Encoding vs Encryption vs Hashing vs Obfuscation

I recently had to explain some concepts around encryption, encoding, hashing, and obfuscation, and there is often significant confusion around the differences.

In this post, I'd like to go over each one:

Encoding

By the end of Reception, children are expected to be able to write each letter of the alphabet and know what sound each one represents. The alphabetic principle is the understanding that there are systematic and predictable relationships between written letters and spoken sounds.

The purpose of encoding is to transform data so that it can be properly (and safely) consumed by a different type of system, e.g. binary data being sent over email, or viewing special characters on a web page. The goal is not to keep information secret, but rather to ensure that it’s able to be properly consumed. Encoding transforms data into another format using a scheme that is publicly available so that it can easily be reversed. It does not require a key as the only thing required to decode it is the algorithm that was used to encode it.

Examples: HTML Encoding, URL Encoding, Unicode Encoding, Base64 Encoding, Hex Encoding, ASCII Encoding.

Tool for encoding and decoding: CyberChef
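As an added example (not from the original post), the Python sketch below round-trips constructed sample data through four of the schemes listed above using only the standard library. The names `SCHEMES`, `round_trip`, `BINARY` and `MARKUP` are made up for illustration; note that no key appears anywhere, because knowing the scheme is enough to decode.

```python
import base64
import html
import urllib.parse

# Each scheme is a public (encode, decode) pair: no key is involved anywhere.
SCHEMES = {
    "base64": (lambda b: base64.b64encode(b).decode("ascii"),
               lambda s: base64.b64decode(s)),
    "hex":    (lambda b: b.hex(),
               bytes.fromhex),
    "url":    (lambda b: urllib.parse.quote_from_bytes(b, safe=""),
               urllib.parse.unquote_to_bytes),
    "html":   (lambda b: html.escape(b.decode("utf-8")),
               lambda s: html.unescape(s).encode("utf-8")),
}


def round_trip(name: str, data: bytes) -> tuple:
    """Encode with the named scheme, then decode using only the scheme itself.

    Returns (encoded_text, decoded_bytes).
    """
    encode, decode = SCHEMES[name]
    encoded = encode(data)
    return encoded, decode(encoded)


# Constructed sample inputs (not from the original post).
BINARY = bytes([0x00, 0xFF, 0x10, 0x80])  # unprintable, e.g. an email attachment
MARKUP = '<a href="?q=1&r=2">caf\u00e9</a>'.encode("utf-8")  # special characters

if __name__ == "__main__":
    for scheme in ("base64", "hex", "url"):
        encoded, decoded = round_trip(scheme, BINARY)
        print(f"{scheme:7} {encoded!r:18} recovered={decoded == BINARY}")
    encoded, decoded = round_trip("html", MARKUP)
    print(f"html    {encoded!r} recovered={decoded == MARKUP}")
```

Every encoded form is plain printable text that the target system can carry safely, and every one decodes back to the original bytes without any secret.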

Encryption

The Caesar Cipher is a classic example of ancient cryptography and is said to have been used by Julius Caesar to encrypt messages. The Caesar Cipher is based on transposition and involves shifting each letter of the plaintext message by a certain number of letters.

With the Caesar Shift Cipher, each letter of the alphabet is “shifted” by some fixed number. The shift is named a “ROT,” which stands for “rotation.” For example, with a ROT1 shift A becomes B, B becomes C, and so on.

With a ROT13 shift, on the other hand, A becomes N, B becomes O, C becomes P, etc. To decode a message sent using the Caesar Shift Cipher the person must be aware of what shift has been used.
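The shift cipher described above, as an added Python example that is not part of the original post; `rot`, `unrot` and `all_shifts` are illustrative names and the message is a constructed sample. It shows that the shift acts as the key, and that with only 25 possible shifts the cipher is a teaching aid rather than real protection.

```python
def rot(text: str, shift: int) -> str:
    """Shift each ASCII letter by `shift` places, wrapping Z back to A.

    Case is preserved; digits, spaces and punctuation pass through unchanged.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def unrot(text: str, shift: int) -> str:
    """Decode by rotating the same number of places in the other direction."""
    return rot(text, -shift)


def all_shifts(ciphertext: str) -> dict:
    """Return the decoding for every possible key (shifts 1 through 25)."""
    return {shift: unrot(ciphertext, shift) for shift in range(1, 26)}


if __name__ == "__main__":
    message = "MEET ME AT NOON"          # constructed sample plaintext
    secret = rot(message, 3)
    print("ROT1 :", rot("ABC", 1))       # A->B, B->C, C->D
    print("ROT13:", rot("ABC", 13))      # A->N, B->O, C->P
    print("ROT3 :", secret)
    print("right shift:", unrot(secret, 3))
    print("wrong shift:", unrot(secret, 4))
    # The key space is tiny: one of these 25 lines is always the plaintext.
    for shift, candidate in all_shifts(secret).items():
        print(f"{shift:2} {candidate}")
```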

The purpose of encryption is to transform data to keep it secret from others, e.g. sending someone a secret letter that only they should be able to read, or securely sending a password over the Internet. Rather than focusing on usability, the goal is to ensure the data cannot be consumed by anyone other than the intended recipient(s).

Examples: Blowfish (symmetric), RSA (asymmetric), AES (symmetric), ECC (namely ed25519) (asymmetric), ChaCha/Salsa (symmetric).

Note: Asymmetric is slow but good for establishing a trusted connection. Symmetric has a shared key and is faster. Protocols often use asymmetric to transfer the symmetric key. Perfect forward secrecy: e.g. Signal uses this.

Tools for encryption: GPG and bcrypt.

Hashing

Hashing is an algorithm to map data of any size to a fixed length. A hash is not ‘encryption’ – it cannot be decrypted back to the original text (it is a ‘one-way’ cryptographic function). Whereas encryption is a two-way function, hashing is a one-way function. Hashing is used in conjunction with authentication to produce strong evidence that a given message has not been modified and serves the purpose of ensuring integrity, i.e. making it so that if something is changed you can know that it’s changed.

Examples: You often hear about SHA-256; that means that the algorithm is going to output a hash value that is 256 bits, usually represented by a 64-character hexadecimal string.

Note: Salting is a concept that typically pertains to password hashing. Essentially, it’s a unique value that can be added to the end of the password to create a different hash value. This adds a layer of security to the hashing process.

Examples of hashes: CRC-16 to CRC-32, MD2 to MD5 (now obsolete), SHA-2 to SHA-512/256, Keccak-224 to Keccak-512, SHAKE-128 to SHAKE-256.

Tools: CyberChef
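An added Python example (not from the original post) covering both the integrity check and the salting note above, using only the standard library. The function names, sample messages and iteration count are assumptions; for the password part it uses PBKDF2, a salted and deliberately slow construction, rather than a bare hash of password plus salt.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # illustrative work factor (assumption); tune per hardware


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as hex: always 64 characters, whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def is_unmodified(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the hash and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn for each new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt; the original password is never stored."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Constructed sample data (not from the original post).
ORIGINAL = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"

if __name__ == "__main__":
    known_good = sha256_hex(ORIGINAL)
    print("digest length :", len(known_good))
    print("original ok   :", is_unmodified(ORIGINAL, known_good))
    print("tampered ok   :", is_unmodified(TAMPERED, known_good))
    salt_a, hash_a = hash_password("correct horse")
    salt_b, hash_b = hash_password("correct horse")
    print("same password, same hash?", hash_a == hash_b)  # salts differ
    print("verify right  :", verify_password("correct horse", salt_a, hash_a))
    print("verify wrong  :", verify_password("wrong horse", salt_a, hash_a))
```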

Obfuscation

Obfuscation is a technique that is normally used to hide the meaning of some software by rearranging the operations, but it can also be used to add weak watermarks to the code. In both cases, the algorithms rely on a collection of transformations that change the apparent operation of the software without changing the results. An obfuscated program should produce exactly the same results as an unobfuscated one.

The purpose of obfuscation is to make something harder to understand, usually for the purposes of making it more difficult to attack or to copy.

One common use is the obfuscation of source code so that it’s harder to replicate a given product if it is reverse engineered.

It’s important to note that obfuscation is not a strong control (like properly employed encryption) but rather an obstacle. It, like encoding, can often be reversed by using the same technique that obfuscated it. Other times it is simply a manual process that takes time to work through.

Examples: ProGuard

Conclusion

  • Encoding is for maintaining data usability and can be reversed by employing the same algorithm that encoded the content, i.e. no key is used.
  • Encryption is for maintaining data confidentiality and requires the use of a key (kept secret) in order to return to plaintext.
  • Hashing is for validating the integrity of content by detecting all modification thereof via obvious changes to the hash output.
  • Obfuscation is used to prevent people from understanding the meaning of something and is often used with computer code to help prevent successful reverse engineering and/or theft of a product’s functionality.

Disclaimer

Tools are mentioned in this series to illustrate concepts and techniques, not to indicate that a particular tool is best suited to a particular purpose.

Subir Mandal

SAVP at Wells Fargo

2 years ago

Wonderful!!!!

Harshith S

Android AOSP Bluetooth Developer at Visteon.

2 years ago

Well Explained ...

Narjess A.

Enterprise Security-Third party Risk Management Specialist| TPRM Analyst | IT Security Specialist | Information Security Analyst | Governance, Risk Management, Compliance| Security Operation Center | Incident response

2 years ago

great article

Andrew Woods

Software Engineering Leader / Certified Agile Coach / Author

4 years ago

Very nice Liban
