6.1 Data Security
Objectives
Describe the security methods designed to protect the security of data, including concepts of confidentiality, integrity, availability, authentication, and non‑repudiation.
Key Security Principles
Confidentiality: Ensuring that data is accessible only to authorised users.
Integrity: Maintaining the accuracy and completeness of data over its lifecycle.
Availability: Guaranteeing that data is accessible when required.
Authentication: Verifying the identity of a user, device, or process.
Non‑repudiation: Preventing denial of actions performed, typically using digital signatures.
Cryptographic Methods
1. Symmetric Encryption
Uses a single secret key for both encryption and decryption.
Typical algorithms: DES, 3DES, AES.
Encryption formula: \$C = E_{k}(M)\$ where \$M\$ is the plaintext, \$k\$ the secret key, and \$C\$ the ciphertext.
2. Asymmetric Encryption (Public‑Key Cryptography)
Employs a pair of mathematically related keys: a public key (\$K{pub}\$ ) and a private key (\$K{priv}\$ ).
Encryption: \$C = E{K {pub}}(M)\$
Decryption: \$M = D{K {priv}}(C)\$
Typical algorithms: RSA, ECC.
3. Comparison of Symmetric and Asymmetric Encryption
Aspect
Symmetric
Asymmetric
Key Management
Single secret key shared securely
Public key distributed openly; private key kept secret
Performance
Fast, suitable for large data volumes
Slower, typically used for key exchange or digital signatures
Security
Relies on secrecy of the key
Security based on mathematical difficulty of key derivation
Typical Use
Bulk data encryption (e.g., file storage)
Secure key exchange, authentication, digital signatures
Hash Functions and Message Digests
A hash function maps data of arbitrary size to a fixed‑size bit string called a digest.
Properties:
Deterministic – same input always yields same output.
Pre‑image resistance – infeasible to reconstruct input from digest.
Collision resistance – infeasible to find two different inputs with the same digest.
Common algorithms: MD5 (deprecated), SHA‑1 (deprecated), SHA‑256, SHA‑3.
Digital Signatures
Combine hashing and asymmetric encryption to provide authentication, integrity, and non‑repudiation.
Process:
Compute hash of the message: \$h = H(M)\$ .
Encrypt the hash with the sender’s private key: \$S = E{K {priv}}(h)\$ .
Transmit \$(M, S)\$ .
Receiver decrypts \$S\$ with sender’s public key to obtain \$h'\$ and compares with \$H(M)\$ . If they match, the message is authentic and unaltered.
Access Control Mechanisms
Discretionary Access Control (DAC): Owner decides who may access resources.
Mandatory Access Control (MAC): Central authority enforces policies based on security labels.
Role‑Based Access Control (RBAC): Permissions are assigned to roles, and users acquire permissions by being assigned roles.
Physical and Network Security
Firewalls – filter inbound and outbound traffic based on rule sets.
Intrusion Detection Systems (IDS) – monitor network or system activity for malicious behavior.
Secure Physical Facilities – controlled access, CCTV, environmental controls.
Backup and Recovery – regular backups, off‑site storage, and disaster recovery planning.
Security Policies and Procedures
Effective security requires documented policies covering:
Acceptable Use
Password Management
Incident Response
Data Classification and Handling
Audit and Compliance
Suggested diagram: Flow of data through encryption, transmission, decryption, and verification using digital signatures.