
Posted 18 April 2016

The latest report published by Intel Security, titled “McAfee Labs Threat Predictions Report”, is not very optimistic about the evolution of the IT threats that companies will have to tackle over the next three years. One of the answers to these threats put forward by the IT security industry is data encryption, and more specifically what is known as end-to-end encryption. Yet, given the many ambiguous offerings to choose from, it is important to define precisely what end-to-end encryption is.

In a standard end-to-end encryption process*, data are encrypted as soon as they leave a terminal and remain encrypted through all transit nodes: the data are “scrambled”, and therefore protected. Where they transit no longer matters: confidentiality and integrity are preserved. Depending on the context, encryption can be packet-based, as in telecommunication systems, or file-based. In both cases, the confidentiality of the encrypted material is preserved regardless of the transit networks and systems.

End-to-end encryption is very strong when performed properly and offers incomparable levels of security, since it is independent of intermediate systems. However, whether to use it should be assessed case by case. For example, web-oriented applications are genuinely hard to adapt to this model**. Similarly, content-based search becomes more complex.

Nowadays, an inappropriate use of the term “end-to-end encryption” is spreading: data are described as encrypted at every moment when in fact the encryption is not continuous. Those who offer these solutions omit to state that at some point, in machine memory, the data are no longer encrypted. Not counting the memory that receives the data as a transit point is a serious misreading of the end-to-end concept. Some file-sharing web services add security layers at certain points of their processing (link encryption, data storage, sometimes memory, etc.) but not end to end, so that they can use the data on the server for commercial analytics (indexing, search, etc.). The confusion, leveraged by some unprincipled commercial parties, is to make users believe that “transit encryption” + “standstill encryption” = “end-to-end encryption” (“standstill” meaning at rest). It is wrong! With that kind of offering, where marketing and security are mixed, a significant amount of trust must be placed in the data-storage provider and intermediaries…
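The difference between the two models, as an added example that is not from the original post: a hypothetical `Provider` logs everything that passes through its memory, and a stand-in cipher built from HMAC-SHA256 replaces a real AEAD so the code runs with the standard library only. All class, function and key names are assumptions made for the illustration.

```python
import hashlib, hmac, secrets

# Stand-in authenticated cipher built from the standard library so the example
# runs offline. Assumption for illustration only: use a vetted AEAD in practice.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

class Provider:
    """Hypothetical storage service; `memory` logs every value it handled."""
    def __init__(self):
        self.link_key = secrets.token_bytes(32)  # shared with the client for transit
        self.disk_key = secrets.token_bytes(32)  # provider-held at-rest key
        self.memory, self.disk = [], []

    def store_transit_plus_rest(self, wire_blob):
        data = unseal(self.link_key, wire_blob)  # transit encryption ends here
        self.memory.append(data)                 # plaintext: indexable, searchable
        self.disk.append(seal(self.disk_key, data))

    def store_end_to_end(self, blob):
        self.memory.append(blob)                 # opaque: key never reaches the provider
        self.disk.append(blob)

def exposure(mode, message):
    """Return (plaintext seen in provider memory, plaintext visible on disk)."""
    p = Provider()
    if mode == "transit+rest":
        p.store_transit_plus_rest(seal(p.link_key, message))
    else:
        endpoint_key = secrets.token_bytes(32)   # known only to sender and recipient
        p.store_end_to_end(seal(endpoint_key, message))
    return any(message in m for m in p.memory), any(message in d for d in p.disk)
```

In both modes the stored copy is encrypted; only in the end-to-end mode is the provider's memory free of plaintext as well.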

* The real definition: https://en.wikipedia.org/wiki/End-to-end_encryption

** http://www.howtogeek.com/166507/why-most-web-services-dont-use-end-to-end-encryption
