
I'm trying to understand the CIA triad. I read that all three parts of the triangle exclude each other, but I don't understand why you can't have full integrity and full confidentiality? I figure you get integrity with encryption and maybe some other restrictions, but how does that hurt confidentiality?

Thanks.

hansn
  • Where did you read that they exclude each other? – Graham Hill Nov 04 '14 at 11:35
  • It would help if you included a link to where you read they exclude each other (I can't see this being mentioned in the link you provide), but perhaps it's also more of a question for the author of the article you read. For more info on the CIA Triad refer to a [related post in our blog](http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/). They're (arguably) three core components of IT security, so they're supposed to be approached in conjunction. Claiming otherwise would have to be explained by its author, not us. – TildalWave Nov 04 '14 at 11:37
  • Integrity and confidentiality are two different things. You can have full integrity and full confidentiality at the same time, theoretically speaking of course, as there is NO full confidentiality nor full integrity in real life. – Ulkoma Nov 04 '14 at 11:46
  • @GrahamHill I'm taking a class at HIST, a Norwegian school, and I got this assignment: "explain why all three parts of the CIA triad are contrary to each other and need to be weighed against each other". The assignment is in Norwegian so my translation might not be 100 percent, but I will consult the teacher about it and post back. – hansn Nov 04 '14 at 14:07
  • "contrary" can have a few connotations. I'm actually very curious what the intended meaning is. – schroeder Nov 04 '14 at 15:39
  • @hansn Do you have an update? Is it a translation error? The link you include with your question even indicates that the three parts work together and don't 'exclude' one another. – schroeder Nov 06 '14 at 16:03
  • @schroeder I finally got an answer from the teachers. I asked why integrity excludes availability and confidentiality and this is the explanation I got: "Confidentiality means no access. Integrity means read access. Availability means read and write access. It's the methods used in the OS on files." – hansn Nov 28 '14 at 20:21
  • @hansn This explanation is a complete over-simplification of the concepts. It is so simple, it's wrong. – schroeder Nov 28 '14 at 21:12
  • hansn - as schroeder says, that is just wrong, I'm afraid. In all 3 parts. – Rory Alsop Nov 28 '14 at 21:21
  • @schroeder does it make more sense if we're only thinking in terms of local networks? – hansn Nov 28 '14 at 22:41
  • @hansn No. It really, really doesn't matter. – schroeder Nov 28 '14 at 22:56

1 Answer


You can have both integrity and confidentiality. There is no such "exclusion". However, you must remember that they are different things provided by distinct algorithms. Piling layers of encryption does not provide integrity.

Integrity is normally obtained with a MAC, while confidentiality relies on encryption. Combining encryption and a MAC algorithm properly is known to be tricky; e.g. SSL/TLS got it wrong and it generated an endless stream of attacks that can be thwarted only with extreme care in their implementation.

Thomas Pornin
  • Just because I'm pedantic, and I know you know this, but for the reader: new encryption modes like GCM do provide confidentiality. The old saw that encrypting data does not prevent changing that data has some rust. – atk Nov 05 '14 at 01:48
  • @atk But that's not because the data is encrypted, it's because GCM incorporates a MAC (the tag) on top of the encrypted data. It's the same model, it's just that the MAC is now a mandatory component of the implementation. – Xander Nov 05 '14 at 14:40
  • @Xander, Absolutely correct :-) The GCM encryption mode includes data integrity via a MAC/hash. However, it's still called an encryption mode, which 'weakens' (for lack of a better word) the statement that 'encryption doesn't provide integrity.' Or maybe better stated, it blurs the lines so they are no longer as brightly drawn, in the eyes of the nonexpert. – atk Nov 05 '14 at 16:10
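The answer states that integrity comes from a MAC while confidentiality comes from encryption, and the comments add that GCM only provides both because its tag is a built-in MAC. The Python script below is an added example written for this page; it is not code from the answer, the commenters, or any library. It uses a toy keystream cipher (constructed here for illustration only, with the keystream derived from HMAC-SHA256 over a nonce and counter) to show that encryption alone lets a one-byte change to the ciphertext produce a predictable change in the decrypted plaintext that nothing detects, while wrapping the same ciphertext with an encrypt-then-MAC tag causes the change to be rejected before decryption. The message text, keys and nonce are constructed sample values. Only the standard library is used so it runs offline; AES-GCM would give the same outcome with the tag as a mandatory part of the mode.

```python
import hmac
import hashlib
import secrets

NONCE_LEN = 16   # bytes of nonce prepended to each message (assumption for this example)
TAG_LEN = 32     # HMAC-SHA256 tag length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream for illustration only (not a real cipher):
    block i = HMAC-SHA256(key, nonce || i). XORing with it hides the
    plaintext from a passive reader but, like any stream cipher, it is
    malleable: flipping a ciphertext bit flips the same plaintext bit."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: ciphertext = plaintext XOR keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_only = encrypt_only  # XOR with the same keystream is its own inverse


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity: encrypt, then HMAC over nonce || ciphertext
    with a separate key. Output layout: nonce || ciphertext || tag."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Return the plaintext, or None if the tag does not match.
    The tag is checked (in constant time) before anything is decrypted."""
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, nonce, ct)


def xor_byte(data: bytes, index: int, mask: int) -> bytes:
    """Apply an XOR mask to one byte of a message (models a single-byte change in transit)."""
    b = bytearray(data)
    b[index] ^= mask
    return bytes(b)


def demo(enc_key: bytes = None, mac_key: bytes = None, nonce: bytes = None) -> dict:
    """Run both cases on a constructed sample message and report the outcomes."""
    enc_key = enc_key or secrets.token_bytes(32)
    mac_key = mac_key or secrets.token_bytes(32)
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    plaintext = b"transfer amount=0100 to=alice"   # constructed sample message
    offset = plaintext.index(b"0100")              # position of the digit to alter
    mask = ord("0") ^ ord("9")                     # XOR mask that turns '0' into '9'

    # Case 1: encryption only. Changing one ciphertext byte changes the decrypted
    # plaintext in a predictable way, and the receiver has no way to notice.
    ct = encrypt_only(enc_key, nonce, plaintext)
    tampered_pt = decrypt_only(enc_key, nonce, xor_byte(ct, offset, mask))

    # Case 2: encrypt-then-MAC. The same one-byte change invalidates the tag,
    # so decrypt_and_verify returns None instead of a forged plaintext.
    msg = encrypt_then_mac(enc_key, mac_key, nonce, plaintext)
    tampered_msg = xor_byte(msg, NONCE_LEN + offset, mask)

    return {
        "tampered_plaintext": tampered_pt,
        "verified_original": decrypt_and_verify(enc_key, mac_key, msg),
        "tampered_rejected": decrypt_and_verify(enc_key, mac_key, tampered_msg) is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the two cases is the one the answer makes: the encryption step is identical in both, and the only thing that turns a silently altered amount into a rejected message is the MAC, computed with its own key over the ciphertext and checked before decryption.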