Using Encryption and Authentication Correctly - Paragon Initiative Enterprises Blog
Jared Sperli stashed this in security
What's the Difference Between Encryption and Authentication?Encryption is the process of rendering a message such that it becomes unreadable without possessing the correct key. In the simple case of symmetric cryptography, the same key is used for encryption as is used for decryption. In asymmetric cryptography, it is possible to encrypt a message with a user's public key such that only possessing their private key can read it.
Authentication is the process of rendering a message tamper-resistant (typically within a certain very low probability, typically less than 1 divided by the number of particles in the known universe) while also proving it originated from the expected sender.
Note: When we say authenticity, we mean specifically message authenticity, not identity authenticity. That is a PKI and key management problem, which we may address in a future blog post.
In respect to the CIA triad: Encryption provides confidentiality. Authentication provides integrity.
Encryption does not provide integrity; a tampered message can (usually) still decrypt, but the result will usually be garbage. Encryption alone also does not inhibit malicious third parties from sending encrypted messages.
Authentication does not provide confidentiality; it is possible to provide tamper-resistance to a plaintext message.
A common mistake among programmers is to confuse the two. It is not uncommon to find a library or framework that encrypts cookie data and then trusts it wholesale after merely decrypting it.