Bonsoir,
Is anyone could please explain the relationship between authentication and encryption.
Traffic can be authenticated without being encrypted. Is it possible to have encryption without authentication?
I read that, in OSI 17799: "the cryptographic techniques protect the confidentiality, integrity and authenticity of information".
So, it seems that encryption couldn't exist without authentication.
Is it possible to clarify that. Thanks for your advice, Michelot
the security "PAIN" acronym
P - privacy (sometimes as CAIN ... confidentiality) A - authentication I - integrity N - non-repudiation
so encryption technology can be used for hiding information, achieving security "privacy" (or "confidentiality).
given that you know that only specific entities have access to a specific encryption keys ... then it can be possible for encryption to also imply authentication (because part of the encryption business process requires that only specific entities have access to the associated encryption key).
so as part of a cryptographic business process, a secure hash of information can be taken and also encrypted. if the recomputed hash of a decrypted message is the same as the decrypted original hash ... then the implication is that the message has not been modified ... providing for integrity.
and example is asymmetric key cryptography technology.
using asymmetric key cryptography technology, a public/private key business process is defined ... where the public key is widely publicized and the corresponding private key is kept confidential and never divulged.
it is possible to take an entity's public key and encode a message. privacy/confidentiality is presumed because the decoding of the message can only be done by the entity with access to the corresponding private key.
a digital signature business process is defined utilizing the public/private key business process.
the secure hash of some information is calculated and encoding with the entity's private key.
a relying party processing the information can recalculate the secure hash and compare it with the original secure hash decoded with the corresponding public key.
from 3-factor authentication model
the relying party, on matching the two secure hash (in the digital signature business process), can infer that
1) the information has not changed (integrity) 2) "something you have" authentication, aka the original digital signature was done by an entity with exclusive and unique access to the corresponding private key, which has been kept confidential and never divulged.if you combine digital signature (for integirty and authentication) with public key encryption of the information (for privacy/confidentiality) ... you can achieve three of the four PAIN characteristics.
note that "N" in PAIN is a lot harder. there is some unfortunate semantic confusion that the term "digital signature" and the term "human signature" both contain the word "signature". there has sometimes been the misbelief that the "digital signature" business process (integrity and authentication) can assume to be equivalent to the "human signature" process which implies that the person had read, understood, agrees, approves, and/or authorizes the information. however there is actually a vast chasm between "digital signature" and "human signature". misc. posts discussing various signature characteristics
the risk is that just divulging the account number can result in fraudulent transactions ... various posts regarding shared secret based business processes
the account number scenario with SSL is that the planet needs to buried under miles of cryptography for hiding in order to prevent fraudulent transactions (aka enormous amounts of privacy/confidentiality).
in x9.59, the fraud risk related to divulging account numbers is eliminated ... and therefor it is no longer necessary to hide (x9.59) account numbers. In effect, x9.59 manages to substitute integrity and authentication for privacy/confidentiality as countermeasure to account number related fraud (to preserve the integrity of the financial infrastructure for all retail payments, it is no longer necessary to hide the account number).
lots of past posts mentioning threats, exploits, vulnerabilities, and fraud
Yes.
Public Key Encryption does not have offer authentication unless the the sender "signs" the transmission with their private key.
Authenticity != Authentication
confidentiality + integrity = authenticity (yes that's the original unaltered data)
But nothing "authenticates" where or from whom it came.
Bonsoir Walter,
Thanks for that. It's clear now, I had a doubt with that.
Sorry, I made a terrible mistake: cryptography is not encryption, but a technique that uses algorithm and keys. It allows to authentify users, to detect information integrity and to make encryption (that is to protect information confidentiality).
Do you agree?
Interresting! is it really used? I would say that, normally, the signature is done with the private key.
Regards, Michelot
Bonsoir Michelot,
You're sleeping Michelot. Walter is right, if the authentication is signed, the sender signs with its private key.
Michelot
Bonsoir,
I'm not an expert. In the draft ISO 27000, it is noted that definition:
"Authenticity: the property that ensures that the identity of a subject or resource is the one claimed. Authenticity applies to entities such as users, processes, systems and information".
When you say "that's the original unaltered data", it seems that is only integrity.
Draft ISO 27000 "Data integrity: property that data has not been altered or destroyed in an unauthorized manner.[ISO/IEC 18028-2]"
Thanks for your reply. Michelot
Bonsoir Thorin,
Finally, after thinking about it, it seems that I grasp that meaning. And now, I don't really find very clear the authenticity definition given in ISO 27000, but it is a draft.
Your word "original" is important. For that, confidentiality is probably needed.
Best regards, Michelot
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.