When CoCCA or a registrar creates or edits an domain or contact authorisation code, the code is one-way hashed and only the hash is stored in the database. A hash function scrambles data to encrypt it, hash functions are one-way encryption.
CoCCA no longer stores authocdes in clear text or provides a utility to decrypt the authcodes, the only option for a TLD manager or a registrar who wants to know the code - if they dont have a record of it, is to re-set the authcode.
Authorization codes can only be re-set in the web portal or via EPP by the TLD manager or the controlling registrar.
When requesting the current authcode over EPP CoCCA will return the hash value, not the actual authorisation code.
If a registrar does not know the existing code and needs to provide one to a registrant to enable a transfer, the recomended process would be to re-set the authorisation code to a known value and provide that to the registrant.