It's important to keep our (and our users') data safe.

To do this, it helps to know the most common methods used for it, and how they differ:

  • Encoding
  • Encryption
  • Hashing

These terms are often used as if they meant the same thing, and that confusion can lead to real problems.

That is why, in this article, we will review each of these methods and how they work, with examples.

What is Encoding?

Encoding data is a process that (simply put) changes the format of the data.

That is:

  • Encoding is a reversible process.
  • Data can be encoded to a new format, and decoded to its original format.

Because it is easily reversible, encoding must not be used to protect data.

In fact, encoding algorithms are usually public, so that anyone can easily encode and decode with them.

When is it used?

Generally to exchange data between systems and applications in a more convenient format.

Examples of encoding: ASCII, URL Encoding, Base64.
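As an added example (not code from the original article), the following Go program round-trips a constructed sample value through Base64 and URL encoding using only the standard library. The point to notice is that no key is involved: anything Base64-encoded can be decoded by whoever receives it, so it looks "hidden" but is not protected.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"net/url"
)

// EncodeBase64 changes the representation of arbitrary bytes into printable
// ASCII text. No key is involved: anyone can undo it.
func EncodeBase64(data []byte) string {
	return base64.StdEncoding.EncodeToString(data)
}

// DecodeBase64 restores the original bytes from their Base64 form.
// Malformed input is reported as an error, not silently accepted.
func DecodeBase64(encoded string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(encoded)
}

// EncodeURL escapes characters that are not safe inside a URL query string
// (spaces, '&', '=', non-ASCII bytes) so the value can travel between systems.
func EncodeURL(value string) string {
	return url.QueryEscape(value)
}

// DecodeURL reverses EncodeURL.
func DecodeURL(escaped string) (string, error) {
	return url.QueryUnescape(escaped)
}

// RoundTripsCleanly reports whether Base64 encoding followed by decoding
// returns exactly the input, which is what "reversible" means in practice.
func RoundTripsCleanly(data []byte) bool {
	decoded, err := DecodeBase64(EncodeBase64(data))
	return err == nil && bytes.Equal(decoded, data)
}

func main() {
	// Constructed sample value; it only looks secret once encoded.
	sample := []byte("password=hunter2")
	b64 := EncodeBase64(sample)
	fmt.Println("Base64:     ", b64)
	back, _ := DecodeBase64(b64)
	fmt.Println("Decoded:    ", string(back))
	fmt.Println("URL-encoded:", EncodeURL("user name&role=admin"))
}
```

Running it shows the encoded form of the sample value and then the original recovered from it with no key at all, which is exactly why encoding cannot stand in for encryption.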

What is Encryption?

Encryption is a more secure process for protecting data:

The data is transformed in such a way that only authorized users (those holding the key or password) can decrypt the result and access the original content.

Because encoding is the more general term:

  • Encryption is often described as a "secure encoding".
  • However, the right thing to do is to be precise and distinguish encryption from encoding.

There are 2 types of encryption: symmetric-key and public-key.

  • With a symmetric key, the same key (password) is used to encrypt and to decrypt the data.
  • With public-key encryption, the key used to decrypt is different from the one used to encrypt.

Examples of encryption: AES-256, Blowfish.

AES stands for Advanced Encryption Standard, and uses a symmetric key.

The "256" in the name indicates that a 256-bit key is used.

That is, there are 2 to the power of 256 possible keys that can be used.

What is Hashing?

Hashing is a one-way process in which data is transformed into an alphanumeric string of fixed length.

  • The resulting string is known as a hash.
  • This hash cannot be reversed, since it is a one-way operation.
  • Hashing is generally used to Verify data integrity.

It is important to note that:

  • If 2 identical inputs are hashed, i.e., they pass through the same hash function, the result will be the same.
  • For different inputs, the resulting hashes will be different and unique.
  • A good hashing algorithm ensures that a minimal change in the input produces a very different output.

Examples of hash functions: SHA-512, MD5 (deprecated).
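The three properties listed above can be checked directly. As an added example (not part of the original article), this Go program hashes a few constructed inputs with SHA-512 from the standard library, shows that the output length never changes, and measures the "avalanche" effect by counting how many of the 512 output bits differ when a single input character changes.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// HashHex returns the SHA-512 digest of data as a hexadecimal string.
// Whatever the input size, the output is 64 bytes = 128 hex characters.
func HashHex(data []byte) string {
	sum := sha512.Sum512(data)
	return hex.EncodeToString(sum[:])
}

// DifferingBits counts how many bit positions differ between two
// equal-length byte slices.
func DifferingBits(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// AvalancheBits hashes two inputs and returns how many of the 512 output
// bits differ. For a good hash and inputs differing in one character the
// answer is close to 256 (half the bits), never a small number.
func AvalancheBits(x, y []byte) int {
	hx, hy := sha512.Sum512(x), sha512.Sum512(y)
	return DifferingBits(hx[:], hy[:])
}

func main() {
	// Constructed sample inputs of very different sizes.
	for _, in := range []string{"", "abc", "abd", "a considerably longer input line"} {
		fmt.Printf("%-36q -> %s... (%d hex chars)\n", in, HashHex([]byte(in))[:24], len(HashHex([]byte(in))))
	}
	fmt.Println("bits changed between abc and abd:", AvalancheBits([]byte("abc"), []byte("abd")))
}
```

The empty string and the long line both produce 128 hex characters, "abc" hashed twice gives the same digest, and changing "abc" to "abd" flips roughly half of the output bits, which is what makes it impossible to guess the input from small changes in the output.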

Password Hashing

Hashing is the recommended method for authentication processes:

  • Never store the passwords themselves.
  • Instead, store the hash of the "salted password".
  • The salt is a random string which is added to the password, and which only the authentication process knows.
  • This ensures that even if 2 users have the same password, the stored hashes are different.

How does it work?

  • When a user enters their password into an application, it is sent to the server.
  • The server adds the "salt" to the password and executes the hashing function.
  • Finally, it compares the resulting hash with the hash saved in the database.
  • If the hashes match for that user, the login is successful.

Using hashing ensures that, in the event of a data breach (which has happened even to big tech companies):

  • Attackers can't determine users' passwords.
  • Or which users have the same password.
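The registration and login flow just described, as an added example that is not part of the original article. It keeps per-user salts in the stored record next to the hash (an assumption of this example), derives the hash with PBKDF2-HMAC-SHA256 written out by hand so that only Go's standard library is needed, and compares hashes in constant time. The two constructed users deliberately choose the same password to show that their stored hashes still differ.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const (
	saltSize   = 16
	iterations = 100000 // slows down every guess; raise as hardware gets faster
	keyLen     = 32
)

// Credential is what the database stores: never the password, only the
// random salt and the hash derived from salt + password.
type Credential struct {
	Salt []byte
	Hash []byte
}

// pbkdf2SHA256 is a plain implementation of PBKDF2 (RFC 8018) with
// HMAC-SHA256: U1 = PRF(salt || blockIndex), Ui = PRF(Ui-1), T = U1 xor ... xor Uc.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// NewCredential draws a fresh random salt for this user and derives the hash
// to store. The password itself is discarded as soon as this returns.
func NewCredential(password string) (Credential, error) {
	salt := make([]byte, saltSize)
	if _, err := rand.Read(salt); err != nil {
		return Credential{}, err
	}
	return Credential{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, iterations, keyLen)}, nil
}

// Verify re-runs the same derivation with the stored salt and compares the
// result in constant time, so response timing does not leak partial matches.
func Verify(c Credential, password string) bool {
	candidate := pbkdf2SHA256([]byte(password), c.Salt, iterations, keyLen)
	return hmac.Equal(candidate, c.Hash)
}

func main() {
	// Constructed sample users; both chose the same password.
	alice, _ := NewCredential("correct horse")
	bob, _ := NewCredential("correct horse")
	fmt.Println("alice stored hash:", hex.EncodeToString(alice.Hash))
	fmt.Println("bob   stored hash:", hex.EncodeToString(bob.Hash))
	fmt.Println("alice logs in:    ", Verify(alice, "correct horse"))
	fmt.Println("typo rejected:    ", Verify(alice, "correct horse!"))
}
```

Because the salt differs per user, a breached table does not reveal which users share a password, and a precomputed table of hashes for common passwords is useless against it; the iteration count additionally makes each guess cost real CPU time.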

Message integrity

Hashing is also used to validate that a message has not been altered, in combination with a digital signature.

  • The message to be sent is hashed, and the hash is signed with the sender's private (secret) key.
  • When the recipient opens the message, they validate the signature on the hash with the sender's public key,
  • then hash the message themselves and compare the resulting hash with the one sent by the sender.
  • If the hashes match, the message was sent by the right person and was not modified.

(Figure: Process of sending a hashed and digitally signed message)
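The exchange above, as an added example that is not part of the original article. It uses Ed25519 from Go's standard library (an assumption of this example; the article does not name a signature scheme): the sender hashes the message with SHA-512 and signs the digest, and the recipient recomputes the digest from the message they received and checks the signature against it with the sender's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// SignedMessage is what travels to the recipient: the message plus the
// signature over its hash. The private key never leaves the sender.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// Sign hashes the body with SHA-512 and signs the digest with the sender's
// private key, mirroring the two steps described above.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	digest := sha512.Sum512(body)
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify recomputes the hash of the received body and checks the signature
// against it with the sender's public key. Any change to the body or the
// signature, or a signature made with another key, makes this return false.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	if len(pub) != ed25519.PublicKeySize || len(m.Signature) != ed25519.SignatureSize {
		return false
	}
	digest := sha512.Sum512(m.Body)
	return ed25519.Verify(pub, digest[:], m.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample message.
	msg := Sign(priv, []byte("transfer 100 to account 42"))
	fmt.Println("genuine message verifies:", Verify(pub, msg))

	// Someone alters the body in transit but cannot produce a new signature.
	tampered := SignedMessage{Body: []byte("transfer 900 to account 42"), Signature: msg.Signature}
	fmt.Println("altered message verifies:", Verify(pub, tampered))
}
```

The recipient needs nothing secret: only the sender's public key, which can be distributed openly. What cannot be done without the private key is producing a valid signature for a changed message, which is why a match proves both origin and integrity.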

Bonus: What is Obfuscation?

Obfuscation is about making something more difficult to understand, usually to prevent it from being attacked or copied.

A very common use is obfuscating source code:

In such a way that it is difficult to plagiarise or reverse engineer a product.

It is important to note that:

  • Obfuscation doesn't really protect data. It is rather an obstacle.
  • Obfuscated code can be reverse engineered, but it takes a lot of time and effort, and it is a manual process.

There is no limit to how much code can be obfuscated:

When it comes to source code, what matters is that the result can still be executed by a computer, or the application will stop working.

(Figure: Obfuscated code)

Examples of Obfuscators: JavaScript Obfuscator, ProGuard.

Summary

  • Encoding: Transforms data into a new format. It is reversible.
  • Encryption: Protects data; a key (password) is required to decrypt it.
  • Hashing: One-way process (not reversible). Used to validate data integrity.
  • Obfuscation: Makes the meaning difficult to understand. Generally used for program code.