What is the difference between encryption, encryption and hash calculation?

Asked

Viewed 4,342 times

45

I see a lot of confusion on the site about the terms. In the context of security of data what would be encoding, Encrypting and hashing and in which contexts each should be used?

In particular, does coding serve as a security measure or is it used for something else? Example: use Base64.

Please read and understand the question, the subject has a specific context.

  • 3

    Related: http://answall.com/q/2402/101

3 answers

50


Encoding:

The purpose of Encoding is to ensure that data can be consumed by different system types, e.g.: send binary data by email or be able to do the encounter of special characters on a web page, etc... It is a process of putting a string of characters (letters, numbers, punctuation, and certain symbols) in a certain format.

Encoding transforms the information format, using publicly accessible methods so that it is easily reversed (decoded) and encoded (change the format) as needed. The information does not need a key to be decoded, the only thing that is needed is the algorithm used for itself encounter.

The goal NAY is to make the information secret, but to ensure that the information can be consumed correctly depending on the system/encoding we have/want.

Base64, belongs to this group.

So what’s the point of encoding data? It serves to, according to the needs, optimize the storage or transmition of this data, change the original format so that it can be used by some external process. Some of the cases where encoding/Decoding is used:

  • Compilation and implementation of a programme (ex: Plain text for binary)
  • networking Communication
  • File conversion
  • Reduce file size for storage or transmuting

Some of the best known encoding types are: UTF-8, UTF-16, ASCII, iso-8859-1, Unicode, ansi. For those who want to know more about these or other types.

Encoding is not encryption



For the other two points (since they are components of the same science) below I will begin by saying:

What is the Cryptography?

Speaking of the word itself, of its origin, Crypto means "hidden, secret," and graphy points to "writing, representation, recording, description, a way to draw etc...".

In its practice, as we all know, exists (not as assumed science of course) a few thousand years before the first computer, via letter by ex.

Encryption then, is the science that studies the techniques of communication/secret writing in the potential presence of third parties, that in this context it is who should not have access to information in a splendid/readable way. Several aspects of Information Security (information security), data confidentiality and its integrity, authentication are central points of modern cryptography.

And who needs it? All of us. In the simplest act of putting a password and send it to be validated by the server, this process must happen through HTTPS (in which the transport of information does not escape the HTTP protocol, but in which it will be encrypted) for ex. This ability to protect and secure information is vital (and will increasingly be) these days, where a lot of information is no longer stored on the machines of their owners, but in a public place (Clouds, for example), not to mention the exponential growth of money movements via internet.

Complementary readings:

https://en.wikipedia.org/wiki/Cryptography

http://www.brighthub.com/computing/enterprise-security/articles/65254.aspx

http://www.cyber-rights.org/crypto/cryptog.htm


Encryption

The purpose of encryption is to transform the information so that it becomes secret, to encode it so to speak, so that the "others" even if they have it in their power do not decipher/consume it, make it perceptible. Only for the legitimate entities receiving the information is that the information is decrypted and it is possible to consume it, read in a perceptible way the information.

To encryption transforms the information format into another format in such a way that only the specific entities (owners of the system) can reverse the transformation. Generally speaking, a/two key(s) is used that are secret, together with the text and encryption algorithm, both the algorithm and the key(s) (s) are accurate for both encryption and decryption.

An encryption key is a set of characters that in the encryption process is used to "mess up"/encode the data so that it is encrypted, the more randomized/inaccurate this key is, the harder it will be for someone outside the process to decrypt the information.

There are two main types of encryption:

Symmetric Encryption

Here the important thing is to know that both point A (where it is encrypted) and point B (where it is decrypted) need to have access to the same encryption key.

The operations based on the symmetric key are simpler than those with asymmetric (explained below), as there is a single key between the intervening ones. The key, in practice, represents a secret, shared between two or more parties, which can be used to maintain a confidential channel of information. A single key, shared by both interlocutors, is used on the premise that it is known only to them.

Types of symmetric key algorithms:

  • Symmetric key algorithms can be divided into flow ciphers (or continuous) and ciphers per block.
    • Stream ciphers encrypt message bits one by one, while ciphers per block take a number of bits and encrypt as a single unit.
    • Ciphertext blocks accept a number of bits and cipher in units. A 64-bit block is common. The NIST-approved AES algorithm in December 2001 uses 128-bit blocks.

Examples of popular and well-known symmetric algorithms include:

This type of encryption is used:

  • On services that store data on behalf of users, Clouds, backups
  • Create a secure channel between a point A and a point B of a network, starting from the principle that there is a viable/secure and separate way to send the encryption key.

Limitations:

The disadvantage of symmetric key algorithms is the requirement of a single shared secret key, with a copy at each end. Keys are subject to potential discovery by a cryptographic adversary, so they need to be changed frequently and kept secure during distribution and service. This requirement to choose, distribute and store keys without error and loss is known as "key management".

In order to ensure safe communication between a whole population of n people, a total of (n(n-1))/2 keys are necessary. Often asymmetric algorithms are much slower, are used at the beginning of a session to distribute symmetric keys, so higher symmetric key algorithms increase their speed. The same trust key distribution problems still exist at the asymmetric level, but are somewhat more treatable. However, the symmetric key is almost always generated in real time. Symmetric key algorithms cannot be used for authentication purposes. For authentication purposes, usually hash functions are used, for example MD5 (already obsolete at the date of this reply).

Further reading


Asymmetric Encryption: (or public key cryptography)

This differs from Symmetric Encryption in the way it works in relation to the encryption/decryption key, because it uses two keys, one to encrypt the other to decrypt, while in Symmetric the same key is used. Here the encryption key in general is public but the decryption key is private/secret that coexists in the place where decryption will be processed.

This type of cryptography, Asymmetric or public key, is often used to ensure the security of electronic communication over an open interconnected environment such as the Internet, without relying on a hidden channel even for a key exchange. Open interconnected environments are susceptible to a variety of communication security issues such as man-in-the-middle (man in the Middle) and other security threats. Security properties required for communication typically include that the communication being sent should not be readable during the transition (preserving confidentiality), the communication should not be modified during the transition (preserving the integrity of the communication), the communication must originate from an identified party (authenticity of the sender) and to ensure non-repudiation (non-repudiation of the message). Combine public key encryption with an Enveloped Public Key Encryption (ECPE),3 allows the secure sending of a communication about an open interconnected environment.

An analogy for public key encryption is that of a mailbox. The mailbox is exposed and accessible to the public - its location (the street address) is, in essence, the public key. Anyone who knows the address can come and put a written message in the mailbox. However, only the person who holds the key can open the box and read the message.

Is used in:

  • Digital signatures, where the message is signed with the sender’s private key and can be verified by anyone who has access to the sender’s public key. This verification proves that the sender had access to the private key, so he’s probably the person associated with the public key. This also ensures that the message has not been tampered with, since any manipulation of the message will result in modifications to the encoded message summary (Digest), which otherwise remains immutable between sender and recipient.
  • Public key encryption, in which the message is encrypted with the recipient’s public key. The message cannot be decrypted by anyone who does not have the corresponding private key, which is presumably the key owner and the person associated with the public key. This is used in an attempt to ensure confidentiality.
  • SSL for secure connections between browser and website, and other services of network (deepening)
  • SSH for security of login sessions with remote servers
  • Signaling software updates to let computers know they will receive data from a secure source

Limitations:

A central problem with the use of public key cryptography is the trust/proof that a specific public key is authentic, i.e., that it is correct and belongs to the claimed person or entity, and has not been tampered with or replaced by a malicious third party. The most common approach to this problem is to use a public key infrastructure (ICP), in which one or more third parties - known as certification authorities – certify ownership of key pairs. Very Good Privacy (PGP), in addition to being a certified authority structure, uses a scheme generally called the "web of truth" (from the English "web of trust"), which decentralizes this authentic public key by a central mechanism, and replaces individual endorsements of the link between user and public key. So far, no completely satisfactory solution to the "public key authentication problem" has been found.

Although public key distribution is more practical than secret key asymmetric cipher algorithms are computationally more complex than symmetric cipher, 100 to 1000 times slower.

Reference (en)
Further reading
Additional information (en)


Hybrid Encryption (here put a third type that is not as used as the two above, is a mixture of both, the answer of Inkeliz already makes reference and explains how it works).

Pdf as good introduction to the three types said above


Hashing

Hashing is often said to be a form of encryption, but it’s not and is not.

Hashing serves to ensure the integrity, in which the algorithms of hash sane one-way, i.e., it is irreversible/unidirectional, e.g.: format in passwords are stored, are hashes, where the verification is made not on the basis of password user’s original, but rather confirming that the password that the user placed generates the same hash that is stored or not.

Here the purpose of the hash is obvious, even if someone has access, legitimate or not, to the passwords of the users who are stored, this person will never really know the passwords because all they have in their hands are hashes irreversible, in which all the tools to try to decipher them (conventionally called password crackers) only use a large list of possible passwords and compare, making hash one by one and comparing with the hashes that they have to decipher.

That is to say, hashing is great for use at any time when we want to compare one value with another we have stored but without storing the true value for security reasons.

A hash has three important properties:

  • The same character set will always produce the same hash
  • Irreversible (cannot be 'decrypted') (as explained above)
  • The same hash is/should be impossible for two different strings, this is called collision in the context of cryptography

Another answer very complete at SOPT about this.

Some of the best known Hash methods are: MD5 (obsolete), SHA-1, SHA-256. For those who want to know some more ways


Sources:

http://www.securityinnovationeurope.com/blog/whats-the-difference-between-hashing-and-encrypting

https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/#Gs.Ns30xvu

https://spin.atomicobject.com/2014/11/20/encryption-symmetric-asymmetric-hashing/

And a little bit of me.

  • 1

    then you can add a few little details there, but in general already responds well. + 1

  • 1

    In fact, I think all the answers might be a little better, but this one’s right and it’s on point. For acceptance I would expect more details, especially in the same encryption part.

  • 1

    SSL uses symmetric encryption, SSH also. However, they do a key exchange (using ECDH, or ECDHE specifically in the case of TLS).

11

Encodings are 'languages' used to represent information through well-defined and known bit patterns.

Just as you know that the sequence of letters’m-a-ç-ã' represents a fruit in English, a program knows that the sequence 0x6D 0x61 0xE7 0xE3 represents the same word in UTF-8.

Using enconding for security would be like writing a message in Russian and hoping that no one but the person to whom you sent the message can speak that language.

Encryption is a means to ensure that only authorized persons read a message.

In the context of computation one usually uses a 'key' to lock a message. Depending on the algorithm, the same key (symmetric algorithm) or a different key (asymmetric algorithm) is used to retrieve the original content.

Hashing is a technique used to associate any content to a value. The relevance of this family of algorithms to security is the set of characteristics that (good) algorithms present:

  • Hashing content is fast. Finding content that has hashed is computationally difficult/impossible.
  • Changing any part of the content completely changes the hash produced for the content.

These features are very useful to store sensitive information and ensure the integrity of a content respectively.

6

Coding:

The encoding is simply to give a new "meaning" to some byte. UTF-8, for example, is an encoding that converts a byte (or a sequence of bytes) into Unicode characters. Base64 is another encoding, converts an arbitrary sequence of bytes to some other specific bytes, usually it is widely used so that it can transfer binary data as if they were texts.

It has no relationship to cryptography, their purpose is not to make the data unreadable or unrecoverable.

Encryption:

Encryption is making information unreadable for everyone who doesn’t have the right key, only. Encryption causes an arbitrary datum, in combination with a key (a uniformly random value, kept secret and large enough) and a nonce (a single value per use), to result in a new set of bytes that is unreadable for all, except those who hold the key.

All practical algorithms (AES, Serpent, Chacha20, Salsa20...) are vulnerable to exhaustive searches, but this is insignificant, since there is no computational power for it.

Note that encryption does not guarantee integrity, it only guarantees confidentiality. Some algorithms additionally include a MAC, to prevent modification of the encrypted text.

There are three types of encryption:

  • Symmetrical:
    All users involved need to share the same key, both to encrypt and to decrypt, example of use is SSL, which uses symmetric encryption (AES, Chacha20...) based on a temporary key using DH.
  • Asymmetrical:
    Each user has two keys, of different uses, the private key is responsible for creating a public key and also able to decipher the text. Meanwhile, a public key is only able to encrypt arbitrary data. This allows us to share the public key to anyone and only the holder of the private key can decipher. It is used in Openpgp, for example, where it uses RSA.
  • Hybridity:
    A user creates the same symmetric private key and encrypts the text using it. Then he encrypts this private key using each person’s public key, which he’s authorized to decrypt. This is widely used to save computational power, as symmetric encryption is faster and also allows you to encrypt the same text to several people in an even shorter way. This is also used by Openpgp.

Symmetric and asymmetric cryptography is not only used for encryption, public key cryptography (asymmetric) is also used for digital signatures and key agreement, for example. But, that’s off topic here.

If there are concerns against "quantum computers", the symmetric algorithms (AES-256, Serpent-256, Chacha20, Salsa20...) are safe, the public key algorithms do not have the same luxury, both elliptic curves and RSA are at risk.

Hashing:

Specifically in the context of cryptography, the hash is a function that aims to be collision resistant, pre-image resistant and pre-second image attacks. Although this is not a rule, good hash functions are also indistinguishable from a random result, and of course they are unpredictable as a consequence.

The hash is one of the most versatile and simple functions of cryptography. In general, it has a single input, an arbitrary datum, and will have a fixed size output. Again, exhaustive searches will always work to create collisions, but we assume this is insignificant, since there is no computational power for it.

Their uses are as diverse as possible, they are used to check file modifications (as in Git), they are used in intrusion detection systems (HIDS), they are used as proof of work (as in Bitcoin)... But it can also be part of something much bigger, hence the greatest confusion of all.

A hash algorithm can be used for other purposes, if not check for file modifications and etc:

  • Create new key based on one key (KBKDF):
    You can create a new N keys even using a single key. by using HMAC or HKDF, for example. Bitcoin uses this to create keys for "deterministic wallets", TLS uses HMAC as a PRF to create keys.
  • Create new password-based key (PBKDF):
    Having a low entropy data is possible to make it strong and indistinguishable from a random result using higher computational power and hashes. PBKDF2 uses an iteration of HMAC to delay exhaustive search attacks, Scrypt works similarly and Argon2 is also based on another hash function, Blake2. Any decent site uses password derivations to store user password securely.
  • Create guarantees of integrity:
    You can ensure that an information has already been verified by you and that the information is integrates using HMAC, it a key is combined with a text. This is often used to complement encryption, since you can send encrypted and immutable messages, but you also need both to have the same key.
  • Create proof of work:
    You can only use the computational effort using the hash algorithms. You can, for example, send an X value and ask the user to return an N value, where H(X || N) is greater than Y. Checking is fast, while finding the value may not be. ...

Note, there are noncryptographic hashes, where it does not guarantee collision resistance etc. One example is Siphash, which was developed to mitigate a Dos in Hash-Tables, called Hash Dos.

Hash functions participate in several other use cases, but their misuse can create serious errors. Always be aware of the requirements of each algorithm and what objectives they meet.

The latest hash functions (such as Blake2, SHA-3...) have additional features, including features equivalent to HMAC, where there are two inputs. Also, these algorithms allow you to use different sizes, not patterns, so you can get an 8-byte hash result or a 256GB result, using Blake2xof.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.