Does Cryptography support "Availability" or not?

s2008

In page 219 of ISC2 book it says it does not:

Official (ISC)2 Guide to the CISSP CBK - Google Books

While in in page 226 it says it does!

Can someone clarify that for me, does Cryptography support CIA or not?

Bl8ckr0uter

s2008 wrote: »

In page 219 of ISC2 book it says it does not:

Official (ISC)2 Guide to the CISSP CBK - Google Books

While in in page 226 it says it does!

Can someone clarify that for me, does Cryptography support CIA or not?

No it would support confidentiality.

slinuxuzer

I could be wrong, but in my opinion Cryptography is only for Confidentiality and Integrity. There may be some implementations that can feasibly be said to support availability, but for the exam I would stick with this answer.

kriscamaro68

s2008 wrote: »

In page 219 of ISC2 book it says it does not:

Official (ISC)2 Guide to the CISSP CBK - Google Books

While in in page 226 it says it does!

Can someone clarify that for me, does Cryptography support CIA or not?

I would say not availability. It does go hand in hand with CIA though. I would say it deals withe confidentiality and even integrity depending on how you look at it but I don't see how it deals with availability unless they are saying that crypto systems that aren't working will make the data unreadable.

Bl8ckr0uter

slinuxuzer wrote: »

I could be wrong, but in my opinion Cryptography is only for Confidentiality and Integrity. There may be some implementations that can feasibly be said to support availability, but for the exam I would stick with this answer.

I would have agreed with you on the integrity but I would say that would be something like hashing. Your the CISSP though, I only studied for the S+ lol.

s2008

Thank you knwminus, slinuxuzer, and kriscamaro68 for the prompt response, so for my CISSP exam (after one week) I will say that Cryptography supports only Integrity, Confidentiality, and Authenticity BUT NOT (Availability which is part of CIA).

I hope you guys answer my other two threads here:
http://www.techexams.net/forums/isc-sscp-cissp/55724-questions-about-cissp-access-control-domain.html
http://www.techexams.net/forums/isc-sscp-cissp/55861-minimum-password-security-requirement.html

broc

knwminus wrote: »

I would have agreed with you on the integrity but I would say that would be something like hashing. Your the CISSP though, I only studied for the S+ lol.

Just to confirm, hashing is part of cryptography.

Bl8ckr0uter

broc wrote: »

Just to confirm, hashing is part of cryptography.

Sorry. I should mention that I was taking Cryptography and making it encryption. My mistake. Also yea I know they are all one big happy family lol.

s2008

knwminus wrote: »

Sorry. I should mention that I was taking Cryptography and making it encryption. My mistake. Also yea I know they are all one big happy family lol.

Cryptography supports "Authenticity" through:
- Hash functions.
- Digital signatures.
- MAC (Message Authentication Codes), (aka., Checksum).

Bl8ckr0uter

s2008 wrote: »

Cryptography supports "Authenticity" through:
- Hash functions.
- Digital signatures.
- MAC (Message Authentication Codes), (aka., Checksum).

But that isn't part of the CIA triad, technically correct?

s2008

knwminus wrote: »

But that isn't part of the CIA triad, technically correct?

What I understand so far that Cryptography supports Integrity, Confidentiality, and Authenticity but does not support "Availability", so technically speaking Cryptography does not fully support CIA (Confidentiality, Integrity, Availability).

wastedtime

While I agree with the above posts. I just wanted to add a bit of real world experience where the lack of confidentiality/authenticity/integrity leads to a lack of availability. I have been in areas that a lack of an encryption device or proper keys for it will lead to no network access or no communication. While it isn't direct relationship, one does lead to the other.

JDMurray

Will removing cryptographic capabilities from a system possibly affect the system's availability? If so, crypto supports the concept of Availability.

I vote

slinuxuzer

s2008 wrote: »

What I understand so far that Cryptography supports Integrity, Confidentiality, and Authenticity but does not support "Availability", so technically speaking Cryptography does not fully support CIA (Confidentiality, Integrity, Availability).

Authenticity and integrity are pretty much the same thing, integrity meaning the messeage has not been tampered with, authentic meaning it is an actual communication from the expected source.

If a real or "authentic" communication originates from a trusted source and is then altered there by compromising it's integrity, it is no longer the original or authentic message.

I send 123ABC authentic and integral and it's altered to 1233ABC it's no longer authentic or integral.

s2008

slinuxuzer wrote: »

Authenticity and integrity are pretty much the same thing, integrity meaning the messeage has not been tampered with, authentic meaning it is an actual communication from the expected source.

If a real or "authentic" communication originates from a trusted source and is then altered there by compromising it's integrity, it is no longer the original or authentic message.

I send 123ABC authentic and integral and it's altered to 1233ABC it's no longer authentic or integral.

what I understand so far that Cryptography Authenticity is done through the control of the keys, the secret key in case of the symmetric ciphers, and the public/private keys in case of Asymmetric ciphers.

Cryptography Integrity is done through hash functions, digital signatures, and MACs.

s2008

JDMurray wrote: »

Will removing cryptographic capabilities from a system possibly affect the system's availability? If so, crypto supports the concept of Availability.

I vote

The issue that if a question came in my CISSP exam asking whether Cryptographic supports CIA or not, what shall be the accurate answer?

dynamik

wastedtime wrote: »

While I agree with the above posts. I just wanted to add a bit of real world experience where the lack of confidentiality/authenticity/integrity leads to a lack of availability. I have been in areas that a lack of an encryption device or proper keys for it will lead to no network access or no communication. While it isn't direct relationship, one does lead to the other.

JDMurray wrote: »

Will removing cryptographic capabilities from a system possibly affect the system's availability? If so, crypto supports the concept of Availability.

I vote

Excellent points guys; I was going to say the same thing.

Also, keep in mind that it's not likely you'll get a question asking something like, "Does cryptography facilitate availability?" There aren't many trivia-style questions on this exam. You'll more than likely be presented with a scenario that you'll have to apply your knowledge too. I could see the answer going either way depending on the circumstances.

s2008

dynamik wrote: »

keep in mind that it's not likely you'll get a question asking something like, "Does cryptography facilitate availability?" There aren't many trivia-style questions on this exam. You'll more than likely be presented with a scenario that you'll have to apply your knowledge too. I could see the answer going either way depending on the circumstances.

Then that is fair......

slinuxuzer

s2008 wrote: »

what I understand so far that Cryptography Authenticity is done through the control of the keys, the secret key in case of the symmetric ciphers, and the public/private keys in case of Asymmetric ciphers.

Cryptography Integrity is done through hash functions, digital signatures, and MACs.

Right, one note that I will put here is that alot of encryption systems use "hybrid" encryption, this is usually for speed reasons, they will encrypt the cipher text with a symmetric key, and encrypt the symmetric key with asymmetric encryption.

A book that brought me leaps and bounds in understanding this was a MS Press book written specifically about Microsoft's PKI envrionment.

If I were you I would really study public key encryption, for a couple of reasons, but mainly because you need this info for the exam.

veritas_libertas

That was a fun thread to read....

JDMurray

slinuxuzer wrote: »

Authenticity and integrity are pretty much the same thing, integrity meaning the messeage has not been tampered with, authentic meaning it is an actual communication from the expected source.

You mean to say that an inauthentic (forged, spoofed) message can't have integrity? And that a message proved to have integrity is also proved to be authentic? Apples and oranges it would seem; not the same things at all.

slinuxuzer

JDMurray wrote: »

You mean to say that an inauthentic (forged, spoofed) message can't have integrity? And that a message proved to have integrity is also proved to be authentic? Apples and oranges it would seem; not the same things at all.

Yes, you found a way to explain it better than I did, but that was the point I was trying to make. Thanks JD.

JDMurray

slinuxuzer wrote: »

Yes, you found a way to explain it better than I did, but that was the point I was trying to make. Thanks JD.

Saright...

novaterriers

hey guys, its my first post and i would like to thank the administrator for allowing me access to this board. I recently took larry greenblatt's bootcamp and just took the exam this past saturday. I do not know my results yet but I wanted to respond to this post because it is very testable as larry would say....

cryptography provides confidentiality, integrity and "NON-REPUDIATION". It does not provide availability because crypto does not care if you get the message or not, it only cares about one of the three above.

digital signatures provide non-repudiation because once someone digitally signs an email, then can not deny sending the email. and they sign it using their private key which no one should have access to except the owner.

If bob sends alice an email and bob wants ONLY alice to read the email, he should encrypt it when alice's public key so only alice can unencrypt with her private key.

if bob sends alice an email and alice wants to make sure bob was the only person who sent the email and not an imposter, then bob should digitally sign the email to provide non-repudiation.

burneweb

I am also in the majority that says that Cryptography addresses Integrity and Confidentiality but not availability.

Availability has more to do with servers or services being available whenever they are needed, such as access to a share drive or being able to send and recieve email.

For example, the use of cryptography can ensure the integrity and confidentiality of an email message but has nothing to do with whether the email server is actually up and running or accessible.

What is the source that you found that says cryptography supports availability?

s2008

novaterriers wrote: »

cryptography provides confidentiality, integrity and "NON-REPUDIATION". It does not provide availability

You are right ONLY if the cryptography was using Asymmetric cipher.

If it's using Symmetric cipher then it does NOT provide "NON-REPUDIATION".

So to be accurate, Cryptography supports Integrity, Confidentiality, and Authenticity, and could support Non-repudiation and proof of origin if it's using Asymmetric cipher.

dynamik

The point people are making is that cryptography can influence and affect availability. If someone sniffs your credentials sent via telnet, logs into your server, and issues an rm -rf /, your server's availability will probably be significantly affected. Had you been using SSH, that attack would not have been possible.

I wouldn't include availability in a strict definition of cryptography, but things aren't black-and-white like that on the CISSP exam or in the real world.

edit: s2008, while you're correct, cryptography is an over-arching term that includes all those items, so I think his statement was fair. I could also pick apart your statement and say only some aspects of cryptography support confidentiality. It's a pointless argument.

JDMurray

novaterriers wrote: »

cryptography provides confidentiality, integrity and "NON-REPUDIATION".

Non-repudiation is part of integrity.

novaterriers wrote: »

It does not provide availability because crypto does not care if you get the message or not, it only cares about one of the three above.

Crypto doesn't "care" about anything, including C-I-A. Crypto is a tool that is used to achieve C-I-A.

I control telecommunication systems that would be impossible to keep available if it weren't for the crypto used in their authentication and transport systems. They would simply be too easy to compromise, and they would be.

novaterriers wrote: »

digital signatures provide non-repudiation because once someone digitally signs an email, then can not deny sending the email. and they sign it using their private key which no one should have access to except the owner.

If bob sends alice an email and bob wants ONLY alice to read the email, he should encrypt it when alice's public key so only alice can unencrypt with her private key.

if bob sends alice an email and alice wants to make sure bob was the only person who sent the email and not an imposter, then bob should digitally sign the email to provide non-repudiation.

None of this supports your assertion that crypto does not support availability.

novaterriers

JDMurray wrote: »

Non-repudiation is part of integrity.


Crypto doesn't "care" about anything, including C-I-A. Crypto is a tool that is used to achieve C-I-A.

I control telecommunication systems that would be impossible to keep available if it weren't for the crypto used in their authentication and transport systems. They would simply be too easy to compromise, and they would be.


None of this supports your assertion that crypto does not support availability.

omg, what terrible advise....

dynamik

novaterriers wrote: »

omg, what terrible advise....

That's nice. Let's not be mature and have a genuine discussion or anything...

slinuxuzer

novaterriers wrote: »

omg, what terrible advise....

The only respone I'll make to this is,

1. If you disagree with someone "respectfully" state your reasons and back that up with some logic and explanations of said logic.

2. JD is a very knowledgable and compotent member of TE and takes the time to contribute here he deserves your respect even if you don't think so, he certainly doesn't deserve disrespect.

I can tell you that if you work in this industry and make your living this way you will eventually need some help or advice and I personally use this site and it's members to help me advance my knowledge base there by my career and bank account. Either you don't work in the industry or at a high enough level to see it that way or you haven't realized that yet.

Either way your likely to find yourself needing folks like me and JD at some point, so it's probably in your best interest to play nice.