The main purpose of cryptography is to meet one or more of these security principles: confidentiality, integrity, authenticity, and nonrepudiation.
These principles are known as security services, and they closely reflect the security triad. Confidentiality is the original and main purpose of cryptography; however, integrity, authenticity, and nonrepudiation are also used in cryptography applications to enhance data and message protection. Let’s take a closer look at how cryptography enables each of these principles.
1 Confidentiality
Cryptography was invented for one purpose—secrecy (i.e., confidentiality). The primary use of cryptography over the centuries has been to hide messages, and that is no different now. To date, the confidentiality principle of security is one of the most used security principles in cryptography.
Attackers have access to very sophisticated tools to steal or expose data, and today encryption is used more than ever. Encryption provides confidentiality for data at rest, data in transit, and data in use. Encrypted data provides a very high degree of confidentiality because, once the data is encrypted, only people who hold authorized encryption keys can decrypt and access it. This makes it very difficult for any unauthorized users or attackers to access the data.
Confidentiality can be compromised by insider threats, data leaks, data breaches, eavesdropping, and man-in-the-middle attacks, but various forms of encryption can protect data from these attacks.
2 Integrity
Cryptography is also used to protect the integrity of data and information. Data integrity can be compromised intentionally or unintentionally. It’s compromised when attackers intercept the data in transmission and change the value or infect the storage device with a malicious virus. It can also be compromised unintentionally when a user accidentally deletes a part of the data or changes the value unknowingly. Device malfunction is another means by which data can be compromised unintentionally.
Cryptography helps verify data integrity in transit and in storage. Cryptography uses hash algorithms (introduced previously) to generate a fixed-size value, or digest, for the message or the data. This hash value is also known as a hash digest or just a hash. The hash digest is attached to the message. The receiver uses the same hash algorithm to re-create the hash digest. The digest the receiver generates will be the same as the one attached to the message if the value isn’t altered.
3 Authenticity
A digital signature uses asymmetric cryptography to prove the authenticity of a sender. The sender generates a hash digest of the message and encrypts the digest with the sender’s private key. The encrypted hash digest is appended to the message. The receiver uses the sender’s public key to decrypt the digest of the message. Once it is decrypted, the receiver runs the message through the same hash function and compares the resulting hash digest with the decrypted one. The process is the same as the one used for integrity. However, using the public key of the sender confirms that the message was sent (or signed) by the sender. This basically confirms the authenticity of the sender.
4 Nonrepudiation
Nonrepudiation is the process of confirming the sender and preventing the sender from denying that they sent the message. The nonrepudiation process uses the digital signature for authenticity.
Remember the Purpose
It’s important to note that using cryptography for integrity, authenticity, and nonrepudiation doesn’t provide secrecy or confidentiality. The message or data itself isn’t encrypted; only the hash digest is encrypted while using the digital signature. However, to keep the message confidential, it’s possible to encrypt the data or message. Keep in mind that it’s a separate process, and integrity, authenticity, and nonrepudiation don’t provide confidentiality.
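The integrity and digital-signature flows described above, as an added Python example that is not taken from the book. The key is a toy assumption (unpadded textbook RSA built from two well-known Mersenne primes), and the messages and function names are constructed for illustration.

```python
import hashlib

# Toy key (assumption, illustration only): textbook RSA from two well-known
# Mersenne primes, no padding. Production code uses a vetted library and a
# padded scheme such as RSA-PSS.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the sender


def digest(message: bytes) -> int:
    """SHA-256 hash digest of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Sender: hash the message, then transform the digest with the private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: recover the digest with the public key, re-hash, and compare."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    msg = b"Pay 100 to account 12345"        # constructed sample message
    altered = b"Pay 900 to account 12345"    # same message changed in transit
    attached_hash, signature = digest(msg), sign(msg)
    return {
        # Integrity: the receiver re-creates the digest and compares.
        "hash_matches_original": digest(msg) == attached_hash,
        "hash_flags_alteration": digest(altered) != attached_hash,
        # A bare digest needs no key: anyone can re-create it for any message,
        # so a matching hash alone does not identify the sender.
        "rehashed_alteration_passes_hash_check": digest(altered) == digest(altered),
        # Authenticity: only the private-key holder can produce this value.
        "signature_verifies": verify(msg, signature),
        "old_signature_rejects_alteration": not verify(altered, signature),
        # What is transmitted: the message itself is still plaintext.
        "on_the_wire": (msg, signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value if name != "on_the_wire" else value[0])
```

The `on_the_wire` entry shows the point of this section: the signed message is still readable by anyone who intercepts it.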
Editor’s note: This post has been adapted from a section of the book Modern Cryptography: The Practical Guide by Sandip Dholakia.