OSI Security Architecture
OSI Security Architecture
OSI SECURITY ARCHITECTURE
Security architecture for OSI offers a systematic way of defining security requirements and characterizing the approaches to achieve these requirements.
It was developed as an international standard.
The OSI security architecture focus on security attack, mechanism, and services. These can be defined briefly as fallows:
SECURITY ATTACKS
Passive Attacks:
Active Attacks:
Involves some modification of the data stream or the creation of a false stream.
SECURITY MECHANISMS
Specific Security Mechanisms:
Encipherment
Encipherment can provide confidentiality of either data or traffic flow information and can play a part in or complement a number of other security mechanisms as described in the following sections.
Digital signature mechanisms
These mechanisms define two procedures:
a) signing a data unit, and
b) verifying a signed data unit.
The first process uses information which is private (i.e. unique and confidential) to the signer. The second
process uses procedures and information which are publicly available but from which the signer's private information
cannot be deduced.
Access control mechanisms
These mechanisms may use the authenticated identity of an entity or information about the entity (such as membership in a known set of entities) or capabilities of the entity, in order to determine and enforce the access rights of the entity.
Data integrity mechanisms
Determining the integrity of a single data unit involves two processes, one at the sending entity and one at the receiving entity.
Authentication exchange mechanism
Use of authentication information, such as passwords supplied by a sending entity and checked by the receiving entity, cryptographic techniques and use of characteristics and/or possessions of the entity.
Traffic padding mechanism
Traffic padding mechanisms can be used to provide various levels of protection against traffic analysis. This mechanism can be effective only if the traffic padding is protected by a confidentiality service.
Routing control mechanism
Routes can be chosen either dynamically or by prearrangement so as to use only physically secure subnetworks,
relays or links.
Notarization mechanism
Properties about the data communicated between two or more entities, such as its integrity, origin, time and destination, can be assured by the provision of a notarization mechanism. The assurance is provided by a third party notary, which is trusted by the communicating entities, and which holds the necessary information to provide the required assurance in a testifiable manner.
Pervasive Security Mechanisms:
Trusted functionality
Trusted functionality may be used to extend the scope, or to establish the effectiveness, of other security mechanisms.
Security labels
A security label may be additional data associated with the data transferred or may be implicit.
Event detection
Event detection includes the detection of apparent violations of security and may also include detection of “normal” events, such as a successful access (or log on).
Security audit trail
A security audit is an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to aid in damage assessment, and to recommend any indicated changes in controls, policy and procedures
Security recovery
Security recovery deals with requests from mechanisms such as event handling and management functions, and takes recovery actions as the result of applying a set of rules.
SECURITY SERVICES
Authentication
To assure the communicating entity is the one that it is claimed to be.
Access Control
To prevent unauthorized access of resources.
Data Confidentiality
To protect the content of data from unauthorized disclosure.
Data Integrity
To protect data from unauthorized modifications.
Non-repudiation
To prevent a sender or receiver from denying a transmitted message.
Availability (Usability)
To assure that a system or a resource is accessible and useable upon demand of authorized users.
Comments
Post a Comment