Aspects on end to end and link encryption
This post was written by Dr. Pascal Papagrigoriou and Sifniadis Panagiotis, Empelor GmbH
(Zug , Switzerland), Nov. 30th
Due to the rapid increase of the number of people that use the internet as a means to communicate not only for personal matters but also for business issues as well, the importance of securing people’s and business’ online communications becomes more imperative as time progresses. In order to address this matter various encryption techniques are currently in use. What is important however in this article is the communication level where the encryption will be performed. In particular, two general modes of encryption implementation are link encryption and end to end encryption.
The idea behind “end to end encryption” (E2EE) is that it is possible to send information over a network in such a way that only the recipient and sender can access it. Only the communicating parties can read the messages and generally have access to the information exchanged between them. Potential eavesdroppers – including not only telecom and internet providers but also the provider of the communication service are unable to access the encrypted data. “Link encryption” on the other hand is another security communication approach that encrypts and decrypts all traffic at each end of a communication line and not at the point of origin or the final destination.
Each mode of encryption has its own advantages and disadvantages. End to end encryption will normally be initiated by the user and it would be more complicated to set up in contrast to link encryption which would be automatically initiated since it is working on lower network layers (often done in hardware). Due to the fact that link encryption operates at the lower levels of the OSI model it is possible to encrypt package headers, addresses and routing information while this is not the case with end to end encryption. On the other hand, link encryption requires one key per host pair making it more complicated and prone to attacks since more points of vulnerability exist as opposed to end to end encryption where only one key per user pair is necessary. End to end encryption typically requires more resources and is slower whereas link encryption is very attractive for high-speed data transmission between data centers and applications that require low latency.
How conversations are encrypted and decrypted.
A particular disadvantage of link encryption, that needs to be addressed separately, is directly related to the fact that link encryption is performed either in hardware or at a very low level. This fact significantly complicates upgrades, changes or updates. If an implementation or protocol error is discovered after the deployment of the equipment then expensive equipment replacements may be necessary. A recent example of a protocol error is a discovery of a security weakness of the WPA2 protocol where attackers can use a novel attack technique called KRACK (short for Key Reinstallation Attack) to decrypt packets delivered over Wi-Fi thus reading information that was previously assumed to be safely encrypted.
As a conclusion it should be noted that in order to have complete protection (both privacy and integrity) the best solution is to combine both end to end and link encryption, especially in critical infrastructures where unauthorized access or leak of information will lead to a breach of availability and integrity of assets.
CIPSEC project results receive funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.
The opinions expressed and arguments employed in this publication do not necessarily reflect the official views of the Research Executive Agency (REA) nor the European Commission.