DEV Community

Lane Wagner
Lane Wagner

Posted on • Originally published at qvault.io on

Stop with the Obfuscation: Encoding and Encryption are Not the Same

This is a topic that has been talked about quite a bit, but I think it’s an important one to reiterate to our users.

Encoding is not Encryption!

Encryption is a specific subset of encoding where the encoded messages can only be accessed by authorized parties (the ones holding the decryption keys).

Encoding is simply a way of representing data in a specific format. For example, raw binary data can be encoded using the ASCII format to visually display english text.

In the context of programming, pure encoding schemes offer absolutely no security. Sometimes formats like JWTs or Base64 outputs can confuse entry-level programmers because they appear encrypted… They aren’t! Encoding formats are only useful because they give computers and humans protocols to view and process raw binary data in a meaningful way.

To illustrate this point, try the following tools to see how easy it is to decode messages that are just encoded (not encrypted):

https://jwt.io/

https://www.base64encode.org

Obligatory XKCD

https://xkcd.com/257/

Story Time

At a job where I worked in the past, a developer who was there before me built his own encoding scheme. It would take the raw binary data contained in a message and map specific bytes sequences to certain characters. It was totally made up, and the comment he left on the code was:

// Obfuscation technique. Base53 encoding for security
Enter fullscreen mode Exit fullscreen mode

While it may confuse an attacker for a couple minutes, this obfuscation offers more potential bugs in terms of needless complexity than it does security benefits. With free and easy to use encryption libraries available in all major programming languages, there is no excuse to try to bake your own these days.

ECC, RSA, AES-256, or another secure algorithm should have been used in the situation above. Ironically, it also probably would have taken less time to implement.

Security can be hard, but if you take the time to use best-practices it will save you so much time and headaches in the long run. Good luck, and stay safe out there!

By Lane Wagner

The post Stop with the Obfuscation: Encoding and Encryption are Not the Same appeared first on Qvault.

Top comments (1)

Collapse
 
dpaine20 profile image
David Paine20

Thanks a lot for explaining the difference between encoding and encryption. For the base64 encoding, there is another alternative url-decode.com/tool/base64-encode. And also agree with your statement that security can be hard, but if you take the time to use best-practices it will save you so much time and headaches in the long run.