End-to-End Encryption

This is a critical technology for ensuring confidentiality, which our team have been using for nearly 20 years.

E2E schemes typically use public key encryption to identify users and share symmetric keys, which are then used to protect the data that is shared, because symmetric encryption is considerably faster than public key encryption.

More advanced schemes typically use multiple layers of symmetric encryption, with the first layer being used to protect keys for the second layer, which in turn protect the keys for the third layer, and so on. This can be used to create a hierarchical encryption scheme, similar to a file system folder structure, where users can be granted access to any specified sub-tree.

Data Access Control (DAC) can be represented in the Blockchain as a file or folder key that has been encrypted with the user’s public key, and provides a fairly high level of assurance that contents of the specified file system sub-tree can only be accessed by authorised users.

Such access control schemes are logically equivalent to the idea of “reading someone into a project”, where there is a high level of assurance that the protected content will only be available to the authorised users, but the technical mechanism does not allow the authorisation to be subsequently revoked.

This does not prevent additional technical mechanisms being implemented to support revocation of authority, but it does highlight one of the fundamental limitations of encryption as a DAC mechanism, because once the user has been given access to a key, it is not possible to guarantee that they have not retained the information for future usage.

However, E2E encryption does offer a substantial safeguard to protect granular data sets, such as the records of a specific individual within a medical context, and makes it very easy to explicitly protect even smaller sub-sets of the data, such as mental health or sexual health records of each specific individual.

The challenge for organisations that want to implement such controls is how to manage them, because unlike traditional DAC mechanisms that enforce the controls using physical mechanisms, there are no backdoors in the E2E scheme, and the controls cannot be overridden by system administrators.

This requires the organisation to consider the management controls very carefully, with particular regard for the social contracts that are implicit within the workplace, and the potential for social engineering attacks against those social contracts.

It is relatively easy to implement encryption key escrow mechanisms, including dual key access arrangements, and access by consensus arrangements. These are particularly important in cases where the only user authorised to access a specific dataset become incapacitated or unavailable, and there is a legitimate requirement for access authority to be granted to another user.

It is also relatively easy to implement physical controls within the information supply chain, which enforce revocation of authority based upon DAC entries within the Blockchain, and may include time-limited access, or requirements for approval by third parties , in addition to basic revocation. However, such mechanisms always depend upon trust in some form of gatekeeper.

This approach has been developed further within the Threshold Encryption (TE) scheme, which identifies a number of independent gatekeepers, who collectively control access to the encryption keys, which can only be released by consensus.

An alternative, and perhaps complementary approach, is to embed the E2E encryption mechanism within a security hardened execution environment (SHEE), which implements physical controls that are independent of the user credentials.