Entre Bits y Valores: El Debate Ético en Torno al Cifrado de Extremo a Extremo

Between Bits and Values: The Ethical Debate Around End-to-End Encryption

Esquema explicativo de cifrado de extremo a extremo

 What is end-to-end encryption and why is it important?

Over the last decade, information security has been gaining greater importance and awareness, where one of the aspects of security has been to converse privately, evolving archaic systems for transmitting clear information through sophisticated encryption mechanisms. end to end. 

End-to-end encryption (E2EE – End to End Ecryption) is a computer security mechanism that guarantees the confidentiality and integrity of data in a communication between two parties through a channel potentially insecure. It consists of encrypting the data at the source end and decrypting it at the destination (client-client) without this being done on the service provider's server, ensuring that a third party cannot intercept the data in the clear without the relevant decryption key. The asymmetric key pair [1], is generated between the sender and the recipient, which implies that only these two parties They have access to the keys necessary to decrypt the data. Therefore, the loss of the key pair would prevent access to the transmitted messages.

A practical example is found in instant messaging applications such as Signal, an open source project that uses robust Extended Triple Diffie-Hellman encryption [2] or Post-Quantum Extended Diffie-Hellman [3] proof of quantum computers. This guarantees privacy from a technological point of view, the only data linked to which is the telephone number. Although it may seem like an ideal application from a privacy point of view, its main disadvantage is its limited use. Other well-known applications such as WhatsApp are also based on the same scheme [4], where the privacy of conversations remains intact (as long as you have not been reported by a user [5]). In contrast, the large amount of other unencrypted user data and metadata collected on its servers could endanger privacy [6].

Another architecture opposite to end-to-end encryption is data-in-transit encryption, which consists of encrypting the message at the sending end, decrypting it at the server, encrypting it again at the server and finally decrypting it at the receiving end (client-server-client). . Like the previous one, it protects the information during its transmission, but allows the intermediary server to make use of the transmitted messages [7].

An example of this architecture is the Telegram application, where private messages use the cloud to host and process the transmitted data. However, the application also offers the option to encrypt communication end-to-end using 'secret messages' [8].

As can be seen, privacy technologies are very sophisticated, where despite the architecture or encryption used, there are non-technological factors such as the conditions and management offered by service providers that can indirectly influence privacy. of the user. 

Taking into account the rise of E2EE encryption not only in the field of instant messaging with very common basic functions among them, but also in email, video conferencing or others, there is a tipping point where users with fraudulent intentions could take advantage of the advantages of technology to transmit illegal content without being detected. So much so, that government institutions could implement restrictions on the use of end-to-end protocols [9]  by being hindered in the massive control of illicit content through keywords or other methods, as happened in 1993 with Phil Zimmermann [10] under investigation for having published PGP (Pretty Good Privacy i>). One possible measure could be to force technology companies to implement control mechanisms or content scans at each end before encryption and broadcast to the receiver, leaving the main feature of the protocol unusable.

To recap, regardless of the moral dilemma to what extent authorities should be allowed access to our privacy, it is recommended to use applications that collect the least amount of data possible, preferably open source and not controlled by a well-known giant company. for their commercial purposes. Additionally, it is recommended to protect the weakest end, the terminal, not only at the level of applications with possible embedded malware, exploitable vulnerabilities or backdoors, but also by protecting a strong password or using double verification factors. 

What do you think about banning the use of end-to-end encryption? 

And about the use of these protocols?

Is privacy at odds with the purpose of communication?

References

[1] J. Ramió Aguirre, “Class4crypt c4c10.4 RSA Algorithm,” [Online]. Available: https://youtu.be/w5dWeZwfK8w?si=70Arkine_WmHy3jX

[2] Wikipedia, [Online]. Available: https://en.wikipedia.org/wiki/Post-Quantum_Extended_Diffie-Hellman

[3] Web. [Online]. Available: https://en.wikipedia.org/wiki/Post-Quantum_Extended_Diffie-Hellman

[4] WhatsApp, [Online]. Available: https://faq.whatsapp.com/820124435853543/?locale=es_LA

[5] WhatsApp, [Online]. Available: https://faq.whatsapp.com/414631957536067/?helpref=hc_fnav

[6] Xataka, «Signal vs Telegram vs WhatsApp: what are the differences and which one takes more care of your privacy,» [Online]. Available: https://www.xataka. com/basics/signal-vs-telegram-vs-whatsapp-what-differences-which-takes-care-of-your-privacy

[7] «What is end-to-end encryption and why do you need it?» [Online]. Available: https://www.kaspersky.es/blog/what-is -end-to-end-encryption/23862/

[8] Telegram, [Online]. Available: https://core.telegram.org/api/end-to-end

[9] «Leaked Government Document Shows Spain Wants to Ban End-to-End Encryption,» [Online]. Available: https://www.wired.com/story/europe-break -encryption-leaked-document-csa-law/

[10] «The Critical Hole at the Heart of Our Cell Phone Networks,» [Online]. Available: https://www.wired .com/2016/04/the-critical-hole-at-the-heart-of-cell-phone-infrastructure/


Arturo Fernández, Cybersecurity Analyst at Zerolynx.

return to blog

Leave a comment

Please note that comments must be approved before they are published.