Key Management: General
18
3 Security Services
Cryptography may be used to perform or support several basic security services: confidentiality, integrity authentication, source authentication, authorization and non-repudiation. These services may also be required to protect cryptographic keying material. In addition, there are other cryptographic and non-cryptographic mechanisms that are used to support these security services. In general, a single cryptographic mechanism may provide more than one service (e.g., the use of digital signatures can provide integrity authentication and source authentication), but not all services.
3.1 Confidentiality
Confidentiality is the property whereby information is not disclosed to unauthorized parties. Secrecy is a term that is often used synonymously with confidentiality. Confidentiality using
cryptography is achieved using encryption to render the information unintelligible except by authorized entities. The information may become intelligible again by using decryption. In
order for encryption to provide confidentiality, the cryptographic algorithm and mode of operation must be designed and implemented so that an unauthorized party cannot determine
the secret or private keys associated with the encryption or be able to derive the plaintext directly without using the correct keys.
3.2 Data Integrity
Data integrity is a property whereby data has not been modified in an unauthorized manner since it was created, transmitted or stored. Modification includes the insertion, deletion and substitution of data. Cryptographic mechanisms, such as message authentication codes or digital signatures, can be used to detect with a high probability both accidental modifications (e.g., modifications that sometimes occur during noisy transmissions or by hardware memory failures) and deliberate modifications by an adversary. Non-cryptographic mechanisms are also often used to detect accidental modifications, but cannot be relied upon to detect deliberate modifications. A more detailed treatment of this subject is provided in Appendix A.
In this Recommendation, the statement that a cryptographic algorithm provides data integrity means that the algorithm is used to detect unauthorized modifications. Authenticating integrity
is discussed in the next section.
3.3 Authentication
Two types of authentication services can be provided using cryptography: integrity authentication and source authentication.
• An integrity authentication service is used to verify that data has not been modified, i.e., this service provides integrity protection.
• A source authentication service is used to verify the identity of the user or system that created information (e.g., a transaction or message).
Several cryptographic mechanisms may be used to provide authentication services. Most commonly, digital signatures or message authentication codes are used to provide
authentication; some key-agreement techniques also provide an authentication service.
When multiple individuals are permitted to share the same source authentication information such as a password or cryptographic key, it is sometimes called role-based authentication. See [FIPS140].
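The following added example (not part of the Recommendation) illustrates two points from Sections 3.2 and 3.3 together: why a non-cryptographic integrity check detects accidental modification but cannot be relied upon against a deliberate one, and why a message authentication code verified under a shared key gives integrity authentication plus source authentication only to the granularity of "some holder of the key", i.e. the role-based case. The key, message and CRC-32 versus HMAC-SHA-256 pairing are constructed assumptions for illustration; only the Python standard library is used.

```python
import hmac
import hashlib
import secrets
import zlib

# Constructed sample key and message for illustration (not from the Recommendation).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MESSAGE = b"transfer 100.00 to account 12345"


def crc32_tag(message: bytes) -> bytes:
    """Non-cryptographic integrity check (CRC-32): catches noise, not adversaries."""
    return zlib.crc32(message).to_bytes(4, "big")


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Cryptographic integrity authentication: HMAC-SHA-256 over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_crc32(message: bytes, tag: bytes) -> bool:
    return crc32_tag(message) == tag


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest is a constant-time comparison, so a verifier does not
    # leak how much of the tag matched.
    return hmac.compare_digest(mac_tag(key, message), tag)


def flip_bit(message: bytes, bit_index: int) -> bytes:
    """Model an accidental single-bit error, e.g. from a noisy channel."""
    out = bytearray(message)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def accidental_modification_detected() -> dict:
    """A random bit flip in transit is caught by both mechanisms."""
    crc = crc32_tag(MESSAGE)
    mac = mac_tag(SHARED_KEY, MESSAGE)
    damaged = flip_bit(MESSAGE, 37)
    return {
        "crc32_detects": not verify_crc32(damaged, crc),
        "hmac_detects": not verify_mac(SHARED_KEY, damaged, mac),
    }


def deliberate_modification_detected() -> dict:
    """A substituted message: anyone can recompute an unkeyed check, so the
    CRC verifies; without SHARED_KEY the best available MAC is a random guess."""
    substituted = b"transfer 999.99 to account 99999"
    recomputed_crc = crc32_tag(substituted)           # no secret needed
    guessed_mac = secrets.token_bytes(32)             # 2^-256 chance of success
    return {
        "crc32_detects": not verify_crc32(substituted, recomputed_crc),
        "hmac_detects": not verify_mac(SHARED_KEY, substituted, guessed_mac),
    }


def source_authentication_scope() -> dict:
    """A valid MAC shows the message came from *some* holder of SHARED_KEY.
    When several parties share the key this is role-based authentication:
    the verifier cannot tell which key holder produced the tag, while a
    party holding a different key is rejected."""
    tag_from_alice = mac_tag(SHARED_KEY, MESSAGE)
    tag_from_bob = mac_tag(SHARED_KEY, MESSAGE)
    outsider_key = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    tag_from_outsider = mac_tag(outsider_key, MESSAGE)
    return {
        "alice_accepted": verify_mac(SHARED_KEY, MESSAGE, tag_from_alice),
        "bob_accepted": verify_mac(SHARED_KEY, MESSAGE, tag_from_bob),
        "alice_bob_indistinguishable": tag_from_alice == tag_from_bob,
        "outsider_rejected": not verify_mac(SHARED_KEY, MESSAGE, tag_from_outsider),
    }


if __name__ == "__main__":
    print("accidental:", accidental_modification_detected())
    print("deliberate:", deliberate_modification_detected())
    print("source scope:", source_authentication_scope())
```

The CRC-32 is chosen only as a representative non-cryptographic check; the point is that any mechanism computable from the data alone can be recomputed by whoever changes the data. Distinguishing Alice from Bob, i.e. true per-entity source authentication under a shared role key, needs either per-entity keys or a digital signature, which this block does not cover.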
3.4 Authorization