28 September 2021

Hashing and encryption are both forms of cryptography, but they work quite differently. This article briefly describes how they are different.

Cryptography and encryption

Cryptography is used to enable secure communication. Nowadays the term is mostly used in the context of digital communication but its history goes back thousands of years. It is simply the practice of preventing third parties from reading private messages, and the messages don’t need to be emails.

Modern cryptography often involves encryption. Plain text, such as passwords, can be encrypted using an algorithm. Anyone looking at encrypted text just sees random gobbledegook. To read the encrypted text it first needs to be decrypted, using the same algorithm and the matching key or passphrase. However, not all cryptography involves encryption.

Hashing

Hashing is a form of cryptography that doesn’t involve encryption. When you hash plain text it is turned into a string of gibberish, but it can’t be decrypted. It is a one-way process.

That might not sound overly useful. What good is hashing plain text if you can’t decrypt it again? It is widely used though. For instance, passwords are typically stored securely as a hash. If you have a WordPress website then your user password is stored in the database, but the string you see in the users table isn’t your password. It is a hashed version of your actual password.

As said, hashed passwords can’t be decrypted. When you log into the WordPress dashboard the password you enter is hashed and compared with the string in the users table. If it matches you are logged in, and if it doesn’t you get an error.

Algorithms and salt

WordPress uses the wp_hash_password function to hash passwords. By default, it uses the MD5 algorithm. This is somewhat problematic, as MD5 has known vulnerabilities. There are better ciphers, such as Blowfish and DES (among many others), and you can use those ciphers instead. The reason that WordPress uses MD5 by default is that it is available on all platforms. Not all operating systems support the latest and greatest ciphers, but MD5 is pretty much guaranteed to be installed.

To make the MD5 hashes more secure, WordPress adds salt to hashes. Salting adds random data to the input of the hashing function. This makes the hashes unique, even when two users pick the same password, and protects against rainbow table attacks. A rainbow table is a precomputed list of known hashes that attackers can use to crack passwords.
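The login check and the salting described above, as an added example that is not WordPress code and not part of the original article. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than WordPress's own scheme; the function names, the `salt$hash` record format and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor, chosen for this example


def unsalted_md5(password: str) -> str:
    """No salt: identical passwords always produce identical hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salt$hash' record (both hex) with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)  # new random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare."""
    try:
        salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(unsalted_md5(pw) == unsalted_md5(pw))   # same hash for two users
    alice, bob = hash_password(pw), hash_password(pw)
    print(alice != bob)                            # salts make records differ
    print(verify_password(pw, alice), verify_password("wrong guess", alice))
```

The stored record never needs to be reversed: the salt is kept next to the hash so that the login attempt can be hashed the same way and compared.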

Encryption

There are two types of encryption: symmetric and asymmetric encryption. The first type is fairly easy to understand. With symmetric encryption you use a single private key to encrypt and decrypt data. This type of encryption is widely used to secure files, directories or entire hard drives (using LUKS). To illustrate, here I create a file containing a secret message and then encrypt it with the gpg utility.

[c2@server ~]$ echo "The crow will fly tonight." > secret.txt
[c2@server ~]$ gpg --symmetric secret.txt

The gpg command prompts you for a password. It then creates an encrypted copy of the file:

[c2@server ~]$ file secret.txt*
secret.txt:     ASCII text
secret.txt.gpg: GPG symmetrically encrypted data (AES cipher)

Someone else can now decrypt the file if they know the password:

[cat@c2 ~]$ gpg2 --decrypt secret.txt.gpg
gpg: AES.CFB encrypted data
gpg: encrypted with 1 passphrase
The crow will fly tonight.

Asymmetric encryption

Asymmetric encryption uses a private and public key rather than a passphrase. Instead of adding a password you encrypt a file with a public key, and the message can only be decrypted with the matching private key. The advantage is that you don’t need to manage passwords, but a disadvantage is that you now need to manage keys.

The main thing to understand about asymmetric encryption is that messages need to be encrypted with the recipient’s public key. So, if you want to send a secret message to Jane then the message needs to be encrypted with Jane’s public key. This means that you and Jane can only share encrypted messages if you first exchange keys. You both need to have your own key pair and give the public key to the other. The private keys are used to decrypt messages and need to be kept secret.