Revision Su2013
Security Architecture for OSI

The ITU (International Telecommunication Union) is a United Nations sponsored
agency which develops standards (called recommendations) for telecommunications and
open systems interconnection (OSI). Recommendation X.800, Security Architecture for
OSI, defines a systematic approach for the manager and technical professional responsible
for implementing security in a network, communications or computer environment: it
gives a way to define the requirements for security and to characterize the various approaches
to implementing functionality that satisfies those requirements.
The framework provided by the architecture categorizes the elements of security into
security attacks, security services and security mechanisms.
A Security Attack is an action that compromises the information owned or entrusted to
the organization. The compromise affects some attribute of the CIA triad.
A Security Service is a collection of functionality (routines, programs, algorithms,
specifications) that provides support for a particular aspect of security. To protect a
network from attack, mechanisms must be implemented that support each of these
services to the extent they are needed in the target environment. A security service is
implemented by making use of one or more security mechanisms.
Security Services:
Authentication: The assurance that a communicating entity is the one it claims to be.
Access Control: Controls to prevent unauthorized use of a resource.
Data Confidentiality: The protection of data from unauthorized disclosure.
Availability: Assurance that computing resources and data are available.
Data Integrity: The assurance that data that is received or read back is exactly what the authorized entity sent or stored, with no unauthorized modification, insertion, deletion or replay.
Nonrepudiation: Protection against denial by one or both parties in a communication that they sent or received all or part of it.
Logging and Monitoring: Services that support the observation and logging of system activity.
The security services enumerated above are categories of services; each category is further divided
into specific services that apply to different aspects of the category. For example, the
authentication service is divided into two specific services: peer entity authentication and
data origin authentication. Peer entity authentication involves each party in a logical
connection being able to confirm, to some degree of confidence, the identity of the other
party. Data origin authentication is used in a connectionless transfer, so that the
recipient of a unit of data can be confident of the identity of its sender even though no connection exists.
RFC 2828 provides the following definition for a security service:
Definition: Security Service: A processing or communication service that is
provided by a system to give a specific kind of protection to system resources;
security services implement security policies by using security mechanisms.
A Security Mechanism is a particular technique or set of techniques that are used to
implement a security service.
Security mechanisms are divided into two groups: specific security mechanisms and
pervasive security mechanisms. A specific security mechanism is implemented in a
particular protocol layer or layers (e.g. TCP and/or application layer, etc.) to provide a
security service. For example: encipherment is a specific security mechanism that could
be implemented at various protocol layers. Encipherment may be implemented at the
application level using PGP, the transport layer using SSL and the IP layer using IPsec.
Specific Security Mechanisms:
Encipherment: The use of cryptography to encrypt and decrypt information. Supports authentication, data confidentiality, data integrity.
Digital Signature: The use of cryptography to compute a value and append it to a data object such that any recipient of the data can verify the data's
origin and integrity.
Access Control: Numerous mechanisms that protect a system resource (control, data) from unauthorized use in accordance with the system's
security policy.
Data Integrity: Numerous mechanisms that protect against unauthorized changes to data, both malicious and accidental.
Authentication exchange: Mechanisms used to ensure the identity of an entity through an exchange of information.
Traffic Padding: The insertion of extra bits into a data stream to frustrate traffic analysis of the data stream.
Routing Control: Numerous mechanisms to control the path data takes from source to destination to ensure secure transmission of data.
Notarization: Use of a trusted third party to assure or vouch for the integrity of a data exchange (e.g. digital certificates).
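The following added example (not from the X.800 text or the ITU) illustrates the distinction between data origin authentication and the services a given mechanism can and cannot support. It uses a keyed hash (HMAC-SHA256, an authentication exchange/data integrity mechanism) appended to a connectionless datagram. The shared key, party names and payloads are constructed for the demonstration.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key shared by sender and recipient; in practice it would be
# established out of band or by a key-agreement protocol.
KEY = b"constructed-shared-secret-for-demo"


@dataclass(frozen=True)
class Datagram:
    """A connectionless data unit with an authenticator (tag) appended."""
    sender: bytes
    payload: bytes
    tag: bytes


def _tag(key: bytes, sender: bytes, payload: bytes) -> bytes:
    # Bind the claimed sender identity to the payload so neither can be swapped.
    return hmac.new(key, sender + b"|" + payload, hashlib.sha256).digest()


def protect(key: bytes, sender: bytes, payload: bytes) -> Datagram:
    """Mechanism: compute a keyed hash over identity and data and append it."""
    return Datagram(sender, payload, _tag(key, sender, payload))


def verify(key: bytes, d: Datagram) -> bool:
    """Service: data origin authentication plus data integrity.
    The recipient recomputes the tag; a match gives confidence in the sender's
    identity and in the payload, without any connection state."""
    return hmac.compare_digest(_tag(key, d.sender, d.payload), d.tag)


def tamper(d: Datagram) -> Datagram:
    """Attack on integrity: modify the payload but keep the original tag."""
    return Datagram(d.sender, d.payload.replace(b"100", b"900"), d.tag)


def spoof(d: Datagram) -> Datagram:
    """Attack on origin: claim a different sender but keep the original tag."""
    return Datagram(b"mallory", d.payload, d.tag)


if __name__ == "__main__":
    d = protect(KEY, b"alice", b"transfer 100 to bob")
    print(verify(KEY, d), verify(KEY, tamper(d)), verify(KEY, spoof(d)))
    # The recipient holds the same key, so it can build a valid datagram in
    # alice's name: HMAC cannot provide nonrepudiation; that needs a
    # digital signature, where only the signer holds the signing key.
    print(verify(KEY, protect(KEY, b"alice", b"transfer 900 to bob")))
```

The last line shows why the service/mechanism mapping matters: the same mechanism supports data integrity and data origin authentication but not nonrepudiation, for which the Digital Signature mechanism above is required.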
Pervasive security mechanisms are not specific to any protocol layer or security service.
Such a mechanism may be implemented at any protocol layer and may support any service.
Pervasive Security Mechanisms: