This article focuses on end-to-end encryption (E2EE), one of the possible ways to secure data transmission. We’ll look at the basic principles of how it works and at the apps that provide end-to-end encryption functionality.
When it comes to data safety on the Internet, an average user may think that matters such as end-to-end encryption do not concern him. Indeed, when chatting with friends and relatives with no personal data involved, you can rely on luck and not worry about the safety of your messages or about end-to-end encryption.
But nowadays, data exchange via the Internet includes online banking and shopping, sending scans of personal documents, airline tickets, etc. That’s why, even if you do not own valuable corporate information, it won’t be superfluous to understand the principles of end-to-end encryption in messaging apps. Support for such functionality in enterprise apps can be critical if you want to avoid possible man-in-the-middle attacks and protect valuable data from eavesdroppers.
Here we are going to describe the following:
- What is end-to-end encryption?
- How does end-to-end encryption work?
- Examples of end-to-end encryption software
- Security standards in WebRTC apps
The majority of information security experts agree that end-to-end encryption is one of the most reliable methods to secure data exchange. With this approach, the messages transmitted between end-to-end encryption applications can be read only by the users of these apps and not by any third party. This is achieved by using unique keys for data encryption and decryption. Only the end users can generate and store these keys.
End-to-end encryption was designed to ensure that even if a malefactor gets access to the transmitted data, he won’t be able to decipher it. This distinctive feature of end-to-end encryption also applies to the servers that can store sent messages.
Since servers are not involved in the key generation process, all that a server “sees” is the encrypted messages transmitted between the communicating users. So, even in the case of a data leak from a server, nobody will be able to read the data.
Let’s take a closer look at how end-to-end encryption works to understand better how it can guarantee data safety.
According to the end-to-end encryption methodology, when a chat session starts, every user’s app generates two cryptographic keys. Such keys can be generated using the PGP (Pretty Good Privacy) application. Since PGP’s initial release in 1991, there has been no evidence of it being hacked.
The first key is the public key.
End-to-end encryption apps exchange these keys with each other.
The second one is a secret key.
The secret key doesn’t leave the device. With the public key, a user can only encrypt a message. To decrypt that message, according to the end-to-end encryption methodology, you need the corresponding secret key.
It doesn’t matter if a third party gets access to the public key, since it can be used only to encrypt data. That’s why you can transmit public keys over an open communication channel.
After every end-to-end encryption app has generated a pair of keys and the apps have exchanged public keys, secure communication can begin. Data such as messages, video, and audio files is encrypted on the sender’s side before being sent to a server. The data is stored on the server until the recipient’s app can receive it. After the recipient has notified the server that the data was received, the data can be deleted from the server or kept there for some time.
Here’s a good analogy that helps explain how end-to-end encryption apps work. Imagine that two people are talking in a foreign language. A third person who does not have the required language skills (does not have the encryption key) can’t extract any valuable information from the messages he hears.
This fairly simple concept ensures that messages are transferred securely between two or more endpoints. Encryption and decryption are not a hard task for modern devices. Even mobile apps can handle end-to-end encryption without any trouble. Probably the only situation that can be a source of worry is chatting with multiple users.
In this case, if you want to send a message, you have to encrypt it for each recipient. The higher the number of participants, the more work your end-to-end encryption application has to do. To avoid possible lags in the app, developers need to make an extra effort to ensure that end-to-end encryption doesn’t harm the user experience.
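The key-pair flow and the per-recipient cost described above can be seen in a short Node.js sketch. This is an added example, not code from the article or from any of the apps it lists; the names `newDevice`, `seal`, `open` and `demo` are hypothetical. It goes one step beyond the text by using a common hybrid scheme: the body is encrypted once with AES-256-GCM and only the 32-byte message key is encrypted for each recipient with RSA-OAEP.

```javascript
// Added example, not from the article. All names here are hypothetical.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each app generates its own pair; only publicKey is ever sent to other users.
function newDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Sender side: encrypt the body once with a fresh AES-256-GCM key, then
// encrypt ("wrap") that key separately under each recipient's public key.
function seal(plaintext, recipients) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrapped = {};
  for (const r of recipients) {
    wrapped[r.name] = crypto.publicEncrypt({ key: r.publicKey, ...OAEP }, key);
  }
  // This envelope is everything the server stores and forwards.
  return { iv, body, tag: cipher.getAuthTag(), wrapped };
}

// Recipient side: unwrap the message key with the secret key, then decrypt.
// Throws if the key was not wrapped for this device or the data was modified.
function open(envelope, device) {
  const wrappedKey = envelope.wrapped[device.name];
  if (!wrappedKey) throw new Error(`no key wrapped for ${device.name}`);
  const key = crypto.privateDecrypt({ key: device.privateKey, ...OAEP }, wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.body), decipher.final()]).toString('utf8');
}

// Constructed sample run: two recipients and one outsider holding the envelope.
function demo() {
  const [alice, bob, eve] = ['alice', 'bob', 'eve'].map(newDevice);
  const envelope = seal('flight AB123, seat 14C', [alice, bob]);
  let outsider = 'decrypted';
  try { open({ ...envelope, wrapped: { eve: envelope.wrapped.bob } }, eve); }
  catch (err) { outsider = 'failed'; }
  return { bob: open(envelope, bob), outsider, wrappedKeys: Object.keys(envelope.wrapped).length };
}

console.log(demo());
```

The sketch assumes the exchanged public keys are authentic; it does not show how recipients verify that a key really belongs to the other user.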
Now, let’s take a look at some examples of the apps that provide users with end-to-end encryption functionality.
1. WhatsApp Messenger
One of the most popular messengers in the world was initially released in 2009. The first version of the app had no end-to-end encryption algorithms. For data transmission, WhatsApp uses an open and free protocol called XMPP. It’s based on XML and allows exchanging text messages, audio/video data, and files.
In 2012 developers of the app began to work on the end-to-end encryption features. At first, it was only about encrypted text messages. But starting from 2014 it allows exchanging encrypted text and audio/video messages.
This is a text and video messaging app. It holds the title of the most popular messenger in Russia. It was released in 2010, but support for end-to-end encryption was added only in 2016. Starting from version 6.0, text and voice messages between individuals and groups are protected by end-to-end encryption.
Note that this feature works only if all participants are using the latest Viber version. According to the developer’s overview of the app, it uses the same security concepts as the Signal messenger.
Encrypted Text Message Apps
1. Facebook Messenger App
Starting from October 4, 2016, the Facebook Messenger app allows using end-to-end encryption. This optional feature is available in Secret Conversations mode and includes a timer that shows how long the encrypted messages will remain invisible. Since this option is not enabled by default, it is up to the user to make sure that the data transmission is safe.
This messenger app for iOS was developed in 2011. At the first stage of end-to-end encryption, the message is encrypted by a combination of a 1280-bit RSA public key and the 128-bit AES algorithm. Then, using the ECDSA (Elliptic Curve Digital Signature Algorithm) algorithm, the messenger creates a signature. After that, users exchange the keys needed for end-to-end encryption.
3. Signal Private Messenger
Signal is an example of a highly secure text messaging app with strong end-to-end encryption algorithms. Messages are encrypted by the Signal Protocol, which combines prekeys, the Double Ratchet Algorithm, and a 3-DH handshake.
Voice calls are encrypted with SRTP and the ZRTP key-agreement protocol. Its reliability can be judged from the fact that many other messengers such as WhatsApp, Facebook Messenger, and Google Allo use it as a basic end-to-end encryption algorithm.
The Signal Protocol allows using end-to-end encrypted group chats as well. According to the researchers from Ruhr University Bochum, UK’s University of Oxford and many others, this protocol was deemed safe and secure.
4. Voxer Walkie Talkie App
Not so long ago, Voxer Walkie Talkie, a chat app with voice message support, joined the list of end-to-end encryption software. Developers launched the first version of this iOS and Android app back in 2011.
The main distinctive feature of Voxer is a Live-messaging mode. It allows users to organize audio broadcasts or exchange short voice messages. You can listen to these messages as they’re coming or they can be saved so you can return to them later.
And now, Voxer developers have added end-to-end encrypted private chats to their app. From now on, all the data that you share via the private chat such as voice messages, text, or files are protected by end-to-end encryption based on Signal Protocol. Currently, the end-to-end encryption feature is available only for one-on-one chats.
At the moment, protected group chat is an expected feature. All content sent using a private chat won’t be shared with other devices. Instead, it’ll be erased right after you log out of your account.
5. Telegram Messenger
Telegram messenger appeared in 2013. It’s available for both mobile and desktop platforms. Users can exchange messages and files of any type. Even though end-to-end encryption is not enabled by default, you can use this feature by activating the Secret Chat mode. Before messages are sent via the transport protocol (HTTP, TCP, UDP), the MTProto protocol encrypts them.
This end-to-end encryption protocol was created by the Telegram app developers, and it consists of three parts. The high-level component defines the method that converts API responses and answers into binary code. The cryptographic layer defines the method of encryption that will be used before sending the message. The last one, the delivery component, defines the method of message delivery.
During message preparation, to provide strong end-to-end encryption, Telegram adds a 64-bit key identifier to the body of the message. This identifier defines the authorization keys of the user and the server. Together, they form a 256-bit key and a 256-bit initialization vector. This vector is used for message encryption by the AES-256 algorithm. The encrypted message contains the following info: session, message ID, the serial number of the message, and server salt.
WebRTC is a technology for building web chat apps that is rapidly gaining popularity. Possibly the reason for such attention is that WebRTC apps can be used without installing any third-party add-ons. End-to-end encryption support also played a role.
Since WebRTC support was added to modern browsers, they can compete with communication software such as Skype. Such apps can provide users with all the required functionality, including message encryption. You can exchange messages and make video calls right from your web browser.
Developing WebRTC-based software with end-to-end encryption support doesn’t require using any frameworks. But despite the seeming simplicity, browser security standards in WebRTC apps leave no room for concern. Depending on the channel type, a WebRTC app uses the DTLS (Datagram Transport Layer Security) or the SRTP (Secure Real-time Transport Protocol) protocol.
The first one is used for data streams; the second one was designed for media streams. The security protocols ensure that the data transfer process is secured with encryption keys. Support for the TLS/SSL standards allows using a secure HTTPS connection. End-to-end encryption between the peers guarantees that no third party will be able to get access to your data, which is particularly important in the case of enterprise apps.
If you follow the trends in the development of chat apps, it won’t be a secret that security issues are a source of concern for both users and developers. Users are becoming choosier and are paying increasing attention to the safety level of the messaging apps they use.
Developers, following these wishes of users, try to implement the most reliable and cutting-edge end-to-end encryption technologies that provide secure data transmission. An end-to-end encryption app allows reaching the desired level of data security. The best part about E2EE is that even if a third party finds a way to intercept your messages, without the secret key that is stored on your device there will be no chance to decrypt them.
Since using communication apps in business involves additional risks associated with data leaks, opting for end-to-end encryption software may be crucial. To be sure that the functionality of a chat app meets your needs and provides the necessary security level, it’s better to prefer custom WebRTC app development over using the existing solutions.