Has COVID-19 made local government less cyber secure?
If you want to prevent the wrong people from gaining access to an email with sensitive personal data, you cannot do without encryption. An interesting subject, but a complex one for those who do not come into contact with it on a daily basis. That is why we gave you a short introduction earlier (Encryption for Beginners 1) in which we discussed symmetric and asymmetric encryption. This blog will provide you with an explanation of two terms that regularly occur in this context: PGP and hashing.
Encryption and PGP
For a long time, email was only suitable for sending text, not for images, videos or encrypted messages. Most email programs therefore did not offer good support for encryption. Of course, this made it very difficult to secure messages.
This changed around 1992, with the arrival of the program PGP (Pretty Good Privacy). This not only provided a sound method of asymmetric encryption of messages, but also ensured that those encrypted messages could be included in an email. You can use PGP to encrypt emails for several people at once, provide messages with digital signatures and encrypt images and other files.
In the version of PGP for companies there is a kind of back door: you can set up the program so that it also encrypts each message with the public key of the company. If an employee leaves the company, dies or simply loses his key, the company can decrypt and view his/her messages. This construction prevents valuable data from being lost.
Because PGP was distributed free of charge and with source code, everyone could install it on their computer. This meant it quickly grew to become the standard for email security, and is probably the best-known encryption program in the world. A worldwide network of key servers has been set up, where people can offer their public key and request the public keys of others. In this way one can always send a secure message with the right public key.
Then there is hashing. This is not actually an encryption, but an algorithm that scrambles data so that it is no longer possible to see what the original data was. With encryption it is possible to make data readable again, but with hashing this is not the case. Once made unreadable, it remains so.
Hashing is a three-part process: the input (a password), the algorithm (a mathematical formula) and the outcome (the hash). The system knows the algorithm and the hash. With each new input, the system compares the outcome with the original. If the original and the outcome match, then the same data have served as the basis.
The main application of hashing is the protection of passwords. If you enter a password on your computer, the system hashes the password. If the outcome is the same as the outcome that was already stored, you get access.
For example, Bob's password is '0l1fant'. After hashing, this is ‘$2a$04$o1K5mF8j.cj4rnzNuTD.Neaf8PpfbHVWt1oabbVIc5j/GDBaFPXfa’. The computer compares this hash with the hash it stored when the password was set. If they match, Bob gets access.
The biggest advantage of hashing is that a hacker cannot steal the stored password. The only thing the hacker can do is steal the hash. But it is not possible to use the hashed outcome to gain access. If you enter it, the result is again mixed up by the algorithm. If a hacker steals the hash from a computer, he cannot do anything with it.