End-to-end Payload Encryption
“Trust your application, not the network”
End-to-end payload encryption is a communications-security term for secure communication that does not depend on a secure channel. Instead of relying on a protocol lower in the stack to handle encryption, the application that creates a message encrypts and decrypts its own communication.
The key difference between traditional channel (“session”, “tunnel”) security and object security based on payload encryption is that the application does not need to trust the channel or the relaying nodes between sender and receiver.
Consider the case of an email message. When it is carried over an IPsec or TLS secured connection, the message is protected during transmission. However, it is unprotected in the receiver’s mailbox and in intermediate servers, hubs, etc., along the way.
By contrast, with object security the entire message is encrypted and integrity protected until it is examined and decrypted by the recipient. Object security also provides strong authentication of the actual sending device.
HYKER Payload Encryption Protocol (PEP) provides all necessary functionality, including encryption key distribution, for simplified development of fully asynchronous end-to-end secure applications. While the content of a message is protected end-to-end, it is still possible to define and retrieve metadata about the transaction, which can be stored on request in an application-related database, for instance for statistical purposes. Otherwise, all traces of the transaction are erased from our systems upon delivery of the message.
Typical deployments include:
- Asynchronous communication via message brokers (e.g. MQTT, AMQP, XMPP) where tunnel security is inefficient.
- End-to-end communication where the network and the relaying hubs, servers, cloud services, etc. cannot be trusted.
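The object-security model described above, as an added Go illustration that is not HYKER's code and does not implement PEP: the sending application signs the message with its device key, encrypts it under a content key shared with the recipient (a pre-shared key here stands in for PEP's key distribution), and binds the routing metadata a broker needs as associated data, so any relay in between can store and forward the object but cannot read it, alter it, re-route it or substitute the sender undetected. AES-GCM, Ed25519 and the MQTT-style topic are my choices for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Envelope is all a relay sees: routing metadata in the clear, payload sealed.
type Envelope struct {
	Topic         string            // e.g. an MQTT topic the broker needs for routing
	Sender        ed25519.PublicKey // identifies the sending device
	Nonce, Sealed []byte            // GCM nonce; ciphertext of message || Ed25519 signature
}
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong content-key length is a caller bug
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES blocks are 128 bits
	return aead
}
// Seal runs in the sending application: sign with the device key, then encrypt
// under the content key. Topic and sender key are bound as associated data.
func Seal(topic string, msg, key []byte, dev ed25519.PrivateKey) Envelope {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	pub := dev.Public().(ed25519.PublicKey)
	plain := append(append([]byte{}, msg...), ed25519.Sign(dev, msg)...)
	sealed := aead.Seal(nil, nonce, plain, append([]byte(topic), pub...))
	return Envelope{topic, pub, nonce, sealed}
}
// Open runs only in the receiving application; relays just store and forward.
func Open(env Envelope, key []byte) ([]byte, error) {
	ad := append([]byte(env.Topic), env.Sender...)
	plain, err := newGCM(key).Open(nil, env.Nonce, env.Sealed, ad)
	if err != nil {
		return nil, errors.New("payload or metadata altered in transit")
	}
	n := len(plain) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(env.Sender, plain[:n], plain[n:]) {
		return nil, errors.New("sender authentication failed")
	}
	return plain[:n], nil
}
```

Note that a broker holding only the Envelope learns the topic and the sender's public key, which is exactly the kind of transaction metadata the text says can be retained, while the payload stays opaque to it.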