In cryptography, different functions are used depending on your use case. In this article we will cover encryption vs hashing vs salting and when to use each one, and we will attempt to demonstrate when, why and how you should use each function. Each function is critical for the security of your data, whether it is in transit or at rest.
Encryption
Question: What is encryption and why do we need to encrypt our data?
Answer: Encryption is a cryptographic operation used to secure your data by encoding your plain text in an unreadable and illegible form. It conceals sensitive information from a malicious actor, yet the data remains recoverable so it can be used and read when needed. That is a key point: encryption is a two-way operation. If data is encrypted, it is intended to be decrypted later. If you do not need to decrypt the data, then you should not encrypt it but rather hash it, which is discussed later in this article. Encryption is reversible, hashing is not.
Encryption examples in practice:
Asymmetric Encryption vs Symmetric Encryption
When encrypting data it is important to understand what type of algorithm to use. Is the encryption key shared among parties or should a key pair be used where the encryption key is made public so that any party can encrypt the data but only the private party can decrypt with the private key? Let’s attempt to explain which method of encryption you should use.
What is asymmetric encryption?
Asymmetric encryption is the method of encryption used when there is a private and public key pair. The public key is the encryption key and the private key is the decryption key. A Public Key Infrastructure (PKI) is the trust model that supports this method of encryption and is used across the web. Publicly trusted SSL certificates are issued by a CA and presented by a web server to identify it. A client then encrypts its data in transit to the server with the server’s public key, and the server then decrypts the data.
Common asymmetric encryption algorithms include RSA and ECC.
What is symmetric encryption?
Symmetric encryption uses a single key that both encrypts and decrypts the same data. It is much faster than asymmetric encryption and can be used to encrypt large amounts of data such as a database. Symmetric encryption may also be used to encrypt data that is not shared beyond the scope of a system or application. For example, if passwords or credit card information need to be recoverable, they may be encrypted with a symmetric algorithm whose key is available only to the process that both encrypts and decrypts the data. It is usually bad practice to share an encryption key outside of the single system that uses it.
The most common symmetric encryption algorithm is AES.
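The two modes described above, as an added example that is not part of the original article: a symmetric AES-GCM round trip, an asymmetric RSA-OAEP round trip, and the hybrid pattern that combines them (bulk data under a one-time AES key, only that key RSA-encrypted). It assumes the third-party `cryptography` package is installed; the sample record is constructed.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 is the padding used for the asymmetric operations below.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN = 12  # AES-GCM uses a 96-bit nonce; it must be fresh for every message


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # One shared key encrypts; the nonce is prepended so the same key can decrypt.
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    # GCM verifies an authentication tag, so a modified blob raises InvalidTag.
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, None)


def hybrid_encrypt(public_key, plaintext: bytes) -> tuple[bytes, bytes]:
    # Anyone with the public key can encrypt; the bulk data stays under fast AES.
    data_key = AESGCM.generate_key(bit_length=256)
    wrapped_key = public_key.encrypt(data_key, OAEP)
    return wrapped_key, symmetric_encrypt(data_key, plaintext)


def hybrid_decrypt(private_key, wrapped_key: bytes, blob: bytes) -> bytes:
    # Only the private key holder can unwrap the data key and read the record.
    data_key = private_key.decrypt(wrapped_key, OAEP)
    return symmetric_decrypt(data_key, blob)


def tamper_detected(key: bytes, blob: bytes) -> bool:
    # Flip one ciphertext bit: authenticated encryption must refuse to decrypt it.
    corrupted = bytearray(blob)
    corrupted[-1] ^= 0x01
    try:
        symmetric_decrypt(key, bytes(corrupted))
        return False
    except InvalidTag:
        return True


def round_trip_ok() -> bool:
    record = b"card=CONSTRUCTED-TEST-VALUE;exp=12/29"  # constructed sample data
    key = AESGCM.generate_key(bit_length=256)
    if symmetric_decrypt(key, symmetric_encrypt(key, record)) != record:
        return False
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    wrapped, blob = hybrid_encrypt(private_key.public_key(), record)
    return hybrid_decrypt(private_key, wrapped, blob) == record
```

The hybrid functions go beyond the article's description: they show why real systems pair the two modes rather than RSA-encrypting bulk data directly.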
Hashing
The most important takeaway from understanding hashing is that it is a one-way operation. Hashing cannot be reversed, unlike encryption, hence our focus on encryption vs hashing. You may then ask under what circumstances someone would hash data and not need to “unhash” it later. The answer is when you care about the authenticity of data, such as a software package, or any file for that matter, not being modified. Another popular use case for hashing is that of passwords.
A strong hashing algorithm will ensure that no two pieces of data produce the same hash. If they do, then the hashing algorithm is no longer secure. SHA-1 is the perfect example of this, since Google was able to produce a collision.
The most common hashing algorithm in use today is the SHA family. While SHA-1 has been phased out, SHA-256 is the minimum standard although you may see some SHA-384 and SHA-512 hashes in the wild.
Hashing examples in practice:
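An added example (not from the original article) of the integrity use case described above: verifying a downloaded file against the digest its publisher lists beside it. The "package" is the constructed byte string `b"abc"`, whose SHA-256 digest is well known; the allowlist enforces the SHA-256 floor the article recommends.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded package and the checksum published with it.
PACKAGE = b"abc"
PUBLISHED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# SHA-256 is the minimum; SHA-384 and SHA-512 are also accepted, SHA-1 and MD5 are not.
ACCEPTED = ("sha256", "sha384", "sha512")


def digest(data: bytes, algorithm: str = "sha256") -> str:
    # Hex digest of the data; one-way, so the data cannot be recovered from it.
    if algorithm not in ACCEPTED:
        raise ValueError(f"{algorithm} is below the SHA-256 baseline")
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    # Recompute and compare in constant time; any modified byte changes the digest.
    return hmac.compare_digest(digest(data, algorithm), expected_hex.lower())


def sha1_rejected() -> bool:
    # Confirms the allowlist refuses the phased-out algorithm.
    try:
        digest(PACKAGE, "sha1")
        return False
    except ValueError:
        return True
```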
Salting
Question: What is Salting?
Answer: Salting is usually done in conjunction with hashing, specifically password hashing. A salt should be unique to each password and kept private. If an attacker knows the salt, then the salt is deemed useless. For example, if the password is “password01” and the salt is “1234”, then the pre-hashed value will be “password011234”. To sum things up, a salt is a value added to the password being hashed to ensure uniqueness and increase the complexity of the persisted password hash, providing an extra level of security to the storage of the password.
Conclusion
In this article we have covered Encryption vs Hashing vs Salting and contrasted the differences between them. To sum things up:
- Encryption is a two way operation that can be reversed.
- Hashing is a one way operation used for ensuring the integrity of data via a checksum hash and for authentication with passwords.
- Salting is an additional piece of password hashing, adding a salt value to the password before hashing.
Leave us a comment if you would like
If you read the answer to “Question: What is Salting?” carefully, you will realise you’ve done everything but answer the question.
A concluding statement defining “salting” has been added. Let us know if you would like us to go in more depth.