Today we’re going to take a quick look at encoding, as covered in Domain 3 of the CISSP common body of knowledge (CBK). There is often some confusion between encoding and encryption, so one of the purposes of this article is to look at how the CBK defines encoding.
Encoding is the action of changing a message into another format through the use of a code. This happens when various symbols or characters are used to represent words or phrases. A common example of this can be seen when using the code phrase “10-4”. If someone responds with “10-4”, they are acknowledging that they’ve received and understood the message or instructions passed to them.
This is one of the key differences between encoding and encryption. Encryption converts plain text to cipher text and is meant to hide the meaning or intent of a message, thereby providing confidentiality. However, encoding changes a message from one format to another, and is not always private. As in the example above, codes (or code phrases) can be public knowledge.
The practice of encoding is often seen when passing data from one place to another. For example, by using base64 encoding, special characters that may break an application or system (i.e. !, @, ‘, “, `), are encoded into a format that can be safely transmitted and decoded once they reach their destination.
Finally, while encoding data is important, especially when transmitting data or dealing with something like application output, it should never be used in place of securely encrypting or hashing sensitive information. In other words, do not take sensitive information (i.e. password) and change the format to a base64 code, thinking it will secure that information for you.
*For those who may be interested:
Since base64 encoding is such a frequently used encoding technique, below is a simplified walkthrough of what happens when something is encoded using base64. This uses a character set of A-Z, a-z, 0-9, and “=” for padding. The last two symbols used in b64 encoding (+, /), can sometimes be different, depending on what region you’re in.
- First, take the characters to be encoded, “Hello World!”
- Convert the character byte-values into an 8-bit binary equivalent
- Join them all together in 24-bit strings
- Then break those strings into 6-bit groups
- Lastly, convert the binary values back into ASCII characters
- The result of b64 encoding the phrase, “Hello World!”, is “SGVsbG8gV29ybGQh”
This has been a quick look at encoding. There is an audio/video version of this material, for anyone who prefers that format. If you’re interested in security fundamentals, we have a Professionally Evil Fundamentals (PEF) channel that covers a variety of technology topics. We also answer general basic questions in our Knowledge Center. Finally, if you’re looking for a penetration test, training for your organization, or just have general security questions please Contact Us.