How to learn the basics of encryption for API testing?

As a tester, we might have to test the functionality of APIs which involve some kind of encryption such as SHA. The encryption can be used to generate the Authentication for the API call or to protect the request body. We might also have to automate the encryption process.

I only need to learn encryption to make API calls. I am NOT doing any security testing, testing if a software encrypts something correctly or trying to defeat some encryption. I don’t have a CS degree and I don’t want to get a course/resource which gives us theoretical concepts which we are unlikely to need at work.

I have these questions -

1 - Where can I learn the basics of encryption for practical purposes?
I prefer a hands on video course for this, but books are ok too. Again, these must have practical & actionable knowledge instead of theory which is never/rarely used at work.

2 - Which libraries are recommended for encryption?
I’d like Java libraries which are popular, have plenty of tutorials, are open source (preferably).

Thank you!

1 Like

It is a little hard for me to understand exactly what you need. If by practical purpose you want to know how to generate a SHA256 hash from a text I suggest you just google “online sha256” and you will find utility pages like SHA256 Online where you can generate a hash from an arbitrary input:
“where you can enter a text to generate a hash” → dc1edca9a8fd88fe90cdb5022f419f078de6d73bda719c08311f182b367c47c6

If you want to produce hashes in Java here is a resource that provides a few ways of doing it, from the built-in library to different external libraries: SHA-256 Hashing in Java | Baeldung

I guess you are asking for some place to find out more about this and I cannot provide it. But I can provide a few pointers on hashing and encryption. Encryption is a two-way operation. You take a message and a key and you produce a “secret” message, and anyone with the key can revert the operation to produce the clear message. Useful for scrambling data in transit where both parties have the key. Hashing is a one-way operation, i.e. there does not need to be a way to restore the clear message from a scrambled message; in security you very specifically do not want there to be such a way. Commonly used for password storing and digitally signing things when talking about security. Also used in a lot of other computer science fields.
Specifically when it comes to passwords a common method is for you to type your password, and the server then produces a hash of that password. So if someone gets hold of the stored data they do not actually know what your password is. When you then want to authenticate with your password the server just creates a hash again from what you wrote and compares the scrambled text with the stored hash. This has the weakness that if two people have the same password they will also store the same hash, which is where you can introduce a salt, where the server adds some additional characters to your password before generating the hash, thus giving you a unique hash. But if you want to send hashes over an API you probably are not using a salt.

I hope this helps you. Good luck!

2 Likes
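An added example (not from the reply above or from any project on the page) putting the two operations it describes into Java using only the JDK, assuming Java 17 or later for `HexFormat`: a plain SHA-256 hex digest of the kind the online utility pages produce, and a salted hash with a constant-time check as a login server would do it. The sample strings are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;

public class HashDemo {
    // SHA-256 of a UTF-8 string as lowercase hex: the same operation the online
    // "sha256" utility pages perform, using only the JDK's built-in MessageDigest.
    static String sha256Hex(String input) {
        return HexFormat.of().formatHex(digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    // A fresh random salt per user, so two users with the same password end up
    // with different stored hashes (the weakness the reply above points out).
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Hash of salt || password. The salt is stored next to the hash; it is not secret.
    static byte[] saltedHash(byte[] salt, String password) {
        byte[] pw = password.getBytes(StandardCharsets.UTF_8);
        byte[] data = new byte[salt.length + pw.length];
        System.arraycopy(salt, 0, data, 0, salt.length);
        System.arraycopy(pw, 0, data, salt.length, pw.length);
        return digest(data);
    }

    // Login check: recompute with the stored salt and compare in constant time,
    // so the comparison's timing does not reveal how many bytes matched.
    static boolean verify(byte[] salt, byte[] storedHash, String attempt) {
        return MessageDigest.isEqual(storedHash, saltedHash(salt, attempt));
    }

    private static byte[] digest(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        System.out.println(sha256Hex("hello world"));           // constructed sample input
        byte[] saltA = newSalt(), saltB = newSalt();
        byte[] hashA = saltedHash(saltA, "correct horse");
        byte[] hashB = saltedHash(saltB, "correct horse");      // same password, other salt
        System.out.println("hashes differ: " + !MessageDigest.isEqual(hashA, hashB));
        System.out.println("login ok: " + verify(saltA, hashA, "correct horse"));
        System.out.println("wrong password rejected: " + !verify(saltA, hashA, "wrong"));
    }
}
```

Plain SHA-256, salted or not, is fast by design; for storing real passwords a deliberately slow function such as PBKDF2 (available in the JDK as the `PBKDF2WithHmacSHA256` SecretKeyFactory) is used instead.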

@ola.sundin has already covered a great deal of detail on encryption. This is all correct so do read it.

In my personal experience, when testing APIs you might not actually need to understand encryption, but in fact authentication.

Or to put it simply how to do a login and then save the security token to use on subsequent API calls.

There are many methods for Authentication, so it’s worth you finding out some more details about the API you are testing and how the authentication will work. There is not one answer but many, until you know this.

Then you can ask the next question. That might be “how do I do an oAuth login in Java as part of my REST Assured test”. This kind of question will, I’m sure, have an answer you can search for, without needing to learn encryption.

Hope that helps.

3 Likes