What is end-to-end encryption?
End-to-end encryption is often mentioned as one of the best ways to greatly reduce identity theft, but what exactly is end-to-end encryption? It turns out that there are actually conflicting definitions of it, so there’s no quick and easy answer to this question.
The US government’s Federal Standard 1037C, Telecommunications: Glossary of Telecommunication Terms, defines end-to-end encryption as “the encryption of information at its origin and decryption at its intended destination without any intermediate decryption.”
Another US government document, Special Publication 800-12 – An Introduction to Computer Security – NIST Handbook, takes a different approach. SP 800-12 distinguishes between link encryption and end-to-end encryption, where link encryption encrypts routing information and end-to-end encryption doesn’t.
Which of these definitions is more useful depends on your point of view. If you’re a credit card processor, for example, if the transactions that you process are encrypted on each link between the merchant where credit card data is captured and your systems, that doesn’t necessarily provide a useful level of protection to the credit card information. It might be possible for a hacker to capture it between where it’s in the clear between links.What’s probably more useful to you is for the credit card information to be encrypted as soon as it’s collected and only decrypted when it’s needed for some sort of processing. If that’s done in a hardware security module, that gives you fairly strong protection against any hackers that might be targeting you. You really don’t care about whether or not the routing information that’s used to process your transactions is encrypted or not.
I’m not sure what the motivation was for the SP 800-12 definition. It must have made sense when it was written. Maybe it’s just out of date. SP 800-12 was published back in October 1995. It probably went through the extensive review that government documents typically go through, so it was probably actually written at least a year or two before that. Maybe it’s safe to ignore it today and stick with the FS 1037C version.