Quiz Entry - updated: 2026.07.14
What security goals do the different cryptographic mechanisms achieve, and which threats do they counter?
No single mechanism covers all threats. A useful framing is 3 participants and 8 attacks: encryption handles eavesdropping; a MAC or signature handles tampering and forgery; signatures alone add non-repudiation; sequence numbers catch replay and deletion; and a challenge-response protocol stops masquerade.
Security goals and mechanisms:
| Threat | Encryption | MAC | Digital Signature | Sequence Numbers |
|---|---|---|---|---|
| Eavesdropping | Yes | No | No | No |
| Modification | No | Yes | Yes | No |
| Insertion | No | Yes | Yes | No |
| Replay | No | No | No | Yes |
| Deletion | No | No | No | Yes |
| Masquerade | No | No | No | No → challenge-response |
| Non-repudiation (origin) | No | No | Yes | No |
| Non-repudiation (receipt) | No | No | Yes (with protocol) | No |
Key insights:
- Encryption alone only protects against passive eavesdropping — it fails against all active attacks
- MAC provides integrity and authentication, but no non-repudiation (both parties know the key, so either could have created the MAC)
- Digital signatures are the only mechanism providing non-repudiation — proof that a specific party signed
- Sequence numbers are essential for detecting replay and deletion attacks — no cryptographic mechanism alone can prevent these
- Masquerade (impersonation) is caught by an interactive challenge-response protocol: the verifier sends a fresh challenge that only the genuine party — holding the shared key or the private key — can answer correctly. Run with a signature, the same idea also yields receipt non-repudiation (proof the other side really received the message).
The complete protection stack:
- Encrypt (confidentiality) + Sign or MAC (integrity) + Sequence numbers (ordering) + Challenge-response (authentication)
- Or use authenticated encryption (AES-GCM) + Signatures + Sequence numbers
Tip: When asked "which mechanism protects against X," think about whether the attacker is passive (eavesdropping) or active (modifying, replaying, inserting, impersonating). Encryption only helps against passive attacks.
Go deeper:
Message authentication code (Wikipedia) — why a MAC gives integrity and authentication but not non-repudiation.