The 'End-To-End' Data Savior Read on as Pavan Kushwaha – a young ethical hacker and founder of cyber security start-up Kratikal Tech that recently raised $500k, puts E2EE in perspective.

By now, the term end-to-end encryption (E2EE) might not be alien to you. It is what you get every time you initiate a new conversation in WhatsApp: "messages you send to this chat are now end-to-end encrypted". Read on as Pavan Kushwaha – a young ethical hacker and founder of cyber security start-up Kratikal Tech that recently raised $500k, puts E2EE in perspective.

How does this work?

If X (sender) is sending a product to Y (recipient) through let's say a third person then the third person can fiddle or tamper with it. So this becomes an insecure way of exchanging product between X and Y. But if that product is delivered in a sealed box and is accessible only through "keys' that allows only the two parties to open, then the product's privacy is ensured. In digital exchange of data, this otherwise can be breached at various touch points like router, modem, Internet service provider, and data center before it reaches Y's device. This is E2EE and is a must have for businesses in Internet of Things and finance sectors.

Is there any particular type of encryption?

Yes. Encryption is of two types – symmetric and asymmetric. Though not compulsory, E2EE is mostly asymmetric in nature. All Internet-based interactions like emails, calls, and chats can be encrypted. In symmetric encryption, the cryptographic "key' is generated by X and is shared with Y to
decrypt the message for reading. However, because the key here is shared, there are chances of the data being compromised. This problem is solved in asymmetric encryption where two separate keys are generated for every user - a public key and a private key. A person who wants to send a secure message to this user, can use his public key to encrypt the message. The user can then use his private key to decrypt the message. Though the two keys are mathematically related, it is infeasible to derive any one key from the other.

But how secure is even E2EE?

If the data is encrypted properly then it would take billions of years for hackers to decrypt that data using a super computer because it has billions of key combinations to be cracked. How strong is encryption depends on how many "bits' the key has. Higher the number of bits, stronger is the encryption. For e.g., five-bit key advanced encryption system (AES) has 32 combinations (2^5=32) whereas an AES 256-bit key used at government level has some billions key combinations while most apps are AES 128-bit key secured.

How should startups go about it?

They should adopt E2EE right from day one. The volume of data has no relation to the strength of encryption. There are few protocols available for E2EE like Pretty Good Privacy (PGP) and Signal Protocol.

Do you think companies avoid E2EE?

Right! It is because they want to access their customers' data like browsing history, search habits, frequency of visits for advertisements and marketing purposes. Competitors often hack into the companies' data to leverage it even as it leads to revenue loss for companies. Telcom major Airtel in 2015 was accused of breaching customer privacy by tracking its data usage of customers using its 3G network without their consent. This was done by injecting JavaScript code into the users' browsers. Government also can check your data if required if it is not encrypted.

(This article was first published in the April issue of Entrepreneur Magazine. To subscribe, click here)