OSI Security Architecture
OSI SECURITY ARCHITECTURE
Security architecture for OSI offers a systematic way of defining security requirements and characterizing the approaches to achieve these requirements.
It was developed as an international standard.
The OSI security architecture focus on security attack, mechanism, and services. These can be defined briefly as fallows:
Security Attack: Any action that compromise the security of information owned by an organization.
Security Mechanism: A process that is designed to detect, prevent or recover from a security attack. And security mechanism is a method which is used to protect your message from unauthorized entity.
Security Services: Security Services is the services to implement security policies and implemented by security mechanism.
Eavesdropping communications and releasing of messages.
Traffic analysis on the identities, locations, frequency etc of communications.
Involves some modification of the data stream or the creation of a false stream.
Masquerade (impersonation) attackTakes place when one entity pretends to be a different entity
Replay attackInvolves passive capture of a data unit and its subsequent retransmission to produce unauthorized effect.
Modification of messageSome portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect
Denial of servicePrevents or inhibits the normal use or management of communications facilities.
Specific Security Mechanisms:
Encipherment can provide confidentiality of either data or traffic flow information and can play a part in or complement a number of other security mechanisms as described in the following sections.
Digital signature mechanisms
These mechanisms define two procedures:
a) signing a data unit, and
b) verifying a signed data unit.
The first process uses information which is private (i.e. unique and confidential) to the signer. The second
process uses procedures and information which are publicly available but from which the signer's private information
cannot be deduced.
Access control mechanisms
These mechanisms may use the authenticated identity of an entity or information about the entity (such as membership in a known set of entities) or capabilities of the entity, in order to determine and enforce the access rights of the entity.
Data integrity mechanisms
Determining the integrity of a single data unit involves two processes, one at the sending entity and one at the receiving entity.
Authentication exchange mechanism
Use of authentication information, such as passwords supplied by a sending entity and checked by the receiving entity, cryptographic techniques and use of characteristics and/or possessions of the entity.
Traffic padding mechanism
Traffic padding mechanisms can be used to provide various levels of protection against traffic analysis. This mechanism can be effective only if the traffic padding is protected by a confidentiality service.
Routing control mechanism
Routes can be chosen either dynamically or by prearrangement so as to use only physically secure subnetworks,
relays or links.
Properties about the data communicated between two or more entities, such as its integrity, origin, time and destination, can be assured by the provision of a notarization mechanism. The assurance is provided by a third party notary, which is trusted by the communicating entities, and which holds the necessary information to provide the required assurance in a testifiable manner.
Pervasive Security Mechanisms:
Trusted functionality may be used to extend the scope, or to establish the effectiveness, of other security mechanisms.
A security label may be additional data associated with the data transferred or may be implicit.
Event detection includes the detection of apparent violations of security and may also include detection of “normal” events, such as a successful access (or log on).
Security audit trail
A security audit is an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to aid in damage assessment, and to recommend any indicated changes in controls, policy and procedures
Security recovery deals with requests from mechanisms such as event handling and management functions, and takes recovery actions as the result of applying a set of rules.
To assure the communicating entity is the one that it is claimed to be.
Peer entity authentication: To assure the identity of a peer entity in communications.
Data origin authentication: To assure the source of a data unit.
To prevent unauthorized access of resources.
To protect the content of data from unauthorized disclosure.
To protect data from unauthorized modifications.
To prevent a sender or receiver from denying a transmitted message.
To assure that a system or a resource is accessible and useable upon demand of authorized users.
SOURCES and REFERENCES