What are the differences between end-to-end encryption and encryption in transit?
With the coronavirus crisis, relying on external technologies has become necessary.
In this post I will talk (among others) about Zoom, the video-conferencing application of the moment, which plays on these two terms when describing how its solution is secured.
Encrypting exchanges, why?
Why do we encrypt? There are many possible reasons; the most obvious is to protect data against interception.
If an exchange is encrypted, the impact of an interception is nil, since the attacker is unable to read the stream, assuming of course that the encryption in use is strong enough and correctly implemented.
The idea, as I have discussed in earlier posts, is to use public-key cryptography: I encrypt the data with the recipient's public key, and only the recipient, who holds the matching private key, can decrypt it; in the other direction the recipient encrypts with my public key. In practice the public keys are used to agree on a shared session key, and the data itself is then encrypted with a much faster symmetric cipher.
I'll start with end-to-end encryption. In this model, the data is encrypted from sender to receiver without any protocol break.
This means that the servers between the two users only relay ciphertext and cannot access the content. This is the model used by many instant messengers. Telegram, for example, uses it, but only for its Secret Chats; its default cloud chats are encrypted only between the client and Telegram's servers.
The benefits of this model for the user are multiple:
- The intermediate infrastructure cannot read my exchanges.
- It is not possible for a state to monitor conversations by turning to the service provider (in theory anyway).
- If my network is compromised, a man-in-the-middle attack cannot decrypt my stream, provided I have verified the recipient's key (for example by comparing key fingerprints). If the public keys are simply handed out by the service, a malicious server could substitute its own key.
However, to be truly effective, this model also requires that both the sender's and the receiver's clients support the same strong protocols; otherwise the exchange is levelled down to the weakest protocol the two have in common.
Encryption in transit
Behind this term there is still encryption, usually TLS, with the same asymmetric key agreement followed by symmetric encryption of the data. However, the data is no longer encrypted all the way to the recipient.
With encryption in transit, the data is encrypted to the server, which decrypts it and then re-encrypts it before sending it on to the other client.
This means that at some point the data is in clear text on the intermediate server, where it can be used or analysed. In addition, if the intermediary's infrastructure is compromised, the data is exposed as well.
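To make the two models concrete, here is an added example, written for this post and not taken from Zoom, Telegram or any messenger's code. It implements the public-key exchange described earlier and then runs the same message through both models. The parties alice, bob and relay are hypothetical; X25519 agrees a shared secret, SHA-256 turns it into an AES-256-GCM key (a stand-in for a real KDF such as HKDF), and authentication of the public keys is deliberately not modelled. In the end-to-end case the relay only forwards bytes and its attempt to decrypt fails; in the transit case it terminates the first hop and holds the plaintext before re-encrypting to bob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// party is one participant (alice, bob and relay are illustrative names).
// Each holds a long-term X25519 key pair. A real messenger would also have to
// authenticate these public keys; this example does not model that.
type party struct {
	name string
	priv *ecdh.PrivateKey
}

func newParty(name string) *party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &party{name: name, priv: priv}
}

func (p *party) pub() *ecdh.PublicKey { return p.priv.PublicKey() }

// sharedKey runs X25519 with the peer's public key and hashes the result into a
// 256-bit AES key. SHA-256 stands in for a proper KDF to stay stdlib-only.
func (p *party) sharedKey(peer *ecdh.PublicKey) []byte {
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		panic(err) // only possible for a degenerate peer key
	}
	k := sha256.Sum256(secret)
	return k[:]
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key is always 32 bytes here
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// encryptGCM seals plaintext with AES-256-GCM and prepends the random nonce.
func encryptGCM(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// decryptGCM opens a message produced by encryptGCM. A wrong key or any
// modified byte makes the GCM tag check fail and returns an error.
func decryptGCM(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// endToEnd: alice encrypts to bob's public key and the relay only forwards
// bytes. Returns what the relay could read (nothing) and what bob decrypted.
func endToEnd(alice, bob, relay *party, msg string) (relayView, bobView string, err error) {
	sealed := encryptGCM(alice.sharedKey(bob.pub()), []byte(msg))
	// The relay holds its own private key and both public keys, which gives it
	// the relay/alice and relay/bob keys but never the alice/bob key.
	if pt, e := decryptGCM(relay.sharedKey(alice.pub()), sealed); e == nil {
		relayView = string(pt) // not reached: the GCM tag check fails
	}
	pt, err := decryptGCM(bob.sharedKey(alice.pub()), sealed)
	if err != nil {
		return "", "", err
	}
	return relayView, string(pt), nil
}

// inTransit: two independent encrypted hops, alice->relay and relay->bob.
// The relay terminates the first hop, so the clear text exists on the server.
func inTransit(alice, bob, relay *party, msg string) (relayView, bobView string, err error) {
	hop1 := encryptGCM(alice.sharedKey(relay.pub()), []byte(msg))
	pt, err := decryptGCM(relay.sharedKey(alice.pub()), hop1) // relay reads it
	if err != nil {
		return "", "", err
	}
	hop2 := encryptGCM(relay.sharedKey(bob.pub()), pt) // re-encrypted for bob
	pt2, err := decryptGCM(bob.sharedKey(relay.pub()), hop2)
	if err != nil {
		return "", "", err
	}
	return string(pt), string(pt2), nil
}

func main() {
	alice, bob, relay := newParty("alice"), newParty("bob"), newParty("relay")
	msg := "meeting password is hunter2" // constructed sample message
	rv, bv, err := endToEnd(alice, bob, relay, msg)
	fmt.Printf("end-to-end: relay sees %q, bob sees %q, err=%v\n", rv, bv, err)
	rv, bv, err = inTransit(alice, bob, relay, msg)
	fmt.Printf("in transit: relay sees %q, bob sees %q, err=%v\n", rv, bv, err)
}
```

Run it with `go run` (Go 1.20 or later for crypto/ecdh). The same GCM tag check that stops the relay from reading the end-to-end message is what rejects any byte an attacker flips on the wire, which is why the "intermediary cannot read it" and "man in the middle cannot tamper with it" properties come from the same primitive; what the example leaves out, and what the messenger has to add, is proof that bob's public key really belongs to bob.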
This solution has a few advantages:
- The level of security can differ between the two parties, since each hop negotiates its own encryption: the strongest available between the server and each sender or recipient.
- We still have protection against a man in the middle on the network path, since each leg to the server remains encrypted and the client verifies the server's identity.
Nevertheless, unlike with end-to-end encryption, the intermediary can fully exploit the data, assist a state, or be compelled to hand it over in a police investigation, for example, since it has potential access to the decrypted data.
In any case, the best protection remains the user: be aware of the level of security an application provides before using it, rather than going for it blindly.
Ask yourself the question of the confidentiality of the information you are going to exchange. If it is private or confidential information, it is preferable to opt for solutions that work with end-to-end encryption. Otherwise, encryption in transit may be sufficient.
Furthermore, the exchange of information is not the only layer of security to consider. If you exchange important data, you may also need to ensure that the endpoints are secure: encryption only protects the data between the devices, and a compromised device can read it before it is encrypted or after it is decrypted.
As always, the best security is the user!