Confidentiality is the protection of transmitted data from unauthorised disclosure. It serves as a #Security Service and utilises encryption# and Routing Control# in order to counter the release of message contents#.
Confidentiality
- TNS3131 Chapter 7: Web Security
-
Security Service
Security Service is a service that improve the security data processing system and/or information transfers. It needs to at least secure four elements: confidentiality#, authenticity#, integrity#, and availability#. It has Security Mechanism# implemented in order to fulfil its promises and prevents potential Security Attack.
-
Secure Socket Layer (SSL)
The main security services, that is guarantee message integrity# and Confidentiality#, are provided by SSL Record Protocol. The former is done via MAC with shared secret key used for encryption, the latter with Handshake protocol. The operations are done as shown below:
-
SNMPv3 1998
#SNMPv3, defined by RFC 2570 - 2575, addresses security issues of #SNMPv1 1988 and #SNMPv2 1993 by using User Security Model (USM), including overall architecture and security capability. It provides authentication service# that is part of User-Based Security (UBS), privacy# (Data Encryption Standard (DES) message encryption), and Access Control# to allowed operations, device information, and Management Information Base (MIB) access.
-
Pretty Good Privacy (PGP)
PGP is a #Asymmetric Cryptographic program used to encrypt, decrypt and sign emails over insecure transmission channel such as Internet with Digital Signature# which is developed by Philip R. Zimmermann in 1991. It has become the de facto #standard for email security. It provides five services: Confidentiality#, Authentication#, compression, e-mail compatibility (encode raw binary to ASCII characters using Radix-64 Encoding#) and segmentation (if the message is too large). It guarantees the security in Application Layer#.
-
IP Security (IPsec)
IPsec is an #Network Layer security framework for secure communications over Internet Protocol (IP)# network. This means it could protect every application or Protocol#, including those that are security-ignorant (doesn’t design around security), running on top of IP (IPv4 or IPv6#, however, both of them are not compatible to each other). It is common having it to have secure access over the Internet, extranet and intranet connectivity with partners or just to enhance the security especially in electronic commerce. It provides Authentication#, Confidentiality#, and key management (secure key exchanges) services.
The data encapsulation is done by two extension headers (append to the IP header): Authentication Header (AH) and Encapsulating Security Payload (ESP), defined by RFC 4303 and RFC 4302 respectively. AH provides Access Control#, Authentication# (including the IP Address#) and Connectionless Data Integrity# services using Message Authentication Code (MAC# /HMAC) where both parties must share secret key. It guards against address spoofing attacks and Replay Attack. ESP provides Confidentiality# services over message contents and traffic flow (but limited) and optionally support Access Control# services like in AH using MAC. It can also guard against Replay Attack#. The users can design which kind of ciphers, modes, and padding to be used in ESP. The IPsec could be set up to have AH only or ESP only or both.