Encryption

Encryption is a method of transforming information (referred to as plaintext) into an unreadable format known as ciphertext, using a mathematical algorithm (cipher) and a secret value known as a key. The primary goal of encryption is to ensure confidentiality, allowing only authorized parties who possess the correct key to decipher or decrypt the information back into its original plaintext form.

In contrast, Password Hashing is a one-way process used predominantly for securely storing user credentials. It transforms a password into a fixed-length string (the hash) that cannot be feasibly reversed to obtain the original password. Its goal is verification – confirming a user knows the correct password without needing to store the password itself. Modern systems typically combine hashing with salting for enhanced security.

Encryption

Encryption makes data unintelligible to unauthorized users, crucial for protecting sensitive information during transmission or storage.

Definition

The core components of encryption are:

• Plaintext: The original, readable data or message.
• Ciphertext: The scrambled, unreadable data produced after encryption.
• Algorithm (or Cipher): The specific mathematical procedure used to transform plaintext to ciphertext and vice versa. The security of modern systems usually relies on the key's secrecy, not the algorithm's.
• Key: A piece of secret information (like a password or a generated string) used by the algorithm to perform encryption and decryption. The same plaintext encrypted with the same algorithm but different keys will result in different ciphertext.

Purpose

The primary purpose of encryption is confidentiality. It prevents unauthorized access to sensitive information, such as financial details, personal messages, or proprietary data.

Key Concepts

• Reversibility: Encryption is designed to be reversible. Ciphertext can be decrypted back to the original plaintext only if the correct key is used.
• Key Secrecy: The strength of most modern encryption methods relies on keeping the key(s) secret. Algorithms like AES or RSA are publicly known and analyzed.

Types of Encryption

Symmetric Encryption

• Uses the same secret key for both encryption and decryption.
• Both the sender and receiver must have access to the same shared key.
• Analogy: A locked box where both parties share the same physical key to lock and unlock it.
• Advantages: Generally faster and computationally less intensive than asymmetric encryption.
• Examples: AES, DES (now insecure), Blowfish.
• Use Cases: Encrypting large volumes of data, like hard drive encryption or database encryption.

Asymmetric Encryption

• Also known as Public-key cryptography.
• Uses a pair of mathematically related keys: a public key and a private key.
• The public key can be shared openly without compromising security.
• The private key must be kept secret by the owner.
• Data encrypted with the public key can only be decrypted with the corresponding private key. Conversely, data signed (a form of encryption) with the private key can be verified using the public key (used for digital signatures).
• Analogy: A mailbox with a public slot (anyone can drop mail in – encrypt with public key) but only the owner has the private key to open it (decrypt).
• Advantages: Facilitates secure communication without pre-sharing a secret key, enables digital signatures.
• Examples: RSA, ECC.
• Use Cases: Secure key exchange (like in TLS/SSL for HTTPS), digital signatures, email encryption (e.g., PGP).

Password Hashing

Secure systems do not use reversible encryption to store passwords, as compromise of the encryption key would reveal all passwords. Instead, they use one-way cryptographic hash functions combined with salting.

Purpose

The goal is secure storage and verification of user credentials without storing the actual password. The system only needs to confirm if the password provided during login matches the stored credentials, which can be done using the hash.

Key Concepts

Hash Function

A hash function takes an input (the password, usually combined with a salt) and produces a fixed-size output string (the hash or digest). Key properties include:

• One-way: Computationally infeasible to determine the original input password from its hash.
• Deterministic: The same input will always produce the same hash output (using the same function).
• Collision Resistance: Extremely difficult to find two different inputs that produce the same hash output.
• Avalanche Effect: A small change in the input should result in a significantly different hash output.

For passwords, specific hash functions designed to be slow and computationally intensive are preferred to hinder brute-force attacks. Examples include:

• bcrypt
• scrypt
• Argon2 (winner of the Password Hashing Competition)

Salting

• A salt is a unique, random string generated for each user's password before hashing.
• The salt is typically stored alongside the password hash in the database.
• Purpose:

   * Ensures that identical passwords used by different users will have different hashes (because their salts are different).
   * Prevents attackers from using precomputed tables of hashes for common passwords (Rainbow tables).

Typical Process (Illustrative Example)

This outlines the standard industry practice, such as might be employed by a service like PulsedMedia or other secure online platforms.

User Signup

1. User provides a password (e.g., MySecretPa$$w0rd).
2. The system generates a unique random salt for the user (e.g., aJk7$!pQ).
3. The system concatenates the password and the salt (e.g., MySecretPa$$w0rd + aJk7$!pQ).
4. The system applies a strong, slow hash function (like bcrypt) to the combined string. Result: $2a$12$SomeHashValueLooksLikeThis...........
5. The system stores the username, the salt (aJk7$!pQ), and the resulting hash ($2a$12$SomeHashValue...) in its database.
6. The original password (MySecretPa$$w0rd) is discarded and never stored.

User Login (Verification)

1. User enters their username and password (MySecretPa$$w0rd).
2. The system retrieves the stored salt (aJk7$!pQ) and the stored hash ($2a$12$SomeHashValue...) associated with the username.
3. The system concatenates the entered password with the retrieved salt (MySecretPa$$w0rd + aJk7$!pQ).
4. The system applies the same hash function (bcrypt) to this combination.
5. The system compares the newly generated hash with the hash retrieved from the database.
6. If the hashes match exactly, the password is correct, and the login succeeds. Otherwise, it fails.

Security Benefits

• Original Password Protection: The actual password is never stored, significantly reducing risk if the database is compromised.
• Mitigation of Rainbow Tables: Unique salts per user render precomputed hash tables ineffective.
• Brute-force Resistance: Using slow, computationally expensive hash functions makes it very time-consuming for attackers to guess passwords, even if they obtain the database of salts and hashes.

See Also

• Cryptography
• Key management
• Password strength
• Password policy
• Data security