If used correctly, end-to-end encryption can help protect the contents of your messages, text, and even files from being understood by anyone except their intended recipients. It can also be used to prove that a message came from a particular person and has not been altered
What does encryption do?
- A clear readable message is encrypted into a scrambled message.
- The scrambled message is sent over the internet.
- When it arrives at the destination, the intended receiver decrypts it into the original readable message.
Symmetric Encryption: A case study.
John writes a note for her classmate Richa but does not want any other classmate to see it. Well, what can he do?
He decides to encrypt his message, by shifting the letters down by 3. So, now if any other classmate takes a peek into the note, they won’t get it.
This kind of encryption technique is called Caesar cipher. Turns out John’s note is still not secure, some of his classmates brute force the key with all possible combinations.
As time passed John learned some really advanced symmetric encryption techniques, and could generate keys that were much harder to guess.
Well, now John faced an even bigger issue. His classmate would eavesdrop on him when he shared the key with Richa. Their communication was still not secure.
Well, they all grew up, went on to college, had their own computers and learned about Public-key cryptography.
Public Key Cryptography: A case study.
Now John learned about Public-key cryptography which is an asymmetric cryptographic algorithm. Now with this algorithm, he can generate 2 keys – a public key and a private key. A message encrypted with the receiver’s public key can only be decrypted with the receiver’s private key.
John and Richa again started to communicate with their computers. In reality, there are 100s of computers between Richa and John to facilitate their communication. They both generate their public and private keys. Now Richa will send her public key to John. John will use this public key to encrypt his message and then send the encrypted message back to Richa. Now Richa will use her private key to decrypt the message.
Well, this may seem fine, no bad guy can see the message because it can only be decrypted by a private key which is never shared. Not exactly.
Let’s just say one of the intermediaries is a bad guy who wants to spy on John. When Richa sends her public key the bad guy gets it in the middle. Then the bad guy sends his public key to John. John doesn’t notice that this isn’t Richa’s public key. He decrypts the message with the bad guy’s public key and sends it back. Now the bad guy could decrypt the message and read the content. He could change the content if he wishes or can send the original content, decrypting it with Richa’s public key. Neither Richa nor John knows but their connection has been compromised.
This is known as “man in the middle attack”.
Luckily, public-key cryptography has a solution for man in the middle attack. Public key cryptography lets you double-check someone’s digital identity with something called fingerprint verification. This verification can be done when the sender and receiver meet personally and verifies manually the public key fingerprint you got and his public key fingerprint. Other end-to-end encrypted apps also have a way to check for fingerprints, though there are some variations on what the practice is called and how it is implemented. In some instances, you’ll read each character of the fingerprint extremely carefully and ensure it matches what you see on your screen, versus what your friend sees on their screen. In others, you might scan a QR code on another person’s phone to “verify” their device.
Asymmetric encryption and its algorithms aren’t perfect, but they’re still incredibly effective at helping us to establish secure communications with third parties via public channels. It is perfect for transmitting small chunks of data to a large number of endpoints. It is also way more secure than symmetric encryption.