*By Moises Matias
End-to-end encryption is a data protection method that encrypts information on the sender's device and only decrypts it on the recipient's device. This means that as the message travels through servers and networks, it remains protected and inaccessible to anyone else until it reaches the recipient. It's like sending a message in a virtual vault that only the recipient has the key to open.
How P2P encryption works
End-to-end encryption allows companies to create secure communication links between devices or components within those devices, so that intermediary devices are not exposed to sensitive information that may be in transit on the network. P2P is most commonly deployed as a solution for payment card industry data security standard (PCI PIN) compliance, but it can also be used for other sensitive data.
For example, consider a clothing chain that has many retail stores located across the country, handling all financial transactions from a centrally located data center. It would be difficult for the retailer to ensure the logical security of each store's local networks, due to the number of these networks and the public nature of the retail locations.
The main benefit of end-to-end encryption is its ability to reduce the scope of security efforts.
By deploying P2P encryption, the retailer can remove exposure of credit card numbers in the merchandising environment. For example, when deploying a point-of-sale (POS) system that uses encrypted card scanners and is supported by a back-end system in the home office that supports end-to-end encryption, the entire store network is taken off the loop. Like the hardware card reader, which encrypts the data before it reaches the POS terminal, there is no device on the store's network that has the ability to decrypt the card number. This protects card and PIN numbers from a variety of attacks, including eavesdropping on unauthorized devices. Devices like these don't have access to the encryption key, so they remain unable to access the card number.
Why use P2P encryption?
The main benefit of end-to-end encryption is its ability to reduce the scope of security efforts. In the retail scenario that was described earlier, if the merchant is able to guarantee the integrity of the hardware card readers, it only needs to apply the strictest security controls to the centralized back-end systems that can open the data. In highly regulated environments, this strategy can dramatically reduce the number of systems and networks that must meet compliance and monitoring requirements that can often be costly; both in time and in value for the customer.
Limitations of P2P Encryption
While peer-to-peer encryption is a promising security technology option, it is not yet widely deployed, primarily due to the small number of mature products on the market.
Several organizations wanted to implement it soon after the PCI Security Standards Council adopt a streamlined validation process for such products, but many have been unable to find products that meet the specifications and standards stipulated by the PCI.
There are instances where vendors report that they were starting to field test offerings, there was no commercially viable solution that could serve them. Today in Brazil, as the market gains greater maturity, more companies seek to apply this solution. This scenario can be observed around the world as well.
This compliance delay leads to the second major limitation of P2P encryption; it often requires a considerable financial investment to start working, on behalf of suppliers not native to the country or at prices considered impractical. This includes POS hardware and software upgrades and potential fee increases from vendors who are eager to capitalize on sudden demand from companies looking to limit their compliance obligations.
How to protect cryptographic keys
For P2P encryption to work as securely as possible, strict controls for protection and access to decryption keys should always be in place. Current guidance requires the use of hardware security modules (HSMs) with an appropriate security rating to protect access and creation of cryptographic keys. Today, acquirers and other payment chain participants are already marketing value-added services that exploit P2PE to reduce compliance costs for their end customers. From a PCI PIN point of view, any system that has the ability to decrypt account data falls in scope immediately, so the ability to isolate merchants by protecting keys in HSMs has significant benefits throughout the supply chain.
Finally, it's important to remember that P2P encryption is not a one-size-fits-all solution. While it certainly can reduce the need to secure remote networks, it doesn't eliminate the need for security controls. The most important example of this is the need to employ strong cryptographic key management practices, through the use of HSMs and integrated security systems, which cover everything from communication/creation of keys and networking, to their storage and use . If an adversary manages to gain access to the decryption key, this solution will be rendered useless. This means that any device deemed out of scope must not have access to the keys used to protect sensitive information.
In conclusion, point-to-point encryption is a technology that organizations increasingly adopt in an effort to increase data security and reducing the scope of compliance initiatives, especially in payment systems environments. Currently, however, there are several significant limitations to the approach that security professionals looking to utilize this technology must consider; But the continuous improvement in commercial P2P products and the need for companies to comply with security and their commitment, has made this solution increasingly present in the daily lives of companies in a global scenario.
The importance of end-to-end encryption in everyday life
Speaking at a slightly higher level, the adoption of end-to-end encryption is a crucial measure to protect the privacy of our online conversations in a scenario between people in their daily lives. By using this technology, applications ensure that even they themselves, as service providers, do not have access to message content. This means that, in the event of intrusions or unauthorized access attempts, the information remains secure.
Examples of applications that use end-to-end encryption
There are several popular applications that have adopted end-to-end encryption as a fundamental part of their security policies. Among them, we highlight three:
Whatsapp: WhatsApp is one of the most used applications in the world and pioneered the adoption of end-to-end encryption. All messages, photos, videos and calls are protected by this technology.
sign: Signal is known for its strong emphasis on privacy. It is a popular choice for those who want secure communication., as it also uses end-to-end encryption for all your conversations.
Telegram: Telegram offers the option of “secret conversations”, which are protected by end-to-end encryption. This function needs to be enabled manually, but it provides an additional layer of security for conversations.
Comparison between the mentioned apps
While all three apps mentioned use end-to-end encryption, there are differences between them. WhatsApp is known for its ease of use and large user base, while Signal stands out for its robust security and privacy. Telegram offers more customization options, but the end-to-end encryption feature needs to be activated manually.
Recommendations to ensure the security of your conversations
In addition to using applications with end-to-end encryption, there are some best practices users can adopt to bolster the security of their conversations. These include setting strong device passwords, being careful when clicking on suspicious links, and not sharing passwords with third parties.
The future of end-to-end encryption
As digitalization increases and privacy awareness grows, it is likely that end-to-end encryption will become even more essential to protecting our personal information and communications online. New technologies and improvements may emerge, ensuring an even safer digital environment.
End-to-end encryption is a powerful tool for securing network communications and ensuring that only intended recipients have access to content. With the growing importance of digital privacy, it is essential that there is an understanding and value in adopting this technology in our daily communications, and that its use is integrated into compliance policies and other solutions that build defense into deep layers.
*Moisés Matias, Cybersecurity Architect Officer at Kryptus
Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
EN 
PT 
