What is the difference between Encryption/Confidentiality/Obfuscation?

Auth0 Blog post:

The discipline of cryptography, necessary for a variety of security applications, is no stranger to the arms race found in all other security disciplines. While modern cryptography aims to create mechanisms that protect information through the application of mathematical principles and computer science, cryptanalysis, by contrast, aims to defeat such mechanisms in order to obtain illegitimate access to the information.

Confidentiality is about protecting information from being accessed by unauthorized parties or, in other words, is about making sure that only those who are authorized have access to restricted data. Integrity refers to protecting information from being altered, and authenticity has to do with identifying the owner of the information.

These are the two most important takeaways. Confidentiality restricts access to authorized users. Data integrity is the key here: how do you ensure that what you see on the screen is an accurate representation of what was intended?

Therefore, encryption has to underpin the “trust factor”. We take these systems for granted, and the trust factor is easy to breach in global supply systems. If you look back at recent events and the geopolitical tensions of the battle for AI supremacy, undermining trust in the systems is the key here.

What is encryption?

Encryption is defined as the process of transforming data in such a way that guarantees confidentiality. To achieve that, encryption requires the use of a secret which, in cryptographic terms, we call a “key”.
Encryption is divided into two categories: symmetric and asymmetric, where the major difference is the number of keys needed.

In symmetric encryption algorithms, a single secret (key) is used to both encrypt and decrypt data. Only those who are authorized to access the data should have the single shared key in their possession.

On the other hand, in asymmetric encryption algorithms, there are two keys in use: one public and one private. As their names suggest, the private key must be kept secret, whereas the public can be known to everyone. When applying encryption, the public key is used, whereas decrypting requires the private key. Anyone should be able to send us encrypted data, but only we should be able to decrypt and read it!

Asymmetric encryption is usually employed to securely establish a common secret (key) between two parties communicating over an insecure channel. With this shared key, both parties now switch to symmetric encryption, which is faster and more suitable for handling large amounts of data.

Asymmetric encryption flow diagram
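The hybrid flow described above, as an added example (it is not code from the Auth0 post or from this blog): an X25519 key agreement establishes the shared secret over the insecure channel, an HMAC-SHA256 key derivation turns it into a 32-byte key, and AES-256-GCM then protects the bulk data. The function names (SharedKey, Encrypt, Decrypt, Exchange), the context label, the "alice"/"bob" parties and the sample message are my own constructions. Because GCM is an authenticated mode, the same block also shows the integrity point from earlier: flipping a single bit of the ciphertext makes decryption fail instead of silently returning altered data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SharedKey turns an X25519 agreement into a 32-byte AES-256 key: the raw shared secret goes
// through HKDF-Extract (zero salt) and one HKDF-Expand block, both HMAC-SHA256 as in RFC 5869.
func SharedKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub) // raw shared secret; never used directly as a cipher key
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("example-hybrid-v1\x01")) // constructed context label || counter 0x01
	return expand.Sum(nil), nil
}

// newGCM wraps a 32-byte key as AES-256-GCM, an authenticated (confidentiality + integrity) mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag; aad is authenticated but transmitted in the clear.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a fresh nonce for every message under one key
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens nonce || ciphertext || tag; any change to msg or aad makes Open return an error.
func Decrypt(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], aad)
}

// Exchange runs the whole flow between two fresh parties and reports the recovered plaintext
// together with whether a one-bit change to the ciphertext was detected on decryption.
func Exchange(plaintext []byte) (recovered []byte, tamperDetected bool, err error) {
	alice, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	bob, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, false, errors.Join(err1, err2)
	}
	// Only public values cross the insecure channel; each side derives the same key.
	ka, err1 := SharedKey(alice, bob.PublicKey().Bytes())
	kb, err2 := SharedKey(bob, alice.PublicKey().Bytes())
	if err1 != nil || err2 != nil {
		return nil, false, errors.Join(err1, err2)
	}
	aad := []byte("msg-id:1") // constructed header
	msg, err := Encrypt(ka, plaintext, aad)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = Decrypt(kb, msg, aad); err != nil {
		return nil, false, err
	}
	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the authentication tag
	_, err = Decrypt(kb, tampered, aad)
	return recovered, err != nil, nil
}

func main() {
	out, detected, err := Exchange([]byte("meet at the usual place"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q; tampering detected: %v\n", out, detected)
}
```

Run it with `go run` (Go 1.20 or later for crypto/ecdh and errors.Join). The X25519 step is the "asymmetric" half of the diagram, the AES-GCM calls are the "symmetric" half, and the HKDF-style derivation is what keeps the raw Diffie-Hellman output from ever being used as a key directly.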

Last but not least is obfuscation, although it is not an essential part of the discussion here.

Although not suitable to guarantee confidentiality, obfuscation has some valid use cases. It is used heavily to prevent tampering and protect intellectual property. The source code for mobile applications is often obfuscated before being packaged, since the code lives in the users’ mobile devices from where they can extract it. Obfuscating that code helps protect intellectual property by deterring Reverse Engineering because the code is not human-friendly. In turn, this deters tampering with the code and re-distributing it for malicious uses. However, obfuscation only makes it difficult for someone to read the obfuscated code — not impossible. 

These terms are often used interchangeably, which is why I decided to write this blog post. Head over to the link for a more accurate treatment of the terms.