End-to-end encryption must be easy to use


Jacqui Nelson
Contributor

The sudden rise in remote working due to COVID-19 has driven strong interest in encryption. Business-critical and sensitive data that previously traversed only secure corporate networks is now being carried over the internet to and from the homes of employees.

Organisations of all kinds are holding videoconferences and discussing commercially sensitive issues over public videotelephony services such as Zoom, which has seen a meteoric rise in usage.

There were many other technologies hurriedly pressed into service to support the massive surge in remote working. The security of some of these technologies was, to say the least, sub-optimal.

Jacqui Nelson
Dekko Secure chief executive officer Jacqui Nelson

Now that the initial panic has subsided, organisations of all kinds are looking for solutions that are more secure and generally more fit for purpose. Everybody expects that, long term, there’ll be more people working from home more of the time. The shift to remote working raised lots of questions about security. Many of these were centred on Zoom. The company claimed its service provided end-to-end encryption (E2EE) for conference communications, but this was soon revealed to not be strictly accurate.

End-to-end communication meant data was encrypted between all parties, so long as they were using the Zoom app or accessing via a browser. However, all communications could be decrypted by the software platform. This type of pseudo end-to-end security can become a problem if guarantees are made to third parties about the security and integrity of data being exchanged.

It’s analogous to your landlord having keys to your apartment and you not being allowed to change the locks. You might be happy to trust the landlord and hope no-one else has a key, but if someone loaned you a really valuable painting to hang on your wall, you might have second thoughts.

Some public communications services do provide E2EE, notably Telegram and Apple iMessage. Neither Telegram or Apple can decrypt your messages, but these services are not useful for organisations that want to secure communications with their employees and with third parties for applications such as file transfer or want audit, as they don’t integrate with existing solutions.

For encryption to be truly secure end-to-end the sender must be able to encrypt a message so that it can be decrypted only by the intended recipient. Simple encryption does not confer this level of security.

With simple encryption, messages are scrambled using an algorithm. A key is generated that can be used to unscramble the message, but both the encrypted message and the key must then be transmitted for the message to be decrypted. Both could be intercepted, so such a system is not secure.

True E2EE uses two keys. Anyone wanting to receive secure messages generates a public key made available to any sender to encrypt a message, and a private key, held securely by the recipient and used to decrypt the message.

The Internet Engineering Task Force (IETF) defined E2EE with a message exchange format called RFC4880. It provides encryption, decryption, signing and key management functions. In 1999, free open source software, GNU Privacy Guard (GNUPG), was released to implement this format. It is available to run on Windows, Mac OS, Android and other operating systems.

However, you need to be pretty tech savvy to use it. GNUPG is complicated and fraught with easy mistakes – a common one is sharing your private key instead of your public key. The user manual runs to 16,000 words!

Software applications that sit on top of GNUPG are available to hide its complexity – such as Signal from Open Whisper Systems. It’s available for Android, iOS, Windows, Mac OS and Linux.

Signal and Telegram are useful but they are not a complete solution. Businesses and government agencies communicate and collaborate now more than ever. They’re making more use of outsourcing, software-as-a-service and distributed teams, which is generating a huge increase in the sharing and transfer of sensitive data.

There’s plenty of technology available to beef up security, but users often complain that it makes collaboration and communication more difficult, and they tend to avoid using it.

Good security technology needs to combine robust safety with ease of use. It needs features such as seamless management of encryption keys, data sovereignty and system certification. And it needs to cater for all forms of communications: collaboration, messaging, document sharing, conferencing, and offer tools like document approval to make workflow management easier.

Jacqui Nelson is CEO of Dekko Secure, an Australian owned and operated technology company that provides industry-leading end-to-end encryption.

This article was produced in partnership with Dekko Secure as part of the Connect with Confidence sponsored content series by Dekko Secure and InnovationAus.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories