2.3 Confidentiality

A fundamental need in secure communication is to ensure the privacy of the information transmitted between the communicating parties. In cryptography, this is referred to as confidentiality of data.

More precisely, confidentiality is the ability to keep the content of information from all but those authorized to have it [117]. Confidentiality therefore guarantees that no one except the sender and the intended receiver(s) of the information can read it.

In the classical scenario illustrated in Figure 2.1, these are two parties (Alice and Bob). In general, cryptographic mechanisms can be used to ensure confidentiality for any number of parties, for example, using the concept of group keys. In the simplest case, there is only one party involved, for example, a user encrypting their private data stored in the cloud or on a personal device such as a smartphone.

Figure 2.3 shows the classical scenario for confidentiality. The eavesdropper Eve has the capability r to read all messages sent between Alice and Bob over an insecure channel. Eve’s goal is to recover the original plaintext from the messages transmitted over the channel (within a reasonable period of time).

Figure 2.3: Alice and Bob must keep their communication confidential in the presence of Eve

There are many different ways to achieve confidentiality, such as physically protecting access to the media on which the private information is stored or exchanging private information in a way that both parties believe to be secure by design, such as in a private, face-to-face meeting. In contrast, cryptography focuses on mathematical algorithms – based on number-theoretic problems or the concept of pseudo-randomness – that scramble the message, before it is sent, in such a way that the private information becomes unintelligible for unauthorized parties.

An implicit assumption is that the communication channel between the legitimate parties is insecure, that is, that an eavesdropping adversary sees all scrambled messages and can store them for later processing. A cryptographic mechanism ensuring confidentiality must hold even if the messages observed by the eavesdropper are used in an offline attack.

If the goal of a cryptographic mechanism is to provide confidentiality, then a passive attacker is typically assumed. Recall from the last section that a passive attacker is supposed only to be able to read information from an unsecured channel [117]. While manipulating messages sent by Alice and Bob might interrupt the overall system – for example, lead to a denial-of-service attack if the legitimate parties are interpreting these messages to accomplish some kind of a computational or control task – this usually won’t help the attacker to recover the original plaintext, so confidentiality will be preserved.

In cryptography, confidentiality is achieved using mathematical functions that transform the private information m, also referred to as plaintext, into a scrambled message c = fK(m), referred to as ciphertext. These functions are bijective meaning that for every such function fK there is an inverse function, denoted by fK−1, which transforms the ciphertext back to the original plaintext. In other words, an algorithm mapping plaintext to ciphertext in such a way that the plaintext cannot be recovered does not provide confidentiality in a cryptographic sense. Note that bijectivity also implies that there are as many plaintexts as ciphertexts.

The infamous Wired Equivalent Privacy (WEP) hack illustrates what consequences a confidentiality breach can have in practice. WEP was a cryptographic algorithm that provided confidentiality for over-the-air transmissions in Wireless Local Area Networks (WLANs) defined in the IEEE 802.11 set of standards. Released in 1997 as part of the original 802.11 standard, WEP was recommended for all 802.11b- and 802.11g-compliant devices and included in most Wi-Fi routers by the late 1990s [52].

WEP was designed as a so-called stream cipher based on the RC4 algorithm as a key stream generator (see Section 4.5.1 and Section 4.5.2, respectively). Because interference can cause bit errors and, consequently, packet loss in a wireless channel, the WEP key stream generation was restarted each time a frame of a message had been transmitted. This restart procedure relied on a so-called Initialization Vector (IV), basically a 24-bit string. An attacker could therefore wait until an IV repeated after 224 frames, which led to the repetition of the entire key stream. As is explained in Section 4.3.2, this is a serious security problem, especially if parts of the plaintext are already known, as is often the case with standardized network protocols.

In 2001, researchers published a complete cryptanalysis of WEP that recovered the secret key after eavesdropping on the wireless network [66]. Depending on the number of network packets available for inspection, the complete key could be recovered in as little as one minute [197].