5.1 Encryption, authentication & access control (CIA triad)
Key Takeaways
- The CIA triad — Confidentiality, Integrity, Availability — is the foundation every security control is built to protect.
- Symmetric encryption (AES) uses one shared key and is fast; asymmetric encryption (RSA) uses a public/private key pair and solves the key-distribution problem.
- Hashing (SHA-256) is one-way and verifies integrity — it is not encryption and cannot be reversed back into the original data.
- Authentication factors are something you know, something you have, and something you are; MFA requires two or more different categories.
- Authorization enforces least privilege through access-control models such as RBAC, ACLs, DAC, and MAC.
The CIA Triad: The Foundation of Security
Every security control you will study exists to protect one or more of three goals, collectively called the CIA triad: Confidentiality, Integrity, and Availability. On the DoD Cyber Test you should be able to match a scenario to the goal it protects.
- Confidentiality means only authorized people can read data. Encrypting a laptop's hard drive so a thief cannot read classified files protects confidentiality.
- Integrity means data is accurate and has not been altered. A checksum that flags a tampered software update protects integrity.
- Availability means authorized users can reach systems when they need them. Backup generators and redundant servers that keep a network online during an attack protect availability.
A single incident can break more than one goal at once. A ransomware attack that encrypts files (blocking access) attacks availability; if the attacker also copies those files out, it attacks confidentiality too. Good security balances all three — locking data down so tightly that nobody can use it defeats availability, while making it too easy to reach defeats confidentiality.
Encryption: Symmetric vs. Asymmetric
Encryption scrambles readable plaintext into unreadable ciphertext using an algorithm and a key. There are two families.
Symmetric encryption uses the same key to encrypt and decrypt. AES (Advanced Encryption Standard) is the modern standard, using 128-, 192-, or 256-bit keys. Symmetric algorithms are fast, so they bulk-encrypt files, disks, and network traffic. Their weakness is key distribution: both parties need the identical secret key, and delivering it safely over an untrusted channel is hard. One practitioner's caveat: encryption alone protects confidentiality, not integrity. An attacker who cannot read ciphertext may still be able to flip bits in it, so production systems pair AES with an authentication tag, typically by using an authenticated mode such as AES-GCM.
Asymmetric encryption (public-key) uses a pair of mathematically linked keys: a public key anyone may hold and a private key the owner keeps secret. RSA is the classic example. Data encrypted with the public key can only be decrypted with the matching private key, which solves the distribution problem: you can publish your public key openly, and anyone can use it to send you a secret that only you can open. Asymmetric math is slow, so in practice HTTPS/TLS uses public-key operations only to establish a shared symmetric key, then switches to fast AES for the actual conversation. Older TLS (1.2 and earlier) could do this by encrypting a fresh AES key with the server's RSA public key; modern TLS 1.3 instead agrees the key with (elliptic-curve) Diffie-Hellman and uses the server's RSA or ECDSA key only to sign the handshake, so that a later theft of the server's private key cannot decrypt recorded traffic (forward secrecy). Either way the pattern is the same, and it is the one the test expects: slow asymmetric math to establish the key, fast symmetric encryption for the data.
| Feature | Symmetric (AES) | Asymmetric (RSA) |
|---|---|---|
| Keys | One shared secret key | Public + private key pair |
| Speed | Fast | Slow |
| Best for | Bulk data / file encryption | Key exchange, digital signatures |
| Main challenge | Distributing the secret key safely | Heavy, slow computation |
| Example | AES-256 disk encryption | RSA keys in the HTTPS/TLS handshake (key transport in TLS 1.2, signatures in TLS 1.3) |
Hashing Is Not Encryption
A hash function (such as SHA-256) takes input of any length and produces a fixed-length "fingerprint" (256 bits, or 64 hex characters, for SHA-256). Hashing is one-way and has no key: you cannot reverse a hash back into the original data, which is exactly why it is not encryption, since encryption is designed to be reversed by whoever holds the key. Because any tiny change to the input produces a completely different output, hashes verify integrity: download a file, hash it, and compare the result against the hash the publisher posted. (A hash posted on the same page as the download only proves the file was not corrupted or altered in transit; proving it actually came from the publisher requires a digital signature, covered below.) Systems also store password hashes instead of the actual passwords, so a stolen database does not immediately hand attackers usable passwords. To stop attackers from precomputing hashes of common passwords, systems add a random salt to each password before hashing, making every stored hash unique even when two users pick the same password. Salting alone is not enough, though: a fast hash such as bare SHA-256 lets an attacker test billions of guesses per second against a stolen record, so passwords should be stored with a deliberately slow, salted algorithm such as PBKDF2, bcrypt, scrypt, or Argon2.
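The two uses described above, file integrity checking and salted password storage, as an added Python example (this code is not part of the original guide; the sample file contents and the password are constructed, and PBKDF2 stands in for bcrypt/Argon2 because it ships in the standard library):

```python
import hashlib
import hmac
import secrets

# Constructed sample "download": the two payloads differ in exactly one byte.
ORIGINAL = b"firmware-update v1.2 payload ... 0000"
TAMPERED = b"firmware-update v1.2 payload ... 0001"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 fingerprint of data as hex (always 64 characters)."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Integrity check: re-hash the downloaded bytes and compare to the published hash.
    compare_digest avoids leaking how many leading characters matched via timing."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


# --- Salted, deliberately slow password hashing ------------------------------
# PBKDF2-HMAC-SHA256 with many iterations makes each guess expensive, so an
# attacker holding the stolen database cannot test millions of candidates per
# second the way they could against bare SHA-256.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A fresh random 16-byte
    salt is generated per record, so identical passwords yield different hashes."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record,
    then compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    published = sha256_hex(ORIGINAL)
    print("original verifies:", verify_download(ORIGINAL, published))  # True
    print("tampered verifies:", verify_download(TAMPERED, published))  # False
    print("original:", published)
    print("tampered:", sha256_hex(TAMPERED))  # one changed byte, unrelated digest

    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("same password, different records:", rec_a != rec_b)  # True (different salts)
    print("login ok:", verify_password("correct horse battery staple", rec_a))  # True
    print("wrong password:", verify_password("Tr0ub4dor&3", rec_a))  # False
```

Note that a stored record carries its own salt and iteration count, so the cost can be raised later for new records without breaking verification of old ones.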
Digital Signatures, PKI, and Certificates
Combine hashing with asymmetric keys and you get a digital signature. The sender hashes a message and signs that hash with their private key; in textbook RSA this means applying the private-key operation to the hash, which is why it is often described as "encrypting the hash" (real schemes add padding such as RSA-PSS before doing so). Anyone holding the sender's public key can reverse that operation to recover the hash, re-hash the message themselves, and compare. A match confirms two things: the signature was produced with that sender's private key (authenticity, and with it non-repudiation) and the message was not altered (integrity). Note the order: hash first, then sign the short hash; the slow asymmetric key is never applied to the whole message. PKI (Public Key Infrastructure) is the system of Certificate Authorities (CAs) that issue digital certificates, which bind a public key to a verified identity: the CA signs the certificate with its own private key, and your browser checks that signature against the list of CAs it trusts. That successful check, on top of an active TLS connection, is what the padlock in your browser represents.
Authentication: Proving Who You Are
Authentication answers "are you who you claim to be?" using three factor categories:
- Something you know — a password, PIN, or security-question answer.
- Something you have — a CAC/smart card, a phone running an authenticator app, or a hardware token.
- Something you are — a biometric such as a fingerprint, face, or iris.
Multi-Factor Authentication (MFA) requires factors from two or more different categories. A password plus a code from your phone is MFA; two passwords are not, because both are "something you know," and neither is a password plus a security-question answer. MFA is powerful because stealing one factor (a password) is not enough to get in. Not all second factors are equal, though: SMS and app-generated codes can be phished or relayed to the real site in real time, while hardware-bound methods such as a CAC or a FIDO2 security key tie the login to the genuine site and are considered phishing-resistant.
Authorization and Access Control
Authentication proves identity; authorization decides what that identity is allowed to do. The guiding rule is least privilege: give each user only the access their job requires, and nothing more. Common models:
- RBAC (Role-Based Access Control): permissions attach to roles (e.g., "medic," "analyst"), and users inherit them through their assigned role.
- ACL (Access Control List): each resource lists which users or groups may access it and how (read, write, execute).
- DAC (Discretionary Access Control): the data owner decides who gets access — flexible, but easy to misconfigure.
- MAC (Mandatory Access Control): the system enforces access from classification labels (e.g., Secret, Top Secret) and clearances; users cannot override it, which is why MAC is common in military environments.
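The four models combined into one deny-by-default authorization check, as an added Python example that is not from the original guide. The roles, labels, users, and resources are constructed for the demo; MAC is modelled as the simplified Bell-LaPadula "no read up" rule with writes confined to the subject's own level, which is one common formulation rather than the only one; and the policy "MAC must allow, and then either a role or the resource's ACL must grant the action" is this example's choice:

```python
from dataclasses import dataclass, field

# Ordered classification labels (higher index = more sensitive); MAC compares these.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

# RBAC: permissions attach to roles, never directly to users.
ROLE_PERMISSIONS = {
    "medic": {"read:medical"},
    "analyst": {"read:intel", "write:intel"},
    "admin": {"read:intel", "write:intel", "read:medical", "admin:users"},
}


@dataclass
class Subject:
    name: str
    roles: set
    clearance: str  # highest label the person is cleared for


@dataclass
class Resource:
    name: str
    label: str  # classification label assigned by the system
    category: str = ""  # "intel", "medical", ...; matched against role permissions
    acl: dict = field(default_factory=dict)  # DAC: user -> set of actions the owner granted


def mac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    """Mandatory control: 'no read up'. Read only at or below your clearance;
    write only at your own level (simplified Bell-LaPadula). Nobody can override this."""
    s, o = LEVELS.index(subject.clearance), LEVELS.index(resource.label)
    return s >= o if action == "read" else s == o


def rbac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    needed = f"{action}:{resource.category}"
    return any(needed in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def dac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    return action in resource.acl.get(subject.name, set())


def authorize(subject: Subject, resource: Resource, action: str) -> bool:
    """Deny by default. MAC is checked first and cannot be overridden; then the
    request must also be granted by a role (RBAC) or by the resource's ACL (DAC)."""
    if not mac_allows(subject, resource, action):
        return False
    return rbac_allows(subject, resource, action) or dac_allows(subject, resource, action)


if __name__ == "__main__":
    # Constructed sample subjects and resources.
    dana = Subject("dana", {"analyst"}, "SECRET")
    sam = Subject("sam", {"medic"}, "CONFIDENTIAL")
    ops_plan = Resource("ops-plan", "SECRET", "intel", acl={"sam": {"read"}})
    sick_call = Resource("sick-call", "UNCLASSIFIED", "medical")
    roster = Resource("unit-roster", "UNCLASSIFIED", "roster", acl={"dana": {"read"}})
    ts_brief = Resource("ts-brief", "TOP SECRET", "intel")

    print(authorize(dana, ops_plan, "read"))   # True: cleared SECRET, analyst role reads intel
    print(authorize(sam, ops_plan, "read"))    # False: owner's ACL grant cannot override MAC
    print(authorize(dana, sick_call, "read"))  # False: least privilege, no medical permission
    print(authorize(dana, roster, "read"))     # True: no role grants it, but the ACL does (DAC)
    print(authorize(dana, ts_brief, "read"))   # False: no read up
    print(authorize(dana, sick_call, "write")) # False: MAC confines writes to own level
```

The order of checks is the point: the owner of ops-plan tried to share it with the medic through the ACL, and the mandatory layer refused regardless, which is exactly the property that makes MAC suitable for classified environments.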
Together these controls turn the CIA triad from theory into enforced practice.
Ransomware encrypts a unit's files and blocks everyone from opening them. Which goal of the CIA triad is most directly violated?
Why does HTTPS typically use RSA only to exchange a key and then switch to AES for the rest of the session?
A password combined with a one-time code from an authenticator app qualifies as multi-factor authentication because it combines which two categories?