All Protection Techniques β Full Comparison
| Technique | Reversible? | Key Required? | Primary Goal | Where Original Lives | Exam Trigger Words |
|---|---|---|---|---|---|
| Encryption | Yes β two-way; requires key to reverse | Yes β algorithm + key | Confidentiality (data at rest, in transit) | Encrypted wherever stored; plaintext only when decrypted with key | "requires a key to decrypt," "two-way," "ciphertext," "AES," "plaintext" |
| Hashing | No β one-way; mathematically irreversible | No β deterministic function | Integrity verification; password storage | Only the hash is stored; original cannot be recovered from hash | "one-way," "message digest," "fingerprint," "SHA-256," "cannot recover original" |
| Tokenization | Yes β but only via token service lookup | No key β lookup table in token service | Replace sensitive value in systems; minimize exposure | Only in token service (secure lookup); systems hold only the token | "token," "no mathematical relationship," "mobile payment," "Apple Pay," "replace card number" |
| Masking | Partially β hides for display; original may still be stored | No | Restrict what users see; reduce exposure in UI | Original often still in database; masking is a view-layer control | "last four digits," "**** ****," "hide part of data," "call center sees masked number" |
| Obfuscation | Yes β with effort; no key required by analyst | No | Make code/data hard to understand; IP protection; evasion | Obfuscated version exists; original can be reconstructed with analysis | "code hard to read," "same functionality," "minified," "malware evasion," "not encryption" |
| Segmentation | N/A β architecture approach, not transformation | N/A | Limit breach blast radius; tiered security | Data distributed across multiple databases/systems | "distribute data," "separate databases," "limit breach scope," "tiered security" |
| Permission Restrictions | N/A β access control approach | N/A β credentials, not keys | Authentication + post-login authorization | Data protected by who can access, not transformation of data itself | "least privilege," "MFA," "groups," "separation of duties," "password policy" |
| Geofencing | N/A β access control approach | N/A | Location-based access control | Data protected by where access is attempted from | "inside building," "location-based," "country block," "impossible travel," "GPS" |
Encryption vs. Hashing vs. Tokenization β The Critical Three
| Property | Encryption | Hashing | Tokenization |
|---|---|---|---|
| Direction | Two-way (encrypt and decrypt) | One-way only (cannot reverse) | Two-way via lookup β but no math to reverse it |
| Key involved? | Yes β algorithm + key; key protects the transform | No β deterministic function; same algorithm always gives same result | No key β lookup table in token service maps token β original |
| Mathematical relationship between input and output? | Yes β decryption algorithm undoes encryption given the key | Yes β hash function is deterministic; same input always same output | No β token is an arbitrary substitute; no math connects token to original |
| Can you recover the original? | Yes β with the correct key | No β the hash cannot be reversed; only matching can be done | Yes β but only by querying the token service; mathematically impossible without it |
| Output format | Ciphertext (variable length; usually binary or base64) | Fixed-length digest (SHA-256: always 64 hex chars) | Token (can be same format as original β same length SSN, same format card number) |
| Primary use cases | Protecting confidential data at rest and in transit; files, disk, database, messages | Password storage; file integrity verification; digital signatures | Payment card numbers (PCI DSS); SSNs; anywhere sensitive values transit multiple systems |
| Overhead | Cryptographic computation on every encrypt/decrypt operation | Cryptographic computation on every hash operation | Minimal crypto β primarily a database lookup for mapping |
| If stolen from storage | Attacker has ciphertext β useless without key | Attacker has hash β can only crack via dictionary/brute force | Attacker has token β mathematically useless; cannot reverse without token service |
Data Masking vs. Tokenization β Detailed Comparison
| Aspect | Data Masking | Tokenization |
|---|---|---|
| What it does to original value | Hides part of the value for display; original may still exist in storage unchanged | Replaces the entire value with a substitute token; original moved to secure token vault only |
| Where original data lives | Still in the database (usually); masking is applied at the presentation layer | Only in the token service / token vault; the token is the only thing in transactional systems |
| Example | Credit card **** **** **** 4532 displayed in UI; full number 4111-1111-1111-1532 still in database | SSN 266-12-1112 replaced by token 691-61-8539 everywhere; 266-12-1112 only in token vault |
| If database is breached | Full original value may still be exposed β masking protects the UI view, not the stored record | Attacker gets only tokens β mathematically useless; token vault (separate, highly secured system) not compromised in typical database breach |
| Does it eliminate sensitive data from the system? | No β data may still be present; only the view is controlled | Yes β the sensitive value is removed from transactional systems; only the token exists there |
| Best for | Display restrictions: call center agents see enough to identify a card without seeing the full number; reports showing partial data | Systems that need to reference a sensitive value by ID without needing the actual value: merchant systems, PCI DSS scope reduction |
| PCI DSS scope reduction | No β the full card number is still in scope because it exists in storage | Yes β tokenized systems may be removed from PCI DSS scope; the card number no longer exists in merchant systems |
Hashing β Use Case Details
| Use Case | How Hashing Is Applied | What It Proves | Algorithm Used |
|---|---|---|---|
| Password storage | Hash the password on registration; store the hash. On login: hash the entered password; compare to stored hash. Match = correct password. | User knows the correct password β without the system ever storing or transmitting the actual password | bcrypt, Argon2, PBKDF2 (not raw SHA-256 β these add salting and work factor); SHA-256 sometimes used but less ideal without salting |
| File integrity verification | Publisher computes hash of legitimate file and publishes it. User downloads file, computes hash, compares to published hash. Match = file not tampered. | The file received is identical to the file the publisher signed β no bytes changed in transit or at rest | SHA-256 (most common), SHA-512; MD5 sometimes still used for non-security checksums despite deprecation |
| Digital signatures | Sender hashes message β encrypts hash with private key = signature. Receiver decrypts signature with public key β gets hash; independently hashes message; compares. | Authentication (only key holder could sign) + Integrity (any change β hash mismatch) + Non-repudiation (sender cannot deny) | SHA-256 in RSA-PKCS1v15, ECDSA, or EdDSA signatures; SHA-1 deprecated for signatures |
| Message authentication codes (HMACs) | Hash computed with a shared secret key mixed in. Recipient with the same key verifies the hash. | The message was created by someone with the shared key and has not been altered | HMAC-SHA256 (most common); HMAC-SHA512 |
| Blockchain / ledger integrity | Each block contains the hash of the previous block. Any alteration to a historical block changes its hash, invalidating all subsequent blocks. | The chain of records has not been tampered with since each block was added | SHA-256 (Bitcoin), Keccak-256 (Ethereum) |
Geolocation Technologies β Accuracy and Use
| Technology | How It Works | Accuracy | Works Indoors? | Spoofable? | Best For |
|---|---|---|---|---|---|
| GPS (Global Positioning System) | Device receives signals from satellite constellation; calculates position by time-of-flight triangulation | Meters β highly accurate outdoors | Poor β satellites not visible inside buildings | Yes β GPS spoofing hardware exists; significant effort required | Mobile device geofencing; vehicle tracking; high-accuracy outdoor positioning |
| 802.11 Wi-Fi Positioning | Device scans for visible Wi-Fi access points; maps to known AP locations from survey database; calculates position | Meters to tens of meters β building-level accuracy | Yes β works anywhere Wi-Fi APs are visible | Harder than IP β requires knowledge of AP locations | Building-level access control ("inside corporate building"); indoor positioning; campus security |
| Cell Tower Triangulation | Device signal triangulated from multiple cell towers; position estimated based on signal strength and timing | Hundreds of meters in urban areas; kilometers in rural areas | Partial β depends on building penetration of cell signals | Theoretically possible; uncommon in practice | General mobile device location; country/region determination; wide-area tracking |
| IP Address Geolocation | IP address mapped to geographic region via ISP registration and geolocation databases (MaxMind, IP2Location) | City level at best; unreliable for specific building or address | Yes β works whenever IP address is known | Yes β VPNs and proxies easily change apparent location | Country-level access restriction; rough geographic filtering; less accurate use cases |
Protection Technique Selection Guide
| Requirement / Scenario | Best Technique | Why |
|---|---|---|
| Store passwords in a database β users must be able to authenticate but passwords must not be recoverable | Hashing (with salt and work factor) | One-way: system can verify entered password by hashing and comparing; cannot recover original. Encryption not appropriate β requires key management, and decryption is unnecessary since only verification is needed. |
| Protect a credit card number so that payment systems never hold the real card number β reduce PCI DSS scope | Tokenization | Replaces real card number with a token everywhere in merchant systems; real number only in token vault. Masking would not help β the real number would still be stored. Encryption would still require the merchant to handle the decryption key, keeping them in PCI scope. |
| Call center agent should be able to identify which credit card a customer is asking about without seeing the full number | Data masking | Show only last 4 digits; agent can identify the card; the full number remains in the backend for payment processing. Tokenization is also possible here but masking is the simpler, more targeted solution for this display restriction use case. |
| Verify that a downloaded software package has not been tampered with | Hashing (integrity verification) | Publisher publishes SHA-256 hash of the legitimate file; user computes hash of downloaded file; match confirms integrity. Encryption would be over-engineered β no confidentiality needed; only integrity verification. |
| Protect the contents of a file so that unauthorized parties who access the storage cannot read it | Encryption | Two-way encryption protects the content; authorized parties with the key decrypt and read. Hashing would not work β it is one-way and the content cannot be recovered. Masking only applies to display, not storage. |
| Distribute sensitive data across multiple systems to limit the damage of any single breach | Data segmentation | Architectural control; putting all sensitive data in one database creates a single-point breach. Segmentation limits what an attacker gets from any one compromise. |
| Allow access to a building's most sensitive system only when users are physically inside the building | Geofencing (802.11 / network segment) | Location-based access control; 802.11 or network VLAN can confirm the user is on the corporate network inside the building. Permission restrictions control who can access; geofencing controls from where. |
| Make proprietary software difficult for a competitor to reverse-engineer after distribution | Obfuscation | Scrambles code structure while preserving function; legitimate IP protection. Not perfect β can be reversed with effort β but raises the cost of analysis. Encryption of the binary would prevent execution; obfuscation allows the code to run normally. |