Subscribe to Email Updates

By Fady Bashay


Text Size

- +

Topics: Risk Management

Because many applications require the transfer and sharing of sensitive information, such as email, text messages, documents,and control data, it is imperative to pass these information assets from sender to receiver in an encrypted format. Every day, we hear news about new security breaches of personal information, credit cards information, and sensitive data that was stolen or disclosed because it wasn’t encrypted either in transit or at rest.

Download The Beginner’s Guide to Cybersecurity Risks

You need a way to keep this data protected, but still usable. End-to-end encryption is the way to accomplish this. But how can you ensure your data remains safe? How do you keep your information assets usable without being stolen? Here’s how end-to-end encryption works and how you can keep your information assets protected.

End-to-End Encryption Ensure Data Remains Safe

With end-to-end encryption,sensitive information assets are encrypted and not decrypted until they’ve reached the authorized user. Thanks to the complex mathematical algorithms like DES, AES, RSA, El Gamal, and hashing used in modern encryption systems, data encryptionrenders stealing the message by a cybercriminal useless, since the copied message will be indecipherable.

An encryption algorithm by itself cannot make encryption work. But it can be used todevelopsecure applications that embody this algorithm and deploy encryption protection automatically.

The two most common ways of building end-to-end encryption are by either using a single secret key encryption process (symmetric encryption) or usinga key pair encryption (public key encryption) process.

Keys in the Information Kingdom

The way public key encryptionoperates is through anencryption/decryption key system, which works using key pairs: a public and a private key. When information needs to be sent, it’s encrypted on the sender’s end with a public key. The public key ismathematically paired to the private key and can be given out to anyone who wants to encrypt a message.

When the public key is used for encryption, only the associated private key can be used for decryption.Obviously, it needs to be protected and kept private.

When the information encrypted with the public key is then sent to where it needs to go, the private key does its job of decrypting the information at the destination that was originally encrypted by using its public key.

Think of it as a locked dropbox. Only you have the key to open the box—ensuring anything left inside is safe until you choose to open the box with your private key. But anyone can leave a package in the box by dropping it through the open slot,provided you’ve told them where the box is (the “where” is the public key you use to drop it through the open slot).

Some examples of end-to-end encryption applications aremessage and code signing, anSSL/TLS web server, and anSSH remote login service.

Private Key Management

Without private key applications,we would not be able to decrypt data, use certificates for code signing, or securely communicate with a SSL/TLS web server.Hence, protecting private keys is vital forend-to-end encryption.

Some companies take this to heart and ensure the private key is only accessible through a secure serviceand device that remains isolated from the common network. There are a number of best practices used to securely store and manage private keys.

One of the best ways is the use of hardware storage devices such as USB tokens, smart cards and Hardware Security Modules (HSM). Having private keys securely stored in a hardware storage device with restricted access means that attackers must first gainphysical access to the storage device itself, which is relatively difficult.

Sometimes, it is too expensive or impractical to use a hardware storage device for some applications. In this case, another more common method is to generate and store the private key on the local filesystem. However, generating and storing the key in this manneradds additional points of vulnerability that may lead to ahigher risk ofa system compromise.

Access to a private key should always be restricted to only authorized and trusted staff, whether it is stored in a hardware storage device or locally on the filesystem.

Managing encryption systems and services is not an easy job, but it can be accomplished with the right tools, professionalsupport, and robust processes. If your technical specialists do not have the necessary training and experience, consider hiring an encryption expert to assist with implementing cryptographic services in a trustworthy manner; the peace of mind is worth it.


Fady Bashay

Fady Bashay is a Security Consultant who specializes in PKI, Certificate lifecycle management, cryptography and key management. He has a Master of Engineering Information System Security from Concordia University in Montreal and is working at Difenda Inc. as a Senior Information Security Consultant.