Purpose
Thepurposeofintegrityistoprotecttheintegrityofdataandtheintegrityofdata-relatedattributesthatmaybecompromisedindifferentwaysbypreventingthreatsordetectingthreats.Manyopensystemapplicationshavesecurityrequirementsthatrelyondataintegrity.Suchrequirementscanprovidedataintegrityprotectionincludingthoseusedinothersecurityservices(suchasauthentication,accesscontrol,confidentiality,auditing,andnon-repudiation).Thecompletenessdescribedhereisdefinedbytheconstantcharacteristicsofadatavalue.Theconceptofdatavalueconstancyincludesallthecaseswherethedatavalueisconsideredequivalenttodifferentexpressions.
Thegoalofintegrityservicesistoprotectdatafromunauthorizedmodification,includingunauthorizedcreationanddeletionofdata.Completetheintegrityservicethroughthefollowingactions:
(1)Shield,generateintegrity-protecteddatafromthedata.
(2)Confirmthatintegrity-protecteddataischeckedtodetectintegrityfailures.
(3)De-shieldingandregeneratingdatafromintegrity-protecteddata.
Theseactionsdonotnecessarilyusecryptographictechniques.Whenusingcryptographictechniques,thereisnoneedtotransformthedata.Forexample,theshieldingoperationcanbedonebyaddingasealordigitalsignaturetothedata.Inthiscase,aftersuccessfulverification,de-shieldingisachievedbyremovingthesealordigitalsignature.
Integrityinformation
Inordertoshield,verify,orunshielddata,auxiliaryinformationmaybeused.Thisauxiliaryinformationiscalledintegrityinformation.Integrityinformationincludes:
(1)Shieldintegrityinformation,whichisusedtoshielddatainformation,includingprivatekeys,keys,algorithmidentifications,etc.,relatedpasswordparameters,time-varyingparameters(suchastimestamps))Wait.
(2)Transformationdetectionintegrityinformation,whichisusedtoverifytheinformationofintegrity-protecteddata,includingpublicandprivatekeys.
(3)De-shieldingintegrityinformation,whichisusedtode-shieldtheintegrityprotectiondata,includingpublicandprivatekeys.
Classification
Wecanbaseonthedatabehavior(create,delete,modify,insertorreplay)andtherequiredprotectionmeasures(preventthreatsordetectviolations)Orclassifyvariousintegrityservicesbasedonwhethertherecoveryfunctionissupportedintheeventofintegrityviolationoperations.
1.Accordingtothepreventionofviolationclassification
Accordingtothepreventionofviolationoperationclassification,integrityservicescanbedividedintopreventionofunauthorizeddatamodification,preventionofunauthorizeddatacreation,preventionofunauthorizeddatadeletion,Preventunauthorizeddatainsertionandpreventunauthorizeddatareplay.
2.Accordingtotheprovidedprotectionmethodclassification
Accordingtotheprovidedprotectionmethodclassification,theintegrityservicecanbedividedintothepreventionofintegritydamageandthedetectionofintegritydamage.
3.Accordingtowhethertherecoverymechanismisincludedornot
Accordingtowhethertherecoverymechanismisincludedornot,theintegrityserviceisdividedintotwosituations:inthecaseofarecoverymechanism,thede-shieldingoperationiswhentheverificationoperationischanged.,Canrestoretheoriginaldata(andmaysignalthattherestorationactivityhasoccurred,orindicateanerrorsignalforauditpurposes);withouttherestorationfunction,oncetheoperationinstructionisconfirmedtobechanged,theunmaskingoperationcannotrestoretheoriginaldata.
Integritymechanism
1.Testword
Testwordusesmutualagreementtoprotecttransactionfields(suchasaccountname,date,totalamount,etc.).ThismethodusuallyrequiresastatickeyandarandomnumbertooccurDevice.Thesenderusesamutuallyagreedalgorithmtoconverttheinformationintoacharacterstring(calledatestword)andattachittothetransaction.Thereceiverrepeatsthesamestepswiththereceivedtransactiondatatoverifytheintegrityofthetransaction.Thetestwordisanearlytechnicalrealizationofencapsulation.
2.Encapsulationandsignature
Themostcommonencapsulationandsignaturetechnologyinvolvestheuseofencryptiontogenerateavaluethatissentasaplaintextattachment.Whenaspecificdataintegrityrequirementisrequired,suchanattachmentisusuallycalledanintegritycheckvalue.
Theapplicationoftheencapsulationandsignaturemechanismneedstosolveseveralproblems,suchastheestablishmentofconsensusontheselectionofalgorithms,fillingrequirementsandthekeymanagementprocess.Mostencryptionmechanismsusedforconfidentialitypurposesaresuitableforencapsulationandsignaturemechanismsfordataintegritypurposes.
3.Encryption
Encryptioncanbeusednotonlytoensuretheconfidentialityofdata,butalsotoensureitsintegrity.Assumingthattheprotecteddataitemhassomeredundancy,theencryptiontransmissionredundancycanensuretheeffectofdataintegrity,whichmakesifanintruderdoesnotknowtheencryptionkeyandmodifiespartoftheciphertext,itwillleadtothedecryptionprocessIncorrectinformationisgeneratedin.
Insomecases,dataitemshavesufficientnaturalredundancy.Correspondingly,redundancycanbeobtainedbyextendingthedataitempriortoencryption,andacheckvalueiscalledamodificationdetectioncode.ThedatadigestgeneratedbytheHashfunction,oracyclicredundancycheck,areexamplesofmodifyingthedetectioncode.
Notallencryptionmechanismscanbeusedhere.Forexample,intheencryptionmode,thereversiblepublickeyalgorithmcannotguaranteetheintegrityofthedata.Assumingthatanintrudercanknowthepublickey,hecangenerateandencryptafakedataitem.
4.Sequenceintegrity
Sequenceintegrityprovidesamethodfordetectingthereplay,rearrangementorlossofdataitems,anditformsapartofthesecurityandconfidentialityofasequenceofcommunicationnetworks.Itisassumedthattheinternalintegrityofeachdataitemhasbeenprotected.Therearetwowaystoprovidesequenceintegrity.Onemethodistoattachanintegrityserialnumbertothedataitembeforeprotectionsuchasencapsulation,signing,orencryption;theothermethodistogenerateanintegritysequencenumberintheprocessofencapsulation,signing,orencryptionusingtheextendedchainofthedataitemEncryptionchain.
5.Copy
Ameasureofdataintegritycanbeprovidedbycopyingstorageinformationinmultiplestorageareasorbytransferringmultiplebackupsofdataindifferentpaths.Itcanbeassumedthattheattackercannotcompromiseallthebackupsatthesametime,sotheoriginaldatacanberestoredfromthebackupthatwasnevercompromised.
6.Integrityrecovery
Themechanismneededtosupportintegrityrecoveryisasimplestandardcommunicationerrorrecoverymechanism.Theusualmethodistoresynchronizetothedetectionpositionbeforedetectingthatthedamagehasoccurredandresendingallthedata.Anycryptographicprocess,whetherforconfidentialityorintegrity,needstoberesynchronizedtothesamedetectionlocationatthesametime.