From the course: CompTIA Security+ (SY0-701) Cert Prep: 1 General Security Concepts

Goals of cryptography

Security professionals use cryptography for several different reasons. We can describe those reasons using the five goals of cryptography.

First, the most common goal of cryptography is to preserve confidentiality. Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. If Alice and Bob are communicating with each other using encryption, they want to ensure that their communication remains private. And even if a third party, Mal, intercepts their communication, she is unable to read the contents of those messages.

When we use cryptography to protect the confidentiality of information, we consider three different states of data where it might be exposed to prying eyes. Data at rest is data stored on a hard drive or other storage device. We can use encryption to protect stored data so that it remains protected even if the device is lost or stolen. Data in transit is being sent over a network between two systems. We use encryption to protect data in transit so that it remains protected even if someone eavesdrops on the network communication. And finally, data in use is in memory, where it is being actively used by an application. We can use encryption to protect this data from access by other processes or individuals.

The second goal of cryptography is integrity. Integrity protects messages against unauthorized modification. If Alice and Bob are communicating with each other, they want to make sure that Mal is not able to tamper with the message either. Bob wants to know that the message he received claiming to be from Alice is actually the message that Alice sent.

The third goal of cryptography is authentication. Many systems that verify the identity of users rely upon the use of encryption. We'll talk more about the use of encryption to provide authentication when we discuss identity and access management.

The fourth goal of cryptography is obfuscation. Sometimes we want to make data unintelligible to anyone, including ourselves. For example, we might want to replace Social Security numbers with a unique value created from the SSN that is much less sensitive. This type of action where we make data unintelligible is obfuscation.

The final goal of cryptography is non-repudiation. Non-repudiation means that the recipient of a message can prove to an independent third party that the message actually came from the alleged sender. For example, if Alice sends a message to Bob using an encryption algorithm that supports non-repudiation, Bob could then show the message to Charlie and prove that the message actually came from Alice, and that Bob didn't simply create it himself. The technology that we use to achieve non-repudiation is called digital signatures. We'll discuss those later in this course.

Non-repudiation is only possible with asymmetric encryption algorithms. Remember, in symmetric cryptography, the sender and receiver both know and use the same key. In this approach, it would be easy for Bob to forge a message from Alice, because Bob knows the same secret key that Alice does. If Bob received a message encrypted with that key, he knows that it came from Alice because she is the only other person with the key. Bob can't, however, prove to Charlie that the message came from Alice because Bob could just as easily have created it himself.

As we work with cryptography, we also have to remember that cryptographic operations are mathematically complex and take computing time to process. This leaves us making a tradeoff between resource constraints and the level of security that we achieve. Generally speaking, the stronger our encryption algorithms, the more processing power we will need to encrypt and decrypt data.
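The shared-key limitation on non-repudiation described above, as an added example that is not part of the course material. It assumes HMAC-SHA256 from Python's standard library as the symmetric mechanism (the transcript speaks of encryption in general); the key, the messages and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample key, known to both Alice and Bob (symmetric setting).
SHARED_KEY = b"constructed-key-shared-by-alice-and-bob"
# A different key, standing in for Mal, who does not know the shared key.
MAL_KEY = b"constructed-key-guessed-by-mal"


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over the message with the given key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(key, message), tag)


def run_scenario() -> dict:
    # Alice sends Bob a message with a tag computed under the shared key.
    alice_msg = b"Transfer 10 dollars to Bob. Signed, Alice"
    alice_tag = make_tag(SHARED_KEY, alice_msg)

    # Integrity: a message altered in transit no longer matches Alice's tag.
    altered_msg = b"Transfer 10 dollars to Mal. Signed, Alice"

    # Authentication: a tag made without the shared key is rejected.
    mal_tag = make_tag(MAL_KEY, altered_msg)

    # Bob writes a message himself and tags it with the same shared key.
    bob_written_msg = b"Transfer 9999 dollars to Bob. Signed, Alice"
    bob_written_tag = make_tag(SHARED_KEY, bob_written_msg)

    # Charlie, handed the key to arbitrate, runs the same check on both.
    return {
        "bob_accepts_alice": verify_tag(SHARED_KEY, alice_msg, alice_tag),
        "altered_rejected": not verify_tag(SHARED_KEY, altered_msg, alice_tag),
        "mal_rejected": not verify_tag(SHARED_KEY, altered_msg, mal_tag),
        "charlie_accepts_alice": verify_tag(SHARED_KEY, alice_msg, alice_tag),
        "charlie_accepts_bob_written": verify_tag(
            SHARED_KEY, bob_written_msg, bob_written_tag
        ),
    }


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

Every check returns True: the shared key gives Bob integrity and authentication, but Charlie's verification cannot distinguish Alice's message from the one Bob wrote, so the tag proves nothing to a third party.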
