Cleartext vs. Plaintext vs. Ciphertext vs. Plaintext vs. Clear Text

By Kevin W.

This came up a few times during the last round of security reports we at Denim have been writing, so I wanted to ensure everyone understood the distinction. Granted, it is a subtle distinction, but it does exist even though it sounds like a Dr. Seuss book at times.


  • Cleartext is readable data transmitted or stored “in the clear” (i.e., unencrypted)
  • Plaintext is the input to an encryption algorithm
  • Ciphertext is the unreadable output of an encryption algorithm
  • Plain text means it’s text that hasn’t been formatted (i.e., a plain text file)
  • And clear text… well, this is just text that is easy to comprehend (added to be thorough)


  • Something that is cleartext may be in plain text, could be used as plaintext, but definitely isn’t ciphertext.
  • Something that is plaintext should be in plain text, could be cleartext, and will become ciphertext.
  • Something that is ciphertext should be in plain text, could be used as plaintext, but definitely isn’t cleartext.

To non-security folks, this makes about as much sense as “key encryption keys” and “ticket granting tickets” (they’re real, look them up!), but the distinction comes down to when you are describing the text in question. Let’s use the scenario of storing credentials in a database, which is where I came across it during our security reports.

If you store a password in a database, you would store it as either cleartext or ciphertext, usually in plain text, meaning the password is either unencrypted or encrypted, usually without formatting. While it is just sitting in the database it is not the input to an encryption algorithm, so it is not plaintext.

Now you can correctly say something like “The cleartext password was queried from the database and used as plaintext by the encryption method to produce ciphertext, protecting our proprietary clear text formula.”

One last important distinction to understand is that plaintext is not necessarily readable: you could take the ciphertext from one algorithm and feed it to another algorithm (making it that algorithm’s plaintext) to produce more ciphertext.
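The scenario above, as an added example that is not part of the original post: a cleartext password becomes the plaintext of one cipher, and the resulting (unreadable) ciphertext becomes the plaintext of a second cipher. The stream cipher, keys, nonces and sample password are all constructed for the illustration; the SHA-256 counter keystream is a toy, not a vetted cipher.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256 over key, nonce and block counter.
    Constructed for this illustration only; use a real cipher in practice."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Plaintext in, ciphertext out: XOR the input with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # an XOR stream cipher is its own inverse


def is_readable(data: bytes) -> bool:
    """True when every byte is printable ASCII, i.e. the data looks like cleartext."""
    return all(32 <= b < 127 for b in data)


def two_layer_demo() -> dict:
    cleartext_password = b"hunter2"  # constructed sample value, as stored "in the clear"
    k1, n1 = b"\x01" * 32, b"\xaa" * 12  # constructed key/nonce for algorithm 1
    k2, n2 = b"\x02" * 32, b"\xbb" * 12  # constructed key/nonce for algorithm 2
    # Layer 1: the cleartext password is the plaintext of algorithm 1.
    ct1 = encrypt(k1, n1, cleartext_password)
    # Layer 2: ct1 is the plaintext of algorithm 2, readable or not.
    ct2 = encrypt(k2, n2, ct1)
    # Peel the layers off again: ct2 -> ct1 -> cleartext.
    recovered = decrypt(k1, n1, decrypt(k2, n2, ct2))
    return {
        "cleartext_readable": is_readable(cleartext_password),
        "layer2_plaintext_readable": is_readable(ct1),
        "layer1_changed_data": ct1 != cleartext_password,
        "layer2_changed_data": ct2 != ct1,
        "round_trip_ok": recovered == cleartext_password,
    }


if __name__ == "__main__":
    for name, value in two_layer_demo().items():
        print(f"{name}: {value}")
```

Running it shows the cleartext is readable, each layer transforms its input, and the original password only comes back after both layers are removed.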

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

2 Responses to “Cleartext vs. Plaintext vs. Ciphertext vs. Plaintext vs. Clear Text”

  1. Juli

    Thanks for explaining this!

    …Even though it’s still a bit confusing. Ah well.

  2. John Tangney

    I got a good laugh out of the Seussean logic, but you really helped me learn the correct terminology. With security, precision is important, so it’s important to get the worms – uh, I mean words – right. ;-)
