End-to-end encryption and guide on how it works | PreVeil (2024)



By: Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP


In recent years, we’ve become increasingly aware of the hidden costs of the convenience we get from Big Tech. From Google’s shady data mining practices, to Colonial Pipeline’s infrastructure fail, to peeping toms in our inboxes, it’s clear that it’s up to consumers and businesses to protect ourselves from overreaching Big Tech.

Today, many popular messaging technologies have adopted end-to-end encryption with the goal of ensuring the secure communications of their users. For example, WhatsApp, Telegram and Signal all rely on end-to-end encryption (E2EE) to ensure that no one but the sender and the recipient can read the communications.

The National Security Agency calls for the defense industrial base (DIB) in particular to use end-to-end encryption to secure data. Other industries, as well as individuals, should follow suit. But what is end-to-end encryption? How does end-to-end encryption differ from other forms of data protection and why is it more secure?

This piece will focus on providing answers to these questions.

  • End-to-end encryption: What it is and how it works
  • An example of how end-to-end encryption works
  • How end-to-end encryption differs from other types of data security
  • Why end-to-end encryption is important and what it protects against
  • What are the advantages of end-to-end encryption
  • How to implement end-to-end encryption


End-to-end encryption: What is it and how does it work

Encryption in transit and encryption at rest are standard these days, but they aren’t enough to protect your data and ensure secure communications. When your data is at rest on the server, it is vulnerable. Once a hacker infiltrates the server, they can camp out there indefinitely, reading your messages.

With end-to-end encryption by contrast, the only people who can access the data are the sender and the intended recipient(s) – no one else. Neither hackers nor unwanted third parties can access the encrypted data on the server.

In end-to-end encryption, encryption occurs at the device level. Messages and files are encrypted before they leave the phone or computer, using the recipient’s public key, which is available to everyone; they can only be decrypted with the recipient’s private key once they reach their destination. Hackers can’t read data on the server because they don’t have the private keys required to decrypt it. Private keys are stored on the individual user’s device and are available only to that user.

This use of a public-private key pair is known as asymmetric cryptography: separate cryptographic keys encrypt and decrypt the message. Public keys are widely disseminated and are used to lock, or encrypt, a message. Private keys are known only to their owner and are used to unlock, or decrypt, the message.

In end-to-end encryption, the system creates public and private cryptographic keys for each person who joins.

An example of end-to-end encryption

In order to better understand how end-to-end encryption works, let’s provide an example.

Let’s say Alice and Bob create accounts on the system. The end-to-end encrypted system provides each with a public-private key pair, whereby their public keys are stored on the server and their private keys are stored on their device.

Alice wants to send Bob an encrypted message. She uses Bob’s public key to encrypt her message to him. Then, when Bob receives the message, he uses his private key on his device to decrypt the message from Alice.

When Bob wants to reply, he simply repeats the process, encrypting his message to Alice using Alice’s public key.


How end-to-end encryption differs from other types of data security

As noted above, end-to-end encryption is a type of asymmetric encryption. Asymmetric means that different keys are used to encrypt and decrypt data. End-to-end encryption typically relies on the use of public and private keys to ensure data security and privacy.

By contrast, symmetric encryption uses only one key, such as a password or string of numbers, to encrypt data. The same key is used to both encrypt and decrypt the data. Symmetric encryption is much faster at performing encryption and decryption operations than asymmetric encryption. However, if used as the only form of data protection, symmetric encryption doesn’t scale well: as a system grows and more information and users are added, it becomes increasingly difficult to distribute and update the symmetric keys.
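The Alice-and-Bob exchange described above, together with the split between asymmetric and symmetric encryption just discussed, can be made concrete in code. The following is an added example written for this guide; it is not PreVeil’s code and does not describe PreVeil’s actual protocol. It assumes a hybrid scheme of my own choosing: X25519 key agreement against the recipient’s published public key derives a per-message AES-256-GCM key (via HKDF), so the asymmetric part only establishes a key and the fast symmetric cipher protects the message body. The user names and message are constructed sample values. The Directory type stands in for the server: it holds public keys and ciphertext only, so a party that reads the server (or a third user, "mallory") cannot open the envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// User models one device. The private key is generated here and never
// leaves this struct; nothing below copies it into the Directory.
type User struct {
	Name string
	priv *ecdh.PrivateKey
}

// Directory models the server-side key directory: public keys only.
type Directory map[string]*ecdh.PublicKey

// Envelope is what the server stores and relays. It carries no secret that
// would let the server, or anyone who has compromised it, open the body.
type Envelope struct {
	From, To     string
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte
	Ciphertext   []byte // AES-256-GCM output, authentication tag included
}

// NewUser generates an X25519 key pair and publishes only the public half.
func NewUser(name string, dir Directory) (*User, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[name] = priv.PublicKey()
	return &User{Name: name, priv: priv}, nil
}

// deriveKey turns the raw ECDH shared secret into a 256-bit AES key with
// HKDF (RFC 5869): extract with an empty salt, then one expand round whose
// info string binds the key to the sender and recipient names.
func deriveKey(shared []byte, from, to string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("e2ee-example-v1|" + from + "|" + to))
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for `to` using only the recipient's public key from
// the directory. A fresh ephemeral key pair plus ECDH yields a per-message
// symmetric key; the message body itself is protected by fast AES-GCM.
func (u *User) Encrypt(dir Directory, to string, plaintext []byte) (*Envelope, error) {
	recipientPub, ok := dir[to]
	if !ok {
		return nil, fmt.Errorf("no public key published for %q", to)
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(deriveKey(shared, u.Name, to))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(u.Name + "->" + to) // routing header: authenticated, not hidden
	ct := aead.Seal(nil, nonce, plaintext, aad)
	return &Envelope{From: u.Name, To: to, EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens an envelope with this user's private key. Anyone else derives
// a different key, and GCM's authentication check rejects the ciphertext.
func (u *User) Decrypt(env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := u.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(deriveKey(shared, env.From, u.Name))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+"->"+u.Name))
}

func main() {
	dir := Directory{}
	alice, _ := NewUser("alice", dir) // constructed sample users
	bob, _ := NewUser("bob", dir)
	env, _ := alice.Encrypt(dir, "bob", []byte("constructed sample message"))
	fmt.Printf("server stores: %x\n", env.Ciphertext)
	pt, err := bob.Decrypt(env)
	fmt.Printf("bob reads: %q (err=%v)\n", pt, err)
}
```

Bob’s reply to Alice is the same call in the other direction (bob.Encrypt(dir, "alice", ...)), which is exactly the "repeat the process" step in the walkthrough. Two design points worth noticing: the sender and recipient names are fed into both the key derivation and the GCM associated data, so an envelope re-addressed on the server fails to open rather than decrypting for the wrong party; and the ephemeral key means a recipient’s long-term private key is used only for key agreement, never to encrypt message bodies directly.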

Another frequently used approach is encrypting data in transit and at rest. With encryption in transit, frequently TLS, data is encrypted only between the endpoint and the server; the server itself sees the plaintext. That data is therefore vulnerable to hackers who control or compromise the server and use that control to read and steal it.

With encryption at rest, data may be encrypted on the server, but the decryption keys for that data are often nearby, on the same server or centrally managed. This weak key protection is a single point of vulnerability and attack on the server, and attackers frequently take advantage of it to deploy ransomware or to read and steal data.

Why end-to-end encryption is important and what it protects against

You don’t want someone camped out in your network, reading your messages. End-to-end encryption keeps your data secure. This not only protects your data from hackers, but also protects your privacy from Big Tech.

Service providers like Google (Gmail), Yahoo, or Microsoft hold copies to the decryption keys. This means these providers can read users’ email and files. Google has used this access to profit off of users’ private communications via targeted ads.

By contrast, in well-constructed end-to-end encrypted systems, the service provider never has access to the decryption keys.

What are the advantages of end-to-end encryption

The NSA recently issued guidelines for using collaboration services. The NSA’s number one recommendation is that collaboration services employ end-to-end encryption. The NSA notes that by following the guidelines it defines, users can reduce their risk exposure and become harder targets for bad actors.

The advantages of end-to-end encryption

  1. Ensures your data is secure from hacks: With end-to-end encryption, you are the only one who holds the private key that unlocks your data. It doesn’t matter if the server is breached; your data is safe.
  2. Protects your privacy: When you use providers like Google and Microsoft, your data is decrypted on their servers. This means they can read it. And if they can access your data, so can hackers.
  3. Protects admins: Admins aren’t honey pots. They don’t control data access, so they can’t be leveraged as a single point of vulnerability.

How to implement end-to-end encryption

Legacy systems such as PGP were early examples of technologies that tried to implement end-to-end encryption. However, they proved difficult to use and maintain because of the challenges of key management. As a result, these systems failed to catch on.

PreVeil however has developed techniques to use end-to-end encryption that maximize data protection and facilitate key management. At PreVeil, end-to-end encryption is at the core of how we protect users’ email and files. Hundreds of defense companies and small businesses rely on PreVeil every day to protect their customers’ most sensitive data.

Learn more about how PreVeil uses end-to-end encryption to protect your data. Download our architectural whitepaper today.


