Does Symmetric Key provide Integrity Security Services or only Confidential

CISSPGOAL Member Posts: 27
Hi,

Does Symmetric Key provide Integrity Security Services or only Confidential Security services?

Thank You.

Comments

  • goatama Member Posts: 181
    The answer is twelve. Or C. Depending on which version you're using.
    WGU - MSISA - Done!!
    Next up: eCPPT, eWDP, eWPT, eMAPT
  • philz1982 Member Posts: 978
    Symmetric and Asymmetric keys provide confidentiality. Remember the key proves identity. A public key encrypted message can only be opened with your private key.

    Integrity would be validated by Hashes like SHA and MD. The hash is mathematically different for each data-set. Depending on the form of hashing, if a single bit is changed the hash will be different and thus will show integrity has been violated.
  • Spin Lock Member Posts: 142
    Confidentiality ensures that only entities that possess the appropriate key can read the encrypted message. Message integrity ensures that the message that was received is identical to the message that was sent. In other words, the message wasn't accidentally or intentionally modified in transit.

    A cryptographic algorithm can provide confidentiality but not message integrity (with two possible exceptions - CBC-MAC and CMAC. More on this below).

    Message integrity is provided by using hashing algorithms like MD5 or SHA-256. Message Integrity checks can be further divided into those that protect against accidental modification and those that protect against intentional changes.

    Generating a hash (message digest) based only on the message content will protect against accidental changes to your message while it is in transit. For example, communication errors that cause a bit to flip can be caught by sending the message plus the message's hash. However, that won't protect you from someone who intercepts the message before the recipient gets it, changes the message *AND* generates a new hash value for the modified message. In this case, when the intended recipient gets the message he won't know the message was modified because the hash value will match.

    To protect against this type of intentional modification of the message and the hash value, keyed hash values such as HMAC are used. An HMAC is the hash value based on the message and the sender's secret key. The secret key is appended to the end of the message and combined message+key is hashed. The recipient knows the secret key as well, so when the message is received, he will generate an HMAC based on the received message plus the secret key he already has. The resulting value should match the HMAC value that was sent over with the message. By including the key in the hash, an attacker who intercepts the message is unable to generate a new HMAC value because he doesn't have the secret key.

    Finally, there are two cases when a symmetric algorithm is used to provide message integrity:
    1. CBC-MAC
    2. CMAC

    Both of the above methods generate a message authentication code (MAC) that isn't generated by a hashing algorithm like MD5 or SHA-256. Instead, the MAC is generated using the CBC mode of AES. Normally the CBC mode of AES is used to encrypt the plaintext message and thus provide confidentiality. But in this case CBC is being used just to generate a MAC value for message integrity. This is called CBC-MAC.

    CMAC is similar to CBC-MAC. It's based on CBC mode and is more secure than CBC-MAC.

    You should also be aware of digital signatures - which act like MACs in that they provide message integrity, but they also provide non-repudiation and work with asymmetric algorithms, not symmetric.
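
The difference between an unkeyed digest and a keyed HMAC described in the comment above, as an added example that is not part of the original thread. It uses Python's standard `hashlib` and `hmac` modules; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not from the thread).
KEY = b"shared-secret-known-to-sender-and-recipient"
ORIGINAL = b"transfer 100 to account 1111"
TAMPERED = b"transfer 900 to account 2222"


def digest_tag(message: bytes) -> bytes:
    """Unkeyed SHA-256 digest: anyone holding the message can recompute it."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed tag (HMAC-SHA-256): computing it requires the shared secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(digest_tag(message), tag)


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the check does not leak
    # how many leading bytes of the tag matched.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a transmission error by flipping the low bit of one byte."""
    return data[:index] + bytes([data[index] ^ 1]) + data[index + 1:]


def run_cases() -> dict:
    corrupted = flip_bit(ORIGINAL, 5)
    return {
        # Accidental change: both the digest and the HMAC detect it.
        "digest_catches_bit_flip": not verify_digest(corrupted, digest_tag(ORIGINAL)),
        "hmac_catches_bit_flip": not verify_hmac(KEY, corrupted, hmac_tag(KEY, ORIGINAL)),
        # Message replaced and digest recomputed: the unkeyed check still passes.
        "digest_accepts_replaced_pair": verify_digest(TAMPERED, digest_tag(TAMPERED)),
        # Without KEY, neither an unkeyed digest nor a tag under a guessed key verifies.
        "hmac_rejects_unkeyed_tag": not verify_hmac(KEY, TAMPERED, digest_tag(TAMPERED)),
        "hmac_rejects_wrong_key_tag": not verify_hmac(
            KEY, TAMPERED, hmac_tag(b"guessed-key", TAMPERED)),
        # The untouched message with its real tag is accepted.
        "hmac_accepts_original": verify_hmac(KEY, ORIGINAL, hmac_tag(KEY, ORIGINAL)),
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {ok}")
```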