Thursday, October 05, 2006

When to consider cryptography in your application

Cryptography DOES provides the following services to applications:
a) Confidentiality
Prevents application from being read and disclosed to everyone except for the intended recipient. This is achieved using encryption.

b) Authentication
Provides techniques using which the sender of a message (or originator of the data) can be authenticate reliably. This is achieved using message digesting and encryption.

b) Integrity
Provides a tamper-detection and tamper-evident technique for detecting if the message has been tampered since it was first generated. This is achieved using HMACs and digital signatures.

c) Non-repudiation
Provides a means for preventing an entity from denying an operation was carried out by that entity by providing conclusive proof. This too is achieved using digital signatures.

d) Replay protection
Provides techniques that can be used to prevent a previous message from being replayed to recreate the desired operation. This is done with a combination of message digesting and timestamps.

Cryptography DOES NOT provides the following services to applications:
a) Denial of service protection
Cryptography represents an operation carried out on data. It does not (and cannot) prevent DoS attacks.

b) Preventing Eavesdropping
c) Providing access control

No comments: