Recently, I made a post on our blog about encryption - what it is, how it relates to other similar terms in the industry, and why it is important. Today, it's time to take the topic further and explain end-to-end encryption vs link encryption.

As you may know, we at Secure Group develop products that offer end-to-end encrypted communication. Namely, our apps Secure Email, Secure Chat, and Secure Voice. So I'll start with this side of the comparison.

Note: this is not a versus scenario in which one of the two options will simply win. What I'll try to do here is compare the two types of encryption by presenting their specific features.

What is end-to-end encryption?

End-to-end encryption, sometimes abbreviated as E2EE, is a system for secure transfer of information where data is encrypted and decrypted only at the end points, no matter how many points it touches in the middle of its virtual journey. This type of encryption is a great way to provide secure, private communication.

End to end encryptionFor example, person A wants to tell person B something - a big secret no one else should be able to read. They are far from each other and need a secure communication channel, let's say email. So they both install the same app, like our Secure Email, to start communicating. In his app, person A creates a pair of cryptographic keys - one to encrypt the outgoing email and one to decrypt it when it arrives. Then he shares the decryption key with person B, writes the email and sends it to him. Person B receives the encrypted email in his Secure Email, where it gets decrypted and becomes readable again.

No matter what happens with the email while it travels from person A to person B, no one in the middle will be able to read it because no one else has the key to decrypt it. And the same goes for chat and even voice communication (amazing, I know).

No one but the communicating users

So in end-to-end encryption, only the communicating users can read the messagesIn principle, it prevents potential eavesdroppers – including telecoms, ISPs, and even the company running the specific communication service, such as Secure Group – from being able to access the cryptographic keys needed to comprehend the conversation.

This is why companies that offer or use end-to-end encryption services are usually unable to hand over their users' messages to anyone.

I say "usually" because there are companies that do offer end-to-end encryption communication services but also have a "backdoor", i. e. a universal way to access users' messages and hand them over. This is a practice that we firmly disapprove.

Secure the ends

Of course, there are still two vulnerable points left even in the most perfect end-to-end encryption scheme: the ends. If a bad guy hacks into person B's phone or forces person B to use his phone in front of him, then the incoming secret will be compromised.

So there are two more things to secure - the device and the person himself.

While we at Secure Group don't offer physical security, we do have our own secure phones developed to counter such scenarios: the Android-based Secure Phone line of smartphones and the BlackBerry-OS-based Secure BlackBerry line.

They can all be controlled and wiped remotely by assigned administrators using our exclusive mobile device management systems and have a variety of security features to address anyone's needs.

What is link encryption?

Link encryption differs from end-to-end encryption mainly in the fact that it encrypts and decrypts all traffic at every point, no just at the end points. With this approach, all data is in an encrypted state while it travels on its communication path. However, when it reaches a router or another intermediate device, it gets decrypted so that the intermediator knows which way to send it next.

HTTPSSometimes called online encryption, link encryption is usually applied by service providers and is incorporated into network protocols. Unlike end-to-end encryption, which is most often initiated by a user, link encryption is commonly initiated or enforced by the service provider.

TLS and SSL are the most common

The most common form of link encryption are cryptographic protocols Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), both frequently referred to as SSL.

So from a service provider's point of view, link encryption is convenient because it works no matter what users do and still offers security. This is why it is preferred in human-to-server communication (but also human-server-human).

For example, the Secure Group website utilizes link encryption via SSL. When visitors use it to log into our systems for registered users, the entire traffic between them and us is encrypted, no matter if they want it or not.

However, a major weakness is that information (or part of it) needs to be decrypted at several points before it reaches its destination. This is why it's better to protect sensitive user-to-user communication via end-to-end encryption.

Well, I hope this cleared the matter. Follow our website, blog and Facebook page for more information about encryption and posts like this one.

Download Whitepaper