Do you teach students that encoding is the same as encrypting?

Hank Cox

Well-known member
Sep 12, 2023
14
24
Atlanta, Georgia, US
hsec.tech
Topic 3A in the 701 course uses "encoding" and "encryption" as synonyms. I think students should understand the difference between the two terms.

I would appreciate knowing what other instructors think about these terms. Does encoding = encryption?

I would also appreciate feedback from a CompTIA SME. What is CompTIA's definition of encoding, and CompTIA's definition of encryption?


My notes on the use of "encoding" in Topic 3A [edited 2/15/2024 to distinguish my opinions from the CompTIA course content]:

The Official CompTIA Security+ Instructor Guide (Exam SY0-701)

Lesson 3: Explain Cryptographic Solutions, Topic 3A, Slide 4

CompTIA content:

"Cryptographic Concepts
Encryption and decryption—encoding and decoding
Plaintext is the unencoded message
Ciphertext is the coded message"

I think this content is misleading, unhelpful, or inaccurate because:
Students need to learn the difference between encoding and encryption. This slide should not confuse encryption and decryption with encoding and decoding. If encoding is mentioned at all, the slide should point out that encoding is not cryptography or encryption.

Lesson 3: Explain Cryptographic Solutions, Topic 3A, Page 38, first paragraph

CompTIA content:

“A cryptographic algorithm is the particular operations performed to encode or decode data.”

I think this content is not accurate because:
Encoding is not the same as encrypting.
Encryption uses a cryptographic key as one of the inputs to a cryptographic algorithm. Encoding does not use a cryptographic algorithm or require the use of a cryptographic key. Geeks for Geeks has an explanation of the difference.
One example of encoding is the use of ASCII codes to represent letters of the alphabet. No cryptographic algorithm or cryptographic key is used.

Page 38, second paragraph:

CompTIA content:

‘Cryptography, which literally means “secret writing,” is the art of making information secure by encoding it.’

I think this content is not accurate because:
Cryptography is “transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.” Encryption and hashing can provide this confidentiality or integrity; however, encoding does not.
Using ASCII or Morse code are examples of encoding; however, they are not examples of cryptography.

Lesson 11: Enhance Application Security Capabilities | Topic 11A, page 317, Question 2

CompTIA content:

“the session key does the actual data encoding”

I think this content is not accurate because:
First, the answer should say “encryption,” not “encoding.”
Second, the key does not do the actual encryption. The encryption algorithm does the encryption, using the key as one of the inputs.
As an instructor (not a CompTIA SME), I would make the following tweaks:

Change:
‘Cryptography, which literally means “secret writing,” is the art of making information secure by encoding it.’
to:
‘Cryptography, which literally means “secret writing,” is the art of making information secure by encrypting it.’ Or, if you don't want to define the word cryptography using the word encryption, you could say it makes information secure by preventing useful reading and useful copying of the data except by the intended recipients. Or something like that.

Yes, I think you're right that “the session key does the actual data encoding” should at least be “the session key does the actual data encrypting” otherwise you are muddying the waters. I could be convinced that the wording otherwise could be left as-is, depending on the text around it. If it's just a standalone sentence, then you are right it needs to be framed in the context of the algorithm doing the encryption. If it's in context with something like "the algorithm provides the steps needed to produce the ciphertext from the original input; the session key does the actual data encrypting" then I don't think I love it but I don't know how much it matters in the context of the Security+. The Security+ isn't making cryptographers, and it isn't wanting to do so.

It appears based on what you've presented that CompTIA very much wants to produce a distinction between encoding and encryption, which is good. It just also appears that yes they should be a little tighter with language to ensure that distinction is best retained by students.
 
Good observation
 
I've never used the term 'encoding' when talking about encryption, myself. I see encoding as taking data in one format and converting it into another, like a website upload being encoded as Base64 for transmission. While the use of the term encoding could be considered analogous to encryption, it's really not, since encryption refers to data that has been securely encoded. Encoding, by itself, is not secure, since encoding can be easily reversed. Encryption...not so much.

Kind of reminds me of those cyber challenges where you get a blob of data and you have to find the encoding schema. You decode it and find it's an encoding of another encoded message.

Actually, I've seen this recently - this happens with malware, when a string of code is encoded a few times over, with a malicious HTM type attachment, posing as something benign. You open it up and find that the HTM code has been encoded and encoded again, so as to hide the intent of the code. But if the user opens the HTM, the malware triggers. (can't recall what the technique is called off the top of my head, but that's a great example of encoding vs. encryption)

/r
 
Nope. Encoding implies that the process is reversible and changes the information formatting for some technical reason. One common technical reason is when you encode ASCII text into octal or binary for transmission over a network. You encode data written to storage. That data can be easily retrieved and decoded. Encryption is also a reversible process that uses ciphers specifically to hide the original information. Information that has been encrypted can't be unencrypted without knowing the cipher used and a key. It's important that students understand and appreciate the differences.
 
(can't recall what the technique is called off the top of my head, but that's a great example of encoding vs. encryption)
Found it. It's called "Code Obfuscation" and there are a few de-obfuscator sites out there where you can drop an obfuscated JS blob. That coupled with things like Code Compression and Code Encryption are very common techniques for hiding malevolent code in emails and such.

/r
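The layered encoding described in the posts above (a blob encoded several times over), as an added example that is not part of any post in this thread: every layer comes off without a key, which is what separates encoding from encryption. The function names, the three encodings handled and the sample blob are assumptions constructed for illustration.

```python
import base64, binascii, re
from urllib.parse import unquote

def _as_text(raw):
    """Return raw bytes as text only if they decode to readable UTF-8."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

# Each decoder returns the decoded text, or None when the input does not
# look like that encoding. These are heuristics, not a format proof.
def _try_url(s):
    return unquote(s) if re.search(r"%[0-9A-Fa-f]{2}", s) else None

def _try_hex(s):
    if len(s) >= 8 and len(s) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", s):
        return _as_text(bytes.fromhex(s))
    return None

def _try_base64(s):
    if len(s) >= 8 and len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        try:
            return _as_text(base64.b64decode(s, validate=True))
        except binascii.Error:
            return None
    return None

# Hex is tried before Base64 because every hex string is also Base64-alphabet.
DECODERS = [("url", _try_url), ("hex", _try_hex), ("base64", _try_base64)]

def peel(blob, max_depth=20):
    """Strip encoding layers until none applies; return (layer names, text)."""
    layers, text = [], blob.strip()
    for _ in range(max_depth):          # depth cap guards against pathological input
        for name, decoder in DECODERS:
            decoded = decoder(text)
            if decoded is not None and decoded != text:
                layers.append(name)
                text = decoded
                break
        else:                           # no decoder matched: innermost layer reached
            break
    return layers, text

def build_sample():
    """Constructed sample: benign HTML, percent-encoded, then Base64, then hex."""
    plain = "<p>constructed sample</p>"
    pct = "".join(f"%{b:02X}" for b in plain.encode())
    b64 = base64.b64encode(pct.encode()).decode()
    return plain, b64.encode().hex()
```

No secret is supplied anywhere in `peel`; an encrypted layer would stop the loop because no decoder can recover readable text without the key.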
 
Nope. Session keys don't do any encoding. Session keys are used by cryptographic algorithms / ciphers to encode data. The process of taking some plaintext and using a cipher and a key to produce ciphertext is encryption. When this happens in a computer or on a network that data is encoded.
 
🤷‍♂️ I suppose we will have to agree to disagree. Both the book's and your definitions are correct (and I wasn't debating that, in fact I made that exact point). My point is I don't think it matters over the course of what the Security+ is trying to accomplish, and I still don't. I think there is a better way to introduce and work with those two concepts initially (and perhaps throughout all of the Security+ curriculum), and only later have students put two and two together. Security+ isn't a cryptography course. When students struggle to differentiate the concepts, I'm more inclined to find ways to get those concepts solidified separately first.
 

Hank Cox

I appreciate everyone's responses.

We seem to agree that these two statements in the official SY0-701 materials are not accurate:
1.) “A cryptographic algorithm is the particular operations performed to encode or decode data.”
2.) ‘Cryptography, which literally means “secret writing,” is the art of making information secure by encoding it.’

We seem to agree that these changes would make the statements less inaccurate:
change "encode" to "encrypt"
change "decode" to "decrypt"
change "encoding" to "encrypting"

The official Security+ materials have included these errors since 2020. I hope we don't have to correct these errors in class until 2026.

Does anyone know how instructors can get CompTIA to correct inaccurate content?
 