Re: link-encryption vs end-to-end encryption

OliLue · ‎03-13-2024

Hi all,

i understand the difference between link-encryption and end-to-end encryption.

But in me exam preparation, I found some question which confuse me.

When do you use link-encryption and when do you use end-to-end encryption?

My point would be:

End-to-end encryption used in application

link-encryption used for connection encryption.

But after a couple of question, clear with my wrong answer, I`m confused.

I hope someone of you could help me, and bring light back to this topic

Thanks in advance

OliLue

denbesten · ‎03-13-2024

If you run the website, you would set up end-to-end encryption with the web browser.

If you run the computer network, you would set up link encryption between two routers, presumably separated by an untrusted middle, such as the Internet.

Caute_cautim · ‎03-14-2024

@OliLue

Much of the confusion on the topic of Link vs. End-to-End encryption is due to conflicting terminology used to say the same thing. Let me try to help… Data can be encrypted in either two fashions – with or without the IP header (routing information) encrypted. Either way the DATA is protected for confidentiality purposes.

The two methods of encryption used in a VPN are commonly called End-to-End and Link. In End-to-End encryption the IP header is NOT encrypted. TLS (SSL) does this as they are used prior to the application of the IP header. Link encryption occurs AFTER the IP header has been placed in the packet and it therefore encrypts the data and the IP header.

If a VPN is setup to utilize End-to-End encryption, then any intermediary routing devices can easily view the IP header and make routing decisions. A man in the middle attack could also see the routing information and could perform something called “traffic analysis” which looks at the source and destination IP addresses to determine what people are talking about and how often/much they are talking. Think of this as pulling a phone record in a police show – the data does not appear in the phone record (as it is also encrypted in the End-to-End VPN tunnel). However, the phone record can provide useful information about the frequency and duration calls just as IP headers can provide information about the endpoints.

An example here might be monitoring encrypted communications between Evil HQ and Evil field operators…the actual communications are unread, however the fact that there are communications may be important.

If a VPN is set up to utilize Link encryption, then the IP information is protected (encrypted) as well as all of the data traffic. This situation would make it impossible to route over the LAN or the Internet unless each routing device had a copy of the secret key used. Which would be horrible key management practice, or if each pair of routing devices had their own shared key, which would be a logistical nightmare. Furthermore, the data (and the IP header) would be decrypted by each and every routing device along the way which would mean that any router becoming compromised would provide the attacker with your plaintext data. I have seen Link encryption performed with military hardware encryptors on a dedicated point-to-point circuit (non-routed link) and they work very well.

You can “nest” the two encryption types, utilizing End-to-End encryption to protect the data on the LAN and Link encryption to further protect the IP information on the edge devices prior to sending the data out on an uncontrolled WAN. The data will then be doubly encrypted.

We can further confuse things by adding IPSec into the conversation. IPSec has two modes of encryption called “Transport” and “Tunnel”. Transport mode is equivalent to End-to-End in that it does NOT protect the IP headers, just the data. Tunnel mode is equivalent to Link encryption and protects (encrypts) the data and the IP header information.

As always, the challenge is protecting the routing information as well as the data. IPSec solves this problem in Tunnel mode by adding a new IP header to the front of the encrypted IP header. This new IP header will be used by the intermediary routing devices (perhaps the routers on the Internet) to route to the opposite end of the IPSec tunnel – to the receiving end of the IPSec tunnel. The device on the receiving end of the tunnel will look at the new IP header and determine that it is the end station (according at least to the new IP header) and will decrypt the packet revealing the internal protected IP header which it will then use to route to the real IP destination.

Another option for devices performing Link encryption, but not running IPSec can be to utilize GRE.

"Generic Routing Encapsulation, or GRE, is a protocol for wrapping data packets inside secondary data packets in order to set up a direct point-to-point network connection." Normally used at network routers, and used for network protocols, which are not supported by a device

To summarize – both End-to-End and Link encryption will protect the confidentiality of the data. End-to-End will NOT protect the IP information thus leaving you open to traffic analysis.

Hope this helps?

Regards

Caute_Cautim

OliLue · ‎03-24-2024

Thanks denbesten,

slowly there comes light in the dark.

Thanks for your example

Best regards

OliLue · ‎03-24-2024

Thanks Caute_Cautim,

you description helps me to think in different ways und make it clear.

Best regards

sriganeshp · ‎04-11-2024

Thank you for the explanation, I found this as i was trying to confirm what is mentioned in the book 9th Edition ISC2 official guide for CISSP under the SSH VPN topic, page 607

was contradicting to the rest of explanation and my understanding of it

The content says