Home > Uncategorized > Confidentiality without Integrity & Vice versa [re-phrased]

Confidentiality without Integrity & Vice versa [re-phrased]

Can a system provide Confidentiality without needing to provide integrity as a precursor?
Can a system provide Integrity, without having to deal with confidentiality first?

I came across this interesting piece by Nicholas Allen. I hadn’t though it was possible because i couldn’t come up with a clear example. However, he seems to somehow bring the idea home,thus i have copied this from his blog (http://blogs.msdn.com/drnick) verbatim and added a little “meat” to it to make it slightly more clear:

Confidentiality. Confidentiality means that the contents of the message are kept secret from unintended listeners. An unintended listener is typically going to be someone that is trying to eavesdrop on your messages, although it’s possible for the unintended listener to come from logging or other normal network monitoring. Confidentiality protects you from spying.

Integrity. Message integrity means that you have confidence that the message you received is the same as the one that the sender sent.

It’s possible to have confidentiality without integrity. Someone can hand you an encrypted message, and you can start changing bits in the message without knowing what those bits mean. Thus, the message could still remain confidential [as it is encrypted], but it has lost it’s integrity as the message has been tampered with.

Similarly, it’s possible to have integrity without confidentiality. You can transmit a message whose contents are in cleartext, but provide a tamper-resistant envelope for the message. Thus, the confidentiality of the message is non-existent [it is cleartext], but it cannot be tampered with [or traces of tampering shall be evident].

Practically speaking, i would say the 2 above scenarios are possible, but in the first case [Confidentiality, without integrity], the system is probably not meeting it’s requirements.

If you have further examples, ideas or comments, feel free to add them here.

Advertisements
Categories: Uncategorized
  1. Son of Adam
    September 8, 2013 at 10:35 PM

    Integrity is a broader concept than just data integrity, or consistency and correctness of information, which is to what you are referring above. Integrity also implies origin integrity, which is knowing that an entity is what it claims to be. Integrity guards against impersonation for example. One of the mechanism to protect against this threat is authentication.

    Coming to the discussion of whether confidentiality is possible without integrity, here I would say no. Because if a system has no integrity measures I can impersonate an authorized subject and request access to confidential information.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: