
Thursday, 11 December 2014

Cryptography and Network Security


Unit-1
The OSI (Open Systems Interconnection) security architecture provides a systematic framework for defining security attacks, mechanisms, and services.
1.> Security Attacks:- Security attacks are classified as either passive attacks, which include unauthorised reading of a message or file and traffic analysis, or active attacks, such as modification of messages or files and denial of service.
2.> Security Mechanism:- A security mechanism is any process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. Examples of mechanisms are encryption algorithms, digital signature, and authentication protocols.
3.> Security Services:- Security services include authentication, access control, data confidentiality, data integrity, non-repudiation, and availability.
Security Trends:- In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture" (RFC 1636). The report stated the general consensus that the Internet needs more and better security, and it identified key areas for security mechanisms.
The OSI Security Architecture:- To assess effectively the security needs of an organisation and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterising the approaches to satisfying those requirements.
The ITU-T (International Telecommunication Union Telecommunication Standardisation Sector) Recommendation X.800, Security Architecture for OSI, defines such a systematic approach. The OSI security architecture is useful to managers as a way of organising the task of providing security.
The OSI security architecture provides a useful, if abstract, overview of many of the concepts that follow.
The OSI Security model or architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows:
Security Attacks:- Any action that compromises the security of information owned by an organisation.
Security Mechanism:- A process (or a device incorporating such a process) that is designed to detect , prevent, or recover from a security attack.
Security Service:- A processing or communication service that enhances the security of the data processing systems and the information transfers of an organisation. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
Note:-
1.> Threat:- A potential for violation of security, which exists when there is a circumstance, action, capability, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
2.> Attack:- An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Security Attacks:- A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks.

A Passive attack attempts to learn or make use of information from the system but does not affect system resources.

An Active attack attempts to alter system resources or affect their operation.

1.> Passive Attacks:- Passive Attacks are in the nature of eavesdropping on, or monitoring of transmissions.
The goal of the opponent is to obtain information that is being transmitted.
Two types of passive attacks are release of message contents and traffic analysis.

a.> Release of Message Contents:- The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.




b.> Traffic Analysis:- Traffic analysis is subtler. The common technique for masking contents is encryption. Even with encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern.
However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.

2.> Active Attacks:- Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.

a.>  Masquerade:-  A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack.
For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

                          
b.> Replay:- Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

c.> Modification of messages:- Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
d.> Denial of service:- The denial of service prevents or inhibits the normal use or management of communication facilities. This attack may have a specific target. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.
Security Services:- X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Perhaps a clearer definition is found in RFC 2828, which defines a security service as a processing or communication service that is provided by a system to give a specific kind of protection to system resources. Security services implement security policies and are implemented by security mechanisms. X.800 divides these services into five categories and fourteen specific services.

1.> Authentication:- The authentication service is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from.
Two specific authentication services are defined in X.800.  

a.> Peer entity authentication:- Provides for the corroboration of the identity of a Peer entity in an association. It is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection.

b.> Data origin authentication:- Provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications, such as electronic mail, where there are no prior interactions between the communicating entities.
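The following Python example is added here and is not part of the original notes; it models the active attacks described above (replay, modification of messages, masquerade) from the receiver's side, and the distinction just drawn between data origin authentication and peer entity authentication. The shared key, the message format (sequence number, payload, HMAC-SHA256 tag) and the sample transfers are all constructed for the demonstration. An HMAC tag on its own gives data origin authentication: it detects a modified payload or a sender without the key, but, exactly as the text says, it accepts a duplicated data unit. Binding a monotonically increasing sequence number into the tag and remembering the last accepted value at the receiver is what turns the check into one that also rejects replays.

```python
import hashlib
import hmac
import struct

# Constructed key for the demo; a real deployment provisions a per-peer key and never hard-codes it.
SHARED_KEY = b"demo-shared-key-not-for-production"


def tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || payload), so neither field can be changed independently."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def make_message(key: bytes, seq: int, payload: bytes) -> dict:
    """Constructed wire format: a dict with the fields the receiver checks."""
    return {"seq": seq, "payload": payload, "tag": tag(key, seq, payload)}


def verify_origin_only(key: bytes, msg: dict) -> bool:
    """Data origin authentication alone: who produced this data unit, with no notion of freshness.
    compare_digest is constant-time, so tag bytes are not leaked through timing."""
    return hmac.compare_digest(tag(key, msg["seq"], msg["payload"]), msg["tag"])


class Receiver:
    """Receiver that verifies origin (HMAC) and freshness (strictly increasing sequence number)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far
        self.log = []        # constructed audit trail: (verdict, seq, reason)

    def accept(self, msg: dict) -> bool:
        if not verify_origin_only(self.key, msg):
            self.log.append(("REJECT", msg["seq"], "bad tag: modified or not from the claimed source"))
            return False
        if msg["seq"] <= self.last_seq:
            self.log.append(("REJECT", msg["seq"], "replay: sequence number already consumed"))
            return False
        self.last_seq = msg["seq"]
        self.log.append(("ACCEPT", msg["seq"], "authentic and fresh"))
        return True


def demo() -> dict:
    """Run the attack scenarios from the notes against the receiver and report each verdict."""
    rx = Receiver(SHARED_KEY)
    genuine = make_message(SHARED_KEY, 1, b"transfer 10 to account A")
    captured = dict(genuine)  # a passively captured copy of the data unit

    verdicts = [
        rx.accept(genuine),                                                        # legitimate: True
        rx.accept(captured),                                                       # replay: False
        rx.accept(dict(genuine, seq=2, payload=b"transfer 99 to account A")),      # modification: False
        rx.accept(make_message(b"attacker-key", 2, b"transfer 10 to account B")),  # masquerade: False
        rx.accept(make_message(SHARED_KEY, 2, b"transfer 5 to account C")),        # next genuine: True
    ]
    return {
        "verdicts": verdicts,
        # Origin check by itself is satisfied by the replayed copy: the L64 point in one line.
        "origin_only_accepts_replay": verify_origin_only(SHARED_KEY, captured),
        "log": rx.log,
    }


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(*entry)
```

The audit log is the detection artefact the text calls for with active attacks: the receiver cannot stop a replay or a forgery from arriving, but every rejected data unit leaves a record with its reason, which is what makes recovery and deterrence possible.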

2.> Access control:- Access control is the ability to limit and control the access to host systems and applications via communication links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.
 
3.> Data confidentiality:- Confidentiality is the protection of transmitted data from passive attacks. With respect to the content of a data transmission, several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a period of time.

For example, when a TCP connection is set up between two systems, this broad protection prevents the release of any user data transmitted over the TCP connection.
The other aspect of confidentiality is the protection of traffic flow from analysis. This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility.
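The following Python example is added here and is not from the original notes; it models the traffic analysis attack described under passive attacks and the traffic-flow confidentiality requirement stated just above. The key, the heartbeat and alarm messages, the toy HMAC-based stream cipher and the padding scheme are all constructed for the demonstration. It shows that, with content encryption in place, the length of each ciphertext alone lets a passive observer tell an alarm report from a routine heartbeat, and that traffic padding (one of the mechanisms X.800 lists) removes that length signal while the receiver can still recover the original message.

```python
import hashlib
import hmac
import os

# Constructed key for this demo only; a real system uses a vetted cipher and proper key management.
KEY = b"demo-key-not-for-production"
NONCE_LEN = 12

# Constructed sample traffic: a monitoring station sends short heartbeats or a longer alarm report.
HEARTBEAT = b"HB"
ALARM = b"ALARM: intrusion detected at perimeter gate 4, dispatch guard"
TRAFFIC = [HEARTBEAT, HEARTBEAT, ALARM, HEARTBEAT, ALARM]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Illustration only, not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext. Ciphertext is exactly as long as the plaintext: that is the leak."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def pad(plaintext: bytes, bucket: int = 64) -> bytes:
    """Traffic padding: 2-byte length prefix, then zero-fill to a multiple of `bucket` bytes,
    so every message on the wire has one of a few fixed sizes regardless of its content."""
    if len(plaintext) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(plaintext).to_bytes(2, "big") + plaintext
    return body + b"\x00" * (-len(body) % bucket)


def unpad(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def observed_lengths(traffic, padded: bool) -> list:
    """What a passive eavesdropper sees: the size of each ciphertext body, never its content."""
    sizes = []
    for msg in traffic:
        blob = encrypt(KEY, pad(msg) if padded else msg)
        sizes.append(len(blob) - NONCE_LEN)
    return sizes


def classify_by_length(sizes, heartbeat_len: int = len(HEARTBEAT)) -> list:
    """Traffic analysis: guess ALARM whenever a ciphertext is longer than a heartbeat would be."""
    return ["ALARM" if s > heartbeat_len else "HEARTBEAT" for s in sizes]


def roundtrip(msg: bytes) -> bytes:
    """Receiver side with padding in place: decrypt, then strip the padding."""
    return unpad(decrypt(KEY, encrypt(KEY, pad(msg))))


if __name__ == "__main__":
    plain_sizes = observed_lengths(TRAFFIC, padded=False)
    print("without padding:", plain_sizes, classify_by_length(plain_sizes))
    print("with padding:   ", observed_lengths(TRAFFIC, padded=True))
```

Padding conceals message length, but the observer still sees how many messages were sent and when; hiding the frequency the notes mention as well requires sending cover traffic at a fixed rate, so that a real alarm is indistinguishable from a dummy message on the wire.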