||This article provides insufficient context for those unfamiliar with the subject. (October 2009)|
End-to-end encryption (E2EE) is an uninterrupted protection of the confidentiality and integrity of transmitted data by encoding it at its starting point and decoding it at its destination. It involves encrypting clear (red) data at source with knowledge of the intended recipient, allowing the encrypted (black) data to travel safely through vulnerable channels (e.g. public networks) to its recipient where it can be decrypted (assuming the destination shares the necessary key-variables and algorithms).
In this context E2EE allows security-aware users (e.g. police) to retain control over access to their communications. Unlike TETRA air-interface encryption (an example of Link encryption) users do not have to share key-variables with network operators (e.g. 'Airwave', 'A.S.T.R.I.D', 'C2000'). In this way the user traffic (in this case voice or data) travels through the public network encrypted from the transmitting user terminal until it reaches the receiving user terminal where it is decrypted.
If only air-interface encryption were used, interception of the user traffic would be possible at any point after the air-interface encryption had been removed (i.e. at any point other than the TETRA air-interface) and the traffic entered the trunked network. This exposes the user traffic to any weaknesses of the trunked network and implicitly requires trust between the user and the network operator. In this way E2EE is particularly suited to situations where users do not trust network operators or government infrastructures.
In the TETRA deployment of E2EE the management, distribution and updating of encryption key-variables and crypto-associations (links between network address and key-variables) is facilitated by use of a Key Management Centre (KMC). The KMC is under user-control, although it is connected to the trunked-network to allow the user to manage E2EE terminals by the use of encrypted key-management messages (KMMs). These KMMs allow the user to achieve Over-The-Air re-Keying (OTAK).
The key-variables and crypto-associations allows the user (by use of the KMC) to partition the trunked-network address space into 'encrypted' and 'non-encrypted' channels. It is possible to define sets of key-variables called crypto-groups, and it is further possible to define which crypto-group any particular encrypted channel uses. Furthermore, it is possible for the operator of the KMC to partition their user-fleet into user-groups (groups of users who receive the same crypto material).
This lets the KMC user determine which parts of their user-fleet can communicate with one another and allows the user organisation to achieve crypto-separation between different groups of users. This is particularly important in organisations that are self-policing: internal investigations must be conducted without the knowledge of those being investigated and so investigators would want crypo-separation between their own communications and that of other users. Correct operation of KMC will allow the internal-investigator to intercept other user communications while not being able to be intercepted himself.
-  A presentation by Brian Murgatroyd to the SFPG