End-to-End Encryption (E2EE): Definition & Examples

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.
Read more
Okta
Updated: 06/16/2022 - 11:44
Time to read: 6 minutes

End-to-end encryption, or E2EE, works just the way the name implies — by encrypting data from one end to the other. 

Data or communications are encrypted on the device they are created and sent from, and then kept in the encrypted state until reaching the intended recipients where the data is then decrypted. In this way, the data is protected the entire time it is in transit. 

Third parties or unauthorized viewers are not able to read the communication even if it is intercepted.

E2EE works to keep communications and data secure. It is only readable between an intended sender and recipient. Even the service provider or server cannot read the encrypted messages. 

End-to-end Encryption is considered extremely secure. Even if hackers intercept the communication, they will not be able to read it without the private key only the sender and recipient have. 

E2EE requires the devices sending the communications to be secure, however. If even one of them is compromised, the entire message chain is then readable.

End-to-end encryption can be more secure than encryption-in-transit, as these messages can also be read by the server. E2EE can only be deciphered by the sender and intended recipient. 

What is end-to-end encryption?

End-to-end encryption serves to decrypt data or messages on one device, send them to a recipient, and decrypt them on the receiving end. While in transit, the message cannot be read by anyone, including the server. 

Encryption and decryption occur on the device level. This means that the computer or mobile device used to send the message decrypts the original data before transmission. Then, once the message reaches the recipient, their device will serve to decrypt the message. 

There is no opportunity for a third party to intercept and read the message. If an unauthorized party gains access to the communication, they will be unable to read it in its encrypted form. Without the intended recipient’s device to decrypt it, the message remains safe and secure.

End-to-end encryption is more secure than encryption-in-transit or transport layer encryption, which uses a third party to encrypt messages transmitted over the internet. 

The downside of this type of encryption is that law enforcement agencies are able to present a national security letter or warrant to access the data without the knowledge of the sender or recipient. The third party has access to the decryption keys and therefore the messages will be readable. 

With E2EE, there is no ability for eavesdropping or reading the contents of a message while it is in transit.

How does E2EE work?

End-to-end encryption commonly works using asymmetric cryptography involving a public key and a private key for encryption and decryption purposes. The public key is generated by a trusted CA (certificate authority) and publicly accessible. 

Public keys are stored on the server and used to decrypt messages. The private key, however, is kept on the device of the recipient directly. Only the unique and secret private key can decrypt the message sent with the corresponding public key.

The public key is used to lock the message, while the private key serves to unlock it. As only the intended has access to the private key, the message is indecipherable to anyone else. 

An example would be that John and Sally want to send confidential information back and forth. Both would set up accounts on the system that would then generate them each a public and private key pair. The public key remains stored on the server, while each unique private key is kept on the device of John and Sally respectively. John uses Sally’s public key to encrypt and send a message, which is then decrypted by Sally’s own private key. The same works in reverse when Sally wants to send a message to John. No one can eavesdrop on the message in transit.

Is end-to-end encryption prone to hacks?

End-to-end encryption can protect the contents of data and communications even from the server while it is being sent. If someone were to hack and read the transmission, all they would be able to see is gibberish since the message would still be encrypted. While the data or message can be hacked, it still remains unreadable.

E2EE can fall prey to man-in-the-middle attacks (MITM) however. A MITM attack occurs when the cybercriminal impersonates the sender or receiver. The attacker does not have to try and break the encryption, which most will not even attempt to do. Rather, they just have to gain access to a recipient during the key exchange process or through a substitution of the public key.

Endpoint authentication protocols can help to prevent MITM attacks by authenticating users before the communication begins to ensure that each user is who they say they are. This prevents any “man” in the middle of a conversation.

The benefits of end-to-end encryption

E2EE can provide a level of high security and ensure privacy and confidentiality between messaging and data transmission. 

Unlike with typical email providers, including Microsoft, Gmail, and Yahoo, where the provider has access to the contents of the user’s files and data, allowing them to read your messages or turn them over in a readable format to law enforcement when prompted, E2EE guarantees messages remain private and only read by the intended parties.

End-to-end encryption can offer the following benefits:

  • Security: Using asymmetric cryptography offers a high level of encryption and decryption.
  • Privacy: Even the provider or server does not have the ability to decrypt your data or messages.
  • Integrity: E2EE ensures that the message remains intact from sender to recipient and free from tampering or alteration of any kind.
  • Safety: Hackers or potential eavesdroppers cannot read the encrypted message.
  • Administrator protection: Attacks on the administrators will not result in access to the decryption key or device, rendering this form of attack useless.

The pitfalls of end-to-end encryption

End-to-end encryption can protect the privacy of your message and make it unreadable to potential eavesdroppers, but it does not erase any trace of the message being sent or its existence. The server can recognize who is communicating and with whom, what time the messages were sent, and with what frequency.

Perhaps the biggest limitation to end-to-end encryption, however, is the inability to be sure that both devices are secure. If a third party gains access to either one of the devices used for the communication, they will then have access to the private key and the ability to decrypt and read your communications. If the device falls into the wrong hands and it is not protected by some kind of security, like a PIN code or login requirement, the messages are no longer secure.

Similarly, it can be virtually impossible to know if the recipient is also following security protocols and if their device is similarly protected. End-to-end encryption is only as secure as the people and devices using it.

Additional resources

The National Security Agency (NSA) recommends the use of end-to-end Encryption when possible and especially for teleworking to protect confidential information and keep communications private. 

End-to-end encryption is considered so secure that the United States Department of State has adopted an ITAR amendment allowing controlled technical data to be transferred outside of the United States without requiring an export license if E2EE is used.

References

What Is End-to-End Encryption? Another Bull’s-Eye on Big Tech. (November 2019). The New York Times.

Man-in-the-Middle Attack (MitM). National Institute of Standards and Technology (NIST).

Selecting and Safely Using Collaboration Services for Telework- UPDATE. (November 2020). National Security Agency (NSA).

State Department Adopts ITAR Amendment on Use of End-to-End Encryption in International Data. (March 2020). JD Supra, LLC.