End-to-End Lifecycle Encryption
“Trust your application, not the network”
E2EE vs network security
End-to-End Encryption (E2EE) is a term used in communications security describing secure communication with no need for a secure channel. Instead of relying on a communication protocol lower in the stack to handle the encryption, the application that created the message will handle encryption and decryption of its own communication.
The key difference between traditional channel (“session”, “tunnel”) security and payload encryption based object security is that an application does not need to trust a channel and the different relaying nodes between sender and receiver.
Consider the case of an email message. When it’s carried over an IPSEC or TLS secured connection, the message is protected during transmission. However, it is unprotected in the receiver’s mailbox, and in intermediate servers, hubs, etc., along the way.
By contrast, with object security, the entire message is encrypted and integrity protected until it is examined and decrypted by the recipient. It also provides strong authentication of the actual sending device.
HYKER End-to-End Lifecycle Encryption
Often End-to-End is considered being encryption from one device to another. HYKER has taken this concept a step further since we focus on protecting the actual data element. When we talk about End-to-End we talk about the full lifecycle between the production of data until the consumption of that data.
This creates logical endpoints that can be, for instance, a device, but can also be a person, a vehicle, an analytics software, or anything else that produces or consumes data. It’s only in these logical endpoints that data can be accessed in clear text, never at any time or any place in-between.
To access the data the endpoint will need a key, a key that is generated by the producer endpoint and linked to the specific data produced. This key is never stored in a central point but will be shared upon request if so approved by the producer, or by a party to which the producer has delegated the key sharing rights to.
Different End-to-End Encryption models
E2EE comes in different flavors depending on the purpose the model has been developed for.
- Designed for e2e secure email.
- Simple in construction, (encrypt email symmetrically, then encrypt key asymmetrically)
- Identity tied to email
- Decentralised authentication (Web of Trust)
- Designed for Perfect Forward Secrecy (Throw everything away)
- Complex in construction, (X3DH, double ratchet)
- Identity tied to phone number
- Access control decided by device at send time
- GPLv3 for clients & AGPLv3 for servers
- Operates between recipients known and registered at send time
- Designed for retroactive access and dynamic trust
- Simple in construction
- Bring your own identity
- Dynamic recipient set
- Grant access to messages retroactively
- Access control delegation possible
- Commercial Software License
|Perfect Forward Secrecy||x|
|Access Control Delegation||x|
HYKER End-to-End Security provides all necessary functionality, including encryption key distribution, for simplified application development of full asynchronous end-to-end secure applications.