A Deep Cybersecurity View of Hashing, Encryption, and Encoding
Source: Dev.to
Encoding: Format Change Only
Encoding only changes data format. It does not provide security.
Examples
- Base64
- URL encoding
- ASCII
- UTF‑8
Encoding is used for transport or compatibility, not protection.
Hashing: One Way Protection
Hashing creates a fixed‑size output called a message digest.
Important hashing terms
- Message digest – the result of a hash function
- Collision – two different inputs produce the same hash
- Collision resistance – how hard it is to create a collision
Hash algorithms
- MD5 – broken; collisions can be generated in seconds, so it must not be used anywhere collision resistance matters
- SHA‑1 – deprecated; a practical collision was demonstrated in 2017 (SHAttered), so it is out for certificates and signatures
- SHA‑2 (SHA‑256, SHA‑512) – current standard, no practical attacks known
- SHA‑3 – a different internal design (Keccak sponge), standardized as a hedge alongside SHA‑2, not because SHA‑2 is broken
SHA‑256 is like a strong metal door. SHA‑512 is the same door but thicker: the same design with 64‑bit words and a 512‑bit digest, often faster on 64‑bit CPUs. Both are fast on purpose, which is exactly why neither should be used on its own to store passwords (see the KDF section below).
Salt and Pepper
- Salt – unique random value per password, stored in the clear next to the hash; it stops rainbow‑table attacks and makes identical passwords hash differently
- Pepper – secret value kept outside the database (config, KMS, HSM) and mixed into every hash, so a dump of the table alone cannot be used to test guesses
Rainbow tables
Huge pre‑computed tables mapping hashes back to inputs. A unique salt per password defeats this precomputation, but it does not slow a brute‑force attack on a single hash; that is the job of a slow KDF.
Key Derivation Functions (KDF)
- KDF2 – a specific hash‑based KDF (ISO/IEC 18033‑2) that derives a strong key from a weaker secret; it has no tunable work factor, so for passwords use the slow KDFs below
- PBKDF2 – intentionally slow; applies HMAC over password + salt many times (hundreds of thousands of iterations today), making brute force proportionally more expensive
- bcrypt – slow, auto‑salted, with a tunable cost factor; still sound today, but note it only uses the first 72 bytes of the password
- Argon2 – next‑generation KDF; slow and memory‑hard, so GPU/ASIC cracking gains little; use the Argon2id variant
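The salt, pepper and KDF points above, as an added example written for this page (not code from the original article): PBKDF2‑HMAC‑SHA256 from the Python standard library, a per‑record random salt, a pepper applied with HMAC before the KDF, constant‑time verification, and a work‑factor upgrade check. The pepper value, iteration count and record format are this example's own choices; the unsalted function is included only to show why two users with the same password must not share a digest.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. 600,000 follows current OWASP guidance;
# tune it so one hash costs a noticeable fraction of a second on your servers.
PBKDF2_ITERATIONS = 600_000

# Hypothetical pepper, constructed for this example. In production it comes
# from a secrets manager, KMS/HSM or environment variable, never from the
# database that holds the hashes.
PEPPER = bytes.fromhex("a3f1c4d9e07b52186f4ec1d2b9a8e7c5")


def unsalted_sha256(password: str) -> str:
    """What NOT to do: fast and unsalted. Identical passwords give identical
    digests, so one precomputed (rainbow) table cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    The pepper is mixed in with HMAC before the KDF, so a database dump
    without the pepper cannot be used to verify candidate passwords."""
    if salt is None:
        salt = secrets.token_bytes(16)  # unique per password; stored in the clear
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, _digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str, target_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than we now
    require: re-hash with the current setting right after a successful login."""
    return int(stored.split("$")[1]) < target_iterations


if __name__ == "__main__":
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("unsalted digests equal:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("salted records equal:  ", alice == bob)
    print("verify correct:", verify_password("hunter2", alice))
    print("verify wrong:  ", verify_password("hunter3", alice))
```

The record carries its own iteration count, so the work factor can be raised later without invalidating existing logins: old records still verify, and needs_rehash flags them for an upgrade once the user has authenticated.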
Uses of hashing
- Password storage
- Integrity checks
- Digital signatures
Encryption: Two Way Protection
Encryption turns readable data into unreadable ciphertext. With the correct key it can be reversed.
A. Symmetric Encryption
One key is used for both lock and unlock.
Examples
- AES – modern and very strong
- DES – broken
- 3DES – outdated and weak
Used in
- Wi‑Fi
- VPN
- Disk encryption
- TLS sessions
B. Asymmetric Encryption
Two keys. For encryption the public key encrypts and only the private key decrypts; for signatures the roles reverse, the private key signs and anyone with the public key verifies. Asymmetric operations are slow, so in practice they exchange or wrap a symmetric key rather than encrypt bulk data.
Examples
- RSA – older, large keys (2048‑bit minimum today)
- ECC – smaller keys and faster at comparable strength (256‑bit ECC ≈ 3072‑bit RSA)
Used in
- HTTPS
- Digital signatures
- Identity verification
- Secure email
Cipher Modes (How Block Encryption Works)
Block ciphers like AES need a mode to operate.
- CBC (Cipher Block Chaining) – each plaintext block is XORed with the previous ciphertext block before encryption; it needs an unpredictable IV and provides no integrity, so without a separate MAC it is open to padding‑oracle and bit‑flipping attacks
- GCM (Galois/Counter Mode) – authenticated encryption (AEAD): confidentiality plus an integrity tag that can also cover unencrypted header data; used in modern TLS. A nonce must never repeat under the same key, or both confidentiality and the tag's forgery resistance are lost
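The two failure modes behind the CBC/GCM comparison, as an added example written for this page (not code from the article). The Python standard library has no AES, so a counter‑mode keystream built from HMAC‑SHA256 stands in for AES‑CTR; the behaviour it demonstrates (an unauthenticated mode is malleable, a reused nonce leaks the XOR of two plaintexts, and an encrypt‑then‑MAC tag stops tampering the way GCM's tag does) is the same for the real ciphers. Keys, nonces and the "amount=" message are constructed inputs.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: keystream block i = PRF(key, nonce || i). With AES the
    PRF is the block cipher itself; HMAC-SHA256 stands in for it here."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Unauthenticated counter mode. Decryption is the identical operation."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


ctr_decrypt = ctr_encrypt


def flip_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker's bit-flip against an unauthenticated mode (CBC is malleable
    too, one block later): XORing known^wanted into the ciphertext rewrites
    the plaintext at that offset without knowing the key."""
    delta = xor_bytes(known, wanted)
    end = offset + len(delta)
    return ciphertext[:offset] + xor_bytes(ciphertext[offset:end], delta) + ciphertext[end:]


def nonce_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Two messages under the same key AND nonce share a keystream, so
    ct1 ^ ct2 == pt1 ^ pt2: the plaintexts are related without the key."""
    return xor_bytes(ct1, ct2)


def aead_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes,
                 aad: bytes = b"", nonce: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC, the shape of what GCM does with its tag. The tag
    covers nonce, associated data (aad) and ciphertext, so any change shows."""
    if nonce is None:
        nonce = secrets.token_bytes(12)  # fresh per message; never reuse under one key
    ciphertext = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + aad + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def aead_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes,
                 tag: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before touching the ciphertext; refusing to decrypt
    unauthenticated data is what closes the padding-oracle/bit-flip hole."""
    expected = hmac.new(mac_key, nonce + aad + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return ctr_decrypt(enc_key, nonce, ciphertext)


def authenticates(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes,
                  tag: bytes, aad: bytes = b"") -> bool:
    """Convenience wrapper: True if the message is accepted, False if rejected."""
    try:
        aead_decrypt(enc_key, mac_key, nonce, ciphertext, tag, aad)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key, mac_key, nonce = bytes(range(32)), bytes(range(32, 64)), bytes(12)
    order = b"amount=0010;to=alice"                      # constructed message
    ct = ctr_encrypt(key, nonce, order)
    forged = flip_field(ct, 7, b"0010", b"9999")         # "amount=" is 7 bytes
    print("unauthenticated CTR, forged plaintext:", ctr_decrypt(key, nonce, forged))
    n, c, t = aead_encrypt(key, mac_key, order, aad=b"v1")
    print("forgery accepted with a tag?", authenticates(key, mac_key, n, flip_field(c, 7, b"0010", b"9999"), t, b"v1"))
```

GCM uses a separate key for its GHASH tag internally; this example makes that explicit with two keys. Use a real AEAD (AES‑GCM or ChaCha20‑Poly1305 from a vetted library) in production; the point here is what the tag and the unique nonce buy you.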
TLS, Certificates, Keys, Trust
TLS
Secure encrypted connection between client and server. It combines an ephemeral key exchange (normally ECDHE), a certificate and signature that authenticate the server (RSA or ECDSA), and a symmetric AEAD cipher (AES‑GCM or ChaCha20‑Poly1305) for the data.
- SSL – old version of TLS; not safe anymore
TLS Handshake
- Client offers its supported cipher suites and an ephemeral key share
- Server picks a suite, sends its own ephemeral key share and its certificate, and signs the handshake transcript
- Client verifies the certificate chain and the signature
- Both sides derive the temporary symmetric session keys from the shared (EC)DHE secret
Cipher suites
A “recipe” that specifies:
- Key exchange (e.g. ECDHE)
- Authentication (e.g. RSA or ECDSA certificate)
- Symmetric cipher and mode (e.g. AES‑128‑GCM)
- Hash for the handshake PRF/HKDF and, in older suites, the HMAC
In TLS 1.2 the name spells all of this out (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); TLS 1.3 names only the cipher and hash (TLS_AES_128_GCM_SHA256) because key exchange is always ephemeral (EC)DHE.
Example suite components
- ECDHE for key exchange
- AES‑GCM for encryption
- SHA‑256 for integrity
Diffie‑Hellman (DH) & Elliptic Curve DH (ECDH)
Methods for two parties to agree on a shared secret over a public network without ever sending it. ECDH is faster and gives stronger security per bit. The ephemeral variants (DHE/ECDHE) use fresh keys for every session, which gives forward secrecy: a later compromise of the server's long‑term key does not expose past traffic. DH on its own does not authenticate the peer, which is why TLS signs the exchange with the server's certificate key.
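The handshake, cipher‑suite and Diffie‑Hellman material above, as one added example written for this page (not code from the article): an ephemeral DH exchange over a toy group, RFC 5869 HKDF to turn the shared secret plus a transcript hash into session keys, a simplified ClientHello/ServerHello flow, and a parser for cipher‑suite names. The group (p = 2^127 − 1, g = 3) is for illustration only, not a real TLS group, and the server's certificate signature over the transcript is omitted because the standard library has no RSA/ECDSA; without that signature the exchange is vulnerable to an active man‑in‑the‑middle.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Toy Diffie-Hellman parameters (assumption for this example). Real TLS uses
# X25519 or the RFC 7919 finite-field groups; the algebra is identical.
P = (1 << 127) - 1          # Mersenne prime
G = 3


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, input keying material)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]


def public_key_is_valid(pub: int) -> bool:
    """Reject 0, 1 and p-1: they force the shared secret to a trivial value."""
    return 2 <= pub <= P - 2


def dh_keypair() -> Tuple[int, int]:
    """Fresh (ephemeral) key pair for every handshake: this is the 'E' in ECDHE."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    if not public_key_is_valid(peer_pub):
        raise ValueError("invalid peer public key")
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def derive_session_keys(shared_secret: bytes, transcript_hash: bytes) -> Tuple[bytes, bytes]:
    """Bind the keys to what both sides saw (the transcript), as TLS 1.3 does.
    TLS 1.3 mixes in earlier secrets too; this is the simplified shape."""
    prk = hkdf_extract(b"", shared_secret)
    return (hkdf_expand(prk, b"client write key" + transcript_hash, 32),
            hkdf_expand(prk, b"server write key" + transcript_hash, 32))


def tls_like_handshake(suite: str = "TLS_AES_128_GCM_SHA256") -> Tuple[Tuple[bytes, bytes], Tuple[bytes, bytes]]:
    """Return (keys derived by client, keys derived by server)."""
    # 1. ClientHello: offered suite + ephemeral key share
    c_priv, c_pub = dh_keypair()
    client_hello = f"ClientHello:{suite}:{c_pub}".encode()
    # 2. ServerHello: chosen suite + server's ephemeral key share. A real server
    #    also sends its certificate and signs the transcript (omitted here).
    s_priv, s_pub = dh_keypair()
    server_hello = f"ServerHello:{suite}:{s_pub}".encode()
    transcript = hashlib.sha256(client_hello + server_hello).digest()
    # 3. Each side combines its private key with the peer's share; the shared
    #    secret itself never crosses the wire.
    client_keys = derive_session_keys(dh_shared(c_priv, s_pub), transcript)
    server_keys = derive_session_keys(dh_shared(s_priv, c_pub), transcript)
    return client_keys, server_keys


def parse_cipher_suite(name: str) -> Dict[str, object]:
    """Split a suite name into its recipe. TLS 1.2 names carry key exchange,
    authentication, cipher and hash; TLS 1.3 names carry only cipher and hash."""
    if "_WITH_" not in name:                                   # TLS 1.3 style
        cipher, hash_alg = name[len("TLS_"):].rsplit("_", 1)
        return {"kx": "(EC)DHE", "auth": "certificate signature", "cipher": cipher,
                "hash": hash_alg, "forward_secrecy": True}
    left, right = name.split("_WITH_")
    parts = left[len("TLS_"):].split("_")                      # e.g. ["ECDHE", "RSA"]
    kx, auth = parts[0], (parts[1] if len(parts) > 1 else parts[0])
    cipher, hash_alg = right.rsplit("_", 1)
    return {"kx": kx, "auth": auth, "cipher": cipher, "hash": hash_alg,
            "forward_secrecy": kx in ("DHE", "ECDHE")}


if __name__ == "__main__":
    (c_key, _), (s_key, _) = tls_like_handshake()
    print("both sides derived the same client key:", c_key == s_key)
    print(parse_cipher_suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
    print(parse_cipher_suite("TLS_RSA_WITH_AES_128_CBC_SHA"))   # static RSA: no forward secrecy
```

Two handshakes never produce the same keys because both key pairs are thrown away afterwards; that is the forward‑secrecy property, and it is why parse_cipher_suite marks static‑RSA suites (TLS_RSA_WITH_...) as lacking it.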
PKI (Public Key Infrastructure)
The full system that allows browsers to trust websites. It includes:
- Certificates
- Certificate Authorities (CAs)
- Trust chain
- OCSP (Online Certificate Status Protocol)
- Revocation lists
Root Trust
Devices ship with a built‑in list of trusted root CAs. If a CA is trusted, every certificate that chains to it is trusted, which is also why a compromised or careless CA can be used to impersonate any site.
Certificate Authority (CA)
Trusted organization that issues certificates.
CRL (Certificate Revocation List)
List of certificates that are no longer valid.
OCSP
Real‑time check if a certificate is valid.
Certificate Chain
Server certificate → intermediate certificate → root certificate.
EV Certificates
Extended Validation – stronger identity vetting of the organization, but the same cryptographic strength as any other certificate; browsers no longer show a special indicator for EV.
Certificate Pinning
App trusts only a specific certificate or public key (usually the SHA‑256 hash of the key), so a certificate for the same name issued by any other CA is rejected. Pin a backup key and plan rotation, or a routine certificate renewal locks users out.
Key Lifecycle
Keys must be:
- Generated
- Stored securely
- Rotated
- Expired
- Destroyed
Code Signing
Software is signed with a private key; systems verify the signature before execution, preventing malware masquerading as legitimate software.
Authentication and Identity Security
- Kerberos – authentication protocol used in Windows networks
- WPA3 – modern secure Wi‑Fi protocol
- PB (Password Based) – prefix for password‑based schemes, as in PBKDF2 (Password‑Based Key Derivation Function 2)
- SAML – XML‑based enterprise SSO protocol; older than OIDC but still widely deployed
- OAuth 2 – authorization system used in modern apps
- OIDC – identity layer built on top of OAuth 2
- Identity Provider (IdP) – service that confirms user identity
- SSO (Single Sign‑On) – user logs in once and gains access to many apps
- JWT – signed (or encrypted) JSON token; the receiver must verify the signature with a pinned algorithm and check issuer, audience and expiry before trusting any claim
- Access Tokens – short‑lived tokens for API access
- Federation – identity sharing between systems
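JWT issuance and verification as an added example written for this page (not code from the article, and not any particular library's API), using only the Python standard library. It signs with HS256 and then verifies the way an API should: algorithm pinned by the verifier rather than read from the token (which also rejects "alg": "none"), signature compared in constant time, then exp/nbf, issuer and audience. The key, issuer and audience values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign_hs256(claims: dict, key: bytes) -> str:
    """Issue header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def jwt_verify_hs256(token: str, key: bytes, audience: str, issuer: str,
                     now: Optional[float] = None) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise.
    Nothing in the payload is trusted until the signature has been verified."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides the algorithm. Honouring the token's "alg" is what
    # enables "none" and HS256/RS256 key-confusion attacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("nbf") is not None and now < claims["nbf"]:
        raise ValueError("not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def verification_error(token: str, key: bytes, audience: str, issuer: str,
                       now: Optional[float] = None) -> Optional[str]:
    """Reason a token is rejected, or None when it is accepted."""
    try:
        jwt_verify_hs256(token, key, audience, issuer, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    issued = int(time.time())
    token = jwt_sign_hs256({"iss": "https://idp.example", "aud": "api.example",
                            "sub": "alice", "exp": issued + 300}, key)
    print("valid token:", verification_error(token, key, "api.example", "https://idp.example"))
    head, body, _sig = token.split(".")
    none_token = b64url_encode(b'{"alg":"none"}') + "." + body + "."
    print("alg=none token:", verification_error(none_token, key, "api.example", "https://idp.example"))
```

Access tokens are short‑lived for a reason: the exp check is what bounds the damage from a leaked token, and the audience check stops a token minted for one API from being replayed against another.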
Threat Modeling and Risk Terms
STRIDE
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
DREAD
Older threat‑scoring model.
Attack Trees
Visual model of how an attacker can reach a goal.
Kill Chain
Stages of an attack.
MITRE ATT&CK
Database of attacker techniques.
Attack Surface
All possible points where an attacker can try to enter.
Vulnerabilities and Risk Metrics
- CVE – public identifier for vulnerabilities
- CVSS – 0–10 severity score for a vulnerability considered in isolation; not the same as the risk it poses in a particular environment
- NVD – database of official vulnerability records
- Threat Agents – who might attack you
- Risk Scoring – how dangerous a situation is
Infrastructure and Access Control
- IAM – Identity and Access Management
- ACLs – Access Control Lists
- DMZ – network zone between the public internet and internal network
Disaster Recovery Terms
- RTO – maximum acceptable downtime
- RPO – maximum acceptable data loss
- DR Site – backup location for disasters
- Backup Testing – verifying that backups actually work
Final Summary
This article covered hashing, encryption, encoding, and the many cybersecurity components that rely on them.
- Hashing protects passwords and ensures data integrity.
- Encryption protects data in transit and at rest.
- Encoding merely changes data format for transport or compatibility.
TLS, certificates, RSA, AES, salts, KDFs, cipher suites, and identity systems all combine these concepts to secure modern systems. Understanding these fundamentals provides a strong foundation for becoming a cybersecurity engineer.