
What Is Cryptography? Encryption, Hashing, Signing, and Encoding Untangled

Cryptography is more than encryption. A beginner friendly guide to what it actually covers, and the difference between encrypting, hashing, signing, and encoding that trips almost everyone up.

HolyGhost · 10 min read

Imagine you are sending a sealed letter through the post. You might want three very different things from that letter. You might want nobody to be able to read it except the person you sent it to. You might want your friend to be able to tell if someone steamed it open and changed a word. And you might want them to be certain the letter really came from you and not from a stranger pretending to be you. Those are three separate wishes, and here is the surprise: no single trick grants all three. You need different tools for different jobs.

That is cryptography in a nutshell. Most people hear the word and think "encryption", the way most people hear "vehicle" and picture a car. But encryption is just one room in a much bigger house. This primer walks you through the whole house, then clears up the four terms that beginners mix up more than any others: encrypting, hashing, signing, and encoding. Once these four click into place, a huge amount of security stops feeling like magic and starts feeling like common sense.

Cryptography is the whole science

Cryptography is the study of protecting information using maths. Encryption is one of its tools, but cryptography as a whole tries to guarantee four different things. Think of them as four promises you might want to make about a piece of information.

  • Confidentiality: only the right people can read it. This is encryption's job, and it is the one everyone already knows about.
  • Integrity: you can tell if the information was changed, even by a single character, after it left your hands.
  • Authentication: you can prove who it really came from, so nobody can impersonate the sender.
  • Non repudiation: the sender cannot later deny they sent it. Once they put their name on it in a cryptographic sense, they are on the hook.

Different tools deliver different guarantees. Knowing which tool gives which guarantee is most of the battle. A brilliant lock on your front door does nothing to prove who posted a note through the letterbox, and a signature on that note does nothing to stop a passer by reading it. Same idea here.

Here is a small everyday way to feel the difference. When you download a banking app, three things quietly happen. The download is encrypted so nobody snoops on it (confidentiality). The app checks a fingerprint of the file so a tampered copy is rejected (integrity). And your phone verifies a signature proving the app genuinely came from your bank and not an impostor (authentication). Three promises, three different tools, all working together in the background.

The four terms people confuse

Here is the table to burn into memory, then we will go through each one slowly with examples.

| Technique  | Reversible?       | Uses a key?       | What it is for                |
|------------|-------------------|-------------------|-------------------------------|
| Encoding   | Yes, by anyone    | No                | Formatting data, not security |
| Encryption | Yes, with the key | Yes               | Confidentiality               |
| Hashing    | No                | No                | Integrity, verification       |
| Signing    | Verify only       | Yes (private key) | Authentication, integrity     |

Notice how each row differs in two crucial ways: whether it can be undone, and whether a secret key is involved. Those two questions alone tell you almost everything about what a technique can and cannot promise. Let us take them one at a time.

Encoding is not security

Encoding, like Base64 or URL encoding, just reshapes data into a format that travels well. Think of it as translating a message into a different alphabet that computers find easier to carry around, not into a secret language. There is no secret involved, and anyone can reverse it instantly with a tool that is built into every browser and programming language on earth.

"hello"  ->  base64  ->  "aGVsbG8="   (anyone can turn this straight back)

Why does encoding exist at all if it hides nothing? Because raw data sometimes contains characters that break the systems carrying it. An email attachment, for example, has to survive being sent through channels that only expected plain letters and numbers, so it gets Base64 encoded into a safe shape and decoded on arrival. Web addresses use URL encoding so that spaces and odd symbols do not confuse the browser. It is about compatibility, not confidentiality.

If someone says data is encoded for security, be sceptical

Encoding hides nothing. Base64 is not a secret code, it is a public reshaping that any tool can undo in a heartbeat. If you ever see a password or a token stored in Base64 and treated as if it were protected, that is a real weakness, not a safeguard. The moment a secret is needed to reverse something, you have left encoding and entered encryption.

Encryption gives confidentiality

Encryption uses a key to make data unreadable to anyone without that key, and it is reversible for whoever holds the key. This is the confidentiality tool, the sealed envelope that only the right person can open. Take away the key and the scrambled output is just noise. Hand over the key and the original message comes straight back.

There are two broad flavours worth knowing early. In symmetric encryption, the same key both locks and unlocks the data, like a single key that opens and closes one padlock. It is fast, which makes it ideal for large amounts of data. In asymmetric encryption there are two matched keys, a public one you can share with the world and a private one you keep secret, and what one locks only the other can unlock. That clever pairing is what lets total strangers set up a secret channel without ever meeting to swap a key first.

If you want the full picture of how all this fits together, see What Is Encryption. It is also the beating heart of secure websites, which we untangle in How HTTPS Actually Works.

Hashing gives integrity

A hash is a one way fingerprint of data. The same input always produces the same fixed size output, and, crucially, you cannot run it backwards to recover the original. Change one character of the input, even swapping a full stop for a comma, and the fingerprint changes completely and unpredictably. That last property has a name, the avalanche effect, and it is what makes hashing so useful.

"report.pdf"  ->  hash  ->  3a7bd3e2360a...

Why is a one way fingerprint handy? Suppose a website offers a large file to download and publishes its hash alongside. After downloading, you compute the hash of your copy and compare. If the two fingerprints match, your copy is bit for bit identical to the original. If a single byte was corrupted in transit or tampered with along the way, the fingerprints will disagree and you will know instantly. That is integrity in action: not keeping a secret, but detecting change.

The same trick is exactly how passwords should be stored, so a stolen database does not hand over everyone's actual password. Hashing is the subject of its own primer, Password Hashing Explained, which shows why the choice of hash matters enormously for that particular job.

A fingerprint, not a lock

The point of a hash is not to keep data secret. Anyone can compute the same hash from the same input. The point is that the hash is a compact, tamper evident summary. If the data changes, the summary changes, so a hash lets you check whether something is exactly what it should be. There is no key and no unlocking, only comparing.
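The fingerprint check and the avalanche effect, as an added example that is not part of the original article. It assumes SHA-256 (the article names no specific hash) and uses a constructed "downloaded file" in which one full stop is swapped for a comma.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Fingerprint returns the SHA-256 hash of data as 64 hex characters.
// Same input, same output, always the same size, and no way back.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// DifferingBits counts how many of the 256 hash bits differ between the
// hashes of a and b. The avalanche effect means about half flip even when
// the inputs differ by a single character.
func DifferingBits(a, b []byte) int {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	n := 0
	for i := range ha {
		n += bits.OnesCount8(ha[i] ^ hb[i])
	}
	return n
}

// VerifyDownload is the published-hash check: recompute the fingerprint of
// the bytes you actually received and compare it with the one the site published.
func VerifyDownload(received []byte, publishedHex string) bool {
	return Fingerprint(received) == publishedHex
}

func main() {
	// Constructed sample standing in for a downloaded file and a copy with
	// one character swapped (a full stop for a comma).
	original := []byte("Invoice total: 100.00 EUR")
	tampered := []byte("Invoice total: 100,00 EUR")

	published := Fingerprint(original)
	fmt.Println("published:", published)
	fmt.Println("intact copy verifies:  ", VerifyDownload(original, published))
	fmt.Println("tampered copy verifies:", VerifyDownload(tampered, published))
	fmt.Println("hash bits changed:", DifferingBits(original, tampered), "of 256")
}
```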

Signing gives authentication

A digital signature uses someone's private key to produce a stamp that anyone can verify with their matching public key. It proves two things at once. First, the message really came from the holder of that private key, because only they could have produced a stamp that verifies against their public key. Second, the message has not been tampered with, because the signature is calculated over the exact contents and would fail to verify if even one character changed.

This is how software updates prove they are genuine before your device installs them, how the certificates behind secure websites prove they are trustworthy, and how secure emails prove they really came from the sender. Under the hood, signing usually hashes the message first and then encrypts that hash with the private key, which is why a signature quietly gives you integrity as a bonus alongside authentication.

Encryption and signing are mirror images

Encryption locks with a public key so only the private key can open it, giving secrecy. Signing does the reverse: it stamps with the private key so anyone with the public key can verify it, giving proof of origin. Same key pair, opposite direction, different goal. If you can hold those two directions in your head, public key cryptography stops feeling mysterious.
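Signing and verifying with a key pair, as an added example that is not part of the original article. It assumes Ed25519 (the article names no specific signature scheme); the bank, the impostor and the message are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keys is one party's pair: Private stays secret and signs, Public is
// handed out and verifies.
type Keys struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewKeys generates a fresh Ed25519 key pair.
func NewKeys() (Keys, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keys{}, err
	}
	return Keys{Public: pub, Private: priv}, nil
}

// Sign produces the 64-byte stamp over the exact message contents.
func Sign(k Keys, msg []byte) []byte {
	return ed25519.Sign(k.Private, msg)
}

// Verify is true only if msg is byte for byte what was signed AND the
// stamp was made with the private key matching pub.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	bank, _ := NewKeys()     // the genuine sender
	impostor, _ := NewKeys() // a stranger pretending to be the bank
	msg := []byte("Update 2.1 is ready to install") // constructed message
	sig := Sign(bank, msg)

	altered := append([]byte{}, msg...)
	altered[0] = 'u' // change a single character

	fmt.Println("genuine message, bank's stamp:    ", Verify(bank.Public, msg, sig))
	fmt.Println("altered message, bank's stamp:    ", Verify(bank.Public, altered, sig))
	fmt.Println("genuine message, impostor's stamp:", Verify(bank.Public, msg, Sign(impostor, msg)))
}
```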

Why this matters in the real world

Most security bugs at the beginner level come from picking the wrong tool for the guarantee you actually need. It is a bit like using a hammer to turn a screw. The tool is fine, it is just the wrong job. Here are the classic mix ups, and they show up in real breaches again and again.

  • Storing passwords with reversible encryption instead of hashing. If a system can decrypt its own password store, so can an attacker who steals both the data and the key. Passwords should be hashed, not encrypted, precisely because you never need to read them back, only compare them.
  • Trusting Base64 as if it hid something. Tokens and secrets left in plain Base64 are effectively in the open. Encoding is not a lock.
  • Encrypting data but never checking it was not tampered with. Confidentiality without integrity means an attacker who cannot read your data may still be able to garble it in useful ways. This is why modern systems pair encryption with an integrity check, often called authenticated encryption.
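Authenticated encryption refusing a garbled ciphertext, as an added example that is not part of the original article. It assumes AES-256-GCM (the article names no specific cipher), and the key and message are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps a 32-byte key in AES-256-GCM, which encrypts and attaches an integrity tag in one step.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag; the random nonce is not secret, the tag is what detects tampering.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open recomputes the tag and returns no plaintext at all unless every bit matches.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key, never a real one
	sealed, _ := Seal(key, []byte("transfer 100 to account 42"))
	sealed[len(sealed)/2] ^= 0x01 // one bit corrupted in transit
	_, err := Open(key, sealed)
	fmt.Println("garbled copy rejected:", err != nil)
}
```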

Match the tool to the guarantee and most of these vanish:

  • Need to hide data and read it back later? Encryption.
  • Need to check data was not changed, or store a password? Hashing.
  • Need to prove who sent something, and that it was not altered? Signing.
  • Just need to move data around cleanly? Encoding, and do not call it security.

Ask two questions about any technique

When you meet a new security feature, ask: can it be reversed, and does it need a secret key? Those two answers place it almost perfectly. Reversible with a key is encryption. Reversible by anyone is encoding. Not reversible at all is hashing. Verifiable with a public key but produced with a private one is signing. This little test will carry you a long way.

The takeaway

Cryptography is the whole science of protecting information, and it delivers four guarantees: confidentiality, integrity, authentication, and non repudiation. Encryption is only the confidentiality piece, one room in a much larger house. Encoding is not security at all, it is just formatting. Hashing is a one way fingerprint that proves nothing changed. Signing uses a private key to prove who sent something and that it arrived intact.

Get the difference between encrypting, hashing, signing, and encoding straight, and a surprising amount of security suddenly makes sense. You will read a headline about a breach and immediately spot the wrong tool that caused it. That instinct, matching the tool to the promise you actually need, is the foundation everything else in security is built on.