A Guide To Password Security

Welcome to an ITSEC security explainer on password encryption, password hashing and password salting. In this article I am going to try and explain the difference between the three and explain how they help secure your passwords (while they are stored on servers somewhere). The cybersecurity world loves to name drop and use acronyms without really explaining what things mean, so I am going to discuss the difference between encryption and hashing first, then we will factor in salting and explain how it fits into the overall password puzzle.

Password Encryption Explained

Password encryption is a two-way street, because when you encrypt something you almost always plan to decrypt it later. But what does this all mean? In short, encryption is the art of scrambling data in such a way that only someone who knows exactly how to unscramble it (decrypt it) can read it. Typically that person decrypts the information with the ‘encryption key’: they unlock the encryption with the key to read the data, and it is the encryption key (and the quality of the encryption) which ultimately protects the data. An encryption key is an algorithm, a piece of math which explains how to unscramble (decrypt) the data you want to read.

There are important differences between encryption and hashing. When you encrypt data you use what we call a cipher, also called an algorithm, to encrypt and decrypt information. An algorithm or encryption key is effectively a set of rules which tell your computer how to unscramble the encrypted data.

How Does Password Encryption Work?

Let's use a simple example to explain how encryption works using a simple cipher. I will encrypt a sentence using a ‘shift cipher’ that replaces each letter with one that is three places ahead of it. Obviously this is a very simplistic and insecure way to encrypt data, but that's fine for teaching the basic concepts. The sentence in its raw form is in what we call ‘plaintext’, which is unformatted and unencoded; the encrypted data will return to this state once it has been decrypted.

Let’s go with the sentence, “be nice to people”. I’m going to apply the encryption algorithm/key and turn it into ciphertext. The plaintext BE NICE TO PEOPLE becomes the ciphertext EHQLFHWRSHRSOH. Ciphertext is stored without spacing or punctuation in order to hide word lengths and make it harder to crack. If you wanted to decrypt the above text you would use the encryption key for this cipher (the opposite of the algorithm that was used for encryption), shifting the letters back by three to read the message, providing of course you have the encryption key which explains to your computer how to decrypt the message.

The ciphers and algorithms that we currently use to encrypt things digitally are MUCH more complex than this, but, hopefully, you get the general concept behind encryption and how we use algorithms.
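The shift cipher above as an added Python example (not code from the original article): it reproduces the BE NICE TO PEOPLE ciphertext with a shift of three, reverses it, and lists every possible decryption to show why a cipher with only 25 keys is insecure. The function names are this example's own.

```python
import string

ALPHABET = string.ascii_uppercase  # A..Z


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift each letter `key` places ahead; spaces and punctuation are
    dropped, as in the article's ciphertext."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in letters)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Shift each letter `key` places back (the inverse of shift_encrypt)."""
    return "".join(ALPHABET[(ALPHABET.index(c) - key) % 26] for c in ciphertext)


def all_candidate_plaintexts(ciphertext: str) -> dict:
    """Decrypt with every key from 1 to 25. The key space is so small that
    reading 25 lines is enough to recover the message without the key."""
    return {key: shift_decrypt(ciphertext, key) for key in range(1, 26)}


if __name__ == "__main__":
    ciphertext = shift_encrypt("be nice to people", 3)
    print("ciphertext:", ciphertext)
    print("decrypted :", shift_decrypt(ciphertext, 3))
    for key, candidate in all_candidate_plaintexts(ciphertext).items():
        print(f"key {key:2d}: {candidate}")
```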

Different Kinds Of Simple Encryption Algorithms

When we start to take a look at the different kinds of ciphers (encryption algorithms) we will start to get closer to the modern algorithms that we use in modern digital encryption.

Transposition Ciphers – A transposition cipher uses a set of rules to change the order of the text into different variations which are then encrypted. The same set of rules is then used to decrypt.

Substitution Ciphers – A substitution cipher replaces text with cipher text using a ‘fixed system algorithm’. In this case the encryption key is a set of instructions which shows the fixed system, which can then be used to decrypt the encrypted text to convert it into plain text.

Polyalphabetic Ciphers – A polyalphabetic cipher is a kind of ‘substitution cipher’ that uses multiple alphabets to complicate the encryption and make unauthorized decryption of the ciphertext harder than it would normally be with a single alphabet.

Shift Ciphers – As in the example I used above, this cipher chooses a number between 1-25, and shifts the letters X number of spaces in the alphabet to encrypt the text. In this case that shift number serves as the decryption key, allowing you to decrypt and read the data.

Nomenclator ciphers – Nomenclator ciphers are a type of substitution cipher that replaces common plaintext words with symbols to make them much harder to decrypt without the key.

Modern Encryption

Before I can properly explain modern encryption ciphers, it's important to talk about public and private keys and how encryption has been fundamentally changed by the digital revolution. All of the above examples can be classified as ‘private key cryptography’. This means that encryption and decryption are completely dependent on a private key, one which you have to share with another person if you want that person to be able to decrypt your messages. This is why private encryption keys should always be kept safe and secure, but physically carrying an encryption key and having to give it to others just makes the whole thing much more risky from a security perspective. If your encryption key is compromised and discovered by an unauthorized person, the consequences could potentially be disastrous because they can then read your messages.

Thanks to modern computer technology and the internet we can now enable what is called ‘public key cryptography’, where one public key is used to encrypt some text and a private key is used to decrypt it. This process solves the problem of physical key exchange by using a publicly available key to encrypt something, which is then sent to a server for decryption by a private key. In the digital age the most common forms of encryption are:

Asymmetric Encryption – This is the public key example we just gave where one key encrypts and the other decrypts. The encryption goes one way and this concept is the foundation of public key infrastructure, which is the trust model underpinning SSL/TLS.

Symmetric Encryption – This is closer to a form of private key encryption. Each party has its own key that can both encrypt and decrypt. In the above example the browser and server communicate using a symmetric session key that is passed along the internet.

Of the two types, asymmetric encryption offers stronger security because of its one-way encryption flow and the lack of need to have keys in two sets of hands which can both decrypt. When you look at an SSL certificate and see “2048-bit”, it refers to the private key length. When you see “256-bit” mentioned, it’s referring to the size of the symmetric session keys that are used during communication. This doesn’t mean that symmetric encryption is less safe because it would still take a supercomputer thousands of years to decrypt 256-bit encryption (in 2020).

Modern Encryption Algorithms

Now that we have covered both symmetric and asymmetric encryption, let’s take a closer look at modern encryption algorithms and the different kinds that we use.

AES – AES stands for Advanced Encryption Standard and it’s a specification for encryption published by the National Institute of Standards and Technology (NIST). It puts plaintext through a number of “transformation rounds” determined by key size; each round consists of several processing steps. AES is a common algorithm used on the internet in both SSL and TLS.

RSA – RSA stands for Rivest-Shamir-Adleman (after its creators). It is a public key encryption algorithm (asymmetric) that has been around since 1978 and is still widely used today. It uses the factorization of prime numbers to encrypt plaintext.

ECC – ECC stands for Elliptic Curve Cryptography, which relies on the algebraic structure of elliptic curves over finite fields. ECC has distinct advantages over RSA and you can expect it to play a more prominent role in the future of modern SSL and TLS encryption.

PGP – PGP stands for Pretty Good Privacy and was created in 1991 by Phil Zimmermann. It’s a collection of algorithms rather than a single one, all for hashing, data compression and both public and private key cryptography. Each step uses a different algorithm and despite being secure it has been criticized for being difficult to use and also for the length of its keys.

Password Hashing Explained

Now that we have covered encryption, let's move on to ‘hashing’. Where encryption is designed to secure data, hashing is meant to verify that a piece of data hasn’t been altered. It serves as a checksum for anything that you download from the internet when you want to ensure that the file you have downloaded has not been tampered with by a ‘man in the middle’.

Hashing uses an algorithm to map data of any size to a fixed-length value called a hash value. Whereas encryption is a two-way function, hashing is a one-way function. Here’s how it works: each hashing algorithm outputs at a fixed length. So for instance, you may hear about SHA-256; that means that the algorithm is going to output a hash value that is 256 bits. Every hash value is unique, but if two different files produce the same unique hash value this is called a collision and it makes the hash algorithm useless. When Google created a collision with the SHA-1 hashing algorithm to demonstrate its vulnerability, SHA-1 was phased out in favor of SHA-2.

Anyway, here’s an example of hashing, let’s say you want to digitally sign a piece of software and make it available for download on your website. To do this, you’re going to create a hash of the script or executable you’re signing, then after adding your digital signature you’ll hash that, too.

Following this, the whole thing is encrypted so it can be downloaded. When a customer downloads the software, their browser decrypts the file, then inspects the two unique hash values. The browser will then run the same hash function, using the same algorithm, and hash both the file and the signature again. If the browser produces the same hash value then it knows that the signature and the file are authentic and that they have not been altered. If the file has been altered then the browser issues a warning and that’s actually how code signing works. No two files can create the same hash value so any alteration, even the tiniest change in the code, will produce a different hash value to the original hash value.

Common Password Hashing Algorithms

Let’s take a closer look at some of the most common hashing algorithms we use today.

MD4 – MD4 is a 'self-loathing' hash algorithm. Created in 1990, even its creator, Ronald Rivest, admits it has security problems. The 128-bit hashing algorithm made an impact though: its influence can be felt in more recent algorithms like MD5, RIPEMD and the SHA family.

MD5 – MD5 is another hashing algorithm made by Ronald Rivest that is known to suffer from vulnerabilities. It was created in 1992 as the successor to MD4. Currently MD6 is in the works, but as of 2009 Rivest had removed it from NIST consideration for SHA-3.

SHA – SHA stands for Security Hashing Algorithm and it’s probably best known as the hashing algorithm used in most SSL/TLS cipher suites. A cipher suite is a collection of ciphers and algorithms that are used for SSL/TLS connections. SHA handles the hashing aspects. SHA-1, as we mentioned earlier, is now deprecated. SHA-2 is now mandatory. SHA-2 is sometimes known as SHA-256, though variants with longer bit lengths are also available.

Password Salting Explained

Salting is closely related to password hashing in that it is a unique value that can be added to the end of the password to create a different hash value. This adds a layer of security to the hashing process, especially against brute force attacks. A brute force attack is where a computer or botnet attempts every possible combination of letters and numbers until the password is found. When you salt a password the additional value is referred to as a “salt”. When you add salt to the end of a password and then hash it, you dramatically complicate the password cracking process. Say the password you want to salt looks like ‘7X57CKG72JVNSSS9’ and your salt is just the word SALT. Before hashing, you add SALT to the end of the data.

So, it would look like this ‘7X57CKG72JVNSSS9SALT’.
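The salting step described here, as an added Python example (not code from the original article). It hashes the text's sample password with and without the fixed salt SALT, then goes beyond the text by using a random salt per password and PBKDF2, a deliberately slow hash from Python's standard library; the function names and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

PASSWORD = "7X57CKG72JVNSSS9"  # sample password from the text
FIXED_SALT = "SALT"            # sample salt from the text
ITERATIONS = 600_000           # assumed work factor for PBKDF2-HMAC-SHA256


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def salted_vs_unsalted():
    """Hash the password alone and with SALT appended, as in the text.
    Both digests are 256 bits long but share nothing recognisable."""
    return sha256_hex(PASSWORD), sha256_hex(PASSWORD + FIXED_SALT)


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Return (salt, digest). A fresh random 16-byte salt is generated for
    each password, so two users with the same password get different hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    plain, salted = salted_vs_unsalted()
    print("unsalted:", plain)
    print("salted  :", salted)
    salt, stored = hash_password(PASSWORD)
    print("login ok   :", verify_password(PASSWORD, salt, stored))
    print("wrong guess:", verify_password("password123", salt, stored))
```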

By salting the password you are changing its hash value to something different than it would be with a plain unsalted password. Even the slightest variation to the data being hashed will result in a completely different hash value, and by salting your password you hide its real hash value. If a brute force attacker knows your salt then it becomes worthless, because they can add it to the end of every password variation they’re attempting and will eventually find your password.

Hopefully this article has clearly explained the difference between password encryption, hashing and salting. If you feel it hasn’t and have more questions then get in touch with us!