topic Encryption granted confidentiality and integrity? in CISSP Study Group

Encryption granted confidentiality and integrity?

OliLue — Mon, 09 Oct 2023 10:31:37 GMT

Hi,

I found such question.

The sender encrypts a message with the recipient's public key. This ensures:

1 Integrity

2 Non-repudiation

3 Prof of origin

4 Confidentiality

I could mark more than one answer. For me it is 1 & 4.

unfortunately I got an incorrect for this question.

Do you have an idea? Clear, primar reason to use encryption is confidentiality........

Re: Encryption granted confidentiality and integrity?

dcontesti — Sun, 07 May 2023 20:31:02 GMT

Off the top of my head, I am going to assume that the author was going for B) Non-repudiation.

Typically these systems (non-repudiation) use digital signatures to ensure that one party cannot successfully dispute its authorship of a document or communication.

Suggest that you look at this WIKI for more explanations:

https://en.wikipedia.org/wiki/Public-key_cryptography

and

https://en.wikipedia.org/wiki/Non-repudiation

Re: Encryption granted confidentiality and integrity?

denbesten — Mon, 08 May 2023 00:51:59 GMT

Confidentiality is ensuring that the message is only readable by the intended parties and is best accomplished using the recipient's key pair.

Integrity is ensuring that the message is as intended by the sender and is best accomplished using the sender's key pair.

Although use of the recipient's public key prevents the message from being modified in transit, it does not attest to the identity of the sender, making 1, 2 and 3 much less correct than 4.

Re: Encryption granted confidentiality and integrity?

saurabh007 — Mon, 08 May 2023 06:55:43 GMT

1 Integrity - this is achieved using Hash and hashing is not encryption. this only checks if data is not tampered during the exchange.

2 Non-repudiation - this will happen if the sender encrypts using his private key and then share the public key with the recipient

3 Prof of origin - this can be achieved with CA

4 Confidentiality - this is matching the question where the sender encrypts using the recipient public key but do not achieve non repudiation and integrity.

So will go with Option 4.

Re: Encryption granted confidentiality and integrity?

OliLue — Wed, 17 May 2023 10:09:42 GMT

Great help.

In between I go with answer 4, based on the explanation of surabh007.

Thanks to all for your support.

Re: Encryption granted confidentiality and integrity?

Sam1u — Tue, 30 May 2023 08:47:33 GMT

I would choose options 1, 2 and 4.

Re: Encryption granted confidentiality and integrity?

JohnEricsson — Fri, 03 Nov 2023 14:39:34 GMT

1 Integrity

2 Non-repudiation

3 Prof of origin

4 Confidentiality

If the public key was treated in the same way as a private key then 1,2, and 4 would be true.

However the "text book" way of describing public keys is they are shared far and wide.

Therefore non-repudiation can not be claimed because anyone could encrypt the document.

There is an argument that it could protect integrity because no changes could be made to the encrypted document, but I think not for the same reasons as non-repudiation.

I COULD BE WRONG

I hate questions like this, because I add "yeah, but what if" or "but we dont know if" scenarios. I think you have to take questions at face value.

Re: Encryption granted confidentiality and integrity?

JoePete — Fri, 03 Nov 2023 15:11:27 GMT

@JohnEricsson wrote:
I hate questions like this, because I add "yeah, but what if" or "but we dont know if" scenarios. I think you have to take questions at face value.

Yes, I have always found the "textbook" answers a bit presumptive around cryptography. For example, I consider non-repudiation and authentication just derivatives of integrity even though they are typically presented as distinct attributes that can be delivered only through asymmetric (not symmetric) encryption. Well, that all really depends the quality of your keys and how your secure them - not really the algorithm. Further homomorphic encryption can throw integrity out the door even though it is asymmetric.

There's also the issue that availability is often left out as an objective of cryptography, but in the context of ransomware and digital rights management, cryptography can certainly impact the availability of resources.

For an exam, yes, memorize that they want, but in practice, I think it is fair to say cryptography can impact all three aspects of the CIA triad. And if you don't consider non-repudiation and authentication under the integrity umbrella, then you can take those onto CIA (CIA-NRA - how's that for an acronym?) too.

Re: Encryption granted confidentiality and integrity?

Early_Adopter — Fri, 03 Nov 2023 16:12:18 GMT

I think the proper answer is probably “e”, nobody knows how to read it… because we encrypt the session key we used to encrypt the message using the recipients public key.

This provides for the confidentiality of the symmetric session key that is effluent in encryption of the message and the recipient can decrypt this - at least that’s how it nomally works in S/MIME, OpenPGP etc.

1,2,3 are all incorrect and require message digest, and encryption of the same with the senders private key - a hash encrypted with a prove key is how we make digital signatures which give us authenticity, integrity and from these non-repudiation. (Check out Qualified Digital Signatures).

So the answer is 4 as the most correct but no one really does it like that because it would take too long and the standards work differently thanks to clever people.

Re: Encryption granted confidentiality and integrity?

Dinar8 — Fri, 10 Nov 2023 22:16:48 GMT

Re: Encryption granted confidentiality and integrity?

dcontesti — Fri, 10 Nov 2023 22:33:35 GMT

Can we all agree that this is a poorly written question. The author has posed a very open ended question that as written has multiple correct answers.

Source of question?

Re: Encryption granted confidentiality and integrity?

Early_Adopter — Sat, 11 Nov 2023 01:48:06 GMT

It’s incorrect in that in practical implementations a season key is encrypted to the recipient's public key rather than the message for performance and security.

Though conceptually the only thing it could give you is confidentiality, none of the other answers are possibilities.

Integrity will come from comparison of the message digest or hash, and non- repudiation and proof of origin(Authenticity) is from that hash being encrypted by the signer’s key.

So yes, totes - unless it’s a cryptology 101 course, and you’re trying to get the concepts of asymmetric cryptography across.

Re: Encryption granted confidentiality and integrity?

JoePete — Sun, 12 Nov 2023 14:03:41 GMT

@dcontesti wrote:
Can we all agree that this is a poorly written question. The author has posed a very open ended question that as written has multiple correct answers.

The overwhelming majority of test-prep resources are written by exam prep professionals who take a line from study materials and then build a questions. Often where they fail - because they lack a thorough understanding of the subject matter - is understanding how their "distractor" incorrect answers could in fact be correct.

The standard for the actual exam is significantly higher. But how often do you hear someone complain how one confusing question tripped them up for the rest of the test? As I say, that in and of itself, is a good test. In this job you have days where you have to move on from some confusion or blunder. You have shift focus or a failure can spiral into a catastrophe.