OSI Security Architecture
The System Manager is responsible for
assessing the security needs of an organization effectively, and
evaluating and choosing among the various security products and policies.
The OSI security architecture provides a useful overview of many of the
concepts. The OSI security architecture focuses on security attacks,
mechanisms, and services. These can be defined briefly as follows:
Security Attack: Any action that compromises the security of
information owned by an organization.
Security Mechanism: A process (or a device incorporating such a
process) that is designed to detect, prevent, or recover from a
security attack.
Security Service: A processing or communication service that enhances
the security of the data processing systems and the information transfers
of an organization. The services are intended to counter security
attacks, and they make use of one or more security mechanisms
to provide the service.
Threat
A potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and cause
harm. That is, a threat is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat;
that is, an intelligent act that is a deliberate attempt (especially in the sense of
a method or technique) to evade security services and violate the security
policy of a system.
SECURITY ATTACKS
A passive attack attempts to learn or make use of information from the
system but does not affect system resources.
An active attack attempts to alter system resources or affect their operation.
Passive Attack: Eavesdropping on or monitoring of transmissions. The aim of the
opponent is to obtain information that is being transmitted.
Two types of passive attacks are:
Release of message contents: A telephone conversation, an
electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning
the contents of these transmissions. The common technique used to counter this is encryption.
Traffic analysis: The opponent could determine the location and
identity of communicating hosts and could observe the frequency and
length of messages being exchanged. This information might be useful in
guessing the nature of the communication that was taking place. Encrypting
the message contents does not by itself hide these patterns.
Passive attacks are difficult to detect because they do not involve any
alteration of the data.
It is feasible to prevent the success of these attacks, usually by
means of encryption.
Thus, the emphasis in dealing with passive attacks is on prevention
rather than detection.
Active Attack
Active attacks involve some modification of the data stream or the
creation of a false stream and can be subdivided into four categories:
masquerade, replay, modification of messages, and denial of service.
A masquerade (to pose as, pretend to be, or impersonate another entity; a
deception or cover-up) takes place when one entity pretends to be a different entity. A
masquerade attack usually includes one of the other forms of active attack. For
example, authentication sequences can be captured and replayed after a valid
authentication sequence has taken place, thus enabling an authorized entity
with few privileges to obtain extra privileges by impersonating an entity that
has those privileges.
[Figure: Masquerade: B sends C a message that appears to be from A.]
[Figure: Replay: B captures a message from A to C and later replays it to C.]
Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
Modification of messages simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce an
unauthorized effect. For example, a message meaning "Allow Suresh to read
confidential file accounts" is modified to mean "Allow Ramesh to read
confidential file accounts".
The denial of service prevents or inhibits the normal use or management of
communications facilities. This attack may have a specific target; for example,
an entity may suppress all messages directed to a particular destination (e.g.,
the security audit service). Another form of service denial is the disruption of an
entire network, either by disabling the network or by overloading it with
messages so as to degrade performance.
[Figure: Modification of messages: B modifies a message from A to C.]
[Figure: Denial of service: B disrupts the services provided by the server to A.]
Active attacks present the opposite characteristics of passive attacks.
Whereas passive attacks are difficult to detect, measures are available to
prevent their success. On the other hand, it is quite difficult to prevent active
attacks absolutely, because of the wide variety of potential physical, software,
and network vulnerabilities. Instead, the goal is to detect active attacks and to
recover from any disruption or delays caused by them. If the detection has a
deterrent effect, it may also contribute to prevention.
SECURITY SERVICES
A processing or communication service that is provided by a
system to give a specific kind of protection to system resources.
Security services implement security policies, and security services are in
turn implemented by security mechanisms.
AUTHENTICATION
The assurance that the communicating entity is the one that it claims to be.
Peer Entity Authentication
Used in association with a logical connection to provide confidence in
the identity of the entities connected.
Data Origin Authentication
In a connectionless transfer, provides assurance that the source of
received data is as claimed.
ACCESS CONTROL
The prevention of unauthorized use of a resource.
(This service controls who can have access to a resource, under what
conditions access can occur, and what those accessing the resource are allowed to do.)
DATA CONFIDENTIALITY
The protection of data from unauthorized disclosure.
Connection Confidentiality
The protection of all user data on a connection.
Connectionless Confidentiality
The protection of all user data in a single data block.
Selective-Field Confidentiality
The confidentiality of selected fields within the user data on a
connection or in a single data block.
Traffic Flow Confidentiality
The protection of the information that might be derived from
observation of traffic flows.
DATA INTEGRITY
A connection-oriented integrity service, one that deals with a stream of
messages, assures that messages are received as sent, with no
duplication, insertion, modification, reordering, or replays. The
destruction of data is also covered under this service. Thus, the connection-
oriented integrity service addresses both message stream modification
and denial of service. On the other hand, a connectionless integrity service,
one that deals with individual messages without regard to any larger context,
generally provides protection against message modification only.
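The following Python program is an added illustration, not part of the original notes. It implements the connection-oriented integrity check described above and runs the replay, modification and reordering attacks from the active-attack section against it. It assumes sender A and receiver C share a key agreed out of band (a constructed value in the code); the data-unit layout (sequence number, payload, HMAC-SHA256 tag) and the function names are choices made for this example.

```python
"""Connection-oriented integrity service over a message stream (added example).

Each data unit carries a sequence number and an HMAC-SHA256 tag computed over
the sequence number and payload with a key shared by A and C. The receiver
rejects units whose tag fails (modification) and units whose sequence number
is not the next one expected (replay, reordering, or a deleted message).
"""
import hashlib
import hmac
import struct

# Constructed example key; assumed to be pre-shared between A and C.
SHARED_KEY = b"constructed-example-key-shared-by-A-and-C"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def protect(seq: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: 4-byte big-endian sequence number || payload || tag.
    The tag covers the sequence number, so a captured unit cannot be renumbered."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class IntegrityReceiver:
    """Receiver side: accepts a unit only if its tag verifies and its
    sequence number is exactly the next one expected on this connection."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.expected_seq = 0

    def accept(self, unit: bytes):
        if len(unit) < 4 + TAG_LEN:
            return (False, "truncated")
        header, payload, tag = unit[:4], unit[4:-TAG_LEN], unit[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return (False, "modified")
        seq = struct.unpack(">I", header)[0]
        if seq < self.expected_seq:
            return (False, "replay")  # this number was already accepted
        if seq > self.expected_seq:
            return (False, "gap_or_reorder")  # a unit is missing or out of order
        self.expected_seq += 1
        return (True, payload.decode())


def run_scenario():
    """Plays the attacks from the notes against one receiver; returns the verdicts."""
    receiver = IntegrityReceiver()
    m0 = protect(0, b"Allow Suresh to read confidential file accounts")
    m1 = protect(1, b"Allow Suresh to read confidential file accounts")
    m2 = protect(2, b"Close the accounts file")
    m3 = protect(3, b"Log out")
    # Modification: B rewrites the name inside a captured unit; the tag no longer matches.
    tampered = m1.replace(b"Suresh", b"Ramesh")
    return {
        "genuine_m0": receiver.accept(m0),
        "replayed_m0": receiver.accept(m0),  # B retransmits the captured unit
        "tampered_m1": receiver.accept(tampered),
        "genuine_m1": receiver.accept(m1),
        "reordered_m3": receiver.accept(m3),  # B delays m2 and lets m3 arrive first
        "genuine_m2": receiver.accept(m2),
        "genuine_m3": receiver.accept(m3),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:14s} -> {verdict}")
```

Because the sequence number is inside the MAC, an attacker cannot take an old unit and renumber it to slip past the freshness check; and because the receiver insists on the exact next number, a deleted or delayed message is noticed as well, which is the denial-of-service aspect the connection-oriented service covers. A connectionless integrity service would run only the tag check and accept any sequence number.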
NONREPUDIATION
Provides protection against denial of one of the entities involved in a
communication of having participated in all or part of the communication.
Nonrepudiation, Origin
Proof that the message was sent by the specified party.
Nonrepudiation, Destination
Proof that the message was received by the specified party.
SECURITY MECHANISMS
The mechanisms are divided into those that are implemented in a specific
protocol layer and those that are not specific to any particular protocol layer or
security service.
The definition of encipherment
A reversible encipherment mechanism is simply an encryption algorithm
that allows data to be encrypted and subsequently decrypted.
Irreversible encipherment mechanisms include hash algorithms and
message authentication codes (MACs), which are used in digital signature and
message authentication applications.
SPECIFIC SECURITY MECHANISMS
May be incorporated into the appropriate protocol layer in order to provide
some of the OSI security services.
Encipherment
The use of mathematical algorithms to transform data into a form that is not
readily intelligible. The transformation and subsequent recovery of the data
depend on an algorithm and zero or more encryption keys.
Digital Signature
Data appended to, or a cryptographic transformation of, a data unit that allows
a recipient of the data unit to prove the source and integrity of the data unit
and protect against forgery (e.g., by the recipient).
If A is the sender of a message and B is the receiver, A encrypts the message
with A’s private key and sends the encrypted message to B; B can then check it
with A’s public key.
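As an added worked example, not from the original notes, the Python below shows the signing step the notes describe (A applies A's private key) using textbook RSA over a SHA-256 digest, and shows why the result supports nonrepudiation: verification needs only A's public key, so the receiver B or a later arbiter can check the signature, while neither can produce one without A's private exponent. A shared-key MAC, by contrast, could have been computed by B as well, which is why the mechanism table lists digital signature but not plain data integrity for origin authentication. The primes, public exponent and function names are constructed for this example; real deployments use much larger moduli and a padding scheme such as RSASSA-PSS rather than raw RSA on a hash.

```python
"""Digital signature with textbook RSA (added example, toy parameters).

A signs H(m) with the private exponent d; any holder of the public key (n, e)
verifies. Raw RSA over a bare hash is shown for clarity only.
"""
import hashlib

# Constructed key material: two known Mersenne primes keep the arithmetic
# self-contained. A 92-bit modulus is far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def keygen(p: int = P, q: int = Q, e: int = E):
    """Returns (public_key, private_key) as (n, e) and (n, d), d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; Python 3.8+
    return (n, e), (n, d)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into Z_n so it can be exponentiated."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender A applies the private exponent to the digest: s = H(m)^d mod n."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding A's public key checks s^e mod n == H(m); no secret needed."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def run_scenario():
    """A signs an instruction for B; B and a third-party arbiter verify it."""
    pub_a, priv_a = keygen()
    message = b"Allow Suresh to read confidential file accounts"
    signature = sign(message, priv_a)
    forged = b"Allow Ramesh to read confidential file accounts"
    return {
        # Data origin authentication and integrity: the genuine message verifies...
        "b_verifies": verify(message, signature, pub_a),
        # ...an altered copy carrying the same signature does not...
        "forged_fails": verify(forged, signature, pub_a),
        # ...and a signature transplanted onto an unrelated message does not.
        "transplanted_fails": verify(b"Deny all access", signature, pub_a),
        # Nonrepudiation: an arbiter holding only (n, e) reaches the same verdict
        # later, and B, who also lacks d, could not have manufactured the signature.
        "arbiter_verifies": verify(message, signature, pub_a),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:20s} -> {result}")
```

The two reasons the notes give for signatures, proving the source and protecting against forgery by the recipient, both rest on the fact that `verify` takes the public key only: B can confirm the message came from A, but B cannot later alter it or fabricate a new one and still produce a value that passes `verify`.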
Access Control
A variety of mechanisms that enforce access rights to resources.
Data Integrity
A variety of mechanisms used to assure the integrity of a data unit or
stream of data units.
Authentication Exchange
A mechanism intended to ensure the identity of an entity by means of
information exchange.
Traffic Padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
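The Python program below is an added example, not part of the original notes. It ties traffic analysis (from the passive-attacks section) to traffic padding as its countermeasure and to the traffic flow confidentiality service: a passive observer sees only ciphertext lengths, and when each command a client can send has a distinctive length those lengths identify the command. Padding every message to a fixed block size before encryption removes that signal. The command vocabulary, key and block size are constructed values; the SHA-256 keystream XOR stands in for any length-preserving cipher (a stream cipher or CTR mode), which is what makes the length leak possible in the first place.

```python
"""Traffic analysis on ciphertext lengths, and traffic padding as the fix
(added example with constructed values)."""
import hashlib
import secrets
import struct

BLOCK = 64  # pad every message up to a multiple of this many bytes

# Constructed command vocabulary: each command has a different length.
COMMANDS = [b"LIST", b"FETCH accounts.xlsx", b"DELETE confidential/accounts.xlsx"]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Length-preserving stand-in cipher: XOR with a SHA-256 keystream.
    Decryption is the same operation. Demonstration only, not for real use."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pad(message: bytes, block: int = BLOCK) -> bytes:
    """Traffic padding: prefix the real length, then fill with random bytes
    up to the next block boundary so every ciphertext has a block-multiple size."""
    body = struct.pack(">H", len(message)) + message
    fill = (-len(body)) % block
    return body + secrets.token_bytes(fill)


def unpad(padded: bytes) -> bytes:
    """Recover the original message from the length prefix."""
    (length,) = struct.unpack(">H", padded[:2])
    return padded[2 : 2 + length]


def observed_lengths(messages, key: bytes, padded: bool):
    """What a passive observer records: only the ciphertext length of each message."""
    lengths = []
    for i, m in enumerate(messages):
        nonce = struct.pack(">Q", i)  # fresh nonce per message
        plaintext = pad(m) if padded else m
        lengths.append(len(encrypt(key, nonce, plaintext)))
    return lengths


def infer_commands(lengths, vocabulary=COMMANDS):
    """Traffic analysis: map each observed length back to the command(s) of that length."""
    by_len = {}
    for cmd in vocabulary:
        by_len.setdefault(len(cmd), []).append(cmd)
    return [by_len.get(n, []) for n in lengths]


def run_scenario():
    """Same command sequence sent with and without padding; returns what the observer learns."""
    key = b"constructed-demo-key"
    sent = [COMMANDS[2], COMMANDS[0], COMMANDS[1], COMMANDS[2]]
    plain_lengths = observed_lengths(sent, key, padded=False)
    padded_lengths = observed_lengths(sent, key, padded=True)
    return {
        "unpadded_guess": infer_commands(plain_lengths),  # exact recovery of every command
        "unpadded_distinct_lengths": len(set(plain_lengths)),
        "padded_guess": infer_commands(padded_lengths),  # nothing matches
        "padded_distinct_lengths": len(set(padded_lengths)),
        "padded_length": padded_lengths[0],
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:26s} -> {result}")
```

Padding removes the length signal but not the frequency or timing of messages, which is why the notes list routing control alongside traffic padding for traffic flow confidentiality; in practice the fixed block size also has to be at least as large as the longest legitimate message, or the longest commands would still stand out.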
Routing Control
Enables selection of particular physically secure routes for certain data and
allows routing changes, especially when a breach of security is suspected.
Notarization
The use of a trusted third party to assure certain properties of a data exchange.
PERVASIVE SECURITY MECHANISMS
Mechanisms that are not specific to any particular OSI security service or
protocol layer.
Trusted Functionality
That which is perceived to be correct with respect to some criteria (e.g.,
as established by a security policy).
Security Label
The marking bound to a resource (which may be a data unit) that names
or designates the security attributes of that resource.
Event Detection
Detection of security-relevant events.
Security Audit Trail
Data collected and potentially used to facilitate a security audit, which is
an independent review and examination of system records and activities.
Security Recovery
Deals with requests from mechanisms, such as event handling and
management functions, and takes recovery actions.
The relationship between security services and security mechanisms (Y = the mechanism is considered appropriate for providing the service):

Service                      | Encipherment | Digital Signature | Access Control | Data Integrity | Authentication Exchange | Traffic Padding | Routing Control | Notarization
-----------------------------+--------------+-------------------+----------------+----------------+-------------------------+-----------------+-----------------+-------------
Peer entity authentication   |      Y       |         Y         |                |                |            Y            |                 |                 |
Data origin authentication   |      Y       |         Y         |                |                |                         |                 |                 |
Access control               |              |                   |       Y        |                |                         |                 |                 |
Confidentiality              |      Y       |                   |                |                |                         |                 |        Y        |
Traffic flow confidentiality |      Y       |                   |                |                |                         |        Y        |        Y        |
Data integrity               |      Y       |         Y         |                |       Y        |                         |                 |                 |
Nonrepudiation               |              |         Y         |                |       Y        |                         |                 |                 |      Y
Availability                 |              |                   |                |       Y        |            Y            |                 |                 |