Cryptography Basics: CIA Triad, Authenticity, Accountability, and Security Challenges

Introduction to Cryptography
  • Purpose: cryptography is about keeping information safe and encrypted.
  • Core motivation: people learn cryptography to protect data and trust in systems.
  • Real-world intuition:
    • Passwords are typically encrypted and then stored; storing plain-text passwords would let an attacker read them.
    • Messages on platforms like WhatsApp are encrypted end-to-end, so others cannot read them.
  • Course aim: introduce cryptography as a field that makes information safe, trustworthy, and secure.
  • Course progression: after the introduction and syllabus, the focus shifts to security, cryptography basics, terms, and concepts.
The CIA Triad: Confidentiality, Integrity, Availability
  • Core security objectives in most cybersecurity curricula: extCIA=(extConfidentiality,extIntegrity,extAvailability)ext{CIA} = ( ext{Confidentiality}, ext{Integrity}, ext{Availability} )
  • CIA is often learned together as foundational concepts.
Confidentiality
  • Definition: protect data so that only authorized parties can access it.
  • Three example differentiators:
    • If you send a letter, confidentiality means others should not read it; use secure handling and secrecy.
    • Data confidentiality means information must be protected whether stored, transmitted, or processed.
    • Privacy is related but broader: individuals should control what information is collected, stored, and shared.
  • Data confidentiality specifics: data should be protected at rest, in transit, and during processing; unauthorized access must be prevented.
  • Privacy example: Facebook or other platforms allow you to customize who can see your information or posts.
Integrity
  • Definition: data or systems should not be altered or tampered with by unauthorized parties.
  • Two key terms:
    • Data integrity: data cannot be changed, deleted, or tampered with by unauthorized persons; for example, a grade change should come from an authorized instructor or department authority.
    • System integrity: the system should perform its intended function properly (e.g., antivirus software preventing malicious code from altering files).
  • Implication: integrity ensures that what you receive or observe is exactly what was intended by authorized actors.
Availability
  • Definition: system, data, and resources should be available to authorized users whenever needed.
  • AWS example: cloud infrastructure with regional redundancy; if one server or region fails, others can continue service and recover data; services are available across regions to ensure uptime.
  • Practical takeaway: availability means services must be usable when users need them, often requiring redundancy and failover strategies.
Authentication, Authenticity, and Accountability
  • Authenticity: ensuring that users and systems are genuine and verifiable; authentication mechanisms confirm identity.
    • Example mechanisms: multifactor authentication (MFA), dual security verification, or Google Authenticator-style verification.
    • Limitation: just using a username/password is not enough to guarantee the right person is logging in; MFA strengthens authenticity.
  • Accountability: ensuring that actions can be traced back to the responsible person or process.
    • Example: in organizations, logs and audit trails allow tracing data access and changes to specific individuals.
    • If a breach occurs, audits help determine whether an action was performed by an authorized or unauthorized actor.
Data, Privacy, and System Integrity in Practice
  • Summary of key terms:
    • Confidentiality: protect data from unauthorized access.
    • Privacy: control over what information is collected, stored, and shared by individuals.
    • Data Integrity: data cannot be altered by unauthorized parties.
    • System Integrity: systems function as intended.
    • Availability: data and services are accessible when needed.
    • Authenticity: verify identity of users and systems.
    • Accountability: traceability of actions to individuals or processes.
Challenges in Computer Security
  • Security is not as simple as the CIA terms suggest.
    • Behind-the-scenes, securing passwords and information relies on complex algorithms and cryptographic techniques.
  • Attackers think differently than designers:
    • Even if encryption is strong, attackers may succeed via unexpected paths (e.g., phishing) instead of breaking encryption directly.
    • Example concept: phishing emails directing users to click malicious links can harvest credentials or install malware.
  • Counterintuitive nature of security mechanisms:
    • A simplistic solution (e.g., just a password) is often insufficient to prevent breaches (e.g., attacker could reset or steal credentials).
  • Decision points about where to apply security controls:
    • Security mechanisms must be placed at the right places in both software architecture and network design to be effective.
    • Security relies on secret information such as encryption keys; if keys are compromised, security can fail.
    • Protocols matter: mismatched or weak protocols can undermine otherwise strong cryptography.
  • Real-world risk example:
    • RSA tokens or other authentication tokens can be compromised if secret keys used for encryption/decryption are stolen.
  • Takeaway: attackers may exploit gaps in placement, key management, or user behavior; robust security requires defense-in-depth, proper key management, and layered protocols.
Practical Takeaways and Real-World Relevance
  • Cryptography is a foundational tool for confidentiality, integrity, and availability in modern systems.
  • Authentication and accountability are essential complements to CIA to ensure trust and traceability.
  • The ecosystem includes software architecture, network design, key management, and robust protocols; all must be considered together.
  • Real-world implications include secure password storage, end-to-end encryption in messaging, privacy controls in social networks, cloud availability across regions, and auditing in organizations.
  • The lecture sets the stage for future topics on the cryptographic ecosystem, attacks, defenses, and best practices.
Quick References and Concepts to Remember
  • CIA triad: ext{CIA} = ig( ext{Confidentiality}, ext{Integrity}, ext{Availability} ig)
  • Data confidentiality requires protection in all states: at rest, in transit, and in processing.
  • Privacy vs confidentiality: privacy adds user control over data collection, storage, and sharing.
  • Data integrity vs system integrity: integrity guards data correctness; system integrity guards proper system behavior.
  • Availability relies on redundancy and failover (e.g., multi-region cloud services).
  • Authenticity strengthened by MFA and verification methods beyond usernames/passwords.
  • Accountability relies on logs and traces to identify responsible actors.
  • Security challenges include complexity, attacker creativity, counterintuitive protections, and correct placement of controls.
  • RSA and other key-based mechanisms can be compromised if keys are stolen; emphasizes the importance of key management.