Some confused concepts in InfoSec

admin, 2025-05-26 13:26:13

1. Encryption vs. Encoding

  • Encryption: Transforms data into ciphertext using a key to ensure confidentiality. Only authorized parties can decrypt it.
    • Example: AES, RSA
  • Encoding: Converts data into a different format (e.g., Base64, URL encoding) without providing any security; it is easily reversible.

2. Authentication (AuthN) vs. Authorization (AuthZ)

  • Authentication: Verifies identity ("Who are you?").
    • Example: Passwords, biometrics
  • Authorization: Determines access rights ("What can you do?").
    • Example: Role-based access control (RBAC)
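
The two checks side by side, as an added example that is not part of the original article: a password check (AuthN) followed by an RBAC lookup (AuthZ), with HTTP-style status codes marking which check failed. The usernames, passwords, roles, permission names and PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: roles, permissions, users and passwords are hypothetical.
ROLE_PERMISSIONS = {
    "admin": {"report:read", "report:delete"},
    "analyst": {"report:read"},
}

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _derive(password, salt), "role": role}

USERS = {
    "alice": _make_user("correct horse battery staple", "admin"),
    "bob": _make_user("tr0ub4dor&3", "analyst"),
}

def authenticate(username: str, password: str) -> bool:
    """AuthN: is the caller who they claim to be?"""
    user = USERS.get(username)
    if user is None:
        # Still derive a hash so unknown users take a similar amount of time.
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_derive(password, user["salt"]), user["pw_hash"])

def authorize(username: str, permission: str) -> bool:
    """AuthZ: may this already-authenticated identity perform the action?"""
    role = USERS[username]["role"]
    return permission in ROLE_PERMISSIONS.get(role, set())

def handle(username: str, password: str, permission: str) -> int:
    """Return an HTTP-style status: 401 = AuthN failed, 403 = AuthZ failed."""
    if not authenticate(username, password):
        return 401
    if not authorize(username, permission):
        return 403
    return 200

if __name__ == "__main__":
    print(handle("bob", "tr0ub4dor&3", "report:read"))    # valid identity, permitted
    print(handle("bob", "tr0ub4dor&3", "report:delete"))  # valid identity, not permitted
    print(handle("bob", "wrong", "report:read"))          # identity not proven
```
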

3. Vulnerability vs. Threat vs. Risk

  • Vulnerability: A weakness in a system (e.g., software bug).
  • Threat: A potential attacker or event that exploits vulnerabilities (e.g., hackers).
  • Risk: The potential impact if a threat exploits a vulnerability.

4. Symmetric Encryption vs. Asymmetric Encryption

  • Symmetric: Uses a single key (fast, but key distribution is hard).
    • Example: AES
  • Asymmetric: Uses public/private key pairs (secure key exchange, but slower).
    • Example: RSA

5. Hashing vs. Encryption

  • Hashing: One-way function (e.g., SHA-256) for integrity checks.
  • Encryption: Reversible (e.g., AES) for confidentiality.

6. Firewall vs. IDS vs. IPS

  • Firewall: Blocks/allows traffic based on rules.
  • IDS (Intrusion Detection System): Monitors and alerts.
  • IPS (Intrusion Prevention System): Detects and blocks attacks.

7. Penetration Testing vs. Vulnerability Scanning

  • Vulnerability Scanning: Automated detection of known flaws.
  • Penetration Testing: Simulates attacks to test exploitability.

8. Data Masking vs. Data Encryption

  • Data Masking: Irreversibly obscures data (e.g., for testing).
  • Data Encryption: Reversible protection (requires a key).

The content above was written automatically by MCP and o4-mini, for testing only.

Originally published on the WeChat official account 信息安全笔记: Some confused concepts in InfoSec
