SecurITyCerts dot Org

       Navigating Security Certifications

Cryptography: Confidentiality

CISSP, GIAC GSEC, Security+ Review

Confidentiality is the concept of ensuring that data is not made available or disclosed to unauthorized people.

Confidentially is achieved through encryption. Both symmetric and asymmetric encryption can be used and we'll discuss them later.

Confidentiality was the original purpose of cryptography. If the data is confidential, it cannot be read or understood by anyone other than the intended recipient or recipients.

The "secret spy ring" you might have gotten in a box of cereal when you were a kid is an example. Typically, with the aid of the ring, you substitute each letter in your message with another letter. Unless someone looking at the now encrypted data knows the encryption key, i.e. has an equivalent ring or understands how it works, they cannot read the  original message - at least not trivially.

Confidentiality of data is accomplished by using strong encryption algorithms that cannot be easily “broken.” A secret spy ring doing simple character substitution is not strong encryption,  but probably strong enough for two kids playing spy.

Confidentiality is important when network communications are of a sensitive nature, such as trade secrets, client information subject to privacy laws or policies, or business strategies that depend on the element of surprise.

Confidentiality is also important for important data at rest, i.e. not transversing the network.

The encryption process is often entirely transparent to the user. For example a user buying a book from Amazon.com has no idea how or why their credit card and other critical information is encrypted before it's sent to Amazon's server. Similarly, a user who's laptop is configured to use Microsoft's EFS (Encrypting File System) doesn't know data on the hard drive is encrypted. It's plaintext to them, but to someone who steals the laptop, it's nonsense.

NEXT