1

If encoding is used for integrity someone can tamper it across the network because it is based on some publicly known scheme.

When do you use encoding and when do you use hashing for preserving the integrity?

my understanding is encoding is used to preserve integrity across heterogeneous system when confidentiality does not matter. Why do people still use bases64 (Basic authentication)to send the username/password even though authentication information is confidential ?

user1493834
  • 177
  • 1
  • 10
  • 3
    I don't understand the question, encoding and hashing are two different and completely orthogonal concepts... – Darkhogg Apr 15 '16 at 07:35
  • When you encode data, you bring it into a form, so a certain system can work properly, it has nothing to do with security. An example is the URL encoding, which can be used to bring an URL into a form, so the browser wont mix up control-characters and characters from the address. – martinstoeckli Apr 15 '16 at 07:40
  • my question was - when username/password supposed to transferred securely why does Basic authentication uses base64 encoding even when encoding does not offer security. – user1493834 Apr 15 '16 at 07:57
  • If you are using TLS (and you should if you are sending passwords), there is no need to transmit the password hashed since TLS already ensures confidentiality. – Anders Apr 15 '16 at 08:05
  • You use base64 because the character set of base64 is safer to use over internet transmission than the password character set.. – M'vy Apr 15 '16 at 08:07

3 Answers3

1

Encoding is not a mean to ensure integrity. Encoding is here for representation. You encode a string into base64 because it is easier/safer to use the symbols in the internet environment, e.g. URLs where some characters are difficult to convey and interpret correctly afterwards. UTF-8 is used because we need a wide space to represent foreign language characters and other new symbols.

Hashing some content is a mean to verify integrity. If the content C has has D = H(C), you can by transmitting C and D verify that the received message C' verifies D' = H(C') = D = H(C). If it does not, then the message has lost integrity.

M'vy
  • 13,053
  • 3
  • 48
  • 69
1

You rarely use encoding for integrity1. Encoding is used to transform some data in another format, usually because it is more suitable to the other system. For example, base64 is used because some systems may not react very well to some binary data. Encoding might only help you against transmission errors. (E.g. if the base64 data received contains an invalid character, you know something went wrong.)

Hash functions can be used for integrity to ensure that the data has not been tampered by an attacker. Keyed-hash message authentication code (HMAC) use a hash function, along with a key (known by the sender and receiver) to ensure that the data has been sent by the right person, thus performing authentication.

As you may see, encoding merely offers integrity and you not protect you against an attacker. Hash functions, if they are correctly used, can protect the integrity of the transmitted data against both transmission errors and attackers.

In the case of providing an username and a password to a website, basic authentication will encode your username and password with base64. This does not provide any security at all, because anyone can decrypt it. For example, we can easily recover the username/password used in the Wikipedia page about basic authentication:

# Encoding the username and password
$ echo -n "Aladdin:OpenSesame" | base64 
QWxhZGRpbjpPcGVuU2VzYW1l

# Retrieving the encoded username and password
$ echo -n "QWxhZGRpbjpPcGVuU2VzYW1l" | base64 -D
Aladdin:OpenSesame

The username/password are not encoded for security reason, but to escape special character.

1 See Error detection and correction (Wikipedia)

Community
  • 1
Yuriko
  • 1,478
  • 1
  • 11
  • 23
  • I read here about encoding - https://danielmiessler.com/study/infosec_interview_questions/ – user1493834 Apr 15 '16 at 07:53
  • Hash functions does not use keys. Hash based message authentication does. – M'vy Apr 15 '16 at 07:56
  • Thank you for the link. I've just edited my answer to provide more information about that. :-) – Yuriko Apr 15 '16 at 07:57
  • thanks but my question still the same - when username/password supposed to be transferred securely why does Basic authentication uses base64 encoding even when encoding does not offer security. – user1493834 Apr 15 '16 at 08:01
  • @M'vy: My paragraph was poorly written, I was thinking about HMAC and got confused. Thanks for correcting me! – Yuriko Apr 15 '16 at 08:04
  • @user1493834: [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) (if you were speaking about that) will not offer you great protection! As you understood, anyone sniffing the communication will get your username and password. This is a real problem. The solution is to use [HTTPS,](https://en.wikipedia.org/wiki/HTTPS) this will *encrypt* the data transmitted to the server, and thus, the encoded version of your username:password! The server will decrypt the packet, and decode the data. – Yuriko Apr 15 '16 at 08:10
  • @user1493834: If you are wondering *why* basic authentication bothers encoding your password/username, take a look at [this question.](http://security.stackexchange.com/questions/29916/why-does-http-basic-authentication-encode-the-username-and-password-with-base64) – Yuriko Apr 15 '16 at 08:14
1

First of all, they are three different concepts. And let me paste this block from the site you linked:

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn’t primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input. (source: danielmiessler.com)

So let me introduce some examples, as they might have confused you

ENCODING: Turning the string http://security.stackexchange.com/questions to http%3A%2F%2Fsecurity.stackexchange.com%2Fquestions is URL encoding. It has nothing to do with security, easily reversible, and helps transport.

ENCRYPTION: The string security.stackexchange.com with the encryption key example and AES-256 turns to g4jBsloWrMkqNJvPOkKvgOv9qQvLWcDgFqAih4LrQLs=. This is a secure form of data, as long as example is hard enough to guess. (In real life it should be more complicated)

HASHING: Hash functions are one-way functions, they truncate the output to a certain number of bits. So there's no way to reverse hashed values, their purpose is verification. It's only possible to get the raw value back from rainbow tables or via manual bruteforcing. An example of security.stackexchange.com hashed with md5 algorithm is a7711987f4696a33c69ea8e48dc616d5.

Rápli András
  • 2,144
  • 1
  • 11
  • 24