Security controls based on cryptography 

Throughout this Digital stage, you will have seen references to many security threats to information.  

• Unauthorised access to information
• Unauthorised disclosure
• Unauthorised modification
• Misrepresentation of a message
• Repudiation of a message

Many security controls are based on cryptographic systems and cryptography can assist in countering all these threats.

Security services  

Security services are processing or communication services that improve the security of data processing and information transfer systems of an organisation. These services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

The security services that cryptography can provide are:

Confidentiality, which is the protection of information so that only the originator and intended recipients can see it. This means encrypting data which could be travelling around a network, like an email in transit. Only authorised users will be able to decrypt the messages or files.

Steve is going to send some data to Milly over the internet. Obviously, we should ensure that nobody else, including Ralph, can access the data items. Ideally, when Steve sends some data to Milly, Ralph should not be able to read the message. When Steve sends an encrypted message, Ralph will not be able to see what is in the message. However, if Steve sends plain text to Milly, and this message is intercepted by Ralph, he will be able to read it. Therefore, encryption is one of the ways we can achieve data confidentiality.

Authentication, which is where the identity of an entity (like logging into a computer) is verified. The entity could be a user, a message, or a device.

User authentication normally relates to the verification of a user’s claimed identity when accessing a system, whilst message authenticity generally involves the recipient of a message verifying the identity of the originator.

For example, we already know that Steve is going to send some data to Milly, when this message is received, how will Milly confirm that this message is actually from Steve, and not from Ralph? Milly will use the authentication service to verify that the message is from Steve, and not from anyone else. This is authentication in a nutshell.  

Integrity involves mechanisms which ensure that, if data has been modified, changed, or deleted, the modification can be detected. This includes detection of any attempt to insert data into communications traffic.

There may be attackers such as Ralph on the network who might insert, modify, delete, or replay the data items. Therefore, your system should ensure that it is providing data integrity as one of your security services.

Non-repudiation prevents a party in a communication exchange from claiming that the transaction didn’t happen. There are various forms of non-repudiation, including non-repudiation of origin and non-repudiation of receipt.

Milly has received some data from Steve. Steve has denied sending the data to Milly. The security system needs to prove that Steve has sent the message. Further to this, when the message is received by Milly, she should not deny that she successfully received the message. If any of the entities denies that they have not sent, or not received messages, it can be proved.

What’s next?

You have learned that cryptography provides many of the security services you will be familiar with today. You’re now probably wondering how exactly cryptography provides this level of protection to your assets and systems. This is what you’ll explore in the next step.