Does Cryptography support "Availability" or not?
On page 219 of the ISC2 book it says it does not:
Official (ISC)2 Guide to the CISSP CBK - Google Books
While on page 226 it says it does!
Can someone clarify that for me, does Cryptography support CIA or not?
Comments
No it would support confidentiality.
I would say not availability. It does go hand in hand with CIA though. I would say it deals with confidentiality and even integrity depending on how you look at it, but I don't see how it deals with availability unless they are saying that crypto systems that aren't working will make the data unreadable.
I would have agreed with you on the integrity but I would say that would be something like hashing. You're the CISSP though, I only studied for the S+ lol.
http://www.techexams.net/forums/isc-sscp-cissp/55724-questions-about-cissp-access-control-domain.html
http://www.techexams.net/forums/isc-sscp-cissp/55861-minimum-password-security-requirement.html
Just to confirm, hashing is part of cryptography.
Sorry. I should mention that I was taking Cryptography and making it encryption. My mistake. Also yea I know they are all one big happy family lol.
Cryptography supports "Authenticity" through:
- Hash functions.
- Digital signatures.
- MAC (Message Authentication Codes), (aka., Checksum).
But that isn't part of the CIA triad, technically correct?
I vote
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
Authenticity and integrity are pretty much the same thing, integrity meaning the message has not been tampered with, authentic meaning it is an actual communication from the expected source.
If a real or "authentic" communication originates from a trusted source and is then altered, thereby compromising its integrity, it is no longer the original or authentic message.
I send 123ABC authentic and integral and it's altered to 1233ABC it's no longer authentic or integral.
Cryptography Integrity is done through hash functions, digital signatures, and MACs.
The issue is that if a question came up in my CISSP exam asking whether cryptography supports CIA or not, what would be the accurate answer?
Excellent points guys; I was going to say the same thing.
Also, keep in mind that it's not likely you'll get a question asking something like, "Does cryptography facilitate availability?" There aren't many trivia-style questions on this exam. You'll more than likely be presented with a scenario that you'll have to apply your knowledge to. I could see the answer going either way depending on the circumstances.
Right, one note that I will put here is that a lot of encryption systems use "hybrid" encryption. This is usually for speed reasons: they will encrypt the cipher text with a symmetric key, and encrypt the symmetric key with asymmetric encryption.
A book that brought me leaps and bounds in understanding this was a MS Press book written specifically about Microsoft's PKI environment.
If I were you I would really study public key encryption, for a couple of reasons, but mainly because you need this info for the exam.
Yes, you found a way to explain it better than I did, but that was the point I was trying to make. Thanks JD.
Saright...
Cryptography provides confidentiality, integrity and "NON-REPUDIATION". It does not provide availability because crypto does not care if you get the message or not, it only cares about one of the three above.
Digital signatures provide non-repudiation because once someone digitally signs an email, they cannot deny sending the email, and they sign it using their private key, which no one should have access to except the owner.
If Bob sends Alice an email and Bob wants ONLY Alice to read the email, he should encrypt it with Alice's public key so only Alice can unencrypt with her private key.
If Bob sends Alice an email and Alice wants to make sure Bob was the only person who sent the email and not an imposter, then Bob should digitally sign the email to provide non-repudiation.
Availability has more to do with servers or services being available whenever they are needed, such as access to a share drive or being able to send and receive email.
For example, the use of cryptography can ensure the integrity and confidentiality of an email message but has nothing to do with whether the email server is actually up and running or accessible.
What is the source that you found that says cryptography supports availability?
If it's using Symmetric cipher then it does NOT provide "NON-REPUDIATION".
So to be accurate, Cryptography supports Integrity, Confidentiality, and Authenticity, and could support Non-repudiation and proof of origin if it's using Asymmetric cipher.
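The distinction argued in the posts above (a shared-key MAC versus a digital signature), as an added example that is not part of the original thread. It reuses the "123ABC" message from the discussion; the key, the toy RSA parameters and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the "123ABC" message from the thread and its altered form.
ORIGINAL, TAMPERED = b"123ABC", b"1233ABC"
SHARED_KEY = b"constructed-demo-key"  # held by BOTH Bob and Alice

def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag; anyone holding `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)

# Toy textbook RSA (no padding, ~150-bit modulus built from two Mersenne primes).
# Illustration only; real systems use a vetted library and keys of 2048 bits or more.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key, known to Alice
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known only to Bob

def digest_int(message: bytes) -> int:
    """SHA-256 of the message, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def rsa_sign(message: bytes, d: int = D) -> int:
    return pow(digest_int(message), d, N)

def rsa_verify(message: bytes, signature: int) -> bool:
    """Needs only the public values N and E."""
    return pow(signature, E, N) == digest_int(message)

def demo() -> dict:
    bob_tag = mac_tag(SHARED_KEY, ORIGINAL)
    alice_tag = mac_tag(SHARED_KEY, ORIGINAL)  # Alice can produce the very same tag
    sig = rsa_sign(ORIGINAL)
    return {
        "mac_detects_tampering": not mac_verify(SHARED_KEY, TAMPERED, bob_tag),
        "mac_tags_indistinguishable": bob_tag == alice_tag,
        "sig_valid": rsa_verify(ORIGINAL, sig),
        "sig_detects_tampering": not rsa_verify(TAMPERED, sig),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both mechanisms detect the alteration, but the MAC tag proves only that some holder of the shared key produced it, while the signature can be checked by anyone with the public key and produced only with the private exponent.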
I wouldn't include availability in a strict definition of cryptography, but things aren't black-and-white like that on the CISSP exam or in the real world.
edit: s2008, while you're correct, cryptography is an over-arching term that includes all those items, so I think his statement was fair. I could also pick apart your statement and say only some aspects of cryptography support confidentiality. It's a pointless argument.
Crypto doesn't "care" about anything, including C-I-A. Crypto is a tool that is used to achieve C-I-A.
I control telecommunication systems that would be impossible to keep available if it weren't for the crypto used in their authentication and transport systems. They would simply be too easy to compromise, and they would be.
None of this supports your assertion that crypto does not support availability.
omg, what terrible advice....
That's nice. Let's not be mature and have a genuine discussion or anything...
The only response I'll make to this is,
1. If you disagree with someone "respectfully" state your reasons and back that up with some logic and explanations of said logic.
2. JD is a very knowledgeable and competent member of TE and takes the time to contribute here; he deserves your respect even if you don't think so, he certainly doesn't deserve disrespect.
I can tell you that if you work in this industry and make your living this way you will eventually need some help or advice and I personally use this site and its members to help me advance my knowledge base, thereby my career and bank account. Either you don't work in the industry or at a high enough level to see it that way or you haven't realized that yet.
Either way you're likely to find yourself needing folks like me and JD at some point, so it's probably in your best interest to play nice.