Beyond secrecy, what three security requirements might a system need, and why is encryption said to stop only one of eight attacks?
The three requirements are confidentiality (secrecy), data authenticity (integrity + proof of origin), and user authenticity (proving who you're talking to). In the classic Alice–Eve–Bob model there are eight distinct attacks, and encryption defeats only one of them — eavesdropping.
* Eve mounts six wire attacks; the two repudiation attacks come from Alice and Bob themselves. *
Real applications need different mixes of the three:
| Application | Confidentiality | Data auth. | User auth. |
|---|---|---|---|
| Pay-TV access | ✓ | ✓ | |
| Traffic-light control | ✓ | ||
| ATM cash withdrawal | ✓ | ✓ | ✓ |
| Remote-controlling a drone | (maybe) | ✓ | ✓ |
| Uploading a race GPS track | ✓ | ✓ |
The eight attacks in the sender→network→receiver picture are: eavesdropping, modification, insertion, replay, deletion, masquerade, repudiation of origin, and repudiation of receipt. Encryption addresses only the first — a sobering reminder that it is neither the only nor the most important mechanism.
The subtle point everyone misses: Eve on the wire is not the only threat. The two repudiation attacks come from the legitimate parties themselves — the sender denying they sent a message (origin) and the receiver denying they got it (receipt) — and an insider like Alice could mount most of the others too. This is why non-repudiation (via digital signatures) exists at all, and why the trend is that user authentication keeps growing in importance (cars, IoT, access control) rather than raw encryption.
Go deeper:
Alice and Bob (Wikipedia) — the cast of characters behind the classic attack model.