Security Functions of Cryptography
Cryptography is most often associated with the confidentiality of information that it provides. However, cryptography can offer the following four basic functions:
Confidentiality Assurance that only authorized users can read or use confidential information. Without confidentiality, anyone with network access can use readily available tools to eavesdrop on network traffic and intercept valuable proprietary information. Intruders who gain illicit network rights and permissions can steal proprietary information that is transmitted or stored as plaintext. Therefore, cryptosystems use techniques and mechanisms to ensure information confidentiality. For example, unauthorized users might be able to intercept information, but the information is transmitted and stored as ciphertext and is useless without a decoding key that is known only to authorized users.
Authentication Verification of the identity of the entities that communicate over the network. Without authentication, anyone with network access can use readily available tools to forge originating Internet Protocol (IP) addresses and impersonate others. Therefore, cryptosystems use various techniques and mechanisms to authenticate both the originators and recipients of information. For example, online entities can choose to trust communications with other online entities based on the other entities ownership of valid digital authentication credentials.
Integrity Verification that the original contents of information have not been altered or corrupted. Without integrity, someone might alter information or information might become corrupted, and the alteration could be undetected. Therefore, many cryptosystems use techniques and mechanisms to verify the integrity of information. For example, an intruder might covertly alter a file, but change the unique digital thumbprint for the file, causing other users to detect the tampering by comparing the changed digital thumbprint to the digital thumbprint for the original contents.
Nonrepudiation Assurance that a party in a communication cannot falsely deny that a part of the actual communication occurred. Without nonrepudiation, someone can communicate and then later either falsely deny the communications entirely or claim that it occurred at a different time. For example, without nonrepudiation, an originator of information might falsely deny being the originator of that information. Likewise, without nonrepudiation, the recipient of a communication might falsely deny having received the communication.
To provide nonrepudiation, systems must provide evidence of communications and transactions, so that involved parties cannot easily refute the evidence. For example, someone might deny sending an e-mail message, but the messaging system adds a timestamp and digitally signs the message with the message originator's digital signature. Because the message contains a timestamp and a unique signature, there is strong evidence to identify both the message's originator and the date and time of origin. If the message originator later denies sending the message, the false claim is easily refuted. Likewise, to provide nonrepudiation for mail recipients, mail systems might generate mail receipts that are dated and signed by the recipients.
Cryptography-based security technologies commonly use one or more of these functions to provide network and information security. Additionally, the security functions provided by cryptosystems sometimes overlap. For example, cryptosystems that provide nonrepudiation often provide authentication as a byproduct. Your security goals and requirements determine which functions you need to provide.
What Cryptography Technology Cannot Do