We’ve all encountered mysterious hashed passwords and encrypted texts. We’ve heard mysterious terms like “salted” and “SHA256” and wondered what they meant. This week I decided it was finally time for me to learn about encryption!
The first distinction we need to learn is the difference between encryption and encoding. Encoding simply means transforming data into a form that’s easier to transfer. URL encoding is a simple type of encoding. Here’s an example: the Coderbyte website has a challenge called “Binary Reversal”. The URL for the page is https://coderbyte.com/information/Binary%20Reversal; the space between “Binary” and “Reversal” is replaced with “%20”. There are other symbols, such as !, that are replaced in URL encoding as well. If you’d like to learn more about URL encoding, you can play around with an encoding/decoding tool such as this one.
Another common type of encoding is Base64 encoding. Base64 encoding is often used to send data; the encoding keeps the bytes from getting corrupted. This type of encoding is also used in Basic authentication. You may have seen a username and password encoded in this way when you’ve logged into a website. It’s important to know that Basic authentication is not secure! Let’s say a malicious actor has intercepted my login with Basic auth, and they’ve grabbed the authentication string: a2phY2t2b255OnBhc3N3b3JkMTIz. That looks pretty secure, right? Nope! All the hacker needs to do is go to a site like this and decode my username and password. Try it for yourself!
Now that we know the difference between encoding and encryption, and we know that encoding is not secure, let’s learn about encryption. Encryption transforms data in order to keep it secret.
A common method of password encryption is hashing, which is a mathematical way of encrypting that is impossible to decrypt. This seems puzzling: if a string is impossible to decrypt, how will an application ever know that a user’s password is correct? What happens is that the hashed password is saved in the application’s authentication database. When a user logs in, the submitted password is run through the same hashing algorithm that was used when the password was stored. If the two hashes match, the password is correct.
What if two users have the same password? If a user were somehow able to access the authentication database and view the hashed passwords, and they saw that another user had the same hashed password as they did, that user would now know someone else’s password. We solve this problem through salting. A salt is a short string that is added to the end of a user’s password before it is hashed. Each password has a different salt added to it, and that salt is saved in the database along with the hashed password. This way, if a hacker gets the list of stored passwords, they won’t be able to find any two that are the same.
A common hashing algorithm is SHA256. SHA stands for “Secure Hash Algorithm”. The 256 refers to the number of bits in the hash it produces.
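To make the encoding/hashing distinction concrete, here is an added example (not from the original post): it decodes the Basic auth string shown above, then stores and checks a password using SHA256 with a random per-user salt, the way the last few paragraphs describe. The function and variable names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def decode_basic_auth(token: str) -> Tuple[str, str]:
    """Base64 is encoding, not encryption: the credentials come straight back out."""
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated per password unless one is supplied.
    The salt is appended to the password before hashing, as the post describes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """The stored digest is never decrypted: recompute the salted hash with the stored
    salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def same_password_looks_different(password: str) -> bool:
    """Two users with the same password get different stored digests because their salts differ."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    # The Basic auth string from the post above: decoding it needs no key at all.
    print(decode_basic_auth("a2phY2t2b255OnBhc3N3b3JkMTIz"))

    # Simulated database row for one user (constructed sample values).
    salt, digest = hash_password("password123")
    print("stored:", salt.hex(), digest.hex())
    print("correct password verifies:", verify_password("password123", salt, digest))
    print("wrong password verifies:  ", verify_password("password124", salt, digest))
    print("same password, different hashes:", same_password_looks_different("password123"))
```

Plain SHA256 is used here to match the post; real password storage should use a deliberately slow password hash such as bcrypt, scrypt or Argon2 so that guessing is expensive for an attacker who obtains the database.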
There are other types of encryption that can be decoded. Two examples are AES encryption and RSA encryption.

AES stands for Advanced Encryption Standard. This type of encryption is called symmetric key encryption. In symmetric key encryption, the data is encoded with a key, and the receiver of the data needs to have the same key to decrypt the data. AES encryption is commonly used to transfer data over a VPN.

RSA stands for Rivest-Shamir-Adleman, the three inventors of this encryption method. RSA uses asymmetric encryption, also called public key encryption, where there is a public key to encode the data and a private key to decode it. This can work in a couple of ways: if the sender of the message knows the receiver’s public key, they can encrypt the message and send it; the receiver then decrypts the message with their private key. Or the sender can sign the message with their private key, and the receiver of the message can then decode it with the sender’s public key. In the second case, the private key is used to show that the message is authentic. How does the receiver know that the message is authentic if they don’t know the private key? They know because if the private key is tampered with, it will be flagged to show that it has been manipulated. A very common use of RSA encryption is TLS, which is what is used to send data to and from websites. I wrote about TLS in this post if you’d like to learn more.
Encryption involves very complicated mathematical algorithms. Fortunately, we don’t have to learn them to understand how encryption works! In next week’s post, I’ll talk about how encoding and encryption are used in JWTs.