Stop With the Obfuscation: Encoding and Encryption are Not the Same

by Lane WagnerFebruary 27th, 2020
Too Long; Didn't Read

Encoding is simply a way of representing data in a specific format. Encoding formats are only useful because they give computers and humans protocols to view and process raw binary data. With free and easy-to-use encryption libraries available in all major programming languages, there is no excuse to try to bake your own. Encryption is a specific subset of encoding where the encoded messages can only be accessed by authorized parties (the ones holding the decryption keys). Encoding schemes offer absolutely no security. Ironically, it also probably would have taken less time to implement.


This is a topic that has been talked about quite a bit, but I think it's an important one to reiterate to our users.

Encoding is not Encryption!

Encryption is a specific subset of encoding where the encoded messages can only be accessed by authorized parties (the ones holding the decryption keys).

Encoding is simply a way of representing data in a specific format. For example, we can encode raw binary data using the ASCII format to visually display English text.

In the context of programming, pure encoding schemes offer absolutely no security. Sometimes formats like JWTs or Base64 outputs can confuse entry-level programmers because they appear encrypted... They aren't! Encoding formats are only useful because they give computers and humans protocols to view and process raw binary data in a meaningful way.
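To make the JWT point concrete, here is an added example (not code from the original post) that builds an HS256-style token with the standard library, reads its claims back with no key at all, and then shows what the keyed signature actually buys you: integrity, not secrecy. The signing key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample signing key; in a real system this lives in a secret store.
SECRET = b"demo-signing-key"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Base64url is a fixed, public mapping: re-add the stripped padding and decode.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, key: bytes = SECRET) -> str:
    # header.payload are plain base64url(JSON); only the third part involves a key.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_without_key(token: str) -> dict:
    # Anyone holding the token can do this: the payload is encoded, not encrypted.
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def signature_is_valid(token: str, key: bytes) -> bool:
    # The HMAC is the only cryptographic part; it detects modification of the
    # encoded header/payload but does nothing to hide their contents.
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def with_replaced_payload(token: str, payload: dict) -> str:
    # Swap in a new encoded payload while keeping the old signature, to show
    # that a verifier with the key rejects it even though it still decodes fine.
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(json.dumps(payload).encode())}.{sig_b64}"
```

Run `read_claims_without_key` on any JWT from a browser's storage and you will see the claims in the clear; that is why sensitive data belongs in an encrypted token (JWE) or not in the token at all.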

To illustrate this point, try the following tools to see how easy it is to decode messages that are just encoded (not encrypted):

Obligatory XKCD

https://xkcd.com/257/

Story Time

At a job where I worked in the past, a developer who was there before me built his own encoding scheme. It would take the raw binary data contained in a message and map specific byte sequences to certain characters. It was totally made up, and the comment he left on the code was:

// Obfuscation technique. Base53 encoding for security

While it may confuse an attacker for a couple of minutes, this kind of obfuscation adds more potential bugs through needless complexity than it adds security. With free and easy-to-use encryption libraries available in all major programming languages, there is no excuse to try to bake your own these days.

ECC, RSA, AES-256, or another secure algorithm should have been used in the situation above. Ironically, it also probably would have taken less time to implement.

Security can be hard. However, take the time to use best-practices. It will save you so much time and headaches in the long run. Good luck, and stay safe out there!

By Lane Wagner @wagslane

Previously published at https://qvault.io/2019/08/14/stop-with-the-obfuscation-encoding-and-encryption-are-not-the-same/