End-to-end encryption

In many non-E2EE messaging systems, including email and many chat networks, messages pass through intermediaries and are stored by a third party service provider,{{Cite web|title=Cryptography Concepts – Fundamentals – E3Kit {{!}} Virgil Security|url=https://developer.virgilsecurity.com/docs/e3kit/fundamentals/cryptography/#end-to-end-encryption|access-date=2020-10-30|website=developer.virgilsecurity.com}} from which they are retrieved by the recipient. Even if the messages are encrypted, they are only encrypted 'in transit', and are thus accessible by the service provider.{{Cite web|last=Mundhenk|first=Ben Rothke and David|date=2009-09-10|title=End-to-End Encryption: The PCI Security Holy Grail|url=https://www.csoonline.com/article/2124346/end-to-end-encryption--the-pci-security-holy-grail.html|access-date=2020-11-04|website=CSO Online|language=en}} Server-side disk encryption is also distinct from E2EE because it does not prevent the service provider from viewing the information, as they have the encryption keys and can simply decrypt it.

The lack of end-to-end encryption can allow service providers to easily provide search and other features, or to scan for illegal and unacceptable content.{{citation needed|date=November 2024}} However, it also means that content can be read by anyone who has access to the data stored by the service provider, by design or via a backdoor. This can be a concern in many cases where privacy is important, such as in governmental and military communications, financial transactions, and when sensitive information such as health and biometric data are sent. If this content were shared without E2EE, a malicious actor or adversarial government could obtain it through unauthorized access or subpoenas targeted at the service provider.{{Cite web |last=Weinstein |first=Gary |title=Encryption: The Necessary Tool For U.S. National Security And The Intelligence Community |url=https://www.forbes.com/sites/digital-assets/2023/05/07/encryption-the-necessary-tool-for-us-national-security-and-the-intelligence-community/ |access-date=2024-07-26 |website=Forbes |language=en}}

E2EE alone does not guarantee privacy or security.{{Cite web |last=Meehan |first=Tom |date=2021-11-29 |title=End-to-End Encryption Doesn't Guarantee Internet Privacy |url=https://losspreventionmedia.com/end-to-end-encryption-doesnt-guarantee-internet-privacy/ |access-date=2022-11-05 |website=Loss Prevention Media |language=en-US}} For example, data may be held unencrypted on the user's own device, or be accessible via their own app, if their login is compromised.

The term "end-to-end encryption" originally only meant that the communication is never decrypted during its transport from the sender to the receiver.{{cite book|last=Baran|first=Paul|title=On Distributed Communications|chapter=IX. Security, Secrecy, and Tamper-Free Considerations. III. Some Fundamentals of Cryptography|url=https://www.rand.org/pubs/research_memoranda/RM3765/RM3765.chapter3.html|date=1964|publisher=RAND corporation|access-date=2020-04-07|archive-date=2020-04-07|archive-url=https://web.archive.org/web/20200407143949/https://www.rand.org/pubs/research_memoranda/RM3765/RM3765.chapter3.html|url-status=dead}}

For example, around 2003, E2EE has been proposed as an additional layer of encryption for GSM{{cite conference|last1=Moldal|first1=L.|last2=Jorgensen|first2=T.|title=IEE Seminar Secure GSM and Beyond: End to End Security for Mobile Communications |chapter=End to end encryption in GSM, DECT and satellite networks using NSK200|publisher=IET|chapter-url=https://ieeexplore.ieee.org/document/1292124|date=11 February 2003|volume=2003 |page=5 |doi=10.1049/ic:20030013}} or TETRA,{{cite conference|last=Murgatroyd|first=Brian|title=IEE Seminar Secure GSM and Beyond: End to End Security for Mobile Communications |chapter=End to end encryption in public safety TETRA networks|publisher=IET|chapter-url=https://ieeexplore.ieee.org/document/1292126|date=11 February 2003|volume=2003 |page=7 |doi=10.1049/ic:20030015}} in addition to the existing radio encryption protecting the communication between the mobile device and the network infrastructure. This has been standardized by SFPG for TETRA.{{cite web|title=New chair for the SFPG|url=https://tcca.info/new-chair-for-the-sfpg/|date=2007}} Note that in TETRA E2EE, the keys are generated by a Key Management Centre (KMC) or a Key Management Facility (KMF), not by the communicating users.{{cite thesis|type=Master's Thesis|last=Morquecho Martinez|first=Raul Alejandro|title=Delivery of encryption keys in TETRA networks|date=31 March 2016|publisher=Aalto University|url=https://aaltodoc.aalto.fi/bitstream/handle/123456789/20880/master_Morquecho_Martinez_Raul_2016.pdf}}

Later, around 2014, the meaning of "end-to-end encryption" started to evolve when WhatsApp encrypted a portion of its network,{{Cite magazine|title=Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People|language=en-us|magazine=Wired|url=https://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/|access-date=2021-03-02|issn=1059-1028}} requiring that not only the communication stays encrypted during transport,{{Cite journal|last=Mtega|first=Wulystan Pius|date=Jan 2021|title=Using WhatsApp Messenger for improving learners' engagement in teaching and learning: a case of undergraduate students at the Sokoine University of Agriculture, Tanzania|url=https://www.proquest.com/docview/2492709488|journal=Library Philosophy and Practice|pages=1–18|id={{ProQuest|2492709488}}|via=ProQuest}} {{citation needed span|date=June 2020|but also that the provider of the communication service is not able to decrypt the communications either by having access to the private key, or by having the capability to undetectably inject an adversarial public key as part of a man-in-the-middle attack.}} This new meaning is now the widely accepted one.{{Cite journal|last=Lewis, James A., Denise E. Zheng, and William A. Carter.|title=The effect of encryption on lawful access to communications and data|journal=Rowman & Littlefield}}

{{Update section|date=November 2024|reason=begins with "As of 2016" and makes little-to-no mention of Signal, WhatsApp, and more}}

As of 2016,{{Cite web|title=A history of end-to-end encryption and the death of PGP|url=https://www.cryptologie.net/article/487/a-history-of-end-to-end-encryption-and-the-death-of-pgp/|access-date=2020-10-30|website=www.cryptologie.net}} typical server-based communications systems do not include end-to-end encryption.{{Cite book|last=Nabeel|first=Mohamed|title=2017 IEEE International Conference on Edge Computing (EDGE) |chapter=The Many Faces of End-to-End Encryption and Their Security Analysis |date=2017-06-23|chapter-url=http://dx.doi.org/10.1109/ieee.edge.2017.47|publisher=IEEE|pages=252–259|doi=10.1109/ieee.edge.2017.47|isbn=978-1-5386-2017-5|s2cid=3419988}} These systems can only guarantee the protection of communications between clients and servers,{{Cite web|date=2016-02-19|title=What is End-to-end encryption (E2EE) ?|url=https://www.gbnews.ch/what-is-end-to-end-encryption-e2ee/|access-date=2020-11-05|website=Geneva Business News {{!}} Actualités: Emploi, RH, économie, entreprises, Genève, Suisse.|language=fr-FR}} meaning that users have to trust the third parties who are running the servers with the sensitive content. End-to-end encryption is regarded as safer{{Cite book|last1=Bai|first1=Wei|last2=Pearson|first2=Michael|last3=Kelley|first3=Patrick Gage|last4=Mazurek|first4=Michelle L.|title=2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) |chapter=Improving Non-Experts' Understanding of End-to-End Encryption: An Exploratory Study |date=September 2020|chapter-url=https://ieeexplore.ieee.org/document/9229664|location=Genoa, Italy|publisher=IEEE|pages=210–219|doi=10.1109/EuroSPW51379.2020.00036|isbn=978-1-7281-8597-2|s2cid=220524858}} because it reduces the number of parties who might be able to interfere or break the encryption.{{cite web|title=End-to-End Encryption|url=https://ssd.eff.org/en/glossary/end-end-encryption|website=EFF Surveillance Self-Defense Guide|publisher=Electronic Frontier Foundation|access-date=2 February 2016|url-status=live|archive-url=https://web.archive.org/web/20160305112131/https://ssd.eff.org/en/glossary/end-end-encryption|archive-date=5 March 2016}} In the case of instant messaging, users may use a third-party client or plugin to implement an end-to-end encryption scheme over an otherwise non-E2EE protocol.{{cite web|title=How to: Use OTR for Windows|url=https://ssd.eff.org/en/module/how-use-otr-windows|website=EEF Surveillance Self-Defence Guide|publisher=Electronic Frontier Foundation|access-date=2 February 2016|url-status=dead|archive-url=https://web.archive.org/web/20160120015142/https://ssd.eff.org/en/module/how-use-otr-windows|archive-date=20 January 2016}}

Some non-E2EE systems, such as Lavabit and Hushmail, have described themselves as offering "end-to-end" encryption when they did not.{{cite news|last1=Grauer|first1=Yael|title=Mr. Robot Uses ProtonMail, But It Still Isn't Fully Secure|url=https://www.wired.com/2015/10/mr-robot-uses-protonmail-still-isnt-fully-secure/|magazine=WIRED|language=en-US|url-status=live|archive-url=https://web.archive.org/web/20170309013643/https://www.wired.com/2015/10/mr-robot-uses-protonmail-still-isnt-fully-secure/ |archive-date=2017-03-09}} Other systems, such as Telegram and Google Allo, have been criticized for not enabling end-to-end encryption by default. Telegram did not enable end-to-end encryption by default on VoIP calls while users were using desktop software version, but that problem was fixed quickly.{{cite web|title=Why Telegram's security flaws may put Iran's journalists at risk|url=https://cpj.org/blog/2016/05/why-telegrams-security-flaws-may-put-irans-journal.php|publisher=Committee to Protect Journalists|access-date=23 September 2016|date=31 May 2016|url-status=live|archive-url=https://web.archive.org/web/20160819013449/https://cpj.org/blog/2016/05/why-telegrams-security-flaws-may-put-irans-journal.php|archive-date=19 August 2016}}{{Cite web|last=Hackett|first=Robert|url=http://fortune.com/2016/05/21/google-allo-privacy-2/|title=Here's Why Privacy Savants Are Blasting Google Allo|date=21 May 2016|website=Fortune|publisher=Time Inc.|access-date=23 September 2016|url-status=live|archive-url=https://web.archive.org/web/20160910182246/http://fortune.com/2016/05/21/google-allo-privacy-2/|archive-date=10 September 2016}} However, as of 2020, Telegram still features no end-to-end encryption by default, no end-to-end encryption for group chats, and no end-to-end encryption for its desktop clients. In 2022, Facebook Messenger came under scrutiny because the messages between a mother and daughter in Nebraska were used to seek criminal charges in an abortion-related case against both of them. The daughter told the police that she had a miscarriage and tried to search for the date of her miscarriage in her Messenger app. Police suspected there could be more information within the messages and obtained and served a warrant against Facebook to gain access. The messages allegedly mentioned the mother obtaining abortion pills for her daughter and then burning the evidence. Facebook expanded default end-to-end encryption in the Messenger app just days later.{{Cite web |last=Duffy |first=Sara O'Brien, Clare |date=2022-08-10 |title=Nebraska teen and mother facing charges in abortion-related case that involved obtaining their Facebook messages {{!}} CNN Business |url=https://www.cnn.com/2022/08/10/tech/teen-charged-abortion-facebook-messages/index.html |access-date=2024-07-26 |website=CNN |language=en}}{{Cite web |last=Duffy |first=Clare |date=2022-08-11 |title=Meta testing expanded encryption features amid renewed scrutiny of messaging data {{!}} CNN Business |url=https://www.cnn.com/2022/08/11/tech/meta-messenger-encryption-tests/index.html |access-date=2024-07-26 |website=CNN |language=en}} Writing for Wired, Albert Fox Cahn criticized Messenger's approach to end-to-end encryption, which was not enabled by default, required opt-in for each conversation, and split the message thread into two chats which were easy for the user to confuse.{{Cite magazine |last=Cahn |first=Albert Fox |title=Facebook's Message Encryption Was Built to Fail |url=https://www.wired.com/story/facebook-message-encryption-abortion/ |access-date=2024-07-27 |magazine=Wired |language=en-US |issn=1059-1028}}

Some encrypted backup and file sharing services provide client-side encryption. This type of encryption is not referred to as end-to-end encryption because only one end has the ability to decrypt the data. However, the term "end-to-end encryption" is sometimes incorrectly used to describe client-side encryption.{{Cite web|title=Improving Non-Experts' Understanding of End-to-End Encryption: An Exploratory Study|url=https://www.researchgate.net/publication/342621891|access-date=2020-11-05|website=ResearchGate|language=en}}

End-to-end encryption ensures that data is transferred securely between endpoints. But, rather than try to break the encryption, an eavesdropper may impersonate a message recipient (during key exchange or by substituting their public key for the recipient's), so that messages are encrypted with a key known to the attacker. After decrypting the message, the snoop can then encrypt it with a key that they share with the actual recipient, or their public key in case of asymmetric systems, and send the message on again to avoid detection. This is known as a man-in-the-middle attack (MITM).{{cite book|last1=Schneier|first1=Bruce|last2=Ferguson|first2=Niels|last3=Kohno|first3=Tadayoshi|title=Cryptography engineering : design principles and practical applications|url=https://archive.org/details/cryptographyengi00ferg|url-access=limited|date=2010|publisher=Wiley Pub., inc.|location=Indianapolis, IN|isbn=978-0470474242|page=[https://archive.org/details/cryptographyengi00ferg/page/n211 183]}}

{{see also|Key Transparency}}

Most end-to-end encryption protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, one could rely on certification authorities or a web of trust.{{cite web|title=What is man-in-the-middle attack (MitM)? – Definition from WhatIs.com|url=http://internetofthingsagenda.techtarget.com/definition/man-in-the-middle-attack-MitM|website=IoT Agenda|access-date=7 January 2016|language=en-US|url-status=live|archive-url=https://web.archive.org/web/20160105000628/http://internetofthingsagenda.techtarget.com/definition/man-in-the-middle-attack-MitM|archive-date=5 January 2016}} An alternative technique is to generate cryptographic hashes (fingerprints) based on the communicating users’ public keys or shared secret keys. The parties compare their fingerprints using an outside (out-of-band) communication channel that guarantees integrity and authenticity of communication (but not necessarily secrecy{{citation needed|date=June 2020}}), before starting their conversation. If the fingerprints match, there is, in theory, no man in the middle.

When displayed for human inspection, fingerprints usually use some form of binary-to-text encoding{{citation needed|date=June 2020}}.{{cite journal|last=Dechand|first=Sergej|date=10–12 August 2016|title=An Empirical Study of Textual Key-Fingerprint Representations|url=https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_dechand.pdf|journal=The Advanced Computing System Association|pages=1–17}} These strings are then formatted into groups of characters for readability. Some clients instead display a natural language representation of the fingerprint.{{cite web|url=https://pep.foundation/docs/pEp-whitepaper.pdf|title=pEp White Paper|publisher=pEp Foundation Council|date=18 July 2016|access-date=11 October 2016|url-status=live|archive-url=https://web.archive.org/web/20161001160110/https://pep.foundation/docs/pEp-whitepaper.pdf|archive-date=1 October 2016}} As the approach consists of a one-to-one mapping between fingerprint blocks and words, there is no loss in entropy. The protocol may choose to display words in the user's native (system) language. This can, however, make cross-language comparisons prone to errors.

In order to improve localization, some protocols have chosen to display fingerprints as base 10 strings instead of more error prone hexadecimal or natural language strings.{{cite web|last1=Marlinspike|first1=Moxie|title=WhatsApp's Signal Protocol integration is now complete|url=https://whispersystems.org/blog/whatsapp-complete/|publisher=Open Whisper Systems|access-date=11 October 2016|date=5 April 2016|url-status=live|archive-url=https://web.archive.org/web/20161010101243/https://whispersystems.org/blog/whatsapp-complete/|archive-date=10 October 2016}} An example of the base 10 fingerprint (called safety number in Signal and security code in WhatsApp) would be:

37345 35585 86758 07668

05805 48714 98975 19432

47272 72741 60915 64451

Other applications such as Telegram, instead, encode fingerprints using emojis.

Modern messaging applications can also display fingerprints as QR codes that users can scan off each other's devices.{{cite web|last1=Budington|first1=Bill|title=WhatsApp Rolls Out End-To-End Encryption to its Over One Billion Users|url=https://www.eff.org/deeplinks/2016/04/whatsapp-rolls-out-end-end-encryption-its-1bn-users|website=Deeplinks Blog|publisher=Electronic Frontier Foundation|access-date=11 October 2016|date=7 April 2016|url-status=live|archive-url=https://web.archive.org/web/20160912010025/https://www.eff.org/deeplinks/2016/04/whatsapp-rolls-out-end-end-encryption-its-1bn-users|archive-date=12 September 2016}}

The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves. Each user's computer can still be hacked to steal their cryptographic key (to create a MITM attack) or simply read the recipients’ decrypted messages both in real time and from log files. Even the most perfectly encrypted communication pipe is only as secure as the mailbox on the other end. Major attempts to increase endpoint security have been to isolate key generation, storage and cryptographic operations to a smart card such as Google's Project Vault.Julie Bort, Matt Weinberger [http://www.businessinsider.com/googles-project-vault-for-secret-messages-2015-5?r=US&IR=T&IR=T "Google's Project Vault is a tiny computer for sending secret messages"] {{webarchive|url=https://web.archive.org/web/20170808195058/http://www.businessinsider.com/googles-project-vault-for-secret-messages-2015-5?r=US&IR=T&IR=T |date=2017-08-08 }}, Business Insider, NYC May 29, 2015 However, since plaintext input and output are still visible to the host system, malware can monitor conversations in real time. A more robust approach is to isolate all sensitive data to a fully air gapped computer.Whonix Wiki [https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key "Air Gapped OpenPGP Key"] {{webarchive|url=https://web.archive.org/web/20170808194727/https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key |date=2017-08-08 }} PGP has been recommended by experts for this purpose.{{cite web|quote=If I really had to trust my life to a piece of software, I would probably use something much less flashy — GnuPG, maybe, running on an isolated computer locked in a basement. |author=Matthew D. Green |url=https://blog.cryptographyengineering.com/2013/03/09/here-come-encryption-apps/ |title=A Few Thoughts on Cryptographic Engineering |date=9 Mar 2013}} However, as Bruce Schneier points out, Stuxnet developed by US and Israel successfully jumped air gap and reached Natanz nuclear plant's network in Iran.Bruce Schneier [https://www.schneier.com/blog/archives/2013/10/air_gaps.html "Air Gaps"] {{webarchive|url=https://web.archive.org/web/20170609082507/https://www.schneier.com/blog/archives/2013/10/air_gaps.html |date=2017-06-09 }}, Schneier on Security, October 11, 2013 To deal with key exfiltration with malware, one approach is to split the Trusted Computing Base behind two unidirectionally connected computers that prevent either insertion of malware, or exfiltration of sensitive data with inserted malware.{{cite web|url=https://github.com/maqp/tfc|title=maqp/tfc|website=GitHub|access-date=26 April 2018|url-status=live|archive-url=https://web.archive.org/web/20170331092533/https://github.com/maqp/tfc/|archive-date=31 March 2017}}

A backdoor is usually a secret method of bypassing normal authentication or encryption in a computer system, a product, an embedded device, etc.{{cite news|last1=Eckersley|first1=Peter|last2=Portnoy|first2=Erica|title=Intel's Management Engine is a security hazard, and users need a way to disable it|url=https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it|access-date=7 March 2018|agency=www.eff.org.|date=8 May 2017|url-status=live|archive-url=https://web.archive.org/web/20180306011455/https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it|archive-date=6 March 2018}} Companies may also willingly or unwillingly introduce backdoors to their software that help subvert key negotiation or bypass encryption altogether. In 2013, information leaked by Edward Snowden showed that Skype had a backdoor which allowed Microsoft to hand over their users' messages to the NSA despite the fact that those messages were officially end-to-end encrypted.{{cite news|last1=Goodin|first1=Dan|title=Think your Skype messages get end-to-end encryption? Think again|url=https://arstechnica.com/security/2013/05/think-your-skype-messages-get-end-to-end-encryption-think-again/|work=Ars Technica|date=20 May 2013|url-status=live|archive-url=https://web.archive.org/web/20151222185542/http://arstechnica.com/security/2013/05/think-your-skype-messages-get-end-to-end-encryption-think-again/ |archive-date=22 December 2015}}{{cite news|last1=Greenwald|first1=Glenn|author-link=Glenn Greenwald|last2=MacAskill|first2=Ewen|last3=Poitras|first3=Laura|last4=Ackerman|first4=Spencer|last5=Rushe|first5=Dominic|title=Microsoft handed the NSA access to encrypted messages|url=https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data|work=the Guardian|date=12 July 2013|url-status=live|archive-url=https://web.archive.org/web/20151119014627/http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data |archive-date=19 November 2015}}

Following terrorist attacks in San Bernardino in 2015 and Pensacola in 2019, the FBI requested backdoors to Apple's iPhone software. The company, however, refused to create a backdoor for the government, citing concern that such a tool could pose risk for its consumers’ privacy.{{Cite web|last=Leswing|first=Kif|date=2020-01-16|title=Apple's fight with Trump and the Justice Department is about more than two iPhones|url=https://www.cnbc.com/2020/01/16/apple-fbi-backdoor-battle-is-about-more-than-two-iphones.html|access-date=2021-04-16|website=CNBC|language=en}}

While E2EE can offer privacy benefits that make it desirable in consumer-grade services, many businesses have to balance these benefits with their regulatory requirements. For example, many organizations are subject to mandates that require them to be able to decrypt any communication between their employees or between their employees and third parties.{{cite news|title=Why GDPR Makes it Urgent to Scan Encrypted Traffic for Data Loss|url=https://blog.sonicwall.com/en-us/2017/11/why-gdpr-makes-it-urgent-to-scan-encrypted-traffic-for-data-loss/|work=SonicWall|date=28 November 2017}}

This might be needed for archival purposes, for inspection by Data Loss Prevention (DLP) systems, for litigation-related eDiscovery or for detection of malware and other threats in the data streams. For this reason, some enterprise-focused communications and information protection systems might implement encryption in a way that ensures all transmissions are encrypted with the encryption being terminated at their internal systems (on-premises or cloud-based) so they can have access to the information for inspection and processing.

• Comparison of instant messaging protocols
• {{slink|Comparison of VoIP software#Secure VoIP software}} – a table overview of VoIP clients that offer end-to-end encryption
• Diffie–Hellman key exchange – method of negotiating secret keys for the communicating users without sharing them with observers, such as the communication system provider
• End-to-end auditable voting systems
• Point-to-point encryption
• Crypto Wars

{{reflist|35em}}

• {{cite conference|last1=Ermoshina|first1=Ksenia|last2=Musiani|first2=Francesca|last3=Halpin|first3=Harry|editor=Bagnoli, Franco|display-editors=etal|pages=244–254|title=End-to-End Encrypted Messaging Protocols: An Overview|book-title=Internet Science |publisher=Springer |location=Florence, Italy |conference=INSCI 2016 |doi=10.1007/978-3-319-45982-0_22 |isbn=978-3-319-45982-0 |date=September 2016|url=https://hal.inria.fr/hal-01426845/file/paper_21.pdf}}
• {{cite journal |last1=Bhuse |first1=Vijay |title=Review of End-to-End Encryption for Social Media |journal=International Conference on Cyber Warfare and Security |date=2023 |volume=18 |issue=1 |pages=35–37 |doi=10.34190/iccws.18.1.1017 |doi-access=free}}

{{Cryptographic software}}

{{DEFAULTSORT:End-To-End Encryption}}

Category:Cryptography

Category:Telecommunications

Category:Secure communication

Category:Internet privacy

Category:Computer networks engineering