Encryption for beginners 1: (A)symmetric encryption
Most people do not realise how easily an email can arrive at the wrong recipient. A typo in the address, a mistake in the configuration of a server, the wrong name from the address book: they are all simple mistakes. And there is always the risk of hackers breaking into a provider's email server and thus gaining access to the email of all the users on that system. You should therefore always use encryption to reduce the chance that the wrong person gains access to a message with sensitive (personal) data. We give you a brief introduction to this interesting topic.
What is encryption?
Encryption is the encoding and decoding of data. It is the best way to make messages unreadable with the help of mathematical techniques (algorithms). Only the person who has the correct mathematical formula can make the original message readable again. We call such a mathematical formula the 'key'.
To start with, it is good to be aware that there are different forms of encryption. The first variant is symmetric encryption. This form of encryption requires the sender to exchange a key with the recipient in advance. That key converts all data from readable to unreadable text, and you can only reverse this with the same key. The key is often a data set, that works best when it is completely random.
The problem with symmetric encryption is that you have to store the key somewhere, and it can only be available for the person who needs the key. The best-known example is the use of a password on the computer: with the right combination of letters and numbers you can access the computer yourself. But someone else - who does not know the password - cannot. The big disadvantage of this of course is that if someone else gets this key (the password), the security becomes completely useless.
You come across symmetric encryption in services that store encrypted data for a user, for example (such as a backup in the cloud). The key remains in the hands of the user.
Asymmetric encryption does more or less the same thing: it makes data unreadable, and makes them readable again with the right key. The difference, however, is that the recipient's key is not the same as that of the sender. So they do not have to share the key with each other. This is because the data are made illegible with a public key, and a recipient uses his private key to make the data readable again. For two-way communication you therefore need two key pairs. Each party gives its public half to the other.
A quick example to clarify this system. Suppose Alice wants to send a message to Bob. Bob is in possession of a public key and a private key. Alice then receives the public key from Bob. She uses this to encrypt the message and then sends it to Bob. Bob decrypts the message with his private key and can read it.
You can make the public key public. You can publish it on a homepage or on a 'key server'. This makes it easy for anyone who wants to encrypt a message to get the right public key. You keep the private key for yourself, just like a password.
In some cases, asymmetric encryption can also allow data to be signed. In such cases, a signature is created using the private key, and the public key is then used to verify it. This makes it virtually impossible to send an email under someone else's name.
Asymmetric encryption is especially useful on the internet, for example for setting up a secure (https) connection between a browser and a website. It is also possible to use this to establish a secure connection with remote servers. A computer uses this form of encryption when software updates require a signature. This enables the system to be certain that the software originates from a trusted party.
Of course, asymmetric encryption also has disadvantages. For example, it is possible to break into an encrypted connection via a so-called man-in-the-middle (MITM) attack. This works as follows: when you want to send a message, you receive a public key to set up a secure connection. But in an MITM attack, you are communicating with a party other than your intended recipient. This party gives you their own public key , then gives the party you want to communicate with another public key and pretends that this is yours. The data you then send can then be intercepted and read. This could cause a lot of problems when you send your bank details, for example. The only thing you can do to prevent this is to make sure that you have the right public key. Do you want to know how we solved this problem at ZIVVER? We would be happy to explain it to you. Send your question to email@example.com and we will get back to you!
Some organisations are already GDPR compliant, others still have work to do to meet the legal requirements. To achieve this, a set of technical and organisational measures is required. There are many step-by-step plans on the Internet to help you with these measures. It is even more important yet to raise the awareness among your organisation’s employees. This is very […]
If you want to prevent the wrong people from gaining access to an email with sensitive personal data, you cannot do without encryption. An interesting subject, but a complex one for those who do not come into contact with it on a daily basis. That is why we gave you a short introduction earlier (Encryption for Beginners 1) in which we discussed symmetric and asymmetric […]