Zivver achieves DCB0129 status for NHS Clinical Safety Risk Assesment
Most people don't realise how easily an email can be sent to the wrong recipient. A typo in the address, a mistake in the configuration of a server, the wrong name from the email address book: they are all simple, yet common, mistakes. And there is always the risk of hackers attacking a provider's email server and thus gaining access to the email of all the users on that system. You should therefore always use encryption to reduce the chance that the wrong person gains access to a message that contains sensitive (personal) data. We explain more in this post on the importance of encryption when it comes to data protection.
What is encryption?
Encryption is the encoding and decoding of data. It is the best way to make messages unreadable with the help of mathematical techniques (algorithms). Only the person who has the correct mathematical formula can make the original message readable again. We call such a mathematical formula the 'key'.
What is symmetric encryption?
To start with, it is good to be aware that there are different forms of encryption. The first variant is symmetric encryption. This form of encryption requires the sender to exchange a key with the recipient in advance. That key converts all data from readable to unreadable text, and you can only reverse this with the same key. The key is often a data set, that works best when it is completely random.
The problem with symmetric encryption is that you have to store the key somewhere, and it can only be available for the person who needs the key. The best-known example is the use of a password on the computer: with the right combination of letters and numbers you can access the computer yourself. But someone else - who does not know the password - cannot. The big disadvantage of this of course is that if someone else gets this key (the password), the security becomes completely useless.
You come across symmetric encryption in services that store encrypted data for a user, for example (such as a backup in the cloud). The key remains in the hands of the user.
What is asymmetric encryption?
Asymmetric encryption does more or less the same thing: it makes data unreadable, and makes them readable again with the right key. The difference, however, is that the recipient's key is not the same as that of the sender. So they do not have to share the key with each other. This is because the data are made illegible with a public key, and a recipient uses his private key to make the data readable again. For two-way communication you therefore need two key pairs. Each party gives its public half to the other.
A quick example to clarify this system. Suppose Alice wants to send a message to Bob. Bob is in possession of a public key and a private key. Alice then receives the public key from Bob. She uses this to encrypt the message and then sends it to Bob. Bob decrypts the message with his private key and can read it.
You can make the public key public. You can publish it on a homepage or on a 'key server'. This makes it easy for anyone who wants to encrypt a message to get the right public key. You keep the private key for yourself, just like a password.
In some cases, asymmetric encryption can also allow data to be signed. In such cases, a signature is created using the private key, and the public key is then used to verify it. This makes it virtually impossible to send an email under someone else's name.
Asymmetric encryption is especially useful on the internet, for example for setting up a secure (https) connection between a browser and a website. It is also possible to use this to establish a secure connection with remote servers. A computer uses this form of encryption when software updates require a signature. This enables the system to be certain that the software originates from a trusted party.
Of course, asymmetric encryption also has disadvantages. For example, it is possible to break into an encrypted connection via a so-called man-in-the-middle (MITM) attack. This works as follows: when you want to send a message, you receive a public key to set up a secure connection. But in an MITM attack, you are communicating with a party other than your intended recipient. This party gives you their own public key , then gives the party you want to communicate with another public key and pretends that this is yours. The data you then send can then be intercepted and read. This could cause a lot of problems when you send your bank details, for example. The only thing you can do to prevent this is to make sure that you have the right public key.
Do you want to know how we solved this problem at Zivver? We would be happy to explain it to you. Send your question to firstname.lastname@example.org and we will get back to you!
You can also read about our secure email and file transfer solution to learn more.