172

I don't get the Base64 encryption.

If one can decrypt a Base64 string, what is it's purpose?

Why is it being used for HTTP Basic auth?

It's like telling to someone my password is reversed into OLLEH.

People seeing OLLEH will know the original password was HELLO.

Omar
  • 39,496
  • 45
  • 145
  • 213
ajsie
  • 77,632
  • 106
  • 276
  • 381
  • 1
    related: [Why Base64 in Basic Authentication](http://stackoverflow.com/questions/13661384/why-base64-in-basic-authentication) and [Base 64 encoding in HTTP Basic Auth](http://stackoverflow.com/questions/5597086/base-64-encoding-in-http-basic-auth) – Hawkeye Parker Nov 12 '14 at 07:43
  • https://security.stackexchange.com/questions/29916/why-does-http-basic-authentication-encode-the-username-and-password-with-base64 – n611x007 Nov 03 '15 at 10:13
  • 13
    base64 is not an encryption, it's an encoding – n611x007 Nov 03 '15 at 10:13

6 Answers6

293

Base64 is not encryption -- it's an encoding. It's a way of representing binary data using only printable (text) characters.

See this paragraph from the wikipedia page for HTTP Basic Authentication:

While encoding the user name and password with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.

Matt Bridges
  • 48,277
  • 7
  • 47
  • 61
  • 4
    Also, it seems that the relevant character encoding to get the 'binary data' from string, should be [iso-8859-1](http://en.wikipedia.org/wiki/ISO/IEC_8859-1). ([source](http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication)) – Myobis Apr 24 '14 at 14:09
  • Base64 is a [cipher](https://en.wikipedia.org/wiki/Cipher) so it is "encryption" – Boris Verkhovskiy May 08 '23 at 23:48
66

It's normally called base64 encoding, not encryption! The nice thing about base64 encoding is it allows you to represent (binary) data using only a limited, common-subset of the available characters, far more efficiently than just writing a string of 1s and 0s as ASCII for example.

Flexo
  • 87,323
  • 22
  • 191
  • 272
  • 7
    +1, but comparison to storing data in 1s,0s stream is too exaggerated. It is better to compare it to storing data in hex format. Because hex would only make `x2` more bytes than original stream, and 1s,0s - makes `x8` times more bytes. (And Base64 makes `x1.3` more data than original byte array). So sometimes it is acceptable to encode binary stream as hex string, doubling byte amount - for example just to store password hash in database. – Agnius Vasiliauskas Oct 21 '11 at 21:56
34

Encryption requires a key (string or algorithm) in order to decrypt; hence the "crypt" (root:cryptography)

Encoding modifies/shifts/changes a character code into another. In this case, usual bytes of data can now be easily represented and transported using HTTP.

vol7ron
  • 40,809
  • 21
  • 119
  • 172
  • 7
    Encryption just means "to render hidden" - key-based cryptography is a very recent invention. Enciphering is a form of encoding that has been used as encryption (though not by anyone over 12 years old for hundreds of years). –  Nov 01 '10 at 16:31
  • 2
    Encryption in the vernacular is used to refer to recent modes of encryption, specifically computer encryption, which is key-based (public/private key). While true, it is unnecessary to point out a literal definition of a dated word; otherwise, you'd be arguing the historical definition of many english words used today. The vernacular (and sometimes colloquial) are what gives words context and thus definition. – vol7ron Nov 01 '10 at 18:16
  • 1
    I don't think you sounded rude; I agree with your point about modern context. Words and definitions are constantly evolving. I think "encode" and "encrypt" definitely have two very distinct definitions in modern computing and your answer makes a good effort at summarizing the differences. – Dan Bechard Jun 05 '15 at 13:26
  • Base64 encoding is a form of obfuscation, which simply means to render unclear. For many applications, this is sufficient encryption where the goal is simply to mangle any clear text sent over a wire, for example. – Dominic Cerisano Nov 19 '16 at 23:00
  • 8
    @DominicCerisano: No, base64 encoding does not count as encryption, and I hope you’re not using it to protect anything. – Ry- Nov 20 '16 at 02:34
  • @ryan, it certainly is not strong encryption, and I agree it should only be considered in situations calling for weak encryption. Care for an example? – Dominic Cerisano Nov 21 '16 at 02:37
22

Base-64 encoding is part of the MIME specifications. It provides a transport-safe encoding for data that won't get chewed on if/when it gets relayed through a host that uses a different encoding scheme than that used by the original client.

There are lots of different hosts out on the intertubes and you can't really assume support for anything other than 7-bit ASCII, without risking data loss/confusion.

IBM mainframes, for instance, use an encoding called EBCDIC (which comes in lots of different flavors). It's codepoints are completely different from the code points used by ASCII-based 'puters -- in ASCII, the letters A-Z are 0x41 - 0x5A; in EBCDIC the letters A - Z aren't even a contiguous range: the letters A-I live at 0xC1 - 0xC9, the letters J-R live at 0xD1 - 0xD9 and the letters S-Z live at 0xE2 - 0xE9.

Nicholas Carey
  • 71,308
  • 16
  • 93
  • 135
20

You might mean "Base 64 Encoding". Encryption is not the same as encoding.

Wikipedia: Encryption

Andy
  • 856
  • 9
  • 26
20

In everyday language, a “code” is something secret. In science and engineering, a code is simply an agreement, a set of rules, of how to write something.

That code may be secret. In that case, it’s called an encryption. But in general, a code is not secret. Take the genetic code. It simply states that our DNA is built from four different bases – A, C, G and T and that three bases taken together form one amino acid. There’s also a table of which three letters form which amino acid.

There’s nothing secret about this code.

Likewise, Base64 is not a secret code. Rather, it’s a code that allows storing data in six bits per character (thus there are 64 different entities, i.e. the “base” of the system is 64, just as the base of our decimal system is 10, since there are 10 different entities called “digits”).

Konrad Rudolph
  • 530,221
  • 131
  • 937
  • 1,214