Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.
In information security, cryptography is the practice of using mathematical algorithms to protect information. The best-known case is encryption, which converts readable data into an unreadable form, called ciphertext, that can only be recovered by someone holding the proper decryption key. Cryptography is not limited to encryption, however: it is used to provide integrity and authenticity of data as well as confidentiality.
Some examples of the use of cryptography in information security include:
- Encryption: Encryption is the process of converting plaintext into an unreadable form, called ciphertext, so that it cannot be read or disclosed by anyone who lacks the decryption key. It is used to protect data at rest, such as on a hard drive, and data in transit, such as over a network. Modern practice favours authenticated encryption modes such as AES-GCM, which detect tampering with the ciphertext as well as hiding its content.
- Digital Signatures: A digital signature provides authenticity and non-repudiation. The signer hashes the data and applies a signature algorithm to it with a private key; anyone holding the matching public key can verify the result. A signature that verifies shows that the data came from the holder of the private key and has not changed since it was signed. (The common description "encrypting the hash with the private key" is a simplification: signing is a distinct operation, and a signature scheme should never be improvised from an encryption primitive.)
- Hashing: A hash function is a one-way function that maps an input (or 'message') of any length to a fixed-size 'digest'. Any change to the input changes the digest, so digests are used to check integrity. A bare digest, however, only detects accidental corruption: an attacker who can modify the data can recompute its digest. To detect deliberate tampering the digest itself must be protected, either by a digital signature or by a keyed message authentication code such as HMAC.
- Public-Key Infrastructure (PKI): PKI is a system of digital certificates, digital signatures, and public-private key pairs that can be used to secure communications, authenticate users, and provide non-repudiation.
- Secure Sockets Layer (SSL) and Transport Layer Security (TLS): TLS is the protocol that secures most communications over the internet; it uses digital certificates to authenticate the server (and optionally the client) and encryption to protect the data exchanged between a client, such as a web browser, and a server. SSL is the deprecated predecessor of TLS and, like TLS 1.0 and 1.1, should no longer be enabled; deployments should require TLS 1.2 or later, preferably TLS 1.3.
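The TLS item above, as an added example written for this page in Go (not the page's own material): it runs a real TLS handshake over an in-memory pipe with a hardened client that trusts only a known root and requires TLS 1.2 or later, then shows the same client refusing a server limited to TLS 1.0, and a client with no trust configuration refusing the self-signed certificate. The host name example.internal and the self-signed certificate are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a short-lived self-signed certificate for the
// constructed host name "example.internal" and a root pool that trusts it,
// so the handshake below can be verified without a real CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.internal"},
		DNSNames:     []string{"example.internal"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// Handshake runs a TLS handshake between a server and a client over an
// in-memory pipe (no sockets) and returns the negotiated protocol version.
// It fails if the two sides share no acceptable version or if the client
// cannot validate the server's certificate.
func Handshake(serverCfg, clientCfg *tls.Config) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	errCh := make(chan error, 1)
	go func() {
		err := tls.Server(srvConn, serverCfg).Handshake()
		errCh <- err
		if err != nil {
			srvConn.Close() // unblock the client if the server gave up first
		}
	}()
	cli := tls.Client(cliConn, clientCfg)
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-errCh; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	// Hardened configuration: trust only our roots, verify the host name, and
	// refuse anything below TLS 1.2. Session tickets are disabled only because
	// net.Pipe is unbuffered and nothing here reads the ticket message.
	server := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true}
	client := &tls.Config{RootCAs: roots, ServerName: "example.internal", MinVersion: tls.VersionTLS12}
	v, err := Handshake(server, client)
	fmt.Printf("hardened: version=0x%04x err=%v\n", v, err)

	// Weak configuration: a server pinned to TLS 1.0 cannot complete a
	// handshake with the hardened client.
	legacy := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10, SessionTicketsDisabled: true}
	_, err = Handshake(legacy, client)
	fmt.Println("TLS 1.0-only server rejected:", err != nil)

	// A client without the right trust roots rejects the self-signed certificate.
	untrusting := &tls.Config{ServerName: "example.internal", MinVersion: tls.VersionTLS12}
	_, err = Handshake(server, untrusting)
	fmt.Println("untrusted certificate rejected:", err != nil)
}
```

The two settings that do the work are `MinVersion` on both sides and `RootCAs` plus `ServerName` on the client; a production deployment would use a certificate issued by a CA the clients already trust rather than a self-signed one, and would leave session tickets enabled.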
The use of cryptography is a fundamental part of modern information security; it is widely used to protect sensitive data, to secure communications, and to authenticate users and devices. Cryptography alone is not a comprehensive security solution, however, and should be used in conjunction with other controls such as firewalls and intrusion detection and prevention systems (IDPS). Because the protection it provides depends entirely on the secrecy and correct handling of the keys, the organisation should address cryptography at policy level, including key management (generation, storage, rotation and revocation of keys), and implement the procedures needed to enforce that policy.