• Data Integrity Recap
      • We’ve looked at a lot of concepts so far that build on top of each other (and we’re not done yet).
      • Before we proceed, let’s take a minute to digest (pun intended) how the concepts we seen so far are related:
      • To ensure that only certain people can read our data, we can encrypt the data.

 

    • — Otherwise —
      • To ensure that plaintext data hasn’t been tampered with, we generate a message digest.
      • To ensure that the message hasn’t been replaced (and given a new digest), we will encrypt the message digest (which is a digital signature).
      • To ensure that the digital signature is authentic, we get a digital certificate (validating the key used to decrypt the signature and the key owner).
      • To ensure that the digital certificate is not given to us by an imposter, we check with a certificate authority (who vouches for the validity of the certificate).
      • To ensure that the certificate authority is not a fraud, we can have certificates provided by certificate authorities validated by another certificate authority (certificate chaining).

 

  • Authentication and Authorization
    • For our next section, recall our security cycle from the beginning of the chapter:
    • Authentication ties in and overlaps with some of the concepts we covered already.
    • However, authentication primarily deals with two things:
    • Identity (who is being authenticated?)
    • Proof of identity (is the person really who they say they are?)
    • Authentication has a circular relationship with data integrity:
    • In order to authenticate someone, we need to be assured that the proof of identity is valid – which relies on data integrity.
    • Data integrity relies on digital signatures, certificates and authorities for proof of authenticity.
    • Lastly, there is authorization
    • Of the three main topics in the security cycle, authorization is the trickiest.
    • There is no standard for authorization – it is application-specific.
    • We need to ask, “Who is given authorization to what?”
    • On a related note, we also need to ask, “Who is giving the authorization?” (in other words, “Who’s checking authorization?”)
    • However, by authorizing users (meaning that the user has been authenticated), exposes our data.
    • This can compromise data integrity.
    • By looking at our security cycle, we can see how this can trickle through and cause a lot of damage.
    • On the other hand, the entire cycle has certain checks and balances to protect the rest of the cycle (even if one piece is compromised).

Leave a Reply

Your email address will not be published. Required fields are marked *

Join our telegram channel now for latest updates

join now