Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
March, 2007<br />
3 <strong>Security</strong> Services<br />
Cryptography may be used to perform several basic security services: confidentiality, data<br />
integrity, authentication, authorization and non-repudiation. These services may also be required<br />
to protect cryptographic keying material. In addition, there are other cryptographic and noncryptographic<br />
mechanisms that are used to support these security services. In general, a single<br />
cryptographic mechanism may provide more than one service (e.g., the use of digital signatures<br />
can provide integrity, authentication and non-repudiation) but not all services.<br />
3.1 Confidentiality<br />
Confidentiality is the property whereby information is not disclosed to unauthorized parties.<br />
Secrecy is a term that is often used synonymously with confidentiality. Confidentiality is<br />
achieved using encryption to render the information unintelligible except by authorized entities.<br />
The information may become intelligible again by using decryption. In order for encryption to<br />
provide confidentiality, the cryptographic algorithm and mode of operation must be designed and<br />
implemented so that an unauthorized party cannot determine the secret or private keys associated<br />
with the encryption or be able to derive the plaintext directly without deriving any keys.<br />
3.2 Data Integrity<br />
Data integrity is a property whereby data has not been altered in an unauthorized manner since it<br />
was created, transmitted or stored. This includes the insertion, deletion and substitution of data.<br />
Cryptographic mechanisms, such as message authentication codes or digital signatures, can be<br />
used to detect (with a high probability) both accidental modifications (e.g., modifications that<br />
sometimes occur during noisy transmissions or by hardware memory failures), and deliberate<br />
modifications by an adversary with a very high probability. Non-cryptographic mechanisms are<br />
also often used to detect accidental modifications, but cannot be relied upon to detect deliberate<br />
modifications. A more detailed treatment of this subject is provided in Appendix A.1.<br />
In this recommendation, the statement that a cryptographic algorithm "provides data integrity"<br />
means that the algorithm is used to detect unauthorized alterations.<br />
3.3 Authentication<br />
Authentication is a service that is used to establish the origin of information. That is,<br />
authentication services verify the identity of the user or system that created information (e.g., a<br />
transaction or message). This service supports the receiver in security relevant decisions, such as<br />
“Is the sender an authorized user of this system?” or “Is the sender permitted to read sensitive<br />
information?” Several cryptographic mechanisms may be used to provide authentication<br />
services. Most commonly, authentication is provided by digital signatures or message<br />
authentication codes; some key agreement techniques also provide authentication. When<br />
multiple individuals are permitted to share the same authentication information (such as a<br />
password or cryptographic key), it is sometimes called role-based authentication. See [FIPS140-<br />
2].<br />
30