A concept that comes up more and more often when the security of technology is discussed is client-side encryption. In this article we take a simple, step-by-step approach to explaining what the concept means. First we go through what a client is and what encryption is, which makes the idea behind client-side encryption easier to understand. Lastly, we discuss end-to-end encryption, which is sometimes associated with client-side encryption.
What Is a Client?
To understand what a client is, we have to distinguish between a client and a server. Both are computers, but with different roles. A client is a computer used by the end user that requests data. A server responds to a request by providing the requested data or by changing the data already present on the server.
An example is someone trying to access a website. Websites are stored on servers. The visitor of the website (the client) has to send a request to the server to receive the required data. This process happens automatically and goes through a browser.
What Is Encryption?
Encryption is the process of making data unreadable by encoding it using a key. The key is used to scramble the data so that it looks like a random set of characters, which makes the data useless to anyone without the key. Only by applying the key can the encryption be reversed and the data made readable again.
For more about encryption see this article.
What Is Client-Side Encryption?
Client-side encryption means that the client encrypts data before sending it out to any outside party, such as a server. The client has its own keys and its own Key Management System (KMS). Encryption is applied to the data, which means it is randomized and unreadable without the key. Interception of the data therefore does not necessarily lead to bad consequences: an attacker would still have to break the encryption algorithm, which is extremely difficult.
The counterpart of client-side encryption is server-side encryption. With server-side encryption, the data is first sent to the server and only encrypted there. If someone intercepts it on the way, there is nothing in place to prevent them from reading its contents and using them for some other purpose. That is why server-side encryption is often said to be less secure.
So client-side encryption has these main benefits compared to server-side encryption:
- Data in transit is encrypted
- Data remains encrypted in storage
The data that goes out (in transit) is randomized. Even if an attacker intercepts it, the encryption is nearly impossible to reverse.
When the data reaches the server it is already encrypted, so there is no risk of the server owner accessing its contents.
Client-side encryption still has weaknesses, and they lie mainly in key management. The client has to manage the encryption key itself, and anyone who obtains the key can still decrypt the data. There is a real risk of an attacker acquiring keys through careless handling by the key owner. That is why key management is sometimes outsourced to a third party. This does not remove every weakness, because the keys still have to be exchanged between the client and the key management service. To protect the keys themselves from being stolen, they are encrypted in turn, and in this way the encryption scheme becomes more and more complex.
Sometimes the term end-to-end encryption is used instead of client-side encryption. The two concepts are not the same. End-to-end encryption is, however, a case of client-side encryption, because data is encrypted at the user (the client) before it goes out to any other party. End-to-end encryption is more specific and refers to more decentralized parties exchanging data, such as regular users, rather than parties fulfilling different roles, as in the case of a client and a server.
An example is exchanging messages with a mobile app. The data is encrypted on the user's device before it goes out. It may pass through several parties, but it remains encrypted until it reaches the intended recipient, another user, who can then decrypt and read the message. This way the content of the messages is visible to the sender and the recipient, but remains hidden from any outside party.
End-to-end encryption is a case of client-side encryption because data is encrypted before it goes out, but it is more specific in the sense that only the sender and the recipient are able to decrypt the data. If the purpose of the server is just to store sensitive data, it would be inappropriate to speak of end-to-end encryption, because the service provider would then be the other end and would be able to decrypt and access the data.
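The three mechanisms described above (encrypting on the client so the server stores only ciphertext, protecting the data key by encrypting it in turn, and passing an end-to-end encrypted message through a relay that merely forwards it) brought together in one runnable Python example. This is an added illustration and not code from the article. It uses only the standard library, so the cipher is a constructed HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for a library AEAD such as AES-GCM; the key shared by the two messaging users is assumed to have been agreed out of band; and every name, passphrase and message in it (`client_upload`, `Relay`, `e2e_roundtrip`, the sample strings) is made up for the example.

```python
"""Added example (not from the article): client-side encryption before upload,
a wrapped data key, and an end-to-end encrypted relay, standard library only."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce || i).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte data key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then unmask; raise on a wrong key or tampered blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """What the server, or anyone intercepting the blob, can do with a guessed key."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


# --- Client-side encryption with the data key itself encrypted (key wrapping) ---

def kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Key-encryption key derived on the client from the user's passphrase;
    # neither the passphrase nor this key ever reaches the server.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def client_upload(passphrase: str, document: bytes) -> dict:
    """Runs on the client: encrypt the document with a fresh data key, encrypt
    that key with the passphrase-derived KEK, and return the record to store."""
    data_key, salt = os.urandom(32), os.urandom(16)
    kek = kek_from_passphrase(passphrase, salt)
    return {"salt": salt,
            "wrapped_key": encrypt(kek, data_key),
            "blob": encrypt(data_key, document)}


def client_download(passphrase: str, record: dict) -> bytes:
    """Runs on the client: unwrap the data key, then decrypt the document."""
    kek = kek_from_passphrase(passphrase, record["salt"])
    data_key = decrypt(kek, record["wrapped_key"])
    return decrypt(data_key, record["blob"])


# --- End-to-end encrypted messaging through a relay server ---

class Relay:
    """A server that only forwards messages, keeping a copy of what it saw."""
    def __init__(self):
        self.seen = []

    def forward(self, blob: bytes) -> bytes:
        self.seen.append(blob)
        return blob


def e2e_roundtrip(shared_key: bytes, relay: Relay, text: str) -> str:
    # The sender encrypts before the message leaves the device; only the
    # recipient, holding the same (out-of-band agreed) key, can decrypt it.
    delivered = relay.forward(encrypt(shared_key, text.encode()))
    return decrypt(shared_key, delivered).decode()


if __name__ == "__main__":
    record = client_upload("constructed passphrase", b"quarterly numbers")  # constructed input
    print(client_download("constructed passphrase", record))
    print(can_decrypt(b"\x00" * 32, record["blob"]))  # server guessing a key
    relay = Relay()
    print(e2e_roundtrip(os.urandom(32), relay, "meet at noon"))
    print(b"meet at noon" in relay.seen[0])  # the relay holds only ciphertext
```

The record returned by `client_upload` is everything the storage server receives: a salt, the encrypted data key and the encrypted document. None of it is usable without the passphrase, which stays on the client, so the server owner is in the same position as an interceptor. The wrapped key is what the article calls encrypting the keys in turn; the decryption check in `decrypt` also catches a tampered blob, which a bare stream cipher without a tag would not.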