Chapter 70 Β· Concepts

Protecting Data β€” Concept Reference

Protection technique comparison, encryption vs. hashing vs. tokenization, masking vs. tokenization, hashing use cases, geolocation methods, and a technique selection guide in structured reference form.

All Protection Techniques β€” Full Comparison

TechniqueReversible?Key Required?Primary GoalWhere Original LivesExam Trigger Words
EncryptionYes β€” two-way; requires key to reverseYes β€” algorithm + keyConfidentiality (data at rest, in transit)Encrypted wherever stored; plaintext only when decrypted with key"requires a key to decrypt," "two-way," "ciphertext," "AES," "plaintext"
HashingNo β€” one-way; mathematically irreversibleNo β€” deterministic functionIntegrity verification; password storageOnly the hash is stored; original cannot be recovered from hash"one-way," "message digest," "fingerprint," "SHA-256," "cannot recover original"
TokenizationYes β€” but only via token service lookupNo key β€” lookup table in token serviceReplace sensitive value in systems; minimize exposureOnly in token service (secure lookup); systems hold only the token"token," "no mathematical relationship," "mobile payment," "Apple Pay," "replace card number"
MaskingPartially β€” hides for display; original may still be storedNoRestrict what users see; reduce exposure in UIOriginal often still in database; masking is a view-layer control"last four digits," "**** ****," "hide part of data," "call center sees masked number"
ObfuscationYes β€” with effort; no key required by analystNoMake code/data hard to understand; IP protection; evasionObfuscated version exists; original can be reconstructed with analysis"code hard to read," "same functionality," "minified," "malware evasion," "not encryption"
SegmentationN/A β€” architecture approach, not transformationN/ALimit breach blast radius; tiered securityData distributed across multiple databases/systems"distribute data," "separate databases," "limit breach scope," "tiered security"
Permission RestrictionsN/A β€” access control approachN/A β€” credentials, not keysAuthentication + post-login authorizationData protected by who can access, not transformation of data itself"least privilege," "MFA," "groups," "separation of duties," "password policy"
GeofencingN/A β€” access control approachN/ALocation-based access controlData protected by where access is attempted from"inside building," "location-based," "country block," "impossible travel," "GPS"

Encryption vs. Hashing vs. Tokenization β€” The Critical Three

PropertyEncryptionHashingTokenization
DirectionTwo-way (encrypt and decrypt)One-way only (cannot reverse)Two-way via lookup β€” but no math to reverse it
Key involved?Yes β€” algorithm + key; key protects the transformNo β€” deterministic function; same algorithm always gives same resultNo key β€” lookup table in token service maps token ↔ original
Mathematical relationship between input and output?Yes β€” decryption algorithm undoes encryption given the keyYes β€” hash function is deterministic; same input always same outputNo β€” token is an arbitrary substitute; no math connects token to original
Can you recover the original?Yes β€” with the correct keyNo β€” the hash cannot be reversed; only matching can be doneYes β€” but only by querying the token service; mathematically impossible without it
Output formatCiphertext (variable length; usually binary or base64)Fixed-length digest (SHA-256: always 64 hex chars)Token (can be same format as original β€” same length SSN, same format card number)
Primary use casesProtecting confidential data at rest and in transit; files, disk, database, messagesPassword storage; file integrity verification; digital signaturesPayment card numbers (PCI DSS); SSNs; anywhere sensitive values transit multiple systems
OverheadCryptographic computation on every encrypt/decrypt operationCryptographic computation on every hash operationMinimal crypto β€” primarily a database lookup for mapping
If stolen from storageAttacker has ciphertext β€” useless without keyAttacker has hash β€” can only crack via dictionary/brute forceAttacker has token β€” mathematically useless; cannot reverse without token service

Data Masking vs. Tokenization β€” Detailed Comparison

AspectData MaskingTokenization
What it does to original valueHides part of the value for display; original may still exist in storage unchangedReplaces the entire value with a substitute token; original moved to secure token vault only
Where original data livesStill in the database (usually); masking is applied at the presentation layerOnly in the token service / token vault; the token is the only thing in transactional systems
ExampleCredit card **** **** **** 4532 displayed in UI; full number 4111-1111-1111-1532 still in databaseSSN 266-12-1112 replaced by token 691-61-8539 everywhere; 266-12-1112 only in token vault
If database is breachedFull original value may still be exposed β€” masking protects the UI view, not the stored recordAttacker gets only tokens β€” mathematically useless; token vault (separate, highly secured system) not compromised in typical database breach
Does it eliminate sensitive data from the system?No β€” data may still be present; only the view is controlledYes β€” the sensitive value is removed from transactional systems; only the token exists there
Best forDisplay restrictions: call center agents see enough to identify a card without seeing the full number; reports showing partial dataSystems that need to reference a sensitive value by ID without needing the actual value: merchant systems, PCI DSS scope reduction
PCI DSS scope reductionNo β€” the full card number is still in scope because it exists in storageYes β€” tokenized systems may be removed from PCI DSS scope; the card number no longer exists in merchant systems

Hashing β€” Use Case Details

Use CaseHow Hashing Is AppliedWhat It ProvesAlgorithm Used
Password storageHash the password on registration; store the hash. On login: hash the entered password; compare to stored hash. Match = correct password.User knows the correct password β€” without the system ever storing or transmitting the actual passwordbcrypt, Argon2, PBKDF2 (not raw SHA-256 β€” these add salting and work factor); SHA-256 sometimes used but less ideal without salting
File integrity verificationPublisher computes hash of legitimate file and publishes it. User downloads file, computes hash, compares to published hash. Match = file not tampered.The file received is identical to the file the publisher signed β€” no bytes changed in transit or at restSHA-256 (most common), SHA-512; MD5 sometimes still used for non-security checksums despite deprecation
Digital signaturesSender hashes message β†’ encrypts hash with private key = signature. Receiver decrypts signature with public key β†’ gets hash; independently hashes message; compares.Authentication (only key holder could sign) + Integrity (any change β†’ hash mismatch) + Non-repudiation (sender cannot deny)SHA-256 in RSA-PKCS1v15, ECDSA, or EdDSA signatures; SHA-1 deprecated for signatures
Message authentication codes (HMACs)Hash computed with a shared secret key mixed in. Recipient with the same key verifies the hash.The message was created by someone with the shared key and has not been alteredHMAC-SHA256 (most common); HMAC-SHA512
Blockchain / ledger integrityEach block contains the hash of the previous block. Any alteration to a historical block changes its hash, invalidating all subsequent blocks.The chain of records has not been tampered with since each block was addedSHA-256 (Bitcoin), Keccak-256 (Ethereum)

Geolocation Technologies β€” Accuracy and Use

TechnologyHow It WorksAccuracyWorks Indoors?Spoofable?Best For
GPS (Global Positioning System)Device receives signals from satellite constellation; calculates position by time-of-flight triangulationMeters β€” highly accurate outdoorsPoor β€” satellites not visible inside buildingsYes β€” GPS spoofing hardware exists; significant effort requiredMobile device geofencing; vehicle tracking; high-accuracy outdoor positioning
802.11 Wi-Fi PositioningDevice scans for visible Wi-Fi access points; maps to known AP locations from survey database; calculates positionMeters to tens of meters β€” building-level accuracyYes β€” works anywhere Wi-Fi APs are visibleHarder than IP β€” requires knowledge of AP locationsBuilding-level access control ("inside corporate building"); indoor positioning; campus security
Cell Tower TriangulationDevice signal triangulated from multiple cell towers; position estimated based on signal strength and timingHundreds of meters in urban areas; kilometers in rural areasPartial β€” depends on building penetration of cell signalsTheoretically possible; uncommon in practiceGeneral mobile device location; country/region determination; wide-area tracking
IP Address GeolocationIP address mapped to geographic region via ISP registration and geolocation databases (MaxMind, IP2Location)City level at best; unreliable for specific building or addressYes β€” works whenever IP address is knownYes β€” VPNs and proxies easily change apparent locationCountry-level access restriction; rough geographic filtering; less accurate use cases

Protection Technique Selection Guide

Requirement / ScenarioBest TechniqueWhy
Store passwords in a database β€” users must be able to authenticate but passwords must not be recoverableHashing (with salt and work factor)One-way: system can verify entered password by hashing and comparing; cannot recover original. Encryption not appropriate β€” requires key management, and decryption is unnecessary since only verification is needed.
Protect a credit card number so that payment systems never hold the real card number β€” reduce PCI DSS scopeTokenizationReplaces real card number with a token everywhere in merchant systems; real number only in token vault. Masking would not help β€” the real number would still be stored. Encryption would still require the merchant to handle the decryption key, keeping them in PCI scope.
Call center agent should be able to identify which credit card a customer is asking about without seeing the full numberData maskingShow only last 4 digits; agent can identify the card; the full number remains in the backend for payment processing. Tokenization is also possible here but masking is the simpler, more targeted solution for this display restriction use case.
Verify that a downloaded software package has not been tampered withHashing (integrity verification)Publisher publishes SHA-256 hash of the legitimate file; user computes hash of downloaded file; match confirms integrity. Encryption would be over-engineered β€” no confidentiality needed; only integrity verification.
Protect the contents of a file so that unauthorized parties who access the storage cannot read itEncryptionTwo-way encryption protects the content; authorized parties with the key decrypt and read. Hashing would not work β€” it is one-way and the content cannot be recovered. Masking only applies to display, not storage.
Distribute sensitive data across multiple systems to limit the damage of any single breachData segmentationArchitectural control; putting all sensitive data in one database creates a single-point breach. Segmentation limits what an attacker gets from any one compromise.
Allow access to a building's most sensitive system only when users are physically inside the buildingGeofencing (802.11 / network segment)Location-based access control; 802.11 or network VLAN can confirm the user is on the corporate network inside the building. Permission restrictions control who can access; geofencing controls from where.
Make proprietary software difficult for a competitor to reverse-engineer after distributionObfuscationScrambles code structure while preserving function; legitimate IP protection. Not perfect β€” can be reversed with effort β€” but raises the cost of analysis. Encryption of the binary would prevent execution; obfuscation allows the code to run normally.