IT Security Concepts

Date

Introduction

Let’s talk about some IT Security. This note will contain a lot of useful theory for the IT security topic. We will talk about important and always to think about secure communication concepts in IT security. This will focus mostly on how to transfer safely messages over a connection and what kind of other security measures you should consider.

Most of this is based off my University lectures, so let’s dive into it.

1. Secure concepts

Secure communication concepts are extremely important, as they are applied everywhere in modern IT. In the early days of the internet, the network was not designed with security in mind, it focused mainly on reliability and usability among trusted parties. As more people joined and the internet grew, it became clear that security was essential. We do not want our messages to be read or modified by others, so various security mechanisms were developed over the years.

  • C - Confidentiality
  • I - Integrity
  • A - Availability

These form the core principles of secure communication. Other important concepts, such as authentication and authorization, are often discussed alongside the CIA triad but are not part of it. Another term frequently used in security is adversary, referring to an attacker or anyone attempting to compromise these security principles.

1.1 Confidentiality

First we need to get familiar with secure communication concepts. This is really important as it lays the fundamentals for security. What do I mean by that? Let’s clarify this first with an example that will be repeating the whole note. Let’s say we have this example: Alice wants to send to her friend Bob a message -> ‘Hello Bob!’. We are all familiar how this can be done, over the internet. How is this message being send is a complicated topic and deserves a book on it’s own, but basically simplified, let’s image Alice and Bob are connected through a line.

Communication example Alice and Bob

Figure 1: Basic communication example Alice-Bob

Now let’s assume, that somebody somehow manages to sit in the middle between Alice and Bob, called Mallow. This person would be able to read the plaintext (the message ‘Hello Bob!’). Alice and Bob might be exchanging private information, credit card credentials etc. We surely don’t want credentials or private information to be viewed by anybody so we need to introduce a security concept on how to secure this. This security concept would be called Confidentiality.

Communication example Alice, Mallow and Bob

Figure 2: Basic communication example Alice-Mallow-Bob

Confidentiality means that only the sender and the legitimate receiver can understand a message. This is achieved through cryptography. Although cryptography is a deep and complex field, the basic idea is simple: take a plain message like "Hello Bob!" and transform it into something unreadable such as "ZvbajsdaYAISdadgASDl1gJADAsdo". This transformation is performed by a mathematical algorithm, which we can think of as a function f(), often referred to as a key. The key takes the plaintext as input and produces encrypted output, called ciphertext.

Encrypted communication example Alice and Bob

Figure 3: Basic communication example Alice-Mallow-Bob encrypted

In symmetric cryptography, the same key is used for both encryption and decryption. As long as only Alice and Bob possess this key, they can communicate securely: Alice encrypts her message with the key, and Bob decrypts it with the same one. Even if Mallow intercepts the message while sitting in the middle, he cannot read it without the key. Confidentiality achieved ✅

But this introduces a new challenge: how can Alice and Bob share this secret key in the first place, without allowing Mallow to steal it as well?

1.2 Integrity

The concept of integrity in secure communication means that a message must not be altered by an adversary. Integrity is typically provided by a hash function. A hash is a function that takes an input (any data) and produces a fixed-length output string, called a hash value or digest. A secure hash function has three important properties:

  • Deterministic: The same input always produces the same output.
  • Avalanche effect: A tiny change in the input results in a large, unpredictable change in the output.
  • Collision resistance: It should be computationally infeasible for two different inputs to produce the same output.

Why is this useful? If we take the message “Hello Bob!”, a hash function will generate a unique fixed-length string such as:

Hello Bob! → 42ba8354db263a6a5a9f74d6b7ceb4c962a3d8fd58a41969e521eb0222455415

This means that Alice can hash her message and send both the message and the hash to Bob. Bob can then recompute the hash himself and compare it to the one Alice sent. If an adversary, Mellow, modifies the message to “Hello Bobby!”, the hash will change completely:

Hello Bobby! → 4da22bcb0ddfbb97c0a387526d312df95d4d097a359b3b8b63532ab166c7ecab

The mismatch warns Bob that the message has been altered.

However, in real secure communication, a hash alone is not enough, because an attacker could simply replace both the message and the hash. For this reason, hashes are typically used inside a MAC (Message Authentication Code), which uses a secret key to ensure that only the sender and receiver can produce a valid hash.

1.3 Availability, Authenticity

Availability means that the communication or service between users must remain accessible and functional. An adversary should not be able to disrupt or take down the connection. A common example of an availability attack is a DDoS (Distributed Denial of Service) attack, where an attacker overloads a system so legitimate users cannot access it.

Authentication is the process of verifying the identity of a user. There are several ways to authenticate someone, typically grouped into standard categories:

  • Something the user knows (password, passphrase, PIN, usually stored as a hash, not in plain text)
  • Something the user has (smart card, token, security key, mobile device)
  • Something the user is (biometrics such as fingerprint, facial recognition, retina scan)
  • Single Sign-On (SSO) (a system allowing one login to access multiple services)
  • Multi-Factor Authentication (MFA) (using two or more of the above factors together)

2. Cryptography

Cryptography is used, as explained in 1.1 Confidentiality, to encrypt messages so that only the sender and the intended receiver can understand them. This can be achieved with symmetric cryptography, where the same key is used to encrypt and decrypt messages. However, in the real world there is a major challenge: how can the symmetric key be securely exchanged? This is where asymmetric cryptography comes into play.

Asymmetric cryptography uses two mathematically related keys: a public key and a private key. Whatever is encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. These keys are generated using mathematical algorithms and are represented as long strings of data that have this special relationship.

This simplifies key exchange: Each user keeps their private key secret, while the public key can be freely shared. For example, Alice can obtain Bob’s public key, encrypt her message “Hello Bob” with it, and only Bob can decrypt it using his private key.

Public and private keys are also used for digital signatures. If Alice signs (encrypts) a hash of her message using her private key, anyone can verify that signature with her public key. If it decrypts correctly, the recipient knows the message really came from Alice and has not been altered.

In practice, asymmetric cryptography is mainly used to securely exchange symmetric keys and establish a protected communication channel. Once the channel is established, the actual message data is usually encrypted using faster symmetric cryptography.

However, another problem remains: Alice cannot be sure that the public key she receives truly belongs to Bob. An attacker (Mellow) could send his own public key instead. This is why digital certificates and Certificate Authorities (CAs) are necessary, they allow users to verify the authenticity of public keys.

3. Digital Certificates

Symmetric keys have the problem of how to securely deliver the secret key to the other party. This problem is solved by asymmetric cryptography, where each user has a public key and a private key. However, asymmetric cryptography introduces a new issue: How can you verify that a given public key actually belongs to the person claiming it?

This is solved by using a Trusted Third Party (TTP), more commonly known as a Certificate Authority (CA). A CA is an organization that verifies identities and uses its own private key to digitally sign public keys, creating digital certificates. These certificates allow others to trust that a specific public key belongs to a specific person, system, or organization.

Digital certificates link a public key to an identity (a person, server, device, or organization).

Digital certificate overview

Figure 4: Digital certificate PKI overview

How the Certificate Process Works

  1. A user creates a key pair (private key + public key).
  2. The user creates a CSR (Certificate Signing Request), which includes the public key and identity information.
  3. The CSR is sent to a Registration Authority (RA).
  4. The RA verifies the identity of the requester.
  5. Once verified, the RA tells the Certificate Authority (CA) to issue a certificate.
  6. The CA signs the certificate using its private key and sends it back to the user.

Now, when Alice sends her public key to Bob, she also sends her digital certificate, not the CSR. Bob can verify the certificate using the CA’s well-known public key. If the certificate is valid, Bob knows the public key truly belongs to Alice.

A typical digital certificate (such as an X.509 certificate used on the internet) includes:

Identity Information

  • Subject name (e.g Alice Smith or www.example.com)
  • Organization, country, email address
  • Distinguished Name (DN)

Public Key Information

  • The actual public key
  • The key algorithm (RSA, ECC, etc.)

Validity Information

  • Issuance date
  • Expiration date

Issuer Information

  • The Certificate Authority that issued the certificate
  • CA’s Distinguished Name

Certificate Metadata

  • Serial number
  • Version
  • Signature algorithm (SHA-256, etc.)

4. TLS

Now that we understand the fundamentals of secure communication: confidentiality, integrity, availability, authentication, symmetric and asymmetric cryptography, and digital certificates, we can finally look at how these are used in the real world. Whenever you browse a website and see https:// instead of http://, your browser is using a security protocol called TLS (Transport Layer Security). TLS is the modern, secure version of what used to be called SSL (Secure Sockets Layer). SSL is outdated and insecure today, but the name “SSL” is still commonly used, even though the actual protocol running everywhere is TLS.

TLS is the protocol that ensures secure communication between a client (e.g your browser) and a server (e.g a website). It combines everything explained so far into a single, structured process.

4.1 What TLS Provides

TLS ensures:

  • Confidentiality → messages are encrypted with symmetric cryptography
  • Integrity → messages contain MACs or digital signatures
  • Authentication → digital certificates confirm the identity of the server (and sometimes the client)
  • Availability → secure, stable communication channels resistant to interference
  • Key Exchange → secure negotiation of symmetric keys using asymmetric cryptography

4.2 TLS Handshake

TLS begins with a process called the TLS Handshake. This is the setup phase where both parties agree on how to communicate securely. Here’s a simplified version of the handshake:

TLS handshake example

Figure 5: TLS v1.2 handshake example

  1. Phase 1: Client Hello - The handshake starts when the client (Alice) contacts the server (Bob) and sends:
    • The TLS versions it supports (e.g. TLS 1.2, TLS 1.3)
    • The encryption algorithms (cipher suites) it’s willing to use
    • A random value used later in key generation
    • Additional information such as the domain name (SNI) and supported extensions
  2. Phase 2: Server Hello + Certificate - The server responds with::
    • The chosen TLS version and cipher suite
    • Its own random value (for key derivation)
    • A digital certificate containing its public key, signed by a trusted Certificate Authority (CA)
  3. Phase 3: Certificate Verification - The client (Alice) checks the server’s identity:
    • Is it signed by a trusted CA?
    • Is it valid?
    • Does it belong to the server she’s visiting?

    This step provides authentication and protects Alice from adversaries like Mellow pretending to be Bob.

  4. Phase 4: Symmetric Key Exchange - Alice and Bob exchange symmetric keys for communication:

    After the certificate is verified, both sides establish shared secret keys. Modern TLS (including all TLS 1.3 connections and most TLS 1.2 connections) usesephemeralDiffie-Hellman (a secure key exchange protocol) for this exchange. This means:

    • The symmetric keys are derivedfrom Diffie-Hellman, not transmitted directly
    • No symmetric key ever travels over the network

Older TLS versions sometimes used RSA to encrypt a premaster secret, but this is now discouraged.

Secure Communication Established

Once key exchange is complete, both sides compute the same symmetric session keys. From this point on, all communication data is encrypted and authenticated using fast symmetric cryptography(e.g AES-GCM or ChaCha20-Poly1305). Asymmetric cryptography is no longer used after the handshake.

If the application protocol is HTTP, the combination becomes HTTPS, so HTTP running inside a TLS secured channel.

4.3 TLS Usage

TLS is used in:

  • Web browsing (HTTPS)
  • Email security (TLS for SMTP, IMAP, POP3)
  • VPN connections
  • APIs and backend communication
  • Secure file transfer (FTPS)
  • Messaging applications

Anywhere data must be transmitted safely, TLS is involved. Without TLS, online banking, shopping, and even basic privacy on the internet wouldn’t be possible.

5. Endnote

IT security may seem overwhelming at first, but once you understand the core building blocks, everything makes more sense. Confidentiality, integrity, availability, authentication, cryptography, and digital certificates all play a crucial role in keeping our communication secure. The early internet was designed primarily for reliability and connectivity among trusted users, not for security or protection against adversaries. And as we’ve seen, TLS is the real-world protocol that brings all of these concepts together to protect the data we send and receive every day.

This blog is only a starting point, each of these topics can go incredibly deep but having a solid foundation will help you understand how modern secure communication works and why it is so essential.