A quick explanation on how End-to-End Encryption works - using symmetric and asymmetric encryption
First, remember that encryption requires two components: you need a file (your data), that you protect/hide with an encryption key (which is essentially a large and very complex password which you cannot remember). More info on this in our previous blogpost: What do we mean by encryption and end-to-end encryption?
Two types of encryption that you can use with End-to-End Encryption:
1) Symmetric encryption: Which means that with the same information (key), you can encrypt and decrypt.
2) Asymmetric encryption: which uses two keys, one to encrypt and the other one to decrypt:
1) The public key, which everybody has "access to", that is used to encrypt. Here, you take the file, take the public key, and you get your protected file. That's how your data is protected with asymmetric encryption.
But if you want to be able to actually read it, you need the private key.
2) The private key, that you need in order to decrypt and go back to reading the file.
Which means that you use a different key to read your file (decrypt) from the one you use to protect your file (encrypt).
Public and private keys with asymmetric encryption: how does it work?
Most people think of WhatsApp when they hear End-to-End Encryption. So let's illustrate the situation using this example: I want to send you a message, and I want it to be protected. In that case I take your public key, and I protect the message. And when you’re going to get the message, you’re only going to be able to read it with your private key.
There is actually a repository - a database - with everybody’s public keys. And that’s why I can send you a message, because I've got your public key somehwere, and why you can send me a message, because you’ve got my public key somewhere. In general that public key is on a server. It depends on the service. I could also send it to you when we connect. It really depends.
Thus with the information from the public key you can only encrypt data. You cannot decrypt it. You can only get/read your file with the private key. That's why the private key is protected and private, and that you can send the info in the public key to anyone you want.
With End-to-End Encryption, you can use both types of encryption
Let's take again the example of WhatsApp: I write a message and I send it to you. This message is protected before going out. Then it leaves my phone, and the message is ciphered all the way through internet, servers, etc. When it arrives on your phone, that’s when you unlock/unblock it.
WhatsApp uses asymmetric encryption, but you can actually implement End-to-End Encryption with both encryptions (symmetric and asymmetric).
- If you use symmetric encryption, you need to have the same password on both sides (that's why it’s called symmetric). We set one password for the both of us, so when you and I speak, we can just enter the same password and decipher it whenever you or I receive the message. That can be useful and practical if you really know the person. However in the case of WhatsApp it's just simpler to use asymmetric encryption.
- With asymmetric encryption, as we said, instead of using the same password you use a public key and a private key. With WhatsApp for example, it’s done automatically for you so you don’t have to do anything. I send you a message using your public key to encrypt the message, which upon receiving you can only decrypt with your private key. Essentially, the public key is for people to send you stuff. The private key is for you to open it.
With symmetric encryption, the two doors have the same key. With asymmetric encryption, each door has its own key.
We'll release a blogpost soon on how we handle End-to-End Encryption with Duple.