24

As we know, the CIA of security requirements means:

  • Confidentiality
  • Integrity
  • Availability

I don't understand why "Integrity" and "Availability" are defined:

  1. If we make a plaintext confidential, the integrity of the whole plaintext is basic, so why gild the lily there?
  2. If integrity is defined, the decrypted plaintext must be usable, so availability is gilding the lily too.
Anders
244boy
  • 9
    Not to attack your question, but do you have a proposal for an alternative? – psosuna Jan 22 '20 at 17:37
  • 4
    Integrity means that an attacker can't change the message without such a change being detected. It definitely doesn't come for free with confidentiality; a lot of obvious encryption schemes provide confidentiality but not integrity. And a lot of the time you only want integrity and not confidentiality. – rlms Jan 22 '20 at 17:45
  • 46
    If you only require confidentiality but not integrity or availability why not just securely delete all your data? It will be entirely confidential. – Vality Jan 22 '20 at 18:23
  • @rlms: in every encryption you could always provide some verification, can't you? Just obtain the md5sum of your message, encrypt this and send it along. – Quora Feans Jan 23 '20 at 14:36
  • 2
    @QuoraFeans, ...send a hash along where? On a per-block basis? Then you need to worry about blocks being reordered. At the end of the whole message? Then you can't incrementally decrypt, but need to go all the way to the end once to calculate the checksum, make sure it's correct, and then (unless you cached everything prior) decrypt *again* streaming to stdout. This is one of the big mistakes that PGP made, leading to being able to emit output for which integrity checks fail (sure, `if gnupg -o somefile -d somefile.pgp; then ...` works, but `gpg -d signedscript.gpg | sh` is utterly unsafe). – Charles Duffy Jan 23 '20 at 20:12

4 Answers

71

You're focusing on a very narrow scope here. The CIA triad is about security of a whole system, not just an encrypted message.

That being said, all elements of the triad do apply to your example:

  • Confidentiality: As you mentioned, encryption's primary purpose is to enforce confidentiality.
  • Integrity: Encryption does not automatically provide integrity. An attacker could swap an encrypted message for a previously seen encrypted message. An attacker could abuse ciphertext malleability in order to modify the plaintext without knowing the key, e.g. if a stream cipher was used without an authenticity record on the ciphertext.
  • Availability: An attacker might delete or corrupt the encrypted message, or leverage a denial-of-service (DoS) attack against the system that contains the encrypted message.
Polynomial
  • 11
    In addition to this: there might be information where we want to protect the availability or integrity, but not the confidentiality: the contact phone number on my company's website is not confidential - but it must be available and I do not want an attacker to change it. – Tobias Jan 23 '20 at 07:48
  • 1
    You don't even need an attacker for the availability. Imagine a security scheme that, in order to be confidential and integral, uses too many resources to make the message useful. Obviously no one would build such a system, considering it has a fatal design flaw, but we can point to this principle as a justification for why that is indeed fatal. – corsiKa Jan 24 '20 at 02:59
  • 2
    Note that DoS attacks against messages do not imply an online attack. It can be offline by inserting data in the message that breaks the software decrypting the message, for example the various unicode hacks that crash smartphones. – slebetman Jan 24 '20 at 06:27
42

While Polynomial's answer is outstanding, it may aid the understanding of the CIA principle to add examples of how each aspect can be broken, and how each aspect can be protected.

Confidentiality

The purpose of Confidentiality is simply put to control "Who reads what?". Confidentiality can be broken if information is leaked to an unauthorized party. What kind of information that is depends entirely on the threat model. I'll give some examples:

  • Organized criminals do not want criminal investigators to know who talks to whom. The mere indicator of communication, regardless of the content, is confidential information.
  • A spy attempting to defect to another side does not want to be traced back to. The origin of a message is as confidential as the content.

As you can see, there is more to Confidentiality than just the content of the message. Metadata matters as well, and that is hard to encrypt. In general though, encryption is a good way to gain Confidentiality. In those specific examples however, further measures need to be taken to keep all compromising information confidential.

Integrity

Integrity can be seen as the property that a message cannot be modified by an unauthorized party. Since this is often an infeasible goal, a good compromise is that any kind of unauthorized modification needs to be identifiable.

One of the first things you will learn about cryptography is to always use algorithms for what they were designed to do. Encryption is being used to guarantee Confidentiality, not Integrity.

A great example for this is the One-Time Pad. It is achieved by XOR'ing the message with a random key that is at least as long as the message. Let me give you an example. As message, we'll use

ATTACK AT 09:00

and as key, we'll use

jHiA015Ak4012Kf

This will result in the hexadecimal message

2b1c3d00737a15003f140008087b56

An attacker, knowing the rough format of the message, but not the content, can now change the ciphertext maliciously into:

2b1c3d00737a15003f140101087b56

With the same key, this will decipher into

ATTACK AT 10:00

This could prove to be a fatal outcome. The attacker still cannot read the ciphertext, so Confidentiality is still upheld, but by manipulating the ciphertext and the recipient not being able to detect that manipulation, the attacker got what they wanted.

Integrity can be upheld by adding some kind of code to the message that verifies if the message has been modified or not. A hash with a key, a cryptographic signature over a hash, etc. can all be used. The important part is that any modification to the message will be noticed, and that an attacker is not able to forge a valid authentication code themselves.

Availability

Availability is often looked down upon by those newer to security, as a kind of "nice-to-have" goal. But let me ask you: What good is a server that is perfectly encrypted and to which nobody could write, if it was offline all the time?

Availability can be judged by many metrics, depending on each individual use-case. Sometimes it's uptime, sometimes it's response time, sometimes it's performance. Each of these factors could bring down a business if it was impacted in a major way.

Imagine if StackExchange would be down for "maintenance" 90% of the time, because some skiddie in ████████████ put bringStackExchangeDown.sh in a cronjob to run every 30 minutes. And the 10% where the site was online, it would be so slow that a 54k dial up modem seems blazing fast in comparison.

You would not want to use that site, and the attacker got what they wanted. Sadly, Availability can't be improved by throwing more crypto at it. Availability can only be improved by scaling up and wide, increasing redundancy, and by fixing bugs that would reduce Availability.
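The one-time-pad walkthrough in the answer above, reproduced as an added example that is not part of the original post, with an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC) as one instance of the "hash with a key" the answer mentions. The MAC key and all function names are constructed for this illustration.

```python
import hashlib
import hmac

MESSAGE = b"ATTACK AT 09:00"   # plaintext from the answer
PAD = b"jHiA015Ak4012Kf"       # one-time pad from the answer
TAMPERED_HEX = "2b1c3d00737a15003f140101087b56"  # modified ciphertext from the answer
MAC_KEY = b"constructed-demo-mac-key-0123456789"  # assumption: constructed, independent of PAD
TAG_LEN = hashlib.sha256().digest_size


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad; the same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def seal(plaintext: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by HMAC-SHA256(ciphertext)."""
    ciphertext = otp_xor(plaintext, pad)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(sealed: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Verify the tag before decrypting; raise if the ciphertext changed."""
    if len(sealed) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: ciphertext was modified")
    return otp_xor(ciphertext, pad)


def receive_unauthenticated(ciphertext_hex: str) -> bytes:
    """Receiver without a MAC: decrypts whatever arrives, no detection."""
    return otp_xor(bytes.fromhex(ciphertext_hex), PAD)


def receive_authenticated_tampered():
    """Modified ciphertext from the answer, delivered with the original tag."""
    sealed = seal(MESSAGE, PAD, MAC_KEY)
    forged = bytes.fromhex(TAMPERED_HEX) + sealed[-TAG_LEN:]
    try:
        return open_sealed(forged, PAD, MAC_KEY)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(otp_xor(MESSAGE, PAD).hex())
    print(receive_unauthenticated(TAMPERED_HEX))
    print(open_sealed(seal(MESSAGE, PAD, MAC_KEY), PAD, MAC_KEY))
    print(receive_authenticated_tampered())
```

Confidentiality holds in both receivers; only the one that checks the tag notices that the time was changed.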

1

As other answers have mentioned, Confidentiality, Integrity, Availability is meant to apply to, like, an entire datacentre application, not a single encrypted message.

That said, there is a slightly different definition of CIA that does apply: confidentiality, integrity, authentication -- for example, see Practical Cryptography in Python, Nielson & Monson.

Confidentiality

An attacker can not read your message. This one is self-explanatory.

Integrity

An attacker can not modify your message.

I will argue that this is orthogonal to confidentiality. Consider the following cases:

  • Digital signatures provide integrity but not confidentiality; anyone can read your message, but nobody can modify it without breaking the signature.
  • Block ciphers (typically) provide confidentiality but not integrity. For example AES_CBC is famous for ciphertext malleability; even if the attacker can't read the message, malleability lets them modify the plaintext in a predictable way, for example maybe it's enough to flip a particular bit to turn a Yes into a No.
  • Authenticated Encryption with Additional Data (AEAD ciphers) fix the malleability problems of CBC mode, and thus provide both confidentiality and integrity. AES_GCM or ChaCha20_poly1305 are examples of AEAD symmetric ciphers.

Authentication

That you know with cryptographic certainty who sent the message. Again, this is orthogonal to the other two because, at its core, it comes down to making sure that only one person has access to the private key that generated this message, and that you have a reliable way to map that key to the person. Examples that provide strong authentication are signatures produced by a key in a digital certificate, or AES_GCM where you are encrypting for yourself, i.e. you know that you must have created this message because nobody else has a copy of the key.

Mike Ounsworth
-1

I received training that specified CIA is not just a mnemonic for the three words, but also a way to remember their preferred order. That is, there is an established priority of:

  1. Confidentiality
  2. Integrity
  3. Availability

in that order.

The line of reasoning is as follows:

  • If you have to lose something, confidentiality is the worst to lose. Losing availability can be inconvenient, but once data becomes available again, there may be no long-term damage. Losing integrity can be bad, but if you know about it, you can restore from backups and cease further damage. Once confidentiality is lost, data that has left the organization without authorization is often out of your control, so this problem is unfixable.
  • While availability is nice, it is better if data is reported to be unavailable, than if wrong data is given. Let's say I'm a truck driver at a truck stop, and am waiting to find out which direction to start driving. If I cannot get that information, I just sit. If I am given wrong information that I trust, then I start investing resources (burning fuel) moving in the opposite direction, causing even more work to try to undo some of the damage (by re-locating me back to near where I started, but the lost fuel is gone).
  • Of course, losing any of these things is bad. CIA just represents the order of the most important priority first.

Some people may be unconvinced that's best. I do think people may disagree with some of the above for some intelligent reasons, and come up with some convincing arguments for their alternate views.

  • A person may suggest that even wrong information, which would be a loss of integrity, such as if only some outdated information from last month is available, could sometimes be more useful than having absolutely no information, which would be a complete loss of availability. If I recognized that the information was outdated, the potential harm might be minimized while I might get some benefit from whatever I can see. So availability might be desired more than integrity.
  • As another example, keeping some information confidential might be desirable but considered to be less critical than errors in information's integrity. For instance, I might prefer that my competitors don't know some details before I publicize a plan next week. However, maybe I'd rather have that than to have my plan become entirely unusable because data corruption introduced errors into my process. So integrity could be more important than confidentiality, in some cases.

What I've taught my students is that the above order is something good to be familiar with in case it shows up on an industry exam, and is good to understand so you can intelligently consider the benefits of that standard priority, even if there appears to be some good cause to have disagreement with some aspect.

TOOGAM
  • (This answer was not made to try to duplicate and hopefully replace other answers, but to add an additional aspect that I didn't see in the other posted answers. Hopefully it is useful.) – TOOGAM Jan 22 '20 at 19:03
  • 4
    I do not understand the order. Consider the Constitution of the United States (or a system of laws in general). I want Integrity and Availability, but I don't care about Confidentiality. In fact, I specifically do not want Confidentiality. – emory Jan 22 '20 at 20:28
  • 1
    @emory In the case of the constitution, I would say that Confidentiality is satisfied, because any desired confidentiality has been sufficiently achieved (which is easy since none is desired). The first bullet point in my answer provides a sensible reason for Confidentiality to come first. You are welcome to disagree with any of the reasoning. Actually, much of my class (including me) did when I was trained in this. I recognize this, which is why the latter half of my answer addresses belief that there certainly can be compelling arguments for a different order. – TOOGAM Jan 22 '20 at 21:44
  • 3
    The priority depends on the situation. For example, if I'm sending a purchase request to Amazon, integrity is critical (I *really* don't want someone changing the delivery address), but confidentiality of what I'm ordering is only a minor concern. – Mark Jan 22 '20 at 23:26
  • _"Losing integrity can be bad, but if you know about it..."_ But knowing about it is exactly what integrity is: "is this the message that was actually sent?" – cjs Jan 23 '20 at 05:22
  • @Curt : The definition of integrity used in my training is: the data is accurate (unaltered). So, verification would be a slightly different concept than that. (I could have unverified integrity. Whether a person is actually lying, or telling the truth is a slightly different concept than whether someone else has verified the truth of what has been said.) – TOOGAM Jan 23 '20 at 06:20
  • Implicit in the definition is that you _know_ if the data is unaltered or not. "I know the data have not been altered" allows you to trust that the data is accurate; in either of the other two cases, "I do not know if the data have been altered or not" and "I know the data have been altered" your reaction must be the same: not to trust it. – cjs Jan 23 '20 at 06:35
  • 4
    I would say the assumption that "*In general*, Confidentiality is more important than Integrity is more important than Availability" is not a true statement. It may be true for some use-cases, but certainly not all. It depends on each individual threat model. –  Jan 23 '20 at 07:19
  • Of course all 3 are desired, but consider losing each for one hour. After an hour, all is fixed. Which is the worst? Confidentiality: when double-clicking on the name of a spreadsheet file containing SSNs and passwords, a copy gets posted onto a Russian Hacker site. Integrity: when double-clicking on the name of a spreadsheet file containing SSNs and passwords, the wrong data is opened so a picture of Mickey Mouse opens up on the screen. Availability: When double-clicking on the name of a spreadsheet file, a message reports permission is denied, even though you should have full access. – TOOGAM Jan 23 '20 at 14:41
  • 2
    @TOOGAM In a lot of situations you don't care about confidentiality at all. Consider for instance a control network for a car; you don't care if an attacker can read the commands you are sending, but you want to be sure that the attacker can't modify them, to make you swerve off the road - and you want to make sure that the command interface is always available. – vidarlo Jan 23 '20 at 18:48
  • 1
    Sigh... people just don't seem to understand... I know this. The confidentiality clause is only intended to apply to information that needs to remain confidential. Not all information needs to be confidential, in which case there is no unmet need to secure info, so the confidentiality clause is specified. These guidelines are worthy for consideration and any actual implementation should be suitably customized to make sure it applies to whatever real needs that actually exist. I never said these were hard and fast unbendable rules... In fact the second half of the answer addresses just that. – TOOGAM Jan 23 '20 at 19:20
  • @TOOGAM I think I understand your point, but I do not agree with it. I will try to think of a counterexample. My counter example must be something where confidentiality is required (unlike the Constitution) but is less important. – emory Jan 23 '20 at 19:58
  • @emory : The point I'm trying to make, in these comments, is I recognize the view in the first part of the answer is something that people (including myself) may disagree with. Before trying hard to make another example of a priority list different than this answer's, can you acknowledge that I understand there are different views (and may hold those other views myself)? I was taught this official list of priorities (by Cisco or Microsoft, I think), so these are good to understand. If someone understands this, that's great, even if they disagree. The other views may even be better. I get that. – TOOGAM Jan 23 '20 at 20:51
  • @TOOGAM I think your point wrt constitution is that we can assign infinite importance to meeting the minimum confidentiality requirement of the constitution b/c there is an extremely minimum confidentiality requirement. This makes sense. I have to think of a scenario where confidentiality is required but it is less important. – emory Jan 23 '20 at 21:03
  • @emory Maybe police/fire brigade radio? Sure it is 'nice' if bank robbers cannot get information about police location but the real problem is if police cannot coordinate response as they are fed false information (integrity) or system is down (availability). In most situations when someone calls 911 it is good to have confidentiality but availability is probably more important. – Maciej Piechotka Jan 24 '20 at 06:13
  • @TOOGAM You can't at the same time say that you understand that threat models differ for every application and then say "In general Confidentiality is the most important". Those two statements are directly contradictory. The importance of every of these three aspects is directly dependent on the threat model. If you have no threat model, you can't say anything about how important any of these three aspects are. –  Jan 24 '20 at 11:05
  • @MechMk I didn't. You're quoting your own comment and ascribing it to me. However, even if I did say such a thing, I can say that I understand one concept, and yet attempt to intelligently discuss another contradictory concept. My answer said "The line of reasoning", not necessarily "My line of reasoning which I strongly back in all scenarios". When I first learned this, I instantly had doubts/disagreements, but set aside such objections when this became presented as a useful tool to study/consider (even if not something I must adhere to in all cases). – TOOGAM Jan 24 '20 at 11:24
  • @MaciejPiechotka : I noted earlier, "Before"... "another example of a priority list different than this answer's, can you acknowledge that I understand there are different views (and may hold those other views myself)?" You didn't do that, but contributed another priority list. My (still unedited) answer acknowledges "some intelligent reasons" behind alternate priorities, and there can be "some convincing arguments" for them. If someone wants to discuss which priority list is best, that may be worthy of being a separate site question. So what's the point behind trying to list other priorities? – TOOGAM Jan 24 '20 at 11:38
  • 2
    @TOOGAM There is only one correct view - none of these is "generally" more important than the others. Instead, the importance depends on a given use case. Sometimes Confidentiality matters the most. Sometimes availability does. Many times all three are equally important. Trying to order these is like trying to order flavors of ice cream. People aren't objecting to your chosen order. They are objecting to the fact that you tried to order them in the first place (at least, that's why I downvoted this). – Conor Mancone Jan 24 '20 at 14:37