Communication Security, Application Security and Cryptography: Differences

From the beginning, I have seen people confusing (or mixing) communication security with application security, though the two have quite different objectives to fulfill. Some people go even further and mix cryptography into the same box, trying to make an alloy of cryptographic goals and communication security goals.
But I feel reality is different: cryptography can be used as a technique to achieve communication security goals, but not the reverse.
As I see it, communication security ensures any or all of the following three criteria while two entities communicate over some medium (where, of course, there is a threat that an unknown third party is listening to their communication):

  • End point or entity authentication: ensures that each of the communicating entities is talking to the right entity only.
  • Message integrity / message authentication: this is always tricky. It ensures that a message sent by one party is not fabricated or altered in transit.
  • Message confidentiality: an unknown or unintended receiver of a message cannot make any meaning of it.

Now, if we consider application security, it is about achieving goals that come from the design or from the natural behaviour of the application. For example, if you are creating an email service, you need user authentication so that each user reaches only their own account; to edit a user account you need authorization. So application security has mainly two components:

  • User authentication
  • User Authorization

Now, somebody can use cryptographic techniques to provide strong user authentication and authorization.

A good design should always keep communication security and application security separate, as I feel. It makes both the developer's and the security analyser's life easier, and also makes the application more portable.
As I said, cryptography can be used to achieve mainly the communication security goals. Following is an example:

  1. Endpoint authentication: X.509 certificates and PKI
  2. Message integrity: some secure hash algorithm
  3. Confidentiality: AES
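As an added example that is not part of the original post, this Python script shows the caveat behind item 2: an unkeyed hash on its own cannot protect integrity against an active third party on the path, because that party can simply recompute the hash over an altered message, whereas a keyed hash (HMAC-SHA256) cannot be recomputed without the key. The shared key, the sample message and all function names are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key (an assumption); a real key comes from a handshake.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def protect_with_plain_hash(message: bytes) -> tuple:
    """Attach an unkeyed SHA-256 digest: detects accidental corruption only."""
    return message, hashlib.sha256(message).hexdigest()

def verify_plain_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)

def protect_with_hmac(message: bytes, key: bytes) -> tuple:
    """Attach an HMAC-SHA256 tag: only a holder of the key can compute it."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_hmac(message: bytes, tag: str, key: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def modify_in_transit(message: bytes) -> tuple:
    """Model an on-path third party that changes the message and attaches the
    best check value it can produce without the key: a fresh unkeyed digest."""
    altered = message.replace(b"100", b"900")
    return altered, hashlib.sha256(altered).hexdigest()

def demo() -> dict:
    """Run both integrity schemes against the same in-transit modification."""
    original = b"transfer 100 to account 42"  # constructed sample message
    # Scheme 1: plain hash. The receiver's check passes on the altered message.
    msg, digest = protect_with_plain_hash(original)
    altered, forged_digest = modify_in_transit(msg)
    plain_hash_accepts = verify_plain_hash(altered, forged_digest)
    # Scheme 2: HMAC. The altered message carries a value nobody without the key
    # could have produced, so verification fails and the tampering is detected.
    msg, tag = protect_with_hmac(original, SHARED_KEY)
    altered, forged_tag = modify_in_transit(msg)
    hmac_accepts = verify_hmac(altered, forged_tag, SHARED_KEY)
    return {"plain_hash_accepts_altered": plain_hash_accepts,
            "hmac_accepts_altered": hmac_accepts}

if __name__ == "__main__":
    print(demo())  # {'plain_hash_accepts_altered': True, 'hmac_accepts_altered': False}
```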

Some people also use cryptography for application-layer security, for example to sign authorizations, which makes the application design more complex.

In the next post, I will discuss the security mechanisms available at the TCP layer.


About yadab das
Software Developer{writing,debugging,documenting} source code
