Deep diving into End-to-End Encryption (E2EE)🔐
Let’s dive technically and mathematically into end-2-end encryption
As a Frontend, If you building a chat application, you should make that chat secure, right? so let’s know how to do that.
This article covers:
- What is E2E Encryption?
- What is the Symmetric Encryption Algorithm?
- The problem with Symmetric Encryption.
- What is the Asymmetric Encryption Algorithm?
- How Asymmetric Encryption works mathematically?
- The problem with Asymmetric Encryption.
- Man in the Middle.
- Is E2EE really secure?
- How to know really you are on google.com?
- How WhatsApp verifies your chat.
1- What’s E2E Encryption?
End-to-end encryption is a communication system where only communicating users can read messages. the encryption-decryption methods are happening on the frontend side and not the server side, so even the server CAN NOT encrypt or decrypt the messages.
2- What is Symmetric Encryption? + It’s problem:
Symmetric Encryption is a way to encrypt your message with a key, then send it to the other recipient, to read it, but he can not decrypt it without that key. There is no secure way to send it to him, so this way is not possible for sending a secure message, if you send the key inside the message it’ll be found in the public area and that message will be decrypted easier.
take a look at this sketch I made:
So that’s why the Asymmetric key comes for:
3 — What is the Asymmetric Encryption Algorithm?
The Asymmetric Encryption Algorithm is a way that makes only the sender and the receiver can encrypt and decrypt their messages.
The way it works is by generating a private key and a public key for each user [Pair of Keys].
Private Key: Never ever shared with anyone.
Public key: Shared with anyone, and anyone can send you a message by this key.
Note: there is a relationship between the Private/Public keys for that user.
So in this algorithm, we shared the Public keys, that’s why it is called the Key Exchange method.
Example: Alice sending “HELLO” to Bob, Alice needs Bob’s Public key to encrypt the “HELLO” message by using Bob’s Public key, then send it to Bob, Bob is now the only one who can decrypt that message using his Private key.
Take this sketch I made:
So, Alice needs Bob’s Public key to combine it with its Private key then make an offline Shared Secret and this is the Answer. then send it to Bob, Bob now needs its Private key and Alice’s Public Key to unlock this Cypher text.
Now Let's do the math:
5- How Asymmetric Encryption works mathematically:
This Diffie Hellman key exchange method is to make public/private key pairs and distribute the public key.
We need this method:
- N: very large prime number.
- G: generator number < n ≤ 0
#1: Randomly generate a private key < n ≤ 0
#2: Generate a Public key: G power [Private key] mod N
#3: Exchange the keys
#4: Calculate the Shared Secret:
Shared Public key power [Private key] mod N
I made an image for example:
So what’s the problem with this algorithm?
6- The problem with Asymmetric Encryption:
Imagine there is a man in the middle between Alice and Bob, and while Alice sending to Bob a message, Sean breaks this and claims that he is Bob, since we can not know whether is Bob or not, in the end, it’s just a variable, a number, so Sean generate Private/Public key and send to Alice his Public key, and Alice send to him the message, here Sean can decrypt the message since he can also get Alice public key, now Sean can read/edit/delete the message and send forward it to Bob, now Bob is also can’t know if this message is really from Alice.
And that lady and gentleman is big trouble! 😬
7 — Man in the Middle
8- Is E2EE really secure / how to know you are on google.com:
So Like we see the Exchange key is not secure 100%, even if we make the encryption/decryption on the Client side only.
So in that case we must know the Identity of the user we want to send the message to, so we need a third party to check for us if that user is the claims user; Something like Digital Certificate Authentication.
What is a Digital Certificate Authentication (CA): Digital Certificates are verifiable small data files that contain identity credentials to help websites, people, and devices represent their authenticity online.
Example SSL:
An SSL Certificate is a popular type of Digital Certificate that binds the ownership details of a web server (and website) to cryptographic keys. These keys are used in the SSL/TLS protocol to activate a secure session between a browser and the web server hosting the SSL Certificate. In order for a browser to trust an SSL Certificate, and establish an SSL/TLS session without security warnings, the SSL Certificate must contain the domain name of website using it, be issued by a trusted CA, and not have expired.
So now when you go to google.com you know that you are on the real google website and not another one.
10 — How WhatsApp verifies your chat:
Is what’s App using third parties to check the identities of the chatters?
the answer is NO.
So how do I know on WhatsApp if I texting the right person, and not a man in the middle?
The answer is you do not know really if it is your right person or the man in middle the middle.
wait, what?!
So even WhatsApp is not secure for the Man in the Middle attacks?
the answer is YES.
And WhatsApp has been cracked many times.
But the good news is that WhatsApp has a way to verify the personal identity of the guy you are texting, in the profile of that person:
Go to Person Profile > click Encryption > Scan the code of your guy.
And voila you now know if your messages are really encrypted with the E2EE method with that guy.
Thanks for reading, subscribe to get more articles like this.
follow me on Twitter: 🐥@diafi_amir
