Davis, California - Quick, do you know the difference between encryption and hashing? Do you know what salting is? Do you want to? That’s a rhetorical question - I’m going to tell you anyway.
Encryption and hashing are sometimes confused with one another. Salting… not so much. But it’s worth taking a look at all three so that we can better understand encryption as a whole.
What is Encryption?
Encryption is the practice of scrambling information in a way that only someone with a corresponding key can unscramble and read it. Encryption is a two-way function. When you encrypt something, you’re doing so with the intention of decrypting it later.
This is a key distinction between encryption and hashing.
Encryption dates back to ancient Egypt (and possibly earlier, Egypt is the first time it appears in written record). Ancient Egyptian encryption was decidedly simpler than what encryption looks like today. As was Caesar’s encryption, which stands as one of the most important examples of encryption in history. Caesar used a simple cipher that simply changed letters around. It was extraordinarily useful though, making any information intercepted by Caesar’s opponents practically useless.
Let’s take a look at encryption using a simple cipher. In this case I’m going to encrypt the sentence, “Don’t be a doody-head” using a cipher that just replaces each letter with one that is sequentially three places ahead of it.
Don’t be a doody-head
Grq’w eh d grrgb-khdg
I’ve omitted the punctuation for the sake of simplicity (also I have no idea how to encrypt an apostrophe). Now, using the corresponding key, someone else could decrypt this message and read it. Obviously, the ciphers we use in digital encryption are much more complex, but you get the general idea behind it.
What is Hashing?
Hashing is the practice of using an algorithm to map data of any size to a fixed length. This is called a hash value. Whereas encryption is a two-way function, hashing is a one-way function. While it’s technically possible to reverse hash something, the computing power required makes it unfeasible. Hashing is one-way.
Now, whereas encryption is meant to protect data in transit, hashing is meant to verify that a file or piece of data hasn’t been altered—that it is authentic.
Here’s how it works, each hashing algorithm outputs at a fixed length. So for instance, you may hear about SHA-256, that means that the algorithm is going to output a hash value that is 256 characters long.
Every hash value is unique. But, if two different files produce the same unique hash value this is called a collision and it makes the algorithm essentially useless. Earlier this year, Google created a collision with the SHA-1 hashing algorithm to demonstrate that it’s vulnerable. SHA-1 was officially phased out in favor of SHA-2 in early 2016. But Google had a point to make so it devoted two years’ worth of funds, man hours and talent in a partnership with a lab in Amsterdam to make something that was to that point more of an abstraction into a reality. That’s a long way to go to prove a point. But Google went there.
Anyway, here’s an example of hashing, let’s say you want to digitally sign a piece of software and make it available for download on your website. To do this, you’re going to create a hash of the script or executable you’re signing, then after adding your digital signature you’ll hash that, too. Following this, the whole thing is encrypted so it can be downloaded.
When a customer downloads the software, their browser is going to decrypt the file, then inspect the two unique hash values. The browser will then run the same hash function, using the same algorithm, and hash both the file and the signature again. If the browser produces the same hash value then it knows that both the signature and the file are authentic—they have not been altered.
If it’s not, the browser issues a warning.
Remember, no two files can create the same hash value, so any alteration – even the tiniest tweak – will produce a different value.
What is Salting?
Salting is a concept that typically pertains to password hashing. Essentially, it’s a unique value that can be added to the end of the password to create a different hash value. This adds a layer of security to the hashing process, specifically against brute force attacks. A brute force attack is where a computer or botnet attempt every possible combination of letters and numbers until the password is found.
Anyway, when salting, the additional value is referred to as a “salt.”
The idea is that by adding a salt to the end of a password and then hashing it, you’ve essentially complicated the password cracking process.
Let’s look at a quick example.
Say the password I want to salt looks like this:
Your salt is just the word SALT
Before hashing, you add SALT to the end of the data. So, it would look like this:
The hash value is different than it would be for just the plain unsalted password. Remember, even the slightest variation to the data being hashed will result in a different unique hash value. By salting your password you’re essentially hiding its real hash value by adding an additional bit of data and altering the hash value.
Now, if a brute force attacker knows your salt, it’s essentially worthless. They can just add it to the end of every password variation they’re attempting and eventually find it.
We could write an entire article on password security and whether it’s still even a useful safeguard – and we will sometime – but for now that should be a passable definition of salting.
And a quick aside, if you hadn’t put two and two together by now, our name, Hashed Out, is a play on the popular idiom for discussing something and the hashing process involved in SSL encryption. Hey Patrick, that’s really clever. Thank you for noticing.