The OSI Security Architecture
The OSI Security Architecture
The OSI Security Architecture
Prepared By
T. G. Rebanowako
Outline
• Introduction
• Security Attacks
• Security Services
• Security Mechanisms
Introduction
The ITU-T Recommendation X.800, Security Architecture for OSI, defines a systematic approach
that can be adopted by organizations.
• OSI security architecture is useful to managers as way of organizing the task of security provision.
• computer and communications vendors have bench-marked development of security features
for their products and services with this structured definition of services and mechanisms.
•architecture focuses on security attacks, mechanisms, and services.
• RFC 4949, Internet Security Glossary provides definitions of the terms threat and attack as
follows:
• Threat: potential for violation of security, which exists when there is a circumstance, capability, action, or
event that could breach security and cause harm.
• Attack: assault on system security that derives from an intelligent threat.
Security Attacks
X.800 and RFC 4949 both classify security attacks in terms of passive attacks and
active attacks.
•Passive Attacks: involve eavesdropping on, or monitoring of, transmissions, opponent’s intention
being to obtain information being transmitted.
•Two types identified:
• Release of message contents
• Traffic analysis
•Very difficult to detect as no alteration of data is involved.
•Feasible to prevent these attacks, thus focus should be prevention rather than detection.
Passive Attacks
Release of Message Contents
•Involves ability to limit and control access to systems and applications via
communications links in a network.
•Accomplished by ensuring each entity trying to gain access must first be identified,
or authenticated.
•Access rights can be tailored to the individual.
•Prevention of unauthorized use of a resource.
•Controls who can have access to a resource, under what conditions access can occur,
and what those accessing the resource are allowed to do.
Data Confidentiality
•Can apply to stream of messages, single message, or selected fields within a message.
•Most useful and straightforward approach is total stream protection.
•A connection-oriented integrity service, which deals with a stream messages, assures
messages are received as sent with no duplication, insertion, modification, reordering, or
replays.
•Destruction of data also covered under this service.
•Connection-oriented integrity service addresses both message stream modification and
denial of service.
•Connectionless integrity service which deals with individual messages without regard to
any larger context generally provides protection against message modification only.
•Distinction can be made between service with or without recovery.
Nonrepudiation
•Both X.800 and RFC 4949 define availability as the property of a system or system
resource being accessible and usable upon demand by an authorized system entity,
according to performance specifications for the system.
•A system is available if it provides services according to the system design whenever
users request them.
•A variety of attacks can result in the loss of or reduction in availability.
•Some of these attacks are amenable to automated countermeasures (e.g.,
authentication and encryption).
•Others require some sort of physical action to prevent or recover from loss of
availability of elements of a distributed system.
Availability Service (cont’d ….)
Trusted Functionality Perceived to be correct with respect to some criteria (e.g., as established
by a security policy).
Security Label Marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.
Event Detection Detection of security-relevant events.
Security Audit Trail Data collected and potentially used to facilitate a security audit, which is an
independent review and examination of system records and activities.
Security Recovery Deals with requests from mechanisms, such as event handling and
management functions, and takes recovery actions.
Relationship Between Security Services and Mechanisms
•X.800 also indicates the relationship between security services and security
mechanisms.
Security Service Security Mechanisms
1. V.S. Bagad and I.A. Dhotre, Information and Network Security, 2nd Edition, Technical
Publications, 2017
2. William Stallings, Cryptography and Network Security: Principles and Practice, 7th
Edition, Pearson, 2017
-----End-----