Security triad (CIA triad)
Confidentiality
Confidentiality measures are designed to prevent the disclosure of information through unauthorised access, whether intentional or unintentional. The information is accessible only to authorised individuals or entities. Confidentiality can be achieved through encryption, access controls, authentication mechanisms, and data classification.
Integrity
The consistency, accuracy and trustworthiness of data must be maintained over its entire lifecycle. Modifications to the data are not made by unauthorised personnel or processes. Unauthorised modifications are not made to data by authorised personnel or processes. The data is consistent among all sub-entities, and the internal information is consistent with the real world. Integrity mechanisms such as hash algorithms, checksums, digital signatures, and access controls help verify the authenticity and reliability of data.
Availability
Information should be consistently and readily accessible to authorised parties. This involves maintaining the hardware, technical infrastructure and systems that hold and display the information. Measures such as redundancy, backups, disaster recovery plans, and resilient network architectures are employed to maintain availability and mitigate the impact of attacks or system failures.
Other security aspects
Authenticity
Authorisation
Kerckhoffs principle
A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
The Kerckhoffs Principle is a fundamental concept in cryptography. The principle states that the security of a cryptographic system should not rely on the secrecy of the algorithm but rather on the secrecy of the key.
Why should security not rely solely on the algorithm? Algorithms may become known over time for various reasons, such as reverse engineering or accidental disclosure. Once an algorithm is exposed, the security of the system would rely solely on the secrecy of the key.
Secret key
A key is a short string, which makes it easier to hide, but it must be strong enough to be unguessable.
By relying on the secrecy of the key to provide security, the key can be changed or rotated as needed to further enhance security. To construct a robust key, the key has to have the following characteristics:
- Unpredictable
- Random
These involve the concepts of hashing and random key generation.
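The following is an added example, not part of the original notes, showing why a key must be unpredictable when the algorithm is public, as Kerckhoffs's principle assumes. It assumes HMAC-SHA256 as the public algorithm and a weak key derived from a PRNG seeded with a Unix timestamp; the message, timestamp and search window are constructed sample values.

```python
import hashlib
import hmac
import random
import secrets

# Constructed sample values (assumptions, not from the notes).
MESSAGE = b"transfer=100;to=bob"
KEY_CREATED_AT = 1_700_000_123                       # Unix time used as PRNG seed
SEARCH_WINDOW = range(1_700_000_000, 1_700_000_600)  # a known 10-minute window


def weak_key(seed: int) -> bytes:
    """32-byte key from a non-cryptographic PRNG with a guessable seed."""
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")


def strong_key() -> bytes:
    """32-byte key from the operating system's CSPRNG."""
    return secrets.token_bytes(32)


def tag(key: bytes, message: bytes) -> bytes:
    """The public algorithm: HMAC-SHA256. Only `key` is secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def find_seed(message: bytes, observed: bytes, window: range):
    """Audit check: does any seed in `window` reproduce the observed tag?"""
    for seed in window:
        if hmac.compare_digest(tag(weak_key(seed), message), observed):
            return seed
    return None


if __name__ == "__main__":
    weak_tag = tag(weak_key(KEY_CREATED_AT), MESSAGE)
    strong_tag = tag(strong_key(), MESSAGE)
    # The timestamp-seeded key falls to a 600-guess search over the window.
    print("weak key seed found:", find_seed(MESSAGE, weak_tag, SEARCH_WINDOW))
    # The CSPRNG key has no small seed space to search.
    print("strong key seed found:", find_seed(MESSAGE, strong_tag, SEARCH_WINDOW))
```

Both keys are 32 bytes long; what differs is the size of the space they were drawn from, which is what "unpredictable" means in practice.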
Trapdoor properties
We are looking for a function with the following properties:
- Computationally fast to compute the function value
- Computationally infeasible to compute the inverse function
- Unless we are in possession of a piece of information that allows us to speed it up dramatically.
- Corollary: It must be computationally infeasible to compute the private key from the public key (without the trapdoor information), even though public and private keys are mathematically related.
Boyd’s theorem
Assuming the absence of a secure channel, two entities cannot establish an authenticated session without the existence of an entity that can mediate between the two and which both parties trust and have a secure channel with.
Rephrasing
- Alice and Bob cannot securely establish keys between them if they do not already have existing, established keys
- The only way is an ‘introduction’ via a third party with which both Alice and Bob already have established keys
- The third party serves as an introducer that can vouch for both Alice’s and Bob’s identities and securely facilitate key exchange