CISA Made Easy - easy CISA preparation

Friday, July 25, 2008

Achieving confidentiality through Cryptography

In today's internet environment, sending a message to its destination with confidentiality, authentication, non-repudiation and authorization is very important. To achieve all or some of these properties we use cryptographic techniques.


This article discusses how confidentiality can be achieved by cryptographic methods. It is equally relevant to IS auditors and information security professionals.

Besides the communication channel, cryptographic message communication involves:

  1. Sender
  2. Receiver(s)
  3. Cryptographic algorithm
  4. Key(s)

My article about symmetric and asymmetric encryption and the benefits of encryption gives you some initial background on this topic.

Let us first see what confidentiality is.

As I said, cryptographic messaging involves a sender and a receiver. Achieving confidentiality means the message sent reaches only the person for whom it is intended. In other words, if A sends a message to B, the message must reach B only, and nobody other than B should be able to decrypt it. The message must be decryptable by the authorized recipient only.

To see how confidentiality is achieved, I shall discuss some scenarios which will help us understand the concept better.

Scenario-1. When the sender encrypts the message with a Symmetric key/Secret key.

In symmetric cryptography the sender encrypts the message with the symmetric key and sends it to the receiver. The message can be decrypted only by a receiver who has the same symmetric key. So, provided the key has been shared with nobody else, the message is decrypted by the intended person only.

Thus scenario-1 achieves Confidentiality.

The symmetric key is also known as the secret key.

Scenario-2. When the sender encrypts the message with Sender's Private Key.

Asymmetric cryptography involves two keys (see my article on it). When the message is encrypted with the sender's private key, it can be decrypted by anyone having the sender's public key, which is by definition public. So this type of message is not intended for a particular receiver.

Thus scenario-2 does not achieve confidentiality.

Scenario-3. When the sender encrypts the message with Sender's Public Key.


Although this is not a practical approach to achieving confidentiality, I include it to cover all possible scenarios. When the sender encrypts the message with his own public key, the message can be decrypted by the sender only, as only he knows his private key. The receiver cannot decrypt the message.


Thus scenario-3 does not achieve confidentiality.

Scenario-4. When the sender encrypts the message with Receiver's Private Key.


This is not possible either, as the sender cannot have the receiver's private key.


Thus scenario-4 is not possible in the normal course of events and does not achieve confidentiality.


Scenario-5. When the sender encrypts the message with Receiver's Public Key.


In this scenario the receiver's public key may be known to the sender, so the sender can encrypt the message with the receiver's public key. Only the intended receiver can decrypt the message, using his private key.


Thus scenario-5 achieves Confidentiality.
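To make the five scenarios concrete, here is an added Go example; it is not code from the original post. It plays the scenarios out between a sender A, the intended receiver B and a third party E who also obtains every ciphertext, using AES-256-GCM for the symmetric case and RSA-OAEP for encryption to a public key. The key pairs, the shared secret and the message are all generated or constructed inside the program. One assumption to note: modern RSA libraries do not expose "encrypt with the private key" as an operation; its real-world counterpart is a digital signature (RSA-PSS here), with the message accompanying the signature in the clear, and that is how scenario 2 is modelled. Scenario 4 is skipped because the sender has no way to obtain the receiver's private key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// check turns setup failures (CSPRNG, key generation) into panics.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return k
}

// symmetricEncrypt seals msg with AES-256-GCM under key (scenario 1); the random nonce is prepended.
func symmetricEncrypt(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, msg, nil)
}

// symmetricDecrypt reverses symmetricEncrypt; a wrong key fails GCM authentication.
func symmetricDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// reads reports whether a decryption attempt recovered the original message.
func reads(plain []byte, err error, msg []byte) bool {
	return err == nil && string(plain) == string(msg)
}

// rsaScenario encrypts msg to `to` with RSA-OAEP; true means the receiver opens it and the third party does not.
func rsaScenario(to *rsa.PublicKey, receiver, third *rsa.PrivateKey, msg []byte) bool {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
	check(err)
	rPlain, rErr := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, ct, nil)
	tPlain, tErr := rsa.DecryptOAEP(sha256.New(), rand.Reader, third, ct, nil)
	return reads(rPlain, rErr, msg) && !reads(tPlain, tErr, msg)
}

// runScenarios plays the article's scenarios between sender A, intended receiver B and eavesdropper E,
// who sees every ciphertext, and maps scenario number to "confidentiality achieved" (B reads, E does not).
// Scenario 4 is omitted because A has no way to obtain B's private key.
func runScenarios() map[int]bool {
	msg := []byte("constructed sample message for the confidentiality demo")
	a, b, e := newKey(), newKey(), newKey()
	out := map[int]bool{}
	// Scenario 1: A and B share a 256-bit secret key; E holds some other key.
	shared, wrong := randBytes(32), randBytes(32)
	ct := symmetricEncrypt(shared, msg)
	bPlain, bErr := symmetricDecrypt(shared, ct)
	ePlain, eErr := symmetricDecrypt(wrong, ct)
	out[1] = reads(bPlain, bErr, msg) && !reads(ePlain, eErr, msg)

	// Scenario 2: "encrypting with A's private key" is, in RSA, the signing operation. The message travels
	// in the clear beside the signature, and anyone holding A's public key, B and E alike, verifies it:
	// authenticity and non-repudiation, not confidentiality.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, a, crypto.SHA256, digest[:], nil)
	check(err)
	bReads := rsa.VerifyPSS(&a.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil
	eReads := bReads // E holds the same public key and sees the same cleartext
	out[2] = bReads && !eReads
	out[3] = rsaScenario(&a.PublicKey, b, e, msg) // Scenario 3: encrypted to A's own key; B cannot open it
	out[5] = rsaScenario(&b.PublicKey, b, e, msg) // Scenario 5: encrypted to B's key; B opens it, E cannot
	return out
}

func main() {
	fmt.Println(runScenarios()) // map[1:true 2:false 3:false 5:true]
}
```

The printed map matches the summary table: only the shared secret key (scenario 1) and the receiver's public key (scenario 5) keep the message away from E. RSA-OAEP with a 2048-bit key can carry at most 190 bytes of message with SHA-256, so for anything longer the usual practice is to combine the two cases: encrypt the message with a fresh symmetric key and encrypt that key to the receiver's public key.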


The following table summarizes the above scenarios:


| Case | If sender encrypts the message by | Which receiver can decrypt the message | Confidentiality achieved or not |
|------|-----------------------------------|----------------------------------------|---------------------------------|
| 1. | Symmetric/Secret key | Only the receiver having the symmetric/secret key | Achieved |
| 2. | Sender's private key | Any receiver having the sender's public key | Not achieved |
| 3. | Sender's public key | Only the sender can decrypt the message; no receiver can | Not achieved, as source and destination are the same |
| 4. | Receiver's private key | Not possible, as the sender cannot have the receiver's private key | Not applicable |
| 5. | Receiver's public key | Only the actual receiver | Achieved |


CISA Type Question 08-2507

A sender encrypts the message in various ways. Confidentiality cannot be achieved when the sender encrypts the message with:

  1. Symmetric Key
  2. Secret Key
  3. Receiver's Public Key
  4. Sender's public Key

Answer to CISA Type Question 08-2307


The scope and nature of a follow-up audit all depend on the engagement letter/audit charter. So, the correct answer is 3. As per the audit charter/engagement letter


2 comments:

Reg May 26th 2008 :
Name Column - Unique and null.
One point is no two nulls are equal.
In that case there can be more than
one null in name field.
Please clarify this for me.

Very useful blog.

Dear razen,
Refer to the following answer:
Answer to CISA Type Question 08-1107

Name field is unique and null. So, each name in the column should be distinct and at most one null value is allowed. If we see iii & v, both are null, which is against the UNIQUE criteria.

All others are adhering to this criteria. So, the correct answer is 2. iii & v


Two nulls will be against the principle of Uniqueness.
The column referred as unique and null can contain at most one null value.

I hope this clears it up.

Reference : Post dated July 11
