“Trust your application, not the network”
E2EE vs network security
End-to-End Encryption (E2EE) is a term used in communications security describing secure communication with no need for a secure channel. Instead of relying on a communication protocol lower in the stack to handle the encryption, the application that created the message will handle encryption and decryption of its own communication.
The key difference between traditional channel (“session”, “tunnel”) security and payload-encryption-based object security is that an application does not need to trust the channel or the relaying nodes between sender and receiver.
Consider the case of an email message. When it is carried over an IPsec- or TLS-secured connection, the message is protected during transmission. However, it is unprotected in the receiver’s mailbox and in the intermediate servers, hubs, etc. along the way.
By contrast, with object security the entire message is encrypted and integrity-protected until it is examined and decrypted by the recipient. It also provides strong authentication of the actual sending device.
Different End-to-End Encryption models
E2EE comes in different flavors depending on the purpose the model has been developed for.
- Designed for e2e secure email
- Simple in construction (encrypt the email symmetrically, then encrypt the key asymmetrically)
- Identity tied to email
- Decentralised authentication (Web of Trust)

- Designed for Perfect Forward Secrecy (throw everything away)
- Complex in construction (X3DH, double ratchet)
- Identity tied to phone number
- Access control decided by device at send time
- GPLv3 for clients & AGPLv3 for servers
- Operates between recipients known and registered at send time

- Designed for retroactive access and dynamic trust
- Simple in construction
- Bring your own identity
- Dynamic recipient set
- Grant access to messages retroactively
- Access control delegation possible
- Commercial Software License
|Perfect Forward Secrecy||x|
|Access Control Delegation||x|
HYKER End-to-End Security provides all necessary functionality, including encryption key distribution, for simplified development of fully asynchronous end-to-end secure applications. While the content of a message is protected end-to-end, it is still possible to define and retrieve metadata about the transaction, which can be stored on request in an application-related database, for statistical purposes for instance. Otherwise, all traces of the transaction are erased from our systems upon delivery of the message.
Example deployments include:
- Asynchronous communication with message brokers (e.g. MQTT, AMQP or XMPP) where tunnel security is inefficient
- End-to-end communication where the network and relaying hubs, servers, cloud, etc. cannot be trusted