Security

Encryption vs Hashing: What’s The Difference for Federal Agencies?

As the federal government comes under attack by increasingly sophisticated threat actors, encrypting data, hashing passwords and salting hashes are becoming more important.

Phil Goldstein

Twitter

Phil Goldstein is a former web editor of the CDW family of tech magazines and a veteran technology journalist. He lives in Washington, D.C., with his wife and their animals: a dog named Brenna, and two cats, Grady and Princess.

According to Microsoft’s 2021 “Digital Defense Report,” from June 2020 to June 2021, the U.S. government was by far the biggest target of cyberattacks from nation-state actors, accounting for 46 percent of the observed attacks.

“I think the biggest takeaway from me is that the main adversaries of the United States — Russia, China, Iran, and North Korea — are not deterred in their mission to collect intelligence from the US Federal government, think tanks, NGOs, and policy and law firms. The demand for intelligence from US targets only grows,” Rick Wagner, president of Microsoft Federal, says in a company-sponsored post on Federal News Network. “The attacks are widespread, affecting many different industries.”

In addition to underscoring the need to adopt multifactor authentication and start shifting to a zero-trust architecture, as outlined in President Joe Biden’s May 2021 executive order on cybersecurity, the threat landscape requires that data be encrypted. The executive order mandated civilian agencies deploy encryption for “data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”

A recently issued memo on cybersecurity for national security systems that applies to Defense Department and intelligence agencies notes that agencies need to adopt encryption for NSS data at rest and data in transit, plus “all new systems to operate that do not use approved encryption algorithms and implementations, absent an exception authorized by the head of an agency.”

What does encryption mean for federal agencies? How does it differ from hashing, another tool in the cybersecurity toolkit?

Click the banner below to get access to customized cybersecurity content by becoming an Insider.

What Is Encryption in Federal Agencies?

According to the National Institute of Standards and Technology, encryption refers to the “cryptographic transformation of data (called plaintext) into a form (called ciphertext) that conceals the data’s original meaning to prevent it from being known or used.”

In layman’s terms, as Okta notes in a blog post, encryption basically “scrambles data that can be decoded with a key.” The goal of encryption is to send along encrypted data to a third party, who will then decrypt that information into a usable form with a decryption key.

“The method used to conduct the scrambling (encryption) and unscrambling (decryption) is known as a cryptographic algorithm, and the security of the ciphertext does not depend on the secrecy of the algorithm,” a CDW white paper notes. “In fact, the most trusted algorithms are those that have been publicly vetted to find weaknesses.”

According to Okta, there are at least three fundamental elements to modern encryption tools:

Advanced Encryption Standard (AES), often considered the gold standard for encryption, provides a sophisticated algorithm that “transforms plain text into a series of letters and numbers, and the process is repeated multiple times to ensure complete encryption.”
Twofish is a symmetric cipher that “uses a single key for both encryption and decryption.” NIST spurred the development of Twofish in the late 1990s by calling for the creation of more secure encryption. “Twofish is a fast system, and it’s made for network applications that require frequently changing keys,” Okta notes.
Pretty Good Privacy is a piece of software based on an open standard, and it “uses several steps to both encrypt and decrypt data,” with developers continuously working to improve the system and add new features in response to cyberthreats.

What Is Hashing in Cybersecurity?

Hashing is a concept related to encryption, but it focuses on a different set of priorities.

According to Okta, hashing involves “scrambling data at rest to ensure it’s not stolen or tampered with. Protection is the goal, but the technique isn’t built with decoding in mind.”

As SentinelOne notes in a blog post, “hashes are the output of a hashing algorithm like MD5 (Message Digest 5) or SHA (Secure Hash Algorithm),” which “aim to produce a unique, fixed-length string — the hash value, or ‘message digest’ — for any given piece of data or ‘message.’”

Organizations with vast numbers of usernames and passwords on file, such as federal agencies, are rightly very concerned with those usernames and passwords becoming compromised, increasing the risk that sensitive data will be exposed or exfiltrated. “A password hash system could protect all of those passwords from hackers while ensuring those points aren’t tampered with before they’re used again,” Okta notes. “Hash encryption like this doesn’t anonymize data, although plenty of people believe that it does. Instead, it’s used to protect this data from those who might misuse or alter it.”

Importantly, according to Okta, a “typical hashing protocol doesn’t come with an automatic translation key. Instead, the process is used to determine alterations, and the data is stored in a scrambled state.”

Hashing vs. Encryption: What’s the Difference?

Because encryption and hashing serve different purposes for federal IT security teams, it’s important to know the key differences.

While encryption is primarily used to protect data in transit, hashing is used for protecting data in storage. Encryption can be used to protect passwords in transit while hashing is used to protect passwords in storage.

Data that has been decrypted can be decoded, but data that has been hashed cannot.

In neither case is data anonymized. Encryption relies on both public and private decryption keys while hashing relies only on private keys.

Each approach has its vulnerabilities, Okta notes. “Breaking a hash means running a computer algorithm through the codes and developing theories about the key. It should be impossible, but experts say some programs can churn through 450 billion hashes per second, and that means hacking takes mere minutes,” the company notes. Meanwhile, encrypted files can be easily decrypted if attackers are skillful enough.

It’s important to note that agencies can combine hashing and encryption techniques. “You might use hashing to protect password data on your server, but then you lean on encryption to protect files users download once they have gained access,” Okta notes.

DIVE DEEPER: How do granular identity and access management controls enable zero trust?

What Are Salted Passwords and Password Hashing?

Since hashing can be defeated, there are other ways agencies can use the technique to secure data. This is known as “salting” the hash.

“Salting is the act of adding a series of random characters to a password before going through the hashing function,” Okta notes in a separate blog post.

By adding a series of random numbers and letters to the original password, agencies can achieve a different hash function each time, according to Okta. “This way, we protect against the flaw of the hash function by having a different hashed password each time,” the post notes.

Salt encryption must be stored in a database along with the user password, according to Okta, and it is recommended that salts be “random and unique per login to mitigate attacks using rainbow tables of pre-computed hashes.”

“While an attacker could still re-compute hashes of common password lists using a given salt for a password, a way to provide additional defense in depth is to encrypt password storage at rest, preferably backed” by a hardware security module or cloud key management service like Amazon Web Services’ Key Management Service, Okta notes.

EXPLORE: Create a zero-trust environment among users and on your network.

gopixa/Getty Images