End-to-end encryption

End-to-end encryption


End-to-end encryption (E2EE) encrypts clear (red) data at source with knowledge of the intended recipient, allowing the encrypted (black) data to travel safely through vulnerable channels (eg. public networks) to its recipient where it can be decrypted (assuming the destination shares the necessary key-variables and algorithms).


A classic deployment of E2EE is demonstrated by its use within the Terrestrial Trunked Radio TETRA standard, as defined by the Security Fraud Prevention Group (SFPG) of the Tetra MoU [ [http://www.tetramou.com/uploadedFiles/Files/Presentations/TWC05_8_Security_Brian.ppt] A presentation by Brian Murgatroyd to the SFPG (sadly in powerpoint format...)] .

In this context E2EE allows security-aware users (eg. police) to retain control over access to their communications. Unlike TETRA air-interface encryption (an example of Link encryption) users do not have to share key-variables with network operators (eg. [http://www.airwaveservice.co.uk 'Airwave'] , [http://www.astrid.be 'A.S.T.R.I.D'] , [http://www.c2000.nl 'C2000'] ). In this way the user traffic (in this case voice or data) travels through the public network encrypted from the transmitting user terminal until it reaches the receiving user terminal where it is decrypted.

If only air-interface encryption were used interception of the user traffic would be possible at any point after the air-interface encryption had been removed (ie. at any point other than the TETRA air-interface) and the traffic entered the trunked network. This exposes the user traffic to any weaknesses of the trunked network and implicitly requires trust between the user and the network operator. In this way E2EE is particularly suited to situations where users do not trust network operators or government infrastructures.

In the TETRA deployment of E2EE the management, distribution and updating of encryption key-variables and crypto-associations (links between network address and key-variables) is facilitated by use of a Key Management Centre (KMC). The KMC is under user-control, although it is connected to the trunked-network to allow the user to manage E2EE terminals by the use of encrypted key-management messages (KMMs). These KMMs allow the user to achieve Over-The-Air re-Keying (OTAK).

The key-variables and crypto-associations allows the user (by use of the KMC) to partition the trunked-network address space into 'encrypted' and 'non-encrypted' channels. It is possible to define sets of key-variables called crypto-groups and it is further possible define which crypto-group any particular encrypted channel uses. Furthermore it is possible for the operator of the KMC to partition their user-fleet into user-groups (groups of users who receive the same crypto material).

In this way the KMC user can determine which parts of their user-fleet can communicate with one and other and allows the user organisation to achieve crypto-separation between different groups of users. This is particularly important in organisations that are self-policing: internal investigations must be conducted without the knowledge of those being investigated and so investigators would want crypo-separation between their own communications and that of other users. Correct operation of KMC will allow the internal-investigator to intercept other user communications while not being able to be intercepted himself.


SFPG have suggested methods of implementing TETRA E2EE using (at least) AES and IDEA algorithms utilising a number of different key-lengths. Both of these have been implemented by some or all of the manufacturers listed below. There are a number of country-specific private algorithms which have been successfully used, they cannot be mentioned here, other than to say private algorithms are possible if you are willing to pay a manufacturer to implement your algorithm in their product.


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Transparent end-to-end encryption for the internets — (IPETEE) is a proposal for a network level encryption method which would effectively encrypt all internet communication. The encryption would be handled by software on the client and server machines, and would negotiate the encryption behind the… …   Wikipedia

  • End-to-end — has various meanings.*In e commerce, end to end marketing describes methods or services directly connecting people who want to sell and buy. This practice eliminates middlemen from the trade. *In computer communication, end to end refers to end… …   Wikipedia

  • BitTorrent protocol encryption — Protocol encryption (PE), message stream encryption (MSE), or protocol header encrypt (PHE)[1] are related features of some peer to peer file sharing clients, including BitTorrent clients. They attempt to enhance privacy and confidentiality. In… …   Wikipedia

  • Link encryption — is an approach to communications security that encrypts and decrypts all traffic at each end of a communications line (e.g. a teleprinter circuit or the line between two network switches). It contrasts with end to end encryption where messages… …   Wikipedia

  • Array controller based encryption — Within a storage network, encryption of data may occur at different hardware levels. Array controller based encryption describes the encryption of data occurring at the disk array controller before being sent to the disk drives. This article will …   Wikipedia

  • Advanced Encryption Standard — AES, Rijndael AES, Rijndael Создатель: Винсент Рэймен Йоан Даймен Созда …   Википедия

  • Advanced Encryption Standard — AES Der Substitutionschritt, einer von 4 Teilschritten pro Runde Entwickler Joan Daemen, Vincent Rijmen Veröffentlicht 1998, Zertifizierung Oktober 2000 Abgeleitet …   Deutsch Wikipedia

  • NSA encryption systems — The National Security Agency took over responsibility for all U.S. Government encryption systems when it was formed in 1952. The technical details of most NSA approved systems are still classified, but much more about its early systems has become …   Wikipedia

  • Disk encryption theory — Disk encryption is a special case of data at rest protection when the storage media is a sector addressable device (e.g., a hard disk). This article presents cryptographic aspects of the problem. For discussion of different software packages and… …   Wikipedia

  • Tiny Encryption Algorithm — Infobox block cipher name = TEA caption = Two Feistel rounds (one cycle) of TEA designers = Roger Needham, David Wheeler publish date = 1994 derived from = derived to = XTEA key size = 128 bits block size = 64 bits structure = Feistel network… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”