Specific security mechanism

Security Architecture for OSI

Week7 Part3-IS

RevisionSu2013

Security Architecture for OSI The ITU (International Telecommunications Union) is a United Nations sponsored

agency which develops standards (called recommendations) for telecommunications and

open systems interconnection (OSI). Recommendation X.800, Security Architecture for

OSI defines a systematic approach for the manager and technical professional responsible

for implementing security in a network, communications or computer environment to

systematically define the requirements for security and to characterize various approaches

to implement functionality that satisfies the requirements.

The framework provided by the architecture categorizes the elements of security into

security attacks, security services and security mechanisms.

A Security Attack is an action that compromises the information owned or entrusted to

the organization. The compromise affects some attribute of the CIA triad.

A Security Service is a collection of functionality (routines, programs, algorithms,

specifications) that provides support for various aspects of security: In order to protect a

network from attack, mechanisms need to be implemented that support each of these

services to the extent they are needed in the target environment. Security services are

implemented by making use of one or more security mechanisms.

Security Services:

 Authentication: The assurance the communicating entity is the one they claim to be.

 Access Control: Controls to prevent unauthorized use of a resource.

 Data Confidentiality: The protection of data from unauthorized disclosure.

 Availability: Assurance that computing resources and data are available.

 Data Integrity: The assurance that data that is sent/received/stored is exactly as it was sent/received/stored by the authorized entity.

 Nonrepudiation: Protection against denial by one or both parties in a communication that they sent or received all or part of it.

 Logging and Monitoring: Services that support the observation and logging of system activity.

The security services enumerated above are categories of services that are further divided

into specific services that apply to different aspects of a service. For example; the

authentication service is divided into two specific services peer entity authentication and

data origin authentication. Peer entity authentication involves each party in a logical

connection being able to confirm to some degree of confidence the identity of the other

party. Data origin authentication is used in a connectionless transfer such that the

recipient of the data can be confident in the identity of the sender.

RFC 2828 provides the following definition for a security service:

Definition: Security Service: A processing or communication service that is

provided by a system to give a specific kind of protection to system resources;

security services implement security policies by using security mechanisms.

A Security Mechanism is a particular technique or set of techniques that are used to

implement a security service.

Security mechanisms are divided into two groups: specific security mechanisms and

pervasive security mechanisms. A specific security mechanism is implemented in a

particular protocol layer or layers (e.g. TCP and/or application layer, etc.) to provide a

security service. For example: encipherment is a specific security mechanism that could

be implemented at various protocol layers. Encipherment may be implemented at the

application level using PGP, the transport layer using SSL and the IP layer using IPsec.

Specific Security Mechanisms:

 Encipherment: The use of cryptography to encrypt and decrypt information. Supports authentication, data confidentiality, data integrity.

 Digital Signature: The use of cryptography to compute a value and append it to a data object such that any recipient of the data can verify the data's

origin and integrity.

 Access Control: Numerous mechanisms that protect a system resource (control, data) from unauthorized use in accordance by the systems

security policy.

 Data Integrity: Numerous mechanisms that protect unauthorized changes to data, both malicious and accidental.

 Authentication exchange: Mechanisms used to ensure the identity of an entity.

 Traffic Padding: The generation of bits into a data stream to frustrate analysis of the data stream.

 Routing Control: Numerous mechanisms to control the path data takes from