itself, where the data can be read in decrypted form. This difference is especially important when you store or share data via common cloud solutions such as Dropbox & Co. that do not offer end-to-end encryption. Despite the encrypted transfer over TLS, the cloud provider can read the data unencrypted once it has arrived. With E2EE, however, you can be sure that the encryption is lifted only at the intended recipient, without the provider or any other third party gaining access to the decrypted data.
E2EE is not an all-encompassing security solution
End-to-end encryption protects data from unauthorized access on its way from one end device to another. If unauthorized third parties have already gained access to one or both end devices, however, the data is no longer secure: on a compromised device it is readable before it is encrypted and after it is decrypted. End-to-end encryption therefore cannot replace the security mechanisms that protect the end devices themselves from unauthorized access.
A man-in-the-middle attack is also possible in principle with end-to-end encryption: an attacker who can tamper with the key exchange plants their own public key on the sender in place of the recipient’s, so that new data is encrypted with a key the attacker holds.
In such a case, data that was already sent under the genuine key cannot be read, but everything sent afterwards can. Such an attack usually does not go unnoticed for long, since the recipient’s stored key has to change and the real recipient can no longer decrypt the newly sent data. The reliable defense, though, is to verify the key rather than to wait for symptoms: compare the key fingerprint (messengers call this the safety number) over a second channel, or pin the key once it has been verified, so that a substituted key is caught before anything is encrypted to it.
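The mechanism from “How it works” above and the key-substitution attack with its fingerprint check described here, in one runnable example. This is an added illustration, not code from the original post or from epiKshare. It uses only Python’s standard library: the public keys come from Diffie-Hellman over the 2048-bit group of RFC 3526 (a real product would use X25519 or RSA), and the cipher is a stand-in built from HMAC-SHA256 in place of a real authenticated cipher such as AES-GCM. The parties alice, bob and mallory, the relay, the messages and all function names are constructed for the example.

```python
"""Illustrative end-to-end encryption across an untrusted relay, the
public-key substitution (man-in-the-middle) attack on it, and how a
fingerprint check detects the attack. Standard library only. The cipher is
an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real
AEAD such as AES-GCM: illustration, not production code."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def hkdf(ikm, info, length=64):
    """HKDF-SHA256 (RFC 5869) with an all-zero salt; returns `length` bytes."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def keystream(key, nonce, n):
    """n bytes of PRF output: HMAC(key, nonce || counter), block by block."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]


def encrypt(key, plaintext):
    """key is 64 bytes from hkdf(): first half encrypts, second half authenticates."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key[:32], nonce, len(plaintext))))
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; a wrong key or an altered byte is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or altered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, keystream(key[:32], nonce, len(ct))))


def fingerprint(pub):
    """Short digest of a public key: what two people compare over a second channel."""
    return hashlib.sha256(pub.to_bytes(256, "big")).hexdigest()[:16]


class Device:
    """An end device. The private key is generated here and never leaves."""
    def __init__(self):
        self._priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self._priv, P)      # the only thing that is ever sent out

    def session_key(self, peer_pub):
        shared = pow(peer_pub, self._priv, P)
        return hkdf(shared.to_bytes(256, "big"), b"e2ee-demo")


def can_read(device, peer_pub, blob):
    """Plaintext if this device's key opens the blob, None otherwise."""
    try:
        return decrypt(device.session_key(peer_pub), blob)
    except ValueError:
        return None


def honest_exchange(msg=b"quarterly numbers attached"):
    """The relay holds only public keys and the blob: it can neither read nor alter it."""
    alice, bob = Device(), Device()
    blob = encrypt(alice.session_key(bob.pub), msg)
    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]   # relay flips one byte
    return can_read(bob, alice.pub, blob), can_read(bob, alice.pub, tampered)


def key_substitution_attack():
    """Mallory replaces Bob's public key with her own on its way to Alice."""
    alice, bob, mallory = Device(), Device(), Device()
    old = encrypt(alice.session_key(bob.pub), b"sent before the attack")  # genuine key
    alice_has = mallory.pub                      # what Alice now believes is Bob's key
    new = encrypt(alice.session_key(alice_has), b"sent after the attack")
    return {
        "mallory_reads_old": can_read(mallory, alice.pub, old),   # None: cannot
        "mallory_reads_new": can_read(mallory, alice.pub, new),   # plaintext
        "bob_reads_new": can_read(bob, alice.pub, new),           # None: Bob is locked out
        # Detection: Alice compares the fingerprint of the key she holds with the
        # one Bob reads to her over a second channel (or with a pinned copy).
        "fingerprint_matches": fingerprint(alice_has) == fingerprint(bob.pub),
    }


if __name__ == "__main__":
    print(honest_exchange())
    print(key_substitution_attack())
```

The two results make the post’s points concrete: the relay can carry the blob but not open it, one flipped byte is rejected by the tag, Mallory reads only what was encrypted after the substitution, Bob can no longer read it, and a single fingerprint comparison exposes the swapped key.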
As noted above, cybercriminals who succeed in compromising one of the end devices do not need to crack the key at all: they can simply access the data before encryption or after decryption. The assumption that E2EE also keeps secret who you are communicating with is another fallacy. The encryption keeps the content of your communication confidential and inaccessible to third parties. However, in order for the servers to know who is to receive which message, your e-mail also carries so-called metadata: sender and recipient addresses, your IP address, date and time, and often information about the mail client and device. This metadata may be encrypted on the way from you TO the server, but usually not ON the server.
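Which of those fields a mail server can still read while the body stays opaque, shown on a constructed PGP/MIME-style message using only Python’s standard library. This is an added example, not part of the original post and not epiKshare’s code; the message, the addresses, the IP address and the mail client are all invented for it. One caveat beyond what the post says: with PGP/MIME and S/MIME the Subject header is metadata too and is normally transmitted in the clear.

```python
"""What a mail server can still read when the message body is end-to-end
encrypted. Standard library only; the message below is constructed."""
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample: a PGP/MIME-style message as it would sit on the
# receiving server. The body is a placeholder, not real PGP ciphertext.
SAMPLE = b"""Received: from laptop.example.net ([203.0.113.7]) by mx.example.org
 with ESMTPS; Tue, 14 Mar 2023 09:41:05 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Q3 numbers
Date: Tue, 14 Mar 2023 09:41:02 +0000
Message-ID: <20230314094102.4711@laptop.example.net>
User-Agent: ExampleMailer/3.2 (Windows NT 10.0)
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-CIPHERTEXT-UNREADABLE-TO-THE-SERVER
-----END PGP MESSAGE-----

--b1--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def server_visible_metadata(raw):
    """Everything a relaying or storing mail server sees in the clear."""
    msg = message_from_bytes(raw, policy=default)

    def header(name):
        return str(msg[name]) if msg[name] is not None else None

    received = " ".join(str(h) for h in msg.get_all("Received", []))
    return {
        "from": header("From"),
        "to": header("To"),
        "subject": header("Subject"),           # PGP/MIME leaves it unencrypted
        "date": header("Date"),
        "message_id": header("Message-ID"),
        "client": header("User-Agent"),         # mail software and OS of the device
        "sender_ips": IPV4.findall(received),   # from the Received trace
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }


if __name__ == "__main__":
    for field, value in server_visible_metadata(SAMPLE).items():
        print(f"{field:15} {value}")
```

Run against a message from your own mailbox (exported as .eml) to see what your provider learns about each conversation even when every body is encrypted.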
Usability is a key factor
One of the reasons why end-to-end encryption has been so slow to become established, especially for e-mail, is that implementing and using the technology is often not easy. Yet ease of use is a basic prerequisite for employees to use E2EE consistently for secure communication. If it is too complicated, employees will regularly forgo end-to-end encryption or find workarounds. Companies should therefore ensure that using E2EE does not put too many obstacles in users’ way. Fortunately, there are a number of solutions on the market today, such as epiKshare, that make secure end-to-end encrypted mail delivery simple and straightforward.
Secure mail sharing with epiKshare
Secure sending of e-mails with end-to-end encryption is a basic component of the epiKshare suite. Without the need to buy additional certificates, epiKshare lets you encrypt your data with AES-256 and send it directly from Outlook via your ownCloud. Handling is simple, as the encryption is controlled by the user and executed in the web browser. Encrypted files can also be made available to external users at a later date; the encryption keys are adjusted dynamically in the background.
For more information on end-to-end encryption with epiKshare, please visit https://www.epikshare.com/epikware/epikryption/