When it comes to security, you will hear a lot of people talking about hashing and encryption. But what are they, how do they differ, and how do you choose between them in practice? In this post I will give a brief explanation of both concepts and summarise the differences.
Hashing is, in the simplest terms, taking a piece of data of any size and producing a smaller, fixed-length piece of data: a digest that acts as an "identifier" of the input. For that identifier to be useful, different inputs should produce different digests as often as possible. When two different inputs produce the same digest, that is called a collision. Because the output is fixed-length and the set of possible inputs is unbounded, collisions always exist in principle; the point of a good hash function is that nobody can find one in practice, and the easier collisions are to find, the worse the hash function. A good hash function maps its input to its output in a way that is as unpredictable as possible: in simple terms, it is a deterministic function whose output looks random, so that flipping a single input bit changes roughly half of the output bits, and there is no way to work backwards from a digest to the input that produced it.
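As an added illustration (not code from the original post) of the properties just described, here is a short Python script using SHA-256 from the standard library: the digest has the same length whatever the input length, flipping one input bit changes about half of the 256 output bits, and a collision only becomes findable by brute force when the output is artificially truncated to a few bits. The `msg-<n>` input format used by the collision search is an assumption of the example.

```python
import hashlib
from itertools import count
from typing import Dict, Tuple


def sha256(data: bytes) -> bytes:
    """Full 32-byte SHA-256 digest of `data`."""
    return hashlib.sha256(data).digest()


def digest_lengths(inputs) -> Dict[int, int]:
    """Map input length -> digest length: the output size never changes."""
    return {len(d): len(sha256(d)) for d in inputs}


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg: bytes) -> int:
    """Flip the lowest bit of the first byte of `msg` and count how many
    digest bits change. For a good hash this is close to 128 out of 256."""
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]
    return differing_bits(sha256(msg), sha256(flipped))


def find_collision(truncate_bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search for two distinct inputs whose digests agree in the
    lowest `truncate_bits` bits. This takes on the order of 2**(bits/2)
    hashes, which is why a 256-bit digest is safe and a 32-bit one is not.
    Inputs are constructed as b"msg-0", b"msg-1", ... (an assumption of
    this example); every input is distinct, so the first repeated tag is a
    genuine collision of the truncated hash."""
    mask = (1 << truncate_bits) - 1
    seen: Dict[int, bytes] = {}
    for i in count():
        m = f"msg-{i}".encode()
        tag = int.from_bytes(sha256(m), "big") & mask
        if tag in seen:
            return seen[tag], m, tag
        seen[tag] = m


if __name__ == "__main__":
    print(digest_lengths([b"", b"a", b"x" * 10_000]))
    print("digest bits changed by a 1-bit input change:", avalanche(b"hello world"))
    a, b, tag = find_collision(24)
    print(f"24-bit collision: {a!r} and {b!r} both end in {tag:06x}")
```

Try `find_collision(32)` and then `find_collision(40)` to feel how the cost grows with the output size; the search on the full 256-bit digest would never finish.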
There are two common purposes hashing is used for:
- Storing passwords
- Indexing and retrieving data
One of the basic problems of computing is finding something that you have stored somewhere. Hashing is used to index and retrieve items in a database because it is faster to look up an item by its short hashed key than by the original value. Note that the hash functions used for this job (hash tables, checksums) are optimised for speed, not for resisting an attacker who deliberately crafts colliding inputs, so they are not interchangeable with the cryptographic hash functions discussed below. Hashing is also a building block of many cryptographic constructions, such as message authentication codes, digital signatures and key derivation.
Without hashing, any passwords stored in your application's database can be read directly if the database is compromised. By storing only a hash of each password, someone with access to the raw data cannot recover the password from the hash (assuming a strong hashing algorithm and an appropriate salt have been used). What they can still do is guess candidate passwords, hash each guess and compare it with the stored value, so the security of stored password hashes depends on how expensive each guess is and on the salt. When hashing passwords, the two most important considerations are therefore the computational cost and the salt. The more computationally expensive the hashing algorithm, the longer a brute-force or dictionary attack on its output will take; use a purpose-built password hash such as Argon2, scrypt, bcrypt or PBKDF2 with a high iteration count rather than a single round of a fast hash like SHA-256.
What is a salt?
A salt is a random value, generated separately for each password, that is appended or prepended to the password before hashing and stored alongside the resulting hash. Because of the salt, two users with the same password end up with different hashes, and an attacker cannot precompute a table of hashes for common passwords (a rainbow table) and reuse it against every account: each account has to be attacked separately. The salt does not need to be secret, but it must be unique per password and unpredictable; 16 bytes from a cryptographically secure random number generator is typical.
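The following is an added example, not code from the original post, of salted password storage with a slow hash and constant-time verification, using only the Python standard library (PBKDF2-HMAC-SHA256 via `hashlib.pbkdf2_hmac`). The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration count are assumptions of the example; the unsalted SHA-256 function is included only to show the weakness the post warns about.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor (assumption of this example). Tune it so that one hash takes a
# few hundred milliseconds on your own hardware; higher is slower for attackers.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$<iters>$<salt>$<hash>".
    A fresh 16-byte salt is drawn from the OS CSPRNG unless one is supplied
    (supplying one is only for tests and demonstrations)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the candidate password plus the stored salt and
    iteration count, and compare in constant time. Storing the parameters in
    the record lets you raise the work factor later without breaking old users."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                             dklen=len(expected))
    # compare_digest avoids leaking, through timing, how many leading bytes matched
    return hmac.compare_digest(dk, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme this post warns against: fast and unsalted, so equal
    passwords give equal hashes and one precomputed table attacks every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
    print(unsalted_sha256("password123") == unsalted_sha256("password123"))  # True: same hash for everyone
```

Two users choosing the same password get two different records because each gets its own salt, which is exactly what the unsalted variant fails to provide.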
Encryption is the conversion of data into another form, called ciphertext, which cannot be understood by anyone except the authorised parties who hold the key. Unlike a hash, ciphertext is not a fixed-length summary: it is as long as the original data, plus a small fixed overhead such as a nonce or an authentication tag. The key difference between encryption and hashing is that ciphertext can be reversed back into the original plaintext if you have the right key, whereas a hash cannot be reversed at all. Encryption should only be used instead of hashing when you actually need to get the original data back.
Uses of Hashing and Encryption:
Encryption is the right tool if, say, you have a message to send to someone. You encrypt the message with a key and the recipient decrypts it to get back the original message, either with the same key (symmetric encryption, for example AES) or with a different but mathematically related key (asymmetric or public-key encryption, for example RSA, where you encrypt with the recipient's public key and only their private key can decrypt).
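To make the "reversible with the key" point concrete, here is an added example that is not from the original post: a small symmetric stream cipher built from the Python standard library, generating its keystream as HMAC-SHA256(key, nonce || counter) in counter mode and XORing it with the message. It is an illustration of the mechanism, not a standard cipher; in real systems use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library. The 16-byte nonce length and the 32-byte key are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16  # assumption of this example


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC-SHA256(key, nonce || counter) for
    counter = 0, 1, 2, ... concatenated and cut to `length` bytes.
    Without `key` the stream is unpredictable, which is what hides the data."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext. The nonce is random per message and must
    never repeat under the same key: reusing a keystream lets an attacker XOR
    two ciphertexts together and cancel the key out entirely."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """XOR with the same keystream reverses the encryption. With the wrong
    key the keystream is different and the result is garbage, not an error."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    key = os.urandom(32)
    message = b"Meet at the old mill at dawn."
    blob = encrypt(key, message)
    print("ciphertext length:", len(blob), "= nonce", NONCE_LEN, "+ plaintext", len(message))
    print("decrypted with right key:", decrypt(key, blob))
    print("decrypted with wrong key:", decrypt(os.urandom(32), blob))
```

Note what this construction does not give you: an attacker who flips a bit of the ciphertext flips the same bit of the decrypted plaintext without anyone noticing. Encryption alone provides confidentiality, not integrity; that is why real protocols pair the cipher with a MAC or use an authenticated-encryption mode.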
Use hashing when there is no need to go back to the original value: to check whether a file was modified in transit by comparing its hash with a known-good hash published by the sender (this only works if the attacker cannot also replace the published hash; if the hash travels over the same channel as the file, you need a keyed construction such as an HMAC or a digital signature instead), to hash passwords before storing them in a database so that users' passwords stay protected if the data is stolen, to create faster search routines in databases, and so on.
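The following is an added example, not code from the original post, of the file-integrity use case and its caveat: a plain SHA-256 digest detects accidental or unauthorised modification as long as the reference digest itself is trusted, but an attacker who can replace both the file and its published digest simply recomputes it, whereas an HMAC over the same file cannot be recomputed without the shared key. The sample "file" and the key are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample "file" for the demonstration: an install script.
ORIGINAL = b"#!/bin/sh\ncurl -fsSL https://example.org/install.sh | sh\n"


def file_digest(data: bytes) -> str:
    """Unkeyed SHA-256 hex digest: anyone can compute it, including an attacker."""
    return hashlib.sha256(data).hexdigest()


def file_mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 hex tag: only holders of `key` can compute a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, published: str) -> bool:
    """Integrity check against a digest obtained out of band (e.g. from a trusted page)."""
    return hmac.compare_digest(file_digest(data), published)


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Integrity check that does not depend on the tag being delivered securely."""
    return hmac.compare_digest(file_mac(key, data), tag)


def tamper(data: bytes) -> bytes:
    """Attacker swaps the download host in the script."""
    return data.replace(b"example.org", b"attacker.example")


def attack(data: bytes) -> Tuple[bytes, str]:
    """Attacker who controls the channel ships a tampered file together with
    the best 'checksum' they can produce for it: a freshly computed plain hash.
    Against verify_digest this passes; against verify_mac it fails, because
    the attacker has no key."""
    tampered = tamper(data)
    return tampered, file_digest(tampered)


if __name__ == "__main__":
    published = file_digest(ORIGINAL)
    print("genuine file passes:", verify_digest(ORIGINAL, published))
    print("tampered file vs trusted digest:", verify_digest(tamper(ORIGINAL), published))
    tampered, forged = attack(ORIGINAL)
    print("tampered file vs attacker-replaced digest:", verify_digest(tampered, forged))
    key = b"shared secret between sender and receiver"  # constructed for the demo
    print("tampered file vs HMAC:", verify_mac(key, tampered, forged))
```

A digital signature gives the same guarantee as the HMAC without a shared secret, which is why software distributions publish signatures rather than bare checksums.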