Encryption for beginners 2: PGP and hashing

If you want to prevent the wrong people from gaining access to an email with sensitive personal data, you cannot do without encryption. An interesting subject, but a complex one for those who do not come into contact with it on a daily basis. That is why we gave you a short introduction earlier (Encryption for Beginners 1) in which we discussed symmetric and asymmetric encryption. This blog will provide you with an explanation of two terms that regularly occur in this context: PGP and hashing.


Encryption and PGP


For a long time, email could only carry plain 7-bit text. Images, videos and the binary output of an encryption program could not be sent as-is, and most email programs therefore offered no usable support for encryption. This made it very difficult to secure messages.

This changed around 1991, with the arrival of the program PGP (Pretty Good Privacy). PGP not only provided a sound method of asymmetric encryption of messages, but also wrapped the encrypted result in plain text ("ASCII armour") so that it could be pasted into an ordinary email. You can use PGP to encrypt emails for several people at once, add digital signatures to messages, and encrypt images and other files. Encrypting for several recipients works the way part 1 described hybrid encryption: the message itself is encrypted once with a random symmetric session key, and that session key is then encrypted separately with the public key of each recipient, so every recipient can unlock the same message with their own private key.

The business versions of PGP contain a recovery mechanism known as the Additional Decryption Key (ADK): the program can be configured to encrypt every message additionally to a key held by the company. If an employee leaves the company, dies or simply loses his or her key, the company can still decrypt and read those messages. This prevents valuable data from being lost, but it is also a deliberate trade-off: whoever holds the company key can read all mail encrypted under the policy, so that key must be guarded and its use audited at least as carefully as any individual private key.

Because PGP was distributed free of charge and with source code, everyone could install it on their computer. It quickly grew into the de facto standard for email encryption and is probably the best-known encryption program in the world. A worldwide network of key servers has been set up on which people can publish their public key and look up the public keys of others. One caveat is essential: key servers do not check who uploaded a key, so anyone can publish a key carrying someone else's name and email address. Before encrypting to a key found on a server, verify its fingerprint with the owner through another channel (in person, by phone, or via a signature from someone you already trust); only then can you be sure you are encrypting with the right public key.


Hashing


Then there is hashing. This is not actually encryption but a one-way function: an algorithm that turns data of any length into a fixed-length value in such a way that the original data cannot be recovered from the result. With encryption the data can be made readable again with the right key; with hashing there is no key and no way back. Two further properties matter in practice: the same input always produces the same hash, and even a tiny change to the input produces a completely different hash.

Hashing involves three things: the input (for example a password), the algorithm (a mathematical function) and the outcome (the hash). The system stores only the algorithm's parameters and the hash, never the input. With each new input, the system runs the algorithm again and compares the new outcome with the stored one. If the two match, the same data must have served as the input.

The main application of hashing is the protection of passwords. If you enter a password on your computer, the system hashes the password. If the outcome is the same as the outcome that was already stored, you get access.

For example, Bob's password is '0l1fant'. After hashing, this becomes '$2a$04$o1K5mF8j.cj4rnzNuTD.Neaf8PpfbHVWt1oabbVIc5j/GDBaFPXfa'. This is a bcrypt hash: '$2a$' identifies the algorithm, '04' is the cost factor (2^4 rounds, which is far too low for real use; production systems typically use 10 or more), the next 22 characters are a random salt and the rest is the hash itself. The computer compares this hash with the hash it stored when the password was set. If they match, Bob gets access.

The biggest advantage of hashing is that a hacker who breaks into the system does not find the stored passwords, only their hashes. Entering a stolen hash as the password does not work: the hash would itself be hashed and the result would not match. But "he cannot do anything with it" is too optimistic. With the hash in hand, the attacker can guess passwords offline, hashing each guess and comparing, with no login screen, rate limit or lockout in the way. Weak passwords such as '0l1fant' fall quickly to a wordlist. This is why password hashes must use a random salt per password (so precomputed tables are useless and identical passwords do not produce identical hashes) and a deliberately slow algorithm such as bcrypt, scrypt or Argon2 that makes every guess expensive. Some systems, notably older Windows authentication, even accept the hash itself in place of the password ("pass-the-hash"), in which case a stolen hash is as good as the password.
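The following is an added example, not code from the original post, showing the verification process described above (hash the new input, compare with the stored hash) and what an attacker can still do with a stolen hash. It uses PBKDF2-HMAC-SHA256 from Python's standard library instead of the bcrypt shown in the post because it needs no extra package; the iteration count, the storage format and the wordlist are assumptions chosen for this example.

```python
"""Salted, slow password hashing, and why a stolen hash is still dangerous.

Added example (not from the original post). Uses PBKDF2-HMAC-SHA256 from the
standard library; the format and parameters below are assumptions for the demo.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# Work factor. Assumed value for the example; in production set it as high as
# your login-latency budget allows, since each attacker guess costs the same.
ITERATIONS = 100_000


def fast_unsalted_hash(password: str) -> str:
    """What NOT to do: plain SHA-256 without a salt.

    It is deterministic and fast, so identical passwords give identical hashes
    and an attacker can test billions of guesses per second or use precomputed
    tables. Shown only for contrast.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage.

    A fresh random salt per password means two users with the same password
    get different stored values, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    This is the check the post describes: the system never decrypts anything;
    it hashes the new input and compares the outcome with what it stored.
    """
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_guess(stored: str, wordlist: List[str]) -> Optional[str]:
    """What an attacker does with a stolen hash: try guesses offline.

    No login attempt is made, so no rate limit or lockout applies; each guess
    costs one hash computation. Returns the recovered password, or None.
    """
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed example: Bob's password from the post, stored hashed.
    stored = hash_password("0l1fant")
    print("stored:", stored)
    print("correct password accepted:", verify_password("0l1fant", stored))
    print("hash pasted as password accepted:", verify_password(stored, stored))
    # Constructed wordlist; real attackers use lists with millions of entries.
    wordlist = ["password", "letmein", "olifant", "0l1fant"]
    print("recovered offline:", offline_guess(stored, wordlist))
    # Contrast: unsalted fast hashes of the same password are identical.
    print("unsalted hashes equal:", fast_unsalted_hash("0l1fant") == fast_unsalted_hash("0l1fant"))
```

Run it and note two things: the stolen value pasted in as a password is rejected, exactly as the post says, yet the short wordlist still recovers '0l1fant' because each guess is simply hashed and compared. Salt and work factor do not stop that attack; they only make it slower and non-reusable across users, which is why strong passwords still matter.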
