What’s the difference between encryption, hashing, and salting?
In the world of cybersecurity, you'll come across words like encryption, hashing, and salting. While they make perfect sense to security professionals, most of us on the outside don't know what they mean.
When you dive deeper into cybersecurity, those three terms keep turning up. But what do they mean? Are they the same thing? Are they completely different? Do you need to use all of them?
The short answer is that all three are related: they all transform data with a cryptographic algorithm. However, they differ in their properties (reversible or not), their process (what goes in besides the data), and their purpose (confidentiality, integrity, or password protection).
What is encryption?
Encryption is the practice of scrambling sensitive data so that only someone holding the right key can read it. The scrambled data (the ciphertext) is turned back into the original (the plaintext) with the corresponding decryption key, which makes encryption a two-way function. That is the main difference from hashing: data is encrypted precisely so that it can be decrypted later.
The algorithm that does the scrambling is called a cipher. The cipher itself is not a secret; well-designed ciphers are published and studied openly. What stays secret is the key, the value the cipher takes as input alongside the data, and it is the key that unlocks the protected data. In symmetric encryption the same key encrypts and decrypts; in public-key (asymmetric) encryption a public key encrypts and a separate private key decrypts.
Popular encryption algorithms are as follows:
Advanced Encryption Standard (AES): is a symmetric-key block cipher standardised by NIST in 2001. It processes data in 128-bit blocks with a 128-, 192- or 256-bit key, running each block through several rounds of substitution and permutation steps, and is used to protect data both in motion (inside TLS, for example) and at rest. AES is the default choice for governments and financial institutions because, after more than two decades of public analysis, no practical attack on the full cipher is known.
Rivest-Shamir-Adleman (RSA): is one of the first public-key cryptosystems and still one of the most widely deployed. It uses a key pair: anyone can encrypt to the public key, and only the holder of the private key can decrypt (or, run the other way, sign). It appears in many security protocols, including Pretty Good Privacy (PGP) and Transport Layer Security (TLS).
XEX-based Tweaked-codebook mode with Ciphertext Stealing (XTS): is not a cipher in its own right but a mode of operation for a block cipher, almost always AES (AES-XTS). It is designed for storage: a disk is divided into sectors, each sector is encrypted as a run of 128-bit blocks, and the sector number is fed in as a "tweak" so that identical data stored in different sectors produces different ciphertext. AES-XTS takes two AES keys (two 256-bit keys, often quoted as a 512-bit key) and is the mode behind most full-disk encryption products. Note that it provides confidentiality only; it does not detect tampering with the stored data.
256-bit encryption: refers to the key length rather than to a separate algorithm (AES-256 is the common example). Each extra bit of key doubles the number of possible keys, so a 256-bit key has 2^256 (roughly 1.2 × 10^77) possibilities, a very large but finite number. Trying them all is far beyond any foreseeable computing power: even at a billion billion guesses per second the search would take on the order of 10^51 years. That is why attackers do not brute-force a 256-bit key; they go after the key management, the implementation or the endpoint instead.
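The following is an added example, not code from the original article. To stay within the Python standard library it builds a stream cipher from HMAC-SHA256 run in counter mode rather than using AES (in practice you would use AES in a mode such as GCM or XTS, via a library like `cryptography`). The construction is illustrative and the message, key and rate figures are made up; the point is the shape of symmetric encryption described above: a public algorithm plus a secret key, a two-way operation that hashing does not have, the key-space arithmetic behind the "256-bit" claim, and one caveat practitioners trip over, namely that encryption on its own does not detect tampering.

```python
import hashlib
import hmac
import secrets

# Illustrative stream cipher: HMAC-SHA256 used as a pseudorandom function in
# counter mode. Not a replacement for AES; it exists to show the mechanics.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key + nonce into `length` pseudorandom bytes (PRF in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. A fresh nonce per message keeps the keystream unique."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Regenerate the same keystream from key + stored nonce and XOR it back off."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def flip_bit(blob: bytes, byte_index: int, bit: int) -> bytes:
    """Tamper with one ciphertext bit; an attacker needs no key to do this."""
    data = bytearray(blob)
    data[byte_index] ^= 1 << bit
    return bytes(data)


def brute_force_years(key_bits: int, guesses_per_second: int) -> float:
    """Years needed to try every key of the given length at the given guess rate."""
    return 2 ** key_bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # the secret; the algorithm itself is public
    wrong_key = secrets.token_bytes(32)
    msg = b"transfer 100 to account 42"  # constructed sample message
    blob = encrypt(key, msg)
    print(decrypt(key, blob) == msg)         # True: same key recovers the plaintext
    print(decrypt(wrong_key, blob) == msg)   # False: the wrong key yields noise
    # Confidentiality is not integrity: flipping bit 0 of the first ciphertext
    # byte turns the 't' of "transfer" into 'u' and decryption cannot tell.
    print(decrypt(key, flip_bit(blob, NONCE_LEN, 0)))
    print(f"{brute_force_years(256, 10**18):.1e} years to exhaust a 256-bit key")
```

The tamper step is why the hashing and MAC material in the next section matters even when data is encrypted: a stream or XTS-style cipher tells you nothing about whether the ciphertext was modified, so an integrity check has to be layered on top.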
What is hashing?
Hashing is the process of running data of any size through an algorithm that maps it to a fixed-length output, known as a hash value, digest or hash code. SHA-256, for instance, always produces 256 bits whether the input is one byte or a multi-gigabyte file. While encryption is a two-way function, hashing is one-way: there is no key and no "unhash" operation.
Strictly speaking, a hash cannot be reversed at all; what an attacker can do is guess inputs, hash each guess and look for a match, which is only practical when the set of plausible inputs is small (human-chosen passwords, for example). A good cryptographic hash also resists collisions (two different inputs producing the same digest) and changes roughly half of its output bits when a single input bit changes. Hashes are often used as checksums: publish the hash of a file, and anyone who downloads it can rehash it and confirm that it was not altered in transit.
Some popular cryptographic hash functions still used today:
SHA-3: is the latest member of the Secure Hash Algorithm family, standardised by NIST in 2015. Unlike SHA-1 and SHA-2, which share the same internal design, it is built on the Keccak sponge construction, so a weakness found in the older design would not carry over to it. It has not replaced SHA-2, which remains secure and far more widely deployed, but its adoption keeps growing.
RACE Integrity Primitives Evaluation Message Digest (RIPEMD): was developed in the academic community, under the European RACE programme, as a more conservative alternative to earlier hash functions such as MD4 and MD5; later variants produce 128-, 160-, 256- and 320-bit digests. RIPEMD-160 is the best known: Bitcoin, and the other cryptocurrencies that copied its design, derive addresses by applying RIPEMD-160 to a SHA-256 hash of the public key.
Whirlpool: is a hash function built around a dedicated block cipher (called W) that is a modified version of the AES design, itself a descendant of the Square cipher family. It produces a 512-bit digest and is considered secure, but it is slower than competing options and rarely seen outside niche products.
Two terms that come up when judging hash functions are the avalanche effect and the Merkle-Damgård construction. The avalanche effect is a property every good hash must have: flipping one input bit should change about half of the output bits, so similar inputs give unrelated digests. Merkle-Damgård is a construction, the way MD5, SHA-1 and SHA-2 chain a compression function over fixed-size input blocks; it is not itself a guarantee of security (MD5 and SHA-1 use it and both are broken), and SHA-3 deliberately uses a different, sponge-based construction instead.
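An added example, not code from the original article, using only the Python standard library. It shows the properties discussed in this section on constructed sample data: a fixed-length digest regardless of input size, the avalanche effect measured as a bit count, a streaming hash for inputs too large to hold in memory, and the checksum use case (rehash what was received and compare against a published digest). The `hmac.compare_digest` call is a real standard-library function; the "release" file contents are made up.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Fixed 256-bit digest (64 hex characters) for input of any length."""
    return hashlib.sha256(data).hexdigest()


def sha3_256_hex(data: bytes) -> str:
    """Same output size as SHA-256, but built on the sponge construction."""
    return hashlib.sha3_256(data).hexdigest()


def hash_stream(chunks) -> str:
    """Hash data that arrives in pieces (a large file read block by block)."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Avalanche check: how many bits differ between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_checksum(data: bytes, published_hex: str) -> bool:
    """Integrity check: rehash the received data and compare with the published digest.
    compare_digest runs in constant time so a mismatch position does not leak via timing."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


if __name__ == "__main__":
    # Constructed sample "file" contents, not a real release.
    release = b"#!/bin/sh\necho installing version 1.4.2\n" * 1000
    tampered = release.replace(b"1.4.2", b"1.4.3", 1)

    # Digest length never reveals input length: 64 hex chars for 0 bytes or 40 KB.
    print(len(sha256_hex(b"")), len(sha256_hex(release)))
    # Known test vector: SHA-256("abc")
    print(sha256_hex(b"abc"))  # ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    # One changed character flips roughly half of the 256 output bits.
    print(differing_bits(sha256_hex(release), sha256_hex(tampered)))
    published = sha256_hex(release)
    print(verify_checksum(release, published), verify_checksum(tampered, published))  # True False
    # Streaming in 4 KiB chunks gives the same digest as hashing in one go.
    chunks = (release[i:i + 4096] for i in range(0, len(release), 4096))
    print(hash_stream(chunks) == published)  # True
```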
What is salting?
Salting is an additional step in the hashing process, used almost exclusively for passwords. A salt is a random value, generated separately for each password, that is combined with the password (before it, after it, or as a separate input to the password-hashing function) so that the same password produces a different hash for every user. Its purpose is to defeat precomputation: an attacker can no longer build one table of hashes in advance and reuse it against every account.
The salt is not a secret; it is stored next to the hash. What it buys you is that every stored hash has to be attacked individually, so if you are hashing passwords you must always salt them.
Without a salt, threat actors can use rainbow tables (precomputed hash-to-password lookups) or, after stealing a database of hashed passwords, simply hash a wordlist once and check every stored hash against it.
In that scenario, the attacker takes a list of several million statistically common passwords, runs each one through the same hashing algorithm, and compares the results with the stolen hashes. Every match reveals a live password, and with unsalted hashes a single pass over the wordlist cracks every account that used a common password.
So a plain hash is not a secure way to store passwords without salting, and even a salted hash is only as good as the cost of each guess: a fast general-purpose hash such as SHA-256 lets an attacker test billions of candidates per second on commodity hardware. Password storage should therefore use a deliberately slow, salted password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2) rather than a bare hash.
As you can see, these terms are often used together in the cybersecurity space, but they do not refer to the same thing: encryption is reversible with a key, hashing is a one-way fingerprint, and salting is a per-password input that keeps hashing effective against precomputed attacks.
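An added example, not code from the original article, using only the Python standard library. It plays out the attack described above on a constructed wordlist and three made-up accounts: with unsalted hashes, two users who chose the same password share a digest and one precomputed table cracks both; with per-user salts, the digests differ and every account costs the attacker a fresh pass over the wordlist. The last two functions show the form a practitioner should actually deploy, a salted and deliberately slow hash (PBKDF2-HMAC-SHA256 from `hashlib`; the iteration count is a stand-in for whatever your current guidance recommends).

```python
import hashlib
import hmac
import os

# Constructed sample wordlist for the demonstration; not real breach data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # The salt is part of the hashed input; prepending is as valid as appending.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> password map (what a rainbow table approximates), built once."""
    return {unsalted_hash(p): p for p in wordlist}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """One dictionary lookup per account: the precomputation is reused for everyone."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def crack_salted(stored: dict, wordlist) -> tuple:
    """Every guess must be rehashed with each user's own salt; no work is shared."""
    found, attempts = {}, 0
    for user, (salt, digest) in stored.items():
        for candidate in wordlist:
            attempts += 1
            if hmac.compare_digest(salted_hash(candidate, salt), digest):
                found[user] = candidate
                break
    return found, attempts


def hash_password(password: str, iterations: int = 600_000) -> tuple:
    """Salted, slow hash for storage. Returns (salt, iterations, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    # Made-up accounts; alice and bob chose the same weak password.
    users = [("alice", "password"), ("bob", "password"), ("carol", "Tr0ub4dor&3")]

    unsalted_db = {user: unsalted_hash(pw) for user, pw in users}
    print(unsalted_db["alice"] == unsalted_db["bob"])                  # True
    print(crack_unsalted(unsalted_db, build_lookup_table(WORDLIST)))   # alice and bob

    salted_db = {}
    for user, pw in users:
        salt = os.urandom(16)
        salted_db[user] = (salt, salted_hash(pw, salt))
    print(salted_db["alice"][1] == salted_db["bob"][1])                # False
    print(crack_salted(salted_db, WORDLIST))                           # same two found, 9 attempts

    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record),
          verify_password("password", record))                         # True False
```

The attempt counter is the whole argument for salting in one number: against the unsalted table the attacker hashes the wordlist once and looks everything up, while against the salted table the work is multiplied by the number of accounts. PBKDF2 then multiplies the cost of each of those attempts again by the iteration count, which is what makes the per-guess price high enough to matter.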
To learn more about encryption, hashing, and salting, schedule a commitment-free consultation with one of our in-house experts.