End-to-end encryption
== Challenges ==

=== Man-in-the-middle attacks ===
End-to-end encryption ensures that data is transferred securely between endpoints. Rather than trying to break the encryption, however, an eavesdropper may impersonate a message recipient (during [[key exchange]], or by substituting their own [[public key cryptography|public key]] for the recipient's), so that messages are encrypted with a key known to the attacker. After decrypting a message, the attacker re-encrypts it with the key they share with the actual recipient (or with the recipient's genuine public key, in an asymmetric system) and forwards it, so that neither party notices the interception. This is known as a [[man-in-the-middle attack]] (MITM).<ref name="Wired Lexicon" /><ref name="Schneier">{{cite book|last1=Ferguson|first1=Niels|last2=Schneier|first2=Bruce|last3=Kohno|first3=Tadayoshi|title=Cryptography engineering : design principles and practical applications|url=https://archive.org/details/cryptographyengi00ferg|url-access=limited|date=2010|publisher=Wiley Pub., inc.|location=Indianapolis, IN|isbn=978-0470474242|page=[https://archive.org/details/cryptographyengi00ferg/page/n211 183]}}</ref>

==== Authentication ====
{{see also|Key Transparency}}
Most end-to-end encryption protocols include some form of endpoint [[authentication]] specifically to prevent MITM attacks. For example, one could rely on [[certificate authority|certification authorities]] or a [[web of trust]].<ref>{{cite web|title=What is man-in-the-middle attack (MitM)? – Definition from WhatIs.com|url=http://internetofthingsagenda.techtarget.com/definition/man-in-the-middle-attack-MitM|website=IoT Agenda|access-date=7 January 2016|language=en-US|url-status=live|archive-url=https://web.archive.org/web/20160105000628/http://internetofthingsagenda.techtarget.com/definition/man-in-the-middle-attack-MitM|archive-date=5 January 2016}}</ref> An alternative technique is to generate cryptographic hashes (fingerprints) of the communicating users' public keys or shared secret keys. Before starting their conversation, the parties compare their [[Public key fingerprint|fingerprints]] over an outside (out-of-band) channel that guarantees the integrity and authenticity of the comparison (but not necessarily its secrecy{{citation needed|date=June 2020}}). If the fingerprints match, there is, in theory, no man in the middle; if an attacker has substituted a key, the fingerprint each party computes for the other no longer agrees with what the other party reads out.<ref name="Wired Lexicon" />

When displayed for human inspection, fingerprints usually use some form of [[binary-to-text encoding]]{{citation needed|date=June 2020}}.<ref>{{cite journal|last=Dechand|first=Sergej|date=10–12 August 2016|title=An Empirical Study of Textual Key-Fingerprint Representations|url=https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_dechand.pdf|journal=Proceedings of the 25th USENIX Security Symposium|pages=1–17}}</ref> These strings are then formatted into groups of characters for readability. Some clients instead display a [[natural language]] representation of the fingerprint.<ref name="pEp-whitepaper">{{cite web|url=https://pep.foundation/docs/pEp-whitepaper.pdf|title=pEp White Paper|publisher=pEp Foundation Council|date=18 July 2016|access-date=11 October 2016|url-status=live|archive-url=https://web.archive.org/web/20161001160110/https://pep.foundation/docs/pEp-whitepaper.pdf|archive-date=1 October 2016}}</ref> As the approach consists of a [[one-to-one mapping]] between fingerprint blocks and words, there is no loss of [[entropy]].
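The following Python program is an added illustration of the fingerprint mechanisms described in this subsection; it is not code from the article, nor from Signal, WhatsApp or pEp. It goes slightly beyond the text by showing three encodings side by side (grouped hexadecimal, a one-to-one word table, and a Signal-style decimal "safety number") and then running a simulated key delivery with and without key substitution, so that the out-of-band comparison failing is visible. Public keys are constructed stand-in byte strings (no real key exchange is run), the identifiers are made-up phone numbers, and the decimal scheme is modeled on the structure of Signal's published construction (iterated hashing, 5-byte chunks reduced to five digits, both parties' halves sorted) without any claim of bit-compatibility with a shipping client; the iteration count and version prefix are assumptions.

```python
"""Key fingerprints and out-of-band comparison against key substitution.

Added illustration for this section, not code from the article or from any
messaging project. Keys below are constructed stand-ins, not real keys.
"""
import hashlib
import itertools

FP_ITERATIONS = 5200      # assumption: iteration count chosen to mirror Signal's design
FP_VERSION = b"\x00\x00"  # assumption: 2-byte version prefix

# Constructed one-to-one word table: 256 distinct pronounceable tokens, one per
# byte value, so encoding as words loses no entropy and is invertible.
_CONSONANTS = "bdfgklmnprstvz"
_VOWELS = "aeiou"
WORDS = ["".join(t) for t in itertools.product(_CONSONANTS, _VOWELS, _CONSONANTS)][:256]

# Constructed, deterministic stand-in identity keys and identifiers (assumptions).
ALICE_ID, BOB_ID = b"+15550000001", b"+15550000002"
ALICE_KEY = hashlib.sha256(b"alice identity key").digest()
BOB_KEY = hashlib.sha256(b"bob identity key").digest()
MALLORY_KEY = hashlib.sha256(b"mallory identity key").digest()


def hex_fingerprint(public_key: bytes) -> str:
    """SHA-256 of the key as hex, grouped in fours for reading aloud."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def words_fingerprint(public_key: bytes, nbytes: int = 8) -> str:
    """First nbytes of SHA-256(key), one word per byte: one-to-one, no entropy lost."""
    return " ".join(WORDS[b] for b in hashlib.sha256(public_key).digest()[:nbytes])


def words_to_bytes(words: str) -> bytes:
    """Inverse of the word encoding used by words_fingerprint."""
    return bytes(WORDS.index(w) for w in words.split())


def numeric_fingerprint(identity_key: bytes, identifier: bytes) -> str:
    """30-digit decimal fingerprint of one party's identity key.

    Iterated hashing raises the cost of searching for a key whose displayed
    digits collide with a victim's; each 5-byte chunk mod 100000 yields five
    digits, so every group of five carries about 16.6 bits.
    """
    h = hashlib.sha512(FP_VERSION + identity_key + identifier).digest()
    for _ in range(FP_ITERATIONS - 1):
        h = hashlib.sha512(h + identity_key).digest()
    return "".join("%05d" % (int.from_bytes(h[i:i + 5], "big") % 100000)
                   for i in range(0, 30, 5))


def safety_number(local_key, local_id, remote_key, remote_id) -> str:
    """Combined 60-digit code; sorting the halves makes both sides see one string."""
    digits = "".join(sorted([numeric_fingerprint(local_key, local_id),
                             numeric_fingerprint(remote_key, remote_id)]))
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


def exchange(alice_key, bob_key, mallory_key=None):
    """Deliver each party's public key through the server.

    With mallory_key set, whoever controls the path replaces each key in
    transit with the attacker's (the key substitution the section calls a
    MITM). Returns the safety number each party would read out to the other.
    """
    alice_sees_bob = bob_key if mallory_key is None else mallory_key
    bob_sees_alice = alice_key if mallory_key is None else mallory_key
    alice_view = safety_number(alice_key, ALICE_ID, alice_sees_bob, BOB_ID)
    bob_view = safety_number(bob_key, BOB_ID, bob_sees_alice, ALICE_ID)
    return alice_view, bob_view


def fingerprints_match(alice_key, bob_key, mallory_key=None) -> bool:
    """True when the out-of-band comparison would pass."""
    alice_view, bob_view = exchange(alice_key, bob_key, mallory_key)
    return alice_view == bob_view


if __name__ == "__main__":
    print("hex:  ", hex_fingerprint(ALICE_KEY))
    print("words:", words_fingerprint(ALICE_KEY))
    honest_a, honest_b = exchange(ALICE_KEY, BOB_KEY)
    print("honest exchange:", honest_a, "| match:", honest_a == honest_b)
    mitm_a, mitm_b = exchange(ALICE_KEY, BOB_KEY, MALLORY_KEY)
    print("with MITM, Alice reads:", mitm_a)
    print("with MITM, Bob reads:  ", mitm_b)
    print("match:", mitm_a == mitm_b)
```

The point of sorting the two halves in `safety_number` is that both users display the same 60-digit string and can compare it verbatim; under substitution each side computes the attacker's key into its own view, so the strings diverge and the comparison fails even though the attacker holds only one key.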
The protocol may choose to display the words in the user's native (system) language.<ref name="pEp-whitepaper"/> This can, however, make comparisons between users of different languages prone to error.<ref name="Marlinspike-2016-04-05"/> To improve [[Internationalization and localization|localization]], some protocols display fingerprints as base-10 digit strings instead of the more error-prone hexadecimal or natural-language strings.<ref name="Budington-2016-04-07"/><ref name="Marlinspike-2016-04-05">{{cite web|last1=Marlinspike|first1=Moxie|title=WhatsApp's Signal Protocol integration is now complete|url=https://whispersystems.org/blog/whatsapp-complete/|publisher=Open Whisper Systems|access-date=11 October 2016|date=5 April 2016|url-status=live|archive-url=https://web.archive.org/web/20161010101243/https://whispersystems.org/blog/whatsapp-complete/|archive-date=10 October 2016}}</ref> An example of a base-10 fingerprint (called a ''safety number'' in Signal and a ''security code'' in WhatsApp) is:

37345 35585 86758 07668 05805 48714 98975 19432 47272 72741 60915 64451

Other applications, such as Telegram, instead encode fingerprints using emoji. Modern messaging applications can also display fingerprints as [[QR code]]s that users scan from each other's devices.<ref name="Budington-2016-04-07">{{cite web|last1=Budington|first1=Bill|title=WhatsApp Rolls Out End-To-End Encryption to its Over One Billion Users|url=https://www.eff.org/deeplinks/2016/04/whatsapp-rolls-out-end-end-encryption-its-1bn-users|website=Deeplinks Blog|publisher=Electronic Frontier Foundation|access-date=11 October 2016|date=7 April 2016|url-status=live|archive-url=https://web.archive.org/web/20160912010025/https://www.eff.org/deeplinks/2016/04/whatsapp-rolls-out-end-end-encryption-its-1bn-users|archive-date=12 September 2016}}</ref>

=== Endpoint security ===
The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves.
Each user's computer can still be hacked to steal their cryptographic key (enabling a MITM attack) or simply to read the recipient's decrypted messages, both in real time and from log files. Even the most perfectly encrypted communication pipe is only as secure as the mailbox on the other end.<ref name="Wired Lexicon" /> Major attempts to increase endpoint security have isolated key generation, storage and cryptographic operations in a dedicated secure device such as a smart card or Google's Project Vault.<ref>Julie Bort, Matt Weinberger [http://www.businessinsider.com/googles-project-vault-for-secret-messages-2015-5?r=US&IR=T&IR=T "Google's Project Vault is a tiny computer for sending secret messages"] {{webarchive|url=https://web.archive.org/web/20170808195058/http://www.businessinsider.com/googles-project-vault-for-secret-messages-2015-5?r=US&IR=T&IR=T |date=2017-08-08 }}, ''[[Business Insider]]'', NYC May 29, 2015</ref> However, since plaintext input and output are still visible to the host system, malware on the host can monitor conversations in real time. A more robust approach is to isolate all sensitive data on a fully [[Air gap (networking)|air-gapped]] computer.<ref>Whonix Wiki [https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key "Air Gapped OpenPGP Key"] {{webarchive|url=https://web.archive.org/web/20170808194727/https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key |date=2017-08-08 }}</ref> [[Pretty Good Privacy|PGP]] has been recommended by experts for this purpose.<ref>{{cite web|quote=If I really had to trust my life to a piece of software, I would probably use something much less flashy — GnuPG, maybe, running on an isolated computer locked in a basement. |author=[[Matthew D. Green]] |url=https://blog.cryptographyengineering.com/2013/03/09/here-come-encryption-apps/ |title=A Few Thoughts on Cryptographic Engineering |date=9 Mar 2013}}</ref> However, as [[Bruce Schneier]] points out, [[Stuxnet]], reportedly developed by the United States and Israel, successfully crossed an air gap and reached the network of Iran's Natanz nuclear plant.<ref>Bruce Schneier [https://www.schneier.com/blog/archives/2013/10/air_gaps.html "Air Gaps"] {{webarchive|url=https://web.archive.org/web/20170609082507/https://www.schneier.com/blog/archives/2013/10/air_gaps.html |date=2017-06-09 }}, ''[[Schneier on Security]]'', October 11, 2013</ref> To counter key exfiltration by malware, one approach is to split the [[Trusted Computing Base]] across two computers joined only by [[Unidirectional network|unidirectional]] links, so that the machine that sends can only emit data (malware cannot be pushed into it from the network) and the machine that receives can only accept data (malware that does reach it has no channel through which to exfiltrate keys or plaintext).<ref>{{cite web|url=https://github.com/maqp/tfc|title=maqp/tfc|website=GitHub|access-date=26 April 2018|url-status=live|archive-url=https://web.archive.org/web/20170331092533/https://github.com/maqp/tfc/|archive-date=31 March 2017}}</ref>

=== Backdoors ===
A backdoor is usually a secret method of bypassing normal authentication or encryption in a computer system, a product, an embedded device, etc.<ref>{{cite news|last1=Eckersley|first1=Peter|last2=Portnoy|first2=Erica|title=Intel's Management Engine is a security hazard, and users need a way to disable it|url=https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it|access-date=7 March 2018|agency=www.eff.org.|date=8 May 2017|url-status=live|archive-url=https://web.archive.org/web/20180306011455/https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it|archive-date=6 March 2018}}</ref> Companies may also, willingly or unwillingly, introduce [[Backdoor (computing)|backdoors]] into their software that subvert key negotiation or bypass encryption altogether. In 2013, documents leaked by [[Edward Snowden]] showed that [[Skype]] had a backdoor that allowed Microsoft to hand over users' messages to the [[NSA]], despite those messages being officially end-to-end encrypted.<ref>{{cite news|last1=Goodin|first1=Dan|title=Think your Skype messages get end-to-end encryption? Think again|url=https://arstechnica.com/security/2013/05/think-your-skype-messages-get-end-to-end-encryption-think-again/|work=Ars Technica|date=20 May 2013|url-status=live|archive-url=https://web.archive.org/web/20151222185542/http://arstechnica.com/security/2013/05/think-your-skype-messages-get-end-to-end-encryption-think-again/ |archive-date=22 December 2015}}</ref><ref>{{cite news|last1=Greenwald|first1=Glenn|author-link=Glenn Greenwald|last2=MacAskill|first2=Ewen|last3=Poitras|first3=Laura|last4=Ackerman|first4=Spencer|last5=Rushe|first5=Dominic|title=Microsoft handed the NSA access to encrypted messages|url=https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data|work=the Guardian|date=12 July 2013|url-status=live|archive-url=https://web.archive.org/web/20151119014627/http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data |archive-date=19 November 2015}}</ref> Following the terrorist attacks in [[2015 San Bernardino attack|San Bernardino in 2015]] and [[Naval Air Station Pensacola shooting|Pensacola in 2019]], the [[Federal Bureau of Investigation|FBI]] requested backdoors into [[Apple Inc.|Apple's]] [[iPhone]] software. The company refused to create a backdoor for the government, citing concern that such a tool would put its customers' privacy at risk.<ref>{{Cite web|last=Leswing|first=Kif|date=2020-01-16|title=Apple's fight with Trump and the Justice Department is about more than two iPhones|url=https://www.cnbc.com/2020/01/16/apple-fbi-backdoor-battle-is-about-more-than-two-iphones.html|access-date=2021-04-16|website=CNBC|language=en}}</ref>

=== Compliance and regulatory requirements for content inspection ===
While E2EE offers privacy benefits that make it desirable in consumer-grade services, many businesses have to balance these benefits against their regulatory requirements. For example, many organizations are subject to mandates that require them to be able to decrypt any communication between their employees, or between their employees and third parties.<ref>{{cite news|title=Why GDPR Makes it Urgent to Scan Encrypted Traffic for Data Loss|url=https://blog.sonicwall.com/en-us/2017/11/why-gdpr-makes-it-urgent-to-scan-encrypted-traffic-for-data-loss/|work=SonicWall|date=28 November 2017}}</ref> This may be needed for archival purposes, for inspection by [[Data loss prevention software|data loss prevention (DLP)]] systems, for litigation-related [[Electronic discovery|eDiscovery]], or for detection of [[Antivirus software|malware]] and other threats in the data streams. For this reason, some enterprise-focused communications and information-protection systems implement encryption so that all transmissions are encrypted in transit but the encryption is terminated at the organization's internal systems (on-premises or cloud-based), giving the organization access to the content for inspection and processing. Such a deployment is no longer end-to-end in the sense used above: the organization's gateway, rather than the recipient, is the endpoint at which the data is decrypted.