Encoding vs Encryption – They Aren’t the Same

While encryption does involve various methods of encoding data, the two are absolutely not interchangeable. In fact, if you get them mixed up it can result in serious data breaches and security vulnerabilities.

Encryption is a specific subset of encoding where the encoded messages can only be accessed by authorized parties (the ones holding the decryption keys).

Encoding is simply a way of representing data in a specific format. For example, raw binary data can be encoded and decoded using the ASCII format as shown in the table below.

[Image: ASCII encoding chart]


In the context of programming and cybersecurity, encoding offers absolutely no security. Sometimes formats like JWTs or Base64 outputs can confuse entry-level programmers because they appear encrypted when in reality they aren’t! An attacker can easily figure out the protocol used to encode the data and reverse it. For example, in the case of ASCII encoding it’s as simple as looking up each byte value in the table above.

Encoding formats are only useful because they give computers and humans protocols to view and process raw binary data in a meaningful way.
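As an added example (not code from the original article), the Go program below reads the claims of a JWT with no key at all, then shows that AES-256-GCM ciphertext only opens with the right key. The function names `jwtClaims`, `newGCM`, `seal` and `open` and the sample token are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// jwtClaims reads a JWT payload with no key: it is only Base64URL-encoded JSON.
func jwtClaims(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("want 3 segments, got %d", len(parts))
	}
	claims, err := base64.RawURLEncoding.DecodeString(parts[1])
	return string(claims), err
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts msg and prepends the fresh random nonce to the ciphertext.
func seal(gcm cipher.AEAD, msg []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// open decrypts; a wrong key or modified data fails authentication.
func open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext shorter than nonce")
}

func main() { // constructed token; its signature segment is a placeholder
	fmt.Println(jwtClaims("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4ifQ.sig"))
}
```

Passing `open` an AEAD built from a different key returns an authentication error rather than plaintext, which is the property Base64 and JWT encoding never provide.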

To illustrate this point, try the following tools to see how easy it is to decode messages that are just encoded (not encrypted):

Why you should ensure your encoded data is encrypted

At a job where I worked in the past, a developer before me built his own encoding scheme. It would take the raw binary data contained in a message and map specific byte sequences to certain characters. It was totally made up, and the comment he left on the code was:

// Obfuscation technique. Base53 encoding for security

While it may confuse an attacker for a couple of minutes, this obfuscation introduces more potential bugs through needless complexity than it provides in security benefits. With free and easy-to-use encryption libraries available in all major programming languages, there is no excuse to try to bake your own these days.

Elliptic curve cryptography, RSA, AES-256, or another secure algorithm should have been used in the situation above. Ironically, it also probably would have taken less time to implement.

Security can be hard. However, take the time to use best practices. It will save you so much time and so many headaches in the long run. Good luck, and stay safe out there!

Have questions or feedback?

Follow and hit me up on Twitter @q_vault if you have any questions or comments. If I’ve made a mistake in the article, please let me know so I can get it corrected!
