Why is encryption alone insufficient for secure communication — what additional protections are needed?
Encryption only provides confidentiality. Secure communication also requires integrity (MAC/signatures), authentication (protocols), and freshness (sequence numbers).
What encryption gives you: Protection against eavesdropping — Eve can't read the message.
What encryption does NOT give you:
| Missing Property | Attack Possible | Solution |
|---|---|---|
| Integrity | Modify encrypted data | MAC or Digital Signature |
| Authenticity | Insert fake messages | MAC or Digital Signature |
| Non-repudiation | Sender denies sending | Digital Signature |
| Freshness | Replay old messages | Sequence numbers |
| Availability | Delete messages | Sequence numbers |
| User authentication | Masquerade | C-R Protocols |
Real-world consequence: Early SSL/TLS versions that only encrypted (without proper integrity) were vulnerable to attacks like BEAST and POODLE. Modern TLS 1.3 uses authenticated encryption (AEAD) which combines confidentiality + integrity in a single operation.
Rule of thumb: Never use encryption without authentication. "Encrypt-then-MAC" or AEAD modes like AES-GCM are the standard approach.
Go deeper:
Authenticated encryption — AEAD, which bundles confidentiality and integrity.