Login/Register
What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
Asked Answered
Solved securityencryptionbase64
B

6

175

I don't get the Base64 encryption.

If one can decrypt a Base64 string, what is it's purpose?

Why is it being used for HTTP Basic auth?

It's like telling to someone my password is reversed into OLLEH.

People seeing OLLEH will know the original password was HELLO.

Booby answered 1/11, 2010 at 16:9 Comment(3)
related: Why Base64 in Basic Authentication and Base 64 encoding in HTTP Basic AuthWhiteman
security.stackexchange.com/questions/29916/…Galligaskins
base64 is not an encryption, it's an encodingGalligaskins
Z
298

Base64 is not encryption -- it's an encoding. It's a way of representing binary data using only printable (text) characters.

See this paragraph from the wikipedia page for HTTP Basic Authentication:

While encoding the user name and password with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.

Zorine answered 1/11, 2010 at 16:10 Comment(2)
Also, it seems that the relevant character encoding to get the 'binary data' from string, should be iso-8859-1. (source)Lucre
Base64 is a cipher so it is "encryption"Karole
D
67

It's normally called base64 encoding, not encryption! The nice thing about base64 encoding is it allows you to represent (binary) data using only a limited, common-subset of the available characters, far more efficiently than just writing a string of 1s and 0s as ASCII for example.

Dorsett answered 1/11, 2010 at 16:11 Comment(1)
+1, but comparison to storing data in 1s,0s stream is too exaggerated. It is better to compare it to storing data in hex format. Because hex would only make x2 more bytes than original stream, and 1s,0s - makes x8 times more bytes. (And Base64 makes x1.3 more data than original byte array). So sometimes it is acceptable to encode binary stream as hex string, doubling byte amount - for example just to store password hash in database.Baugh
O
35

Encryption requires a key (string or algorithm) in order to decrypt; hence the "crypt" (root:cryptography)

Encoding modifies/shifts/changes a character code into another. In this case, usual bytes of data can now be easily represented and transported using HTTP.

Oneidaoneil answered 1/11, 2010 at 16:22 Comment(6)
Encryption just means "to render hidden" - key-based cryptography is a very recent invention. Enciphering is a form of encoding that has been used as encryption (though not by anyone over 12 years old for hundreds of years).Aeriell
Encryption in the vernacular is used to refer to recent modes of encryption, specifically computer encryption, which is key-based (public/private key). While true, it is unnecessary to point out a literal definition of a dated word; otherwise, you'd be arguing the historical definition of many english words used today. The vernacular (and sometimes colloquial) are what gives words context and thus definition.Oneidaoneil
I don't think you sounded rude; I agree with your point about modern context. Words and definitions are constantly evolving. I think "encode" and "encrypt" definitely have two very distinct definitions in modern computing and your answer makes a good effort at summarizing the differences.Carlisle
Base64 encoding is a form of obfuscation, which simply means to render unclear. For many applications, this is sufficient encryption where the goal is simply to mangle any clear text sent over a wire, for example.Buiron
@DominicCerisano: No, base64 encoding does not count as encryption, and I hope you’re not using it to protect anything.Arkansas
@ryan, it certainly is not strong encryption, and I agree it should only be considered in situations calling for weak encryption. Care for an example?Buiron
P
23

Base-64 encoding is part of the MIME specifications. It provides a transport-safe encoding for data that won't get chewed on if/when it gets relayed through a host that uses a different encoding scheme than that used by the original client.

There are lots of different hosts out on the intertubes and you can't really assume support for anything other than 7-bit ASCII, without risking data loss/confusion.

IBM mainframes, for instance, use an encoding called EBCDIC (which comes in lots of different flavors). It's codepoints are completely different from the code points used by ASCII-based 'puters -- in ASCII, the letters A-Z are 0x41 - 0x5A; in EBCDIC the letters A - Z aren't even a contiguous range: the letters A-I live at 0xC1 - 0xC9, the letters J-R live at 0xD1 - 0xD9 and the letters S-Z live at 0xE2 - 0xE9.

Pursuer answered 1/11, 2010 at 19:23 Comment(0)
M
20

You might mean "Base 64 Encoding". Encryption is not the same as encoding.

Wikipedia: Encryption

Miscreance answered 1/11, 2010 at 16:11 Comment(0)
K
20

In everyday language, a “code” is something secret. In science and engineering, a code is simply an agreement, a set of rules, of how to write something.

That code may be secret. In that case, it’s called an encryption. But in general, a code is not secret. Take the genetic code. It simply states that our DNA is built from four different bases – A, C, G and T and that three bases taken together form one amino acid. There’s also a table of which three letters form which amino acid.

There’s nothing secret about this code.

Likewise, Base64 is not a secret code. Rather, it’s a code that allows storing data in six bits per character (thus there are 64 different entities, i.e. the “base” of the system is 64, just as the base of our decimal system is 10, since there are 10 different entities called “digits”).

Kp answered 1/11, 2010 at 16:29 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.