What is the purpose of base 64 encoding and why is it used in HTTP Basic Authentication?


Solution 1

Base64 is not encryption -- it's an encoding. It's a way of representing binary data using only printable (text) characters.

See this paragraph from the Wikipedia page for HTTP Basic Authentication:

While encoding the user name and password with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.
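The point made in the answer above, as an added example that is not part of the original answers: the Basic credential is built and then recovered with no key, and the Base64 step is what turns awkward bytes into header-safe text. The function names, the UTF-8 charset and the sample credentials are assumptions made for this illustration.

```python
import base64
import binascii


def build_basic_header(user: str, password: str, charset: str = "utf-8") -> str:
    """Return an Authorization header value for HTTP Basic auth."""
    if ":" in user:
        # The first colon separates user from password, so the user part cannot hold one.
        raise ValueError("user must not contain ':'")
    raw = f"{user}:{password}".encode(charset)  # charset is an assumption (UTF-8)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str, charset: str = "utf-8") -> tuple[str, str]:
    """Recover (user, password) from a Basic header value. No key is involved."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid Base64") from exc
    # Split on the FIRST colon only: the password itself may contain colons.
    user, sep, password = raw.decode(charset).partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def is_header_safe(text: str) -> bool:
    """True if every character is printable ASCII (no control or 8-bit bytes)."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in text)


# Constructed sample credentials: non-ASCII letters, a colon and a newline.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "p\u00e4:ss w\u00f6rd\n"

if __name__ == "__main__":
    header = build_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("raw pair header-safe:", is_header_safe(f"{SAMPLE_USER}:{SAMPLE_PASSWORD}"))
    print("encoded header-safe: ", is_header_safe(header))
    print("header value:        ", header)
    print("decoded by anyone:   ", parse_basic_header(header))
```

Anyone who can read the header can run the second function, which is why Basic authentication relies on TLS for confidentiality rather than on the encoding.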

Solution 2

It's normally called base64 encoding, not encryption! The nice thing about base64 encoding is it allows you to represent (binary) data using only a limited, common-subset of the available characters, far more efficiently than just writing a string of 1s and 0s as ASCII for example.

Solution 3

Encryption requires a key (string or algorithm) in order to decrypt; hence the "crypt" (root: cryptography).

Encoding modifies/shifts/changes a character code into another. In this case, usual bytes of data can now be easily represented and transported using HTTP.

Solution 4

Base-64 encoding is part of the MIME specifications. It provides a transport-safe encoding for data that won't get chewed on if/when it gets relayed through a host that uses a different encoding scheme than that used by the original client.

There are lots of different hosts out on the intertubes and you can't really assume support for anything other than 7-bit ASCII, without risking data loss/confusion.

IBM mainframes, for instance, use an encoding called EBCDIC (which comes in lots of different flavors). Its code points are completely different from the code points used by ASCII-based 'puters -- in ASCII, the letters A-Z are 0x41 - 0x5A; in EBCDIC the letters A - Z aren't even a contiguous range: the letters A-I live at 0xC1 - 0xC9, the letters J-R live at 0xD1 - 0xD9 and the letters S-Z live at 0xE2 - 0xE9.

Solution 5

You might mean "Base 64 Encoding". Encryption is not the same as encoding.

Wikipedia: Encryption

Author: ajsie

Updated on June 27, 2020

Comments

  • ajsie
    ajsie almost 4 years

    I don't get the Base64 encryption.

    If one can decrypt a Base64 string, what is its purpose?

    Why is it being used for HTTP Basic auth?

    It's like telling someone my password is reversed into OLLEH.

    People seeing OLLEH will know the original password was HELLO.

  • Admin
    Admin over 13 years
    Encryption just means "to render hidden" - key-based cryptography is a very recent invention. Enciphering is a form of encoding that has been used as encryption (though not by anyone over 12 years old for hundreds of years).
  • vol7ron
    vol7ron over 13 years
    Encryption in the vernacular is used to refer to recent modes of encryption, specifically computer encryption, which is key-based (public/private key). While true, it is unnecessary to point out a literal definition of a dated word; otherwise, you'd be arguing the historical definition of many English words used today. The vernacular (and sometimes colloquial) are what gives words context and thus definition.
  • Agnius Vasiliauskas
    Agnius Vasiliauskas over 12 years
    +1, but comparison to storing data in 1s,0s stream is too exaggerated. It is better to compare it to storing data in hex format. Because hex would only make x2 more bytes than original stream, and 1s,0s - makes x8 times more bytes. (And Base64 makes x1.3 more data than original byte array). So sometimes it is acceptable to encode binary stream as hex string, doubling byte amount - for example just to store password hash in database.
  • Myobis
    Myobis about 10 years
    Also, it seems that the relevant character encoding to get the 'binary data' from string, should be iso-8859-1. (source)
  • Dan Bechard
    Dan Bechard almost 9 years
    I don't think you sounded rude; I agree with your point about modern context. Words and definitions are constantly evolving. I think "encode" and "encrypt" definitely have two very distinct definitions in modern computing and your answer makes a good effort at summarizing the differences.
  • Dominic Cerisano
    Dominic Cerisano over 7 years
    Base64 encoding is a form of obfuscation, which simply means to render unclear. For many applications, this is sufficient encryption where the goal is simply to mangle any clear text sent over a wire, for example.
  • Ry-
    Ry- over 7 years
    @DominicCerisano: No, base64 encoding does not count as encryption, and I hope you’re not using it to protect anything.
  • Dominic Cerisano
    Dominic Cerisano over 7 years
    @ryan, it certainly is not strong encryption, and I agree it should only be considered in situations calling for weak encryption. Care for an example?