Encryption for beginners 1: (A)symmetric encryption

Most people do not realise how easily an email can arrive at the wrong recipient. A typo in the address, a mistake in the configuration of a server, the wrong name from the address book: they are all simple mistakes. And there is always the risk of hackers breaking into a provider's email server and thus gaining access to the email of all the users on that system. You should therefore always use encryption to reduce the chance that the wrong person gains access to a message with sensitive (personal) data. We give you a brief introduction to this interesting topic.


What is encryption?


Encryption is the encoding and decoding of data. It is the best way to make messages unreadable with the help of mathematical techniques (algorithms). Only the person who has the correct mathematical formula can make the original message readable again. We call such a mathematical formula the 'key'.


Symmetric encryption


To start with, it is good to be aware that there are different forms of encryption. The first variant is symmetric encryption. This form of encryption requires the sender to exchange a key with the recipient in advance. That key converts all data from readable to unreadable text, and you can only reverse this with the same key. The key is often a data set, that works best when it is completely random. 

The problem with symmetric encryption is that you have to store the key somewhere, and it can only be available for the person who needs the key. The best-known example is the use of a password on the computer: with the right combination of letters and numbers you can access the computer yourself. But someone else - who does not know the password - cannot. The big disadvantage of this of course is that if someone else gets this key (the password), the security becomes completely useless.

You come across symmetric encryption in services that store encrypted data for a user, for example (such as a backup in the cloud). The key remains in the hands of the user.


Asymmetric encryption


Asymmetric encryption does more or less the same thing: it makes data unreadable, and makes them readable again with the right key. The difference, however, is that the recipient's key is not the same as that of the sender. So they do not have to share the key with each other. This is because the data are made illegible with a public key, and a recipient uses his private key to make the data readable again. For two-way communication you therefore need two key pairs. Each party gives its public half to the other.

A quick example to clarify this system. Suppose Alice wants to send a message to Bob. Bob is in possession of a public key and a private key. Alice then receives the public key from Bob. She uses this to encrypt the message and then sends it to Bob. Bob decrypts the message with his private key and can read it.


Digital signature


You can make the public key public. You can publish it on a homepage or on a 'key server'. This makes it easy for anyone who wants to encrypt a message to get the right public key. You keep the private key for yourself, just like a password.

In some cases, asymmetric encryption can also allow data to be signed. In such cases, a signature is created using the private key, and the public key is then used to verify it. This makes it virtually impossible to send an email under someone else's name.

Asymmetric encryption is especially useful on the internet, for example for setting up a secure (https) connection between a browser and a website. It is also possible to use this to establish a secure connection with remote servers. A computer uses this form of encryption when software updates require a signature. This enables the system to be certain that the software originates from a trusted party.


Man-in-the-middle


Of course, asymmetric encryption also has disadvantages. For example, it is possible to break into an encrypted connection via a so-called man-in-the-middle (MITM) attack. This works as follows: when you want to send a message, you receive a public key to set up a secure connection. But in an MITM attack, you are communicating with a party other than your intended recipient. This party gives you their own public key , then gives the party you want to communicate with another public key and pretends that this is yours. The data you then send can then be intercepted and read. This could cause a lot of problems when you send your bank details, for example. The only thing you can do to prevent this is to make sure that you have the right public key. Do you want to know how we solved this problem at ZIVVER? We would be happy to explain it to you. Send your question to contact@zivver.com and we will get back to you!

RELATED
shutterstock_274821560 (1)

How to make your employees aware of the importance of secure information processing

Some organisations are already GDPR compliant, others still have work to do to meet the legal requirements. To achieve this, a set of technical and organisational measures is required. There are many step-by-step plans on the Internet to help you with these measures. It is even more important yet to raise the awareness among your organisation’s employees. This is very […]

Read more
shutterstock_219503161 (1)

What is the difference between personal data and privacy-sensitive information?

The GDPR is a hot topic. Due to all messages in the media, many myths circulate about this topic. A frequently-heard comment is: but it is related to privacy, and so it is forbidden under the GDPR anyway, right? To understand correctly what the law requires and what are the reasons for that, you should know what personal data are and how this differs from […]

Read more
shutterstock_675065458 (1)

Data and human errors: Where does it go wrong?

People make a mistake every 200-20,000 actions. So when humans play a role in a system, it is very likely they make mistakes. Like writing ‘2017’ for instance, when it should be ‘2018’, forgetting their keys, calling somebody by the wrong name. These things happen, after all, you cannot make an omelette without breaking eggs. Most people spend a large part of their […]

Read more
Untitled design (2)

Encryption for beginners 2: PGP and hashing

If you want to prevent the wrong people from gaining access to an email with sensitive personal data, you cannot do without encryption. An interesting subject, but a complex one for those who do not come into contact with it on a daily basis. That is why we gave you a short introduction earlier (Encryption for Beginners 1) in which we discussed symmetric and asymmetric […]

Read more