1

Could you please help me to clarify the following:

ISO 25023 standard divided security into the following 5 characteristics which are:

  1. Confidentiality characteristic (divided into) -----> Access controllability and Data encryption

  2. Integrity characteristic (divided into) -----> Data corruption prevention and Internal data corruption prevention

  3. Non-repudiation characteristic (divided into) -----> Utilization of digital signature

  4. Accountability characteristic (divided into) -----> Access auditability and System Log keeping time

  5. Authenticity characteristic (divided into) -----> Authentication protocols and Establishment of authentication rules

Based on the literature, authenticity is a part of confidentiality (access controllability), why ISO has separated it form confidentiality and categorized it as a characteristic?

user3011084
  • 529
  • 1
  • 3
  • 9
  • 1
    One is the application of a control over who can access a target while the other is how to verify who a subject is. #1: there should be a control that allows me to limit access to a certain set of individuals. #5: how do I confirm that the individual is who they say they are, and how to I assign capabilities to that person once I do? – schroeder Aug 23 '15 at 06:29

1 Answers1

1

I agree that these terms overlap and I also have a hard time differentiating between them in the context of read-access (where Authenticity can not mean the assurance of information 'being authentic' - originating from a known source, but only Authentication as an agent with certain access privileges). But here are some examples involving write-access in which the two concepts differ:

  • An attacker can read encrypted messages from a channel, and now has gained access to a decryption key. The measure ensuring Confidentiality (the encryption) has been circumvented, but Authenticity may still be in place, in that only the alleged and intended author could have created the messages (asymmetric cryptography can ensure this, as can access control on the channel).

  • An attacker writes to an encrypted communication channel. Confidentiality requires the plaintext that is being communicated not to be discovered by attackers, which still may very much be in force, even if the attacker can actually read from the channel as well. Authenticity, however, has been defeated, and 'replayed' messages can be used as an angle of attack.

I am under the impression that the distinction is quite common, and that Confidentiality, Integrity and Authenticity (allowing for the convenient initialism CIA) are cited as essential in secure communication. My notes from university - based on the Parkerian Hexad - add Possession, Avaliability and Utility as rather self-evident qualities, but in any case retain the distinction between Confidentiality and Authenticity.

Leif Willerts
  • 155
  • 3