End-to-end encryption

From Wikipedia, the free encyclopedia

End-to-end encryption (E2EE) is a digital communications system that enables two or more parties, known as communication endpoints, to communicate securely through an untrusted third party, such as a telecommunications service provider, Internet provider, or application service provider.[1] E2EE can also describe a storage system in which encrypted data are stored (temporarily or permanently) with an untrusted third party, where only the authorized users of the storage hold the secret needed to decrypt the data.[2] Since the third party has no knowledge of the data being communicated or stored, surveillance and tampering are impossible, and therefore the confidentiality and integrity of the data are ensured. E2EE systems can be uncertified, or certified through independent auditing as compliant with standards such as PA-DSS, P2PE or PCI DSS. The security of uncertified systems depends on trusting the software on the communication endpoints, which sometimes comes from the third party itself, never to leak the encryption key to the untrusted party.

E2EE systems work by having the communication endpoints encrypt the data in transit using a pre-shared secret (as in PGP), a one-time secret derived from a pre-shared secret (as in DUKPT), or a secret negotiated in situ (as in OTR). Examples of end-to-end encryption include PGP and S/MIME for email; OTR, iMessage or Signal for instant messaging; Tresorit, MEGA or SpiderOak for cloud storage; ZRTP or FaceTime for telephony; and TETRA for radio.
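The following is an added illustration, not code from the Wikipedia article or from any of the products it names. It sketches the second pattern above, a one-time secret derived from a pre-shared secret, in standard-library Python: two endpoints share a secret out of band, each message gets its own derived encryption and MAC keys, and the relay in the middle (the service provider) only ever stores and forwards ciphertext. The stream cipher (HMAC-SHA256 in counter mode), the envelope layout and the `UntrustedRelay` class are all constructed for this example; this is not the DUKPT algorithm and not a production protocol.

```python
"""Toy end-to-end encryption over an untrusted relay (illustrative, stdlib only).

Alice and Bob share a pre-shared secret. Every message is protected with a
fresh one-time key pair derived from that secret and a message counter, using
encrypt-then-MAC, so the relay sees only opaque bytes and any modification it
makes is detected by the receiving endpoint.
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

TAG_LEN = 32        # HMAC-SHA256 tag length in bytes
COUNTER_LEN = 8     # big-endian 64-bit message counter


def derive_one_time_keys(psk: bytes, counter: int) -> Tuple[bytes, bytes]:
    """Derive a fresh (encryption key, MAC key) pair for one message.

    The pre-shared secret never encrypts data directly; only per-message keys
    do, so compromise of one message key does not expose the others.
    """
    ctr = struct.pack(">Q", counter)
    enc_key = hmac.new(psk, b"enc" + ctr, hashlib.sha256).digest()
    mac_key = hmac.new(psk, b"mac" + ctr, hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (constructed here)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(psk: bytes, counter: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Envelope layout: counter || ciphertext || tag."""
    enc_key, mac_key = derive_one_time_keys(psk, counter)
    ks = _keystream(enc_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    ctr = struct.pack(">Q", counter)
    tag = hmac.new(mac_key, ctr + ciphertext, hashlib.sha256).digest()
    return ctr + ciphertext + tag


def open_envelope(psk: bytes, envelope: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any tampering."""
    if len(envelope) < COUNTER_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    ctr = envelope[:COUNTER_LEN]
    body = envelope[COUNTER_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    counter = struct.unpack(">Q", ctr)[0]
    enc_key, mac_key = derive_one_time_keys(psk, counter)
    expected = hmac.new(mac_key, ctr + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: message was modified")
    ks = _keystream(enc_key, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class UntrustedRelay:
    """The service provider in the middle: it stores and forwards opaque bytes."""

    def __init__(self) -> None:
        self.log = []

    def forward(self, envelope: bytes) -> bytes:
        self.log.append(envelope)   # the provider may retain everything it sees...
        return envelope             # ...but it only ever holds ciphertext


def demo() -> dict:
    """Run one exchange through the relay and one tampering attempt by it."""
    psk = os.urandom(32)            # constructed sample: shared out of band beforehand
    relay = UntrustedRelay()
    message = b"meet at the usual place at 9"

    delivered = relay.forward(seal(psk, counter=1, plaintext=message))
    received = open_envelope(psk, delivered)

    # The relay flips one ciphertext byte; the receiving endpoint must reject it.
    tampered = bytearray(relay.log[0])
    tampered[COUNTER_LEN] ^= 0x01
    try:
        open_envelope(psk, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "received": received,
        "relay_saw_plaintext": message in relay.log[0],
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties the article attributes to E2EE show up directly in `demo()`: the relay's log never contains the plaintext (confidentiality), and a single flipped byte fails the tag check before any decryption happens (integrity). What the sketch does not give, matching the article's last paragraph, is any protection against a compromised endpoint or a weak random source for `psk`.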

Typical server-based communications systems do not include end-to-end encryption. These systems can only guarantee protection of communications between clients and servers, not between the communicating parties themselves. Examples of non-E2EE messaging systems are Google Talk, Yahoo Messenger and Facebook; examples of non-E2EE storage systems are Dropbox and Google Drive. Users may, however, use a third-party instant messaging client (such as Pidgin) that supports OTR, allowing them to layer their own end-to-end encryption over a non-E2EE protocol. Some non-E2EE systems, for example LavaBit and SecretInk, have even described themselves as offering "end-to-end" encryption when they do not.[citation needed] Some systems that normally offer end-to-end encryption have been found to contain a back door that subverts the negotiation of the encryption key between the communicating parties, for example Skype.[citation needed]

The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves, such as the technical exploitation of clients, poor quality random number generators, or key escrow.

References

  1. "What is end-to-end encryption?". TechTarget. Retrieved Nov 5, 2015. "End-to-end encryption (E2EE) is a method of secure communication that prevents third-parties from accessing data while it's transferred from one end system or device to another."
  2. "Top 10 Online Storage Solutions with Encryption". Hongkiat. Retrieved Nov 5, 2015. "These services provide end-to-end encryption for your data that is stored online. They use military-grade encryption algorithms to protect your data on their servers and while you upload or download them."

External links

  • How-To Geek: Why most web-services don't use end-to-end encryption.