Encoding IS NOT Encryption! And neither is hashing. [The Confused Developer]

OktaDev

14 Feb 202312:23

Summary

TLDRThis video clarifies the key differences between encoding, encryption, and hashing, helping viewers understand their distinct roles in securing data. Encoding transforms data for system interoperability without security benefits, encryption ensures data confidentiality by making it unreadable to unauthorized users, and hashing guarantees data integrity by creating a unique, irreversible string. The video emphasizes common misconceptions, such as confusing encryption with encoding, and highlights best practices, like using hashing for password storage rather than encryption, to avoid security vulnerabilities. This high-level overview helps viewers make informed decisions on applying these techniques in their applications.

Takeaways

😀 Encoding is a technique used to transform data from one format to another to ensure interoperability between systems without the intent of security.
😀 Unlike encryption, encoding is a reversible process, meaning data can be transformed back to its original form without loss of information.
😀 Common encoding mechanisms include ASCII, Unicode, Base64, and URL encoding, each serving specific use cases such as text representation or web data handling.
😀 Encryption transforms data into an unreadable format to protect it from unauthorized access, ensuring data confidentiality.
😀 Unlike encoding, encryption is meant to make data unreadable to unauthorized parties and is generally a reversible process only for authorized users with the decryption key.
😀 Unlike encoding, encryption algorithms are kept secret to prevent unauthorized parties from decrypting the data, although strong encryption relies on well-known, public algorithms.
😀 Encryption mechanisms are divided into two families: symmetric encryption (same key for both encryption and decryption) and asymmetric encryption (two related keys for encryption and decryption).
😀 Hashing is used to generate a unique, fixed-length string (hash) for a specific input, ensuring data integrity but is not reversible, unlike encoding and encryption.
😀 Hashing guarantees that any change to the input data, even a small one, will produce a completely different hash value, which helps detect data tampering.
😀 Unlike encryption and encoding, hashing is not suitable for scenarios where data needs to be reversed or restored. It is used for verifying data integrity rather than confidentiality.
😀 A common mistake in security is confusing encryption and hashing, as both alter data, but hashing should be used for verifying data integrity, not protecting sensitive data like passwords.

Q & A

What is the main difference between encoding and encryption?
-Encoding is a process that transforms data into a different format for compatibility between systems, while encryption is a technique that makes data unreadable to unauthorized parties, ensuring confidentiality.
Why is encoding not considered a security measure?
-Encoding does not involve any secrecy or protection of data; it is simply a method of converting data into a format that can be easily understood by different systems. Its purpose is interoperability, not security.
How does encryption work to secure data?
-Encryption transforms data into an unreadable format using algorithms and keys. It ensures that only authorized users with the decryption key can access the original data, maintaining confidentiality.
What are symmetric and asymmetric encryption algorithms?
-Symmetric encryption uses the same key for both encryption and decryption (e.g., AES), while asymmetric encryption uses a pair of keys—one for encryption and the other for decryption (e.g., RSA).
Why is it not recommended to create your own encryption algorithm?
-Creating your own encryption algorithm is risky because it may lack the necessary mathematical rigor, security testing, and resistance to attacks. It is best to rely on well-known, widely tested algorithms.
What is hashing, and how is it different from encryption?
-Hashing is a process that generates a fixed-length string (hash) from input data. It is designed for verifying data integrity, not for keeping data secret, and it is irreversible, unlike encryption, which is reversible with the correct key.
Why is hashing considered a better option than encryption for storing passwords?
-Hashing is ideal for passwords because it is irreversible, making it difficult for attackers to retrieve the original password from the hash. In contrast, encryption is reversible and could potentially expose passwords if the key is compromised.
What mistake did Adobe engineers make regarding password storage in the 2013 data breach?
-Adobe engineers mistakenly encrypted user passwords instead of hashing them. This allowed attackers to potentially decrypt passwords, compromising users' security on other websites where the same password might have been used.
What assumptions should a good hashing algorithm follow?
-A good hashing algorithm should: 1) produce a fixed-length hash, 2) always produce the same output for the same input, 3) ensure that different inputs produce different outputs, 4) not allow the input data to be obtained from the hash, and 5) ensure that any change in input produces a different hash.
What is the purpose of using salt in password hashing?
-Salt is used to add a random value to each password before hashing, making it harder for attackers to crack multiple passwords at once using precomputed hash values (rainbow tables), thereby enhancing security.