If you want to prevent unintended recipients from gaining access to emails containing sensitive personal data, it is imperative to use encryption. Encryption is an interesting yet complex subject that is not widely understood by the general public. We started covering the topic in the first "encryption for beginners" blog post, in which we highlighted the differences between symmetric and asymmetric encryption. In this follow-up post, we go a step further and introduce two additional terms that frequently appear in the context of email encryption: PGP and hashing.
Encryption and PGP
For many years, at the beginning of the internet era, email was only suitable for exchanging text messages. It was not ideal for sending images, videos, or encrypted messages, and most email clients did not provide adequate support for encryption. This made it very challenging to ensure that messages could be adequately secured.
The situation started to evolve in 1992 with the arrival of the PGP (Pretty Good Privacy) program, which addressed an important issue regarding online data protection. This program offered a sound technique for asymmetric encryption of messages, while also ensuring that those encrypted messages could be included in an email. With PGP, you can encrypt emails for several people at the same time, add digital signatures or images to messages, and encrypt other files.
There is a type of PGP for companies that includes a form of back-door access: the system can be set to also encrypt every message with the company's public key. If an employee leaves the job (for whatever reason), or simply loses their key, the company will still be able to decrypt and view their messages. A system designed this way prevents valuable data from being inadvertently lost under those circumstances.
Because PGP was initially distributed for free and included the source code, anyone could install it on their computer. Consequently, it quickly became the standard for email security and is probably still the best-known encryption program in the world. A worldwide network of servers was set up, where people can publish their public keys and request the public keys of others. This way, one can always send a message securely by using the correct public key.
Another familiar term is hashing. This is not actually a form of encryption. Instead, it is a cryptographic function: a method of transforming data so that the original cannot be read from the result. Hashing takes a piece of data, like an email address or password, and converts it to a 32-character hexadecimal string. Email addresses and passwords become an unrecognizable jumble of numbers and letters. Every time the same email address or password is run through the hashing algorithm, the same result is delivered.
Because a hashing algorithm always transforms the same email address into the same string, a hashed email can be used to obtain data about an individual's online behavior without obtaining the email address itself.
Hashing is a three-part process:
1) The input (a password or email address)
2) The algorithm (a mathematical formula)
3) The outcome (the hash)
The system always knows both the algorithm and the stored hash. With each new entry, the system hashes the input and compares the result with the stored hash. If the two are the same, the same data was entered.
The most powerful application of hashing is in the protection of passwords. When you set a password on your computer, the system saves its hash. When you later enter a password, it is hashed in the same way; if the result is the same as what is currently saved, access will be granted.
For example: Bob's password is "0lfant". After hashing, the password becomes "$2a$04$o1K5mF8j.cj4rnzNuTD.Neaf8PpfbHVWt1oabbVIc5j/GDBaFPXfa".
The computer compares this hash with the hash saved when the password was initially set. If there is a match, Bob's password will be accepted, and he will be able to log in to the system.
The most significant advantage of hashing is that a hacker is unable to steal a saved password. The only thing that could possibly be stolen is the hash. However, the hashed outcome is rendered useless and cannot be used to breach access to any stored data. If the hash is entered as a password, it will itself be scrambled by the algorithm and the result will not match. Essentially, if hackers are in possession of a computer's hash, it's entirely useless to them.
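The password check described above (store a hash when the password is set, hash each login attempt, compare) can be sketched as follows. This is an added example, not Zivver's code: it uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the algorithm that produced Bob's hash, and the per-user random salt, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Input + algorithm -> outcome (the hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(password: str) -> dict:
    """Build the record the system saves: salt and hash, never the password."""
    salt = os.urandom(16)  # random salt: equal passwords get different hashes
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(record: dict, attempt: str) -> bool:
    """Hash the attempt with the saved salt and compare in constant time."""
    candidate = hash_password(attempt, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    record = set_password("0lfant")   # Bob's password from the article
    stolen = record["hash"].hex()     # what a copy of the stored record exposes
    return {
        "correct_password": verify_password(record, "0lfant"),
        "wrong_password": verify_password(record, "olifant"),
        # Entering the hash itself fails: it is hashed again and no longer matches.
        "hash_entered_as_password": verify_password(record, stolen),
        # A second enrolment of the same password gets a new salt, so a new hash.
        "new_salt_gives_new_hash": set_password("0lfant")["hash"] != record["hash"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```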
Encryption and privacy by design of Zivver
Would you like to know how Zivver uses asymmetric encryption and our approach to privacy by design? Download the whitepaper below to find detailed technical information about our innovative security solutions for email communication.