What does security mean in general?

The word “security” is overloaded: different people and specialists may mean different things by it in different subject-specific contexts. In our course we will mostly deal with the following areas: computer systems security, network and telecommunication systems security, computer and networking applications security, and information security in general.

Security in general means a set of principles, models, rules, and mechanisms to ensure correct and reliable system or application operation and to achieve the following generic security properties (of the secure system operation, subject or entity):

• Confidentiality
• Authenticity
• Integrity
• Access control
• Availability

Such a widely discussed and used security characteristic as privacy is actually a combination of a few basic security properties and a privacy policy that may differ between environments and applications.

These security properties are applicable to physical security, computer security, and human security alike. It may be an interesting topic for discussion in the classroom how these generic security properties are applied in different areas and to different entities.

We will learn how to achieve these security properties or characteristics in system operations and how to design secure systems by applying security principles, models, mechanisms, and services.

What is security engineering?

One of the most challenging problems for human beings is to find a way to protect our property and privacy. Typically, we have used locks, fences, signatures and laws to protect hardware property. Now, in the information era, more and more of our property is electronic-based and we need similarly effective mechanisms to protect it along with our privacy. In the textbook, the author uses three examples to illustrate this new area of information security engineering. Let us review them briefly here.
Banks

All of us have to do business with banks. But have we ever thought carefully about the underlying security needs of banking? And have we ever thought about the weakest links in banking systems? In order to gain a thorough understanding of security issues in information security engineering, we need to act as the ‘attacker’ for a moment and play ‘on both sides’. The textbook lists several reasons why security engineering is important to a bank. Here we list in brief a few key concerns relating to banking security systems.

1. An ATM machine is the public face of the bank, and an ATM machine means money. Thus, ATM machines obviously represent a prime ‘hot spot’ for attackers. An important job for security engineers is to design protocols to protect ATM machines (both their hardware and software) and to protect the communications between ATM machines and central bank systems.
2. Customer account-related data is confidential information that should be protected at all costs. This information is stored on storage disks and mechanisms should be established for protecting such data – even from insider access.
3. Bank data should always be backed up in several places to ensure data recovery should disaster strike - such as an earthquake or terrorist attack.
4. Many banks are moving to the Internet, which means more attacking points are available to the public.

Military communication systems

For most of us, military security is one of the most mysterious areas of all. The military was one of the earliest departments to use security mechanisms to protect intelligence. Most current academic research in security engineering is motivated by military applications. The textbook lists several important security engineering applications at an Air Force Base. Most security problems raised in the military environment are also of relevance to civilian information systems.
When information security is mentioned, people often first think of authentication and confidentiality. However, for military communication systems, authentication and confidentiality are not enough to ensure a secure system. Here we list just two of the many, many security problems shared by military systems and civilian applications which do not relate to classic problems of authentication and confidentiality:

1. Routing protection. For most of the time, the message flow should also be protected against traffic analysis attacks. We do not want the enemy to find out who is talking to whom. In particular, we want to keep our spy in a safe place. In recent years, this problem has been extensively studied by academic researchers. Indeed, several applications have been written to address this. Those who are interested in studying this area further are referred to the links provided at the end of this lecture.
2. Covert Channel. In the 1970s, in order to verify the second Strategic Arms Limitation Treaty (SALT II) between the former U.S.S.R. and the U.S.A., both parties had to authenticate messages. While concealing a covert channel in the message was not possible (those are standardized and could be verified by the other party), they tried to hide one in the authenticator called the subliminal channel. The capacity of this kind of subliminal message was enough to reveal to the other party which silos were loaded with a nuclear missile and which were empty. Clearly, using such a subliminal channel could give an undesired advantage to one side to enable it to carry out a first strike. More details can be found in G. J. Simmons (1994).

Obviously, covert channels are also one of the security issues that affect civilian applications. The most classical covert channels, now outdated in the digital age, are invisible inks. Traditionally, covert channels have been studied within a multilevel computer, but covert channels may also be established between computers.
For example, computer viruses have been suggested as a method for hiding communication, since a ‘well designed’ virus must, by definition, have covert properties to avoid detection.

Hospitals

The textbook gives a very nice description of security problems in modern hospitals that rely heavily on electronic information records. Though the textbook concentrates on confidentiality and authentication, reliability is also important for hospitals. More and more operations are carried out with the help of computers and other high intelligence machines. In rare cases, these electronic machines can fail. However, when it comes to life-critical operations, we need a 100% guarantee that these machines are reliable. One of the most important areas for security engineering is to build reliable information systems.

The home

The main market for information systems is shifting to the home. With more and more residential utilities now managed by computers, security concerns are obviously attracting more and more attention. In addition to those listed in the textbook, we can still imagine many, many more.

Terms and Definitions

Like many other subjects, security engineering has its own jargon, and you need to read and understand all the definitions detailed in the textbook in Section 1.7. In particular, you should also become familiar with the widely used names ‘Alice’, ‘Bob’, and ‘Carol’. You should also have a clear understanding of the following terms: ‘subject’, ‘principal’, ‘group’, ‘role’, ‘identify’, ‘trusted system’, ‘confidentiality’, ‘secrecy’, ‘privacy’, ‘authentication’, ‘authorization’, ‘vulnerability’ and ‘security policy’. For more extended definitions of security-related terms, please refer to RFC2828 – Internet Security Dictionary.

Two basic security models

In our daily life we use and interact with different types of systems and applications that implement different security services.
However, from the security engineering point of view we can distinguish two basic types of systems: open internet/network based systems, like web based applications or network file sharing, and computer systems, typically represented by operating systems. There are well defined security models for both types of systems. The first one is the Open System Interconnection (OSI) Security Architecture, described in the standards X.800/ISO7894-2, which provides a framework for building open systems and applications that interact over a network (including Internet and web based applications). The second security model is the Trusted Computing Base (TCB), which defines how such trusted computing environments as operating systems are built and operate.

However, the question of how to secure the interaction between a trusted/protected operating system environment and open network interconnection in a consistent way still remains a problem and an active research topic in distributed systems and applications security. This issue became especially important with the development of Web-Services based computer Grids and Cloud Computing.

The essential difference between these two models is that the TCB, whose functionality is mostly provided by the operating system security kernel, is focused on the security of the managed objects, which are the processes in the operating system that run under the control of the security monitor, while OSI security is focused on the security of the interaction of independent distributed systems over an open networking/Internet environment.

We will briefly discuss some general issues related to the two security models in this lecture and will return to a more detailed discussion of the TCB and Multi-Level Security model in Seminar 4, and of the Internet Security Architecture in Seminar 6.

The OSI Security Architecture

Current Internet infrastructure and networking technologies are built in compliance with the Open Systems Interconnection (OSI) model.
The OSI security architecture provides a common framework and approach for developing secure protocols and applications, on the one hand, and for evaluation and management of different security services and procedures, on the other hand. The OSI security architecture is described in the ITU-T Recommendation X.800: Security Architecture for OSI, which specifies basic security services and mechanisms and their relation to the OSI layers. The OSI security architecture is fully applicable to the Internet TCP/IP protocol stack due to their direct mapping at the data link, network, and transport layers.

Security services, in the context of the OSI security architecture, are defined as services, provided by a protocol layer of communicating or interacting systems, which ensure adequate security of the systems or of data transfers. To ensure openness and interoperability of communicating or interacting systems, the services are defined for specific OSI layers and may use one or more security mechanisms. Security policies are used to manage security services and can be a part of an application specific security service implementation. X.500 divides all security services into five categories and thirteen specific services presented in Table A.1 of Appendix A.

Security mechanisms can be defined as processes (that may be implemented as a device or a program, or applied as a security management procedure) that are designed to detect, prevent or recover from potential security attacks. Security mechanisms are divided into two groups: (1) specific security mechanisms, i.e. those that can be incorporated into the specific OSI layer in order to provide some of the services described in Table 1; (2) pervasive security mechanisms, which are not specific to any particular service or layer. Some of the pervasive security mechanisms can be regarded as aspects of security management. Definitions of the X.800 security mechanisms are provided in Table A.2 of Appendix A.
Additionally, Table A.3 illustrates the relationship between security services and security mechanisms, and Table A.2 provides a reference for which security services are used at which OSI layers.

The philosophy behind the OSI security architecture is that security services and mechanisms can be added independently using standard/specified interfaces (as illustrated in Fig. 1). The following are inherited key features of the OSI/Internet security architecture:

• The Internet/OSI model suggests that interconnected systems are managed independently and communicate using protocols specific to each OSI/Internet layer.
• Trust relations between systems are established mutually or via a trusted 3rd party; a group of systems can create an administrative and/or trust domain.
• Public Key Infrastructure (PKI) provides a basis for trust management, authentication and key exchange.
• Communication and security protocols can use a session related security context.

[Figure 1. Relation between OSI security services, mechanisms and OSI reference model layers. Layers shown: 7 Application layer, 6 Presentation layer, 5 Session layer, 4 Transport layer, 3 Network layer, 2 Data layer, 1 Physical layer. Security services shown: Authentication, Access control, Confidentiality, Non-repudiation, Availability. Security mechanism labels shown (several are cut off in the figure): Encipherment, Digital signature, Access, Data, Authentication, Notarisation, Traffic, Routing.]

Multi-layer Security vs Multi-level security

The two security models mentioned above created a basis for defining two related practical security models: Multi-layer security and Multi-level security.

Multi-layer security means the following:

1) security layers are defined according to the OSI reference model, i.e. data layer, network, transport, application, which can be mapped onto e.g. NE/node, router/network, application
2) security services and security mechanisms are defined in such a way that they can be applied to network/security layers independently (“orthogonally”). This means e.g.
that many (the same) security services can be used at different networking layers

Multi-level security means the following:

1) Security levels are defined as:
• object/document/resource security classification level, e.g. public, secret, top secret,
• subject/user/requestor clearance level that allows access to these resources.
2) the system corresponds to the Trusted Computing Base (TCB) model and uses a centralised security management model (aka Reference Monitor (RM) in TCB). This can be explained as similar to OS security. The RM regulates the access of subjects to objects on the basis of their security parameters: the access privileges (security clearance) of subjects, and the protection attributes (classification level) of objects.

Security Threats and Attacks

A security threats model is a part of any security architecture. To develop the right security measures, engineers need to understand what security threats exist in the specific operational environment and against what security attacks the future application must be protected.

Vulnerability, threat, and attack definitions according to RFC2828:

Vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

Attack
An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

An attack may consist of one or more steps taken by an attacker to achieve an unauthorised result. A successful attack may lead to an intrusion and be further escalated as an incident.
Opponents or attackers try various ways to attack a protocol using one of two main techniques:

The Passive Attack

Passive attacks involve eavesdropping on, or the monitoring of, protocol execution. The goal of the opponent is to obtain information that is being transmitted. Two types of attacks are involved here: the release of message contents and traffic analysis.

The release of message contents is easily understood. A message flow in the protocol may contain sensitive or confidential information. Our aim is to prevent the opponent from learning the contents of these messages.

The second passive attack, traffic analysis, is more subtle. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. A common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the contents of the message by observing where the message is sent to. In the case of a hospital records transmission protocol for example, if the opponent observes that the data of a patient were sent to the AIDS center, then, with high probability, it could be deduced that this patient might be infected with AIDS.

The Active Attack

The second major category of attacks on protocols is the active attack. This involves some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.

A masquerade takes place when one entity pretends to be another. For example, the authentication sequence can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
Replay involves the passive capture of a data unit and the later retransmission of this data.

Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered in the protocol.

Denial of service prevents or inhibits the protocol being executed.

Our textbook provides a detailed description of protocols and analyzes the security properties of several protocols. More realistic attacks could be combinations of those we have mentioned above.

Protocols

If security engineering has a unifying theme, it is the study of security protocols. Roughly speaking, a protocol is a series of steps, involving two or more parties, designed to accomplish a task. A ‘series of steps’ means that the protocol is step-by-step and each step is executed in turn. No step can be taken before the previous step is finished. Although a principal can perform a series of steps to accomplish a task, this does not mean it is a protocol. Finally, the phrase ‘designed to accomplish a task’ means that the protocol must achieve something. A protocol could be as simple as swiping a badge through a reader in order to enter a building.

It is easy to design protocols, but it is generally hard to guarantee that a protocol is secure. It is possible that an innocuous protocol that has been used for many years is subsequently found to be flawed. The textbook presents several security protocols. In order to understand these standard cryptographic protocols, we need to be familiar with the following notation:

A → B: m

This is always used to denote the event when a subject A sends a message m to another subject B.
For example, we could explain the similar notation on page 15 of the textbook as follows:

T → G : T, {T,N}KT

[Annotated diagram of this line: the T before the arrow is the token; “T → G” means T transmits the following to G; the garage gets what follows and deciphers it; the T in the message is the name of the token; N is a random nonce; KT is the key.]

In particular, this notation means that the token T transmits the message “T,{T,N}KT” to the garage G, where T in the message body is the name of the hardware token and N is a random nonce. {T,N}KT means that the message {T,N} is encrypted with the key KT. This kind of notation is used extensively in the protocols described in the textbook and other references.

In addition to many important protocols presented in the textbook, we describe below a few other widely used protocols.

Identification or entity authentication

In today’s networked society it is often necessary for communicating parties to verify each other’s identity. Identification or entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a client, or a server. In the entity authentication process, an entity whose identity needs to be proved is called the claimant, and the party that needs to prove the identity of the claimant is called the verifier.

To identify herself to the verifier, the claimant must present one of the so-called witnesses: something she knows, something she possesses, something she is. In the simplest but widely used case, this can be done by the use of passwords (“something she knows”), even though the security offered by passwords used in the standard way is very limited. Building strong identification protocols has been one of the central topics in cryptographic research. The textbook provides examples of identification schemes such as the in-car token and garage scheme and the identify-friend-or-foe scheme.

The invention of zero knowledge proof systems is one of the most important inventions in identification study.
In zero-knowledge authentication the claimant doesn’t reveal anything that may lead to compromising the secret. After exchanging messages, the verifier will know that the claimant either does know or does not know the secret.

One of the most famous examples is the Feige-Fiat-Shamir zero knowledge identity proof scheme - which is still one of the best-known. So significant was this development that the USA National Security Agency (NSA) even tried to prevent its spread. In 1986, when the inventors applied for a US patent on this scheme, the Patent Office sent them an order at the request of the Army which says: “…the disclosure or publication of the subject matter…would be detrimental to the national security…” The inventors were then ordered to notify all Americans to whom the research had been disclosed that unauthorized disclosure could lead to two years’ imprisonment, a $10,000 fine, or both. This is interesting since the inventors had presented their work in conferences throughout Israel, Europe and the US by that time (it seems that NSA did not know this fact?).

Zero knowledge protocol

In order to study their security aspects, researchers have defined a mathematical notion for secure protocols. For most of the time, we say that a protocol is secure only in a heuristic way. We never have a notion of secure protocols in mind. One revolutionary development in this field is ‘zero knowledge protocols’.

Let’s consider the following scenario. By chance, Alice acquires the password she needs to access the computer systems of the Federal Bank. Alice boasts of this fact to Bob. But Bob does not believe her. The usual way for Alice to prove something to Bob is for Alice to tell him. But, if she does, then Bob will know the password. Bob could then tell anyone else that he got the password first and then passed it on to Alice.
So, how can we design a protocol so that Alice can prove to Bob that she got the password first - and Bob cannot prove to anyone that it was he who first acquired it? A protocol of this type (if successfully designed) is called a zero knowledge protocol.

Zero knowledge protocol – Cave example

Two cryptographers, Jean-Jacques Quisquater and Louis Guillou, explained the concept of zero knowledge with a story about Ali Baba’s cave. The cave, illustrated in Figure 2, has two passages that fork at point B and a secret door. Only someone who knows the magic words can open the secret door between C and D. For anyone else, both passages lead to dead ends.

[Figure 2. Ali Baba’s Cave]

Alice knows the secret of the cave. She wants to prove her knowledge to Bob, but she does not want to reveal the magic words. The following protocol can achieve this objective.

1. Bob stands at point A.
2. Alice walks all the way into the cave, either to point C or to point D.
3. After Alice has disappeared into the cave, Bob walks to point B.
4. Bob shouts to Alice, asking her either to:
   a. Come out of the left passage or
   b. Come out of the right passage.
5. Alice complies, using the magic words to open the secret door if she has to.
6. Alice and Bob repeat the above steps (1 to 5) n times.

Let’s assume that Bob has a camcorder and records everything he sees. He records Alice disappearing into the cave. He records when he shouts out where he wants Alice to come out from. And he records Alice coming out. He records all n trials. Obviously, Bob learns nothing about the magic words. Now if he shows this record to Carol, would Carol believe that Alice knew the magic words to open the door? No. But what if Alice and Bob had agreed beforehand what Bob would call out, and Alice would make sure that she followed her chosen path, and would then come out where Bob asked her to every time, without knowing the magic words? Or maybe they wouldn’t do that.
Alice would go into one of the passages and Bob would call out a random request. If Bob guessed right, great. If he didn’t, they would edit that trial out of the camcorder recording. Either way, Bob could get a recording showing exactly the same sequence of events as if it were real proof that Alice knew the magic words. This protocol also guarantees that Bob cannot get the magic words via Alice’s proof and cannot prove to others that he knows the magic words. This kind of protocol is called a zero knowledge protocol.

Formally, a protocol for Alice to prove the knowledge of a secret s is called zero knowledge if the following conditions are satisfied:

1. Completeness. Bob always accepts the proof if Alice really knows the secret s and Bob follows the protocol.
2. Soundness. Bob always rejects the proof if Alice does not know the secret s and Bob follows the protocol.
3. Zero knowledge. Bob learns nothing about s even if Bob does not follow the protocol as long as Alice does. This definition is to guarantee that Bob will not use some other trick to learn the secret s, e.g. Bob follows Alice to the gate in Ali Baba’s cave, and learns what magic words Alice uses to open the secret door. The only exceptional knowledge Bob can learn about the secret s is as follows:
   a. The knowledge that Alice knows this s.
   b. The knowledge that Bob could already learn without Alice, e.g. that s is an integer or words.

In a zero knowledge proof, Bob cannot even later prove to anyone else the fact that Alice knows the secret s.

We will not go into the mathematical definitions of zero knowledge protocols. Indeed, the zero knowledge protocol itself would require one entire module. Zero knowledge techniques have been extensively used to design secure authentication protocols in the last decade.
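The cave rounds map directly onto a number-theoretic identification protocol. The following is an added example, not code from the lecture or the textbook: it uses the basic Fiat-Shamir identification round (a simplified relative of the Feige-Fiat-Shamir scheme) with a toy modulus and hypothetical class and function names. It shows an honest Alice being accepted, an Alice without the secret passing a round only when she guesses Bob's challenge, and the "edited camcorder tape" built without the secret.

```python
import math
import secrets

# Toy modulus, constructed for this example: the product of two well-known
# Mersenne primes. Real use needs a modulus of 2048 bits or more whose
# factors nobody knows.
N = (2**31 - 1) * (2**61 - 1)


def keygen():
    """Return (s, v): Alice's secret s and the public value v = s^2 mod N."""
    while True:
        s = secrets.randbelow(N - 2) + 2
        if math.gcd(s, N) == 1:
            return s, pow(s, 2, N)


def check(x, e, y, v):
    """Bob's test for one round: y^2 == x * v^e (mod N)."""
    return pow(y, 2, N) == (x * pow(v, e, N)) % N


class HonestAlice:
    """Knows s, so she can answer either challenge (come out of either passage)."""

    def __init__(self, s):
        self.s = s

    def commit(self):
        self.r = secrets.randbelow(N - 2) + 2
        return pow(self.r, 2, N)                 # x = r^2: Alice walks into the cave

    def respond(self, e):
        return (self.r * pow(self.s, e, N)) % N  # y = r * s^e


class GuessingAlice:
    """Does not know s. She can prepare for only one challenge value per round."""

    def __init__(self, v):
        self.v = v

    def commit(self):
        self.guess = secrets.randbelow(2)
        self.y = secrets.randbelow(N - 2) + 2
        # x = y^2 * v^(-guess): check() passes only if Bob asks e == guess.
        return (pow(self.y, 2, N) * pow(self.v, -self.guess, N)) % N

    def respond(self, e):
        return self.y


def identify(prover, v, rounds):
    """Bob runs `rounds` challenges and accepts only if every one passes."""
    for _ in range(rounds):
        x = prover.commit()
        e = secrets.randbelow(2)                 # Bob shouts "left" or "right"
        if not check(x, e, prover.respond(e), v):
            return False
    return True


def forged_tape(v, rounds):
    """Record `rounds` passing trials without the secret by cutting every
    trial in which the guess was wrong (the edited camcorder recording)."""
    alice, tape = GuessingAlice(v), []
    while len(tape) < rounds:
        x = alice.commit()
        e = secrets.randbelow(2)
        y = alice.respond(e)
        if check(x, e, y, v):
            tape.append((x, e, y))
    return tape


def tape_is_valid(tape, v):
    """What Carol can check on a recording: every recorded round verifies."""
    return all(check(x, e, y, v) for x, e, y in tape)


if __name__ == "__main__":
    s, v = keygen()
    print("honest Alice accepted:  ", identify(HonestAlice(s), v, 40))
    print("guessing Alice accepted:", identify(GuessingAlice(v), v, 40))
    print("forged tape verifies:   ", tape_is_valid(forged_tape(v, 40), v))
```

A prover without the secret survives n live rounds with probability 2^-n, while the forged tape verifies exactly like a genuine one, which is why a recording convinces nobody who was not choosing the challenges.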
The zero-knowledge protocol provides a basis for the security protocols stack in such emerging technology as the Trusted Computing Platform (TCP), which we will discuss in one of the next seminars.

There are many other interesting protocols, such as the blind signature scheme, which is mainly used in digital cash systems and secure voting protocols. Unfortunately I do not think we have enough time to cover this topic in this lecture.

Subliminal Channel

In the first part of this lecture, we talked about subliminal channels. We will now look at this topic in more detail.

Alice and Bob have been arrested and are on their way to prison. Bob is going to the men’s prison and Alice is going to the women’s prison. The warden is willing to let Alice and Bob exchange messages, but he won’t allow them to be encrypted. The warden expects them to co-ordinate an escape plan, so he wants to be able to read everything they say. Since a general signature scheme will enable him to achieve this objective, the warden allows Alice and Bob to use a signature scheme to authenticate their messages while keeping them in clear text. If the warden were not to allow them to use signature schemes, then they would not be able to communicate since it could not be guaranteed that the message really was from the other party.

In order to keep signature schemes secure, most available schemes use a random nonce each time a message is signed. For example, in the digital signature standard (DSS), the signature on a message m is a pair (r,s) where r is a random seed which is different every time, even if the same message is signed twice, and s is a function of m, r and the secret key. These random seeds will obviously help Alice and Bob to build a secure subliminal channel for covert communication between them in full view of the warden, even if the messages themselves contain no secret information.
Through the exchange of perfectly innocuous signed messages, they will be able to pass secret information back and forth and fool the warden even though the warden is checking all communications.

An easy subliminal channel might be the number of 0s in a random seed. An odd number of 0s might correspond to one and an even number may correspond to zero. Let’s assume that Alice and Bob share a secret key bit b (b=0 or 1) and Alice wants to send a bit of information c (c=0 or 1) to Bob. The protocol may proceed as follows:

1. Alice generates an innocuous message, maybe at random.
2. Alice signs the innocuous message in such a way that she hides her subliminal message b ⊕ c in the random seed of the signature. This subliminal message is obviously only readable by Bob who shares the secret key bit b with Alice, though anyone can check whether Alice’s signature is valid.
3. Alice then sends this signed message to Bob via the warden.
4. The warden reads the innocuous message and checks the signature. Finding nothing wrong, he passes the signed message to Bob. Even though he may suspect that Alice and Bob are using a subliminal channel, he cannot prove this fact since he does not know the secret key bit b.
5. Bob checks the signature on the innocuous message, confirming that the message came from Alice.
6. Bob ignores the innocuous message and uses the secret key bit b he shares with Alice to extract the subliminal message c.

A general description of this kind of attack can be found in Y. Wang (1998).

Though we described the subliminal channel in a negative way, it has several positive applications. One obvious application is in a spy network, even though, of course, the enemy could do similar things. In recent years, much research effort has been put into designing subliminal-free signature schemes.
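The parity channel of steps 1 to 6, seen from the warden's side, as an added example (not code from the lecture or from the cited papers): a toy DSA-style signature over a deliberately tiny group, with hypothetical function names, in which the signer's free choice of the per-signature random value decides the parity of the zero bits in r. Every signature it produces verifies normally, and the parity of r is meaningless without b.

```python
import hashlib
import secrets

# Toy DSA-style group, constructed for this example and far too small for
# real use: P and Q are prime, Q divides P - 1, and G has order Q modulo P.
P, Q, G = 607, 101, 64
WIDTH = Q.bit_length()          # r is written with a fixed number of bits


def h(msg: bytes) -> int:
    """Message hash reduced into the toy group order."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def zero_parity(r: int) -> int:
    """1 if the fixed-width binary form of r has an odd number of 0s, else 0."""
    return format(r, f"0{WIDTH}b").count("0") % 2


def sign(x: int, msg: bytes, want_parity=None):
    """Sign msg with private key x. An ordinary signer passes no parity and
    keeps the first usable random value; a signer with want_parity keeps
    drawing random values until r carries that parity."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (h(msg) + x * r)) % Q
        if s == 0:
            continue
        if want_parity is None or zero_parity(r) == want_parity:
            return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """The warden's check: standard verification with the public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P)) % P % Q == r


def embed(x: int, msg: bytes, b: int, c: int):
    """Step 2: hide b XOR c in the parity of r."""
    return sign(x, msg, want_parity=b ^ c)


def extract(sig, b: int) -> int:
    """Step 6: Bob removes the shared key bit b to recover c."""
    return zero_parity(sig[0]) ^ b


if __name__ == "__main__":
    x = 57                       # Alice's private key (constructed)
    y = pow(G, x, P)             # Alice's public key, known to the warden
    msg = b"The weather is fine today."
    for c in (0, 1):
        sig = embed(x, msg, b=1, c=c)
        print("warden verifies:", verify(y, msg, sig),
              "| parity seen by warden:", zero_parity(sig[0]),
              "| bit recovered by Bob:", extract(sig, 1))
```

The channel exists only because the signer chooses the random value freely; taking that choice away from the signer is what subliminal-free signature schemes aim at.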
Some further links and references

Traffic analysis and message flow protection

Onion routing (http://www.onion-router.net/Summary.html) provides an Internet-based system that strongly resists traffic analysis, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routers themselves). It prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network.

Anonymizer (http://www.anonymizer.com/) provides a relatively secure way to prevent the web server getting the client machine IP address. This is only relatively secure since the Anonymizer site still keeps all the routing information. By contrast, the solution provided by Zeroknowledge is cryptographically secure. No one in the world can access the real routing information if that solution is implemented.

Covert Channels

B. W. Lampson. A note on the confinement problem. Comm. ACM 16 (1973) 613-615.

Covert Channels Bibliography (http://caia.swin.edu.au/cv/szander/cc/cc-general-bib.html). A list of publications that discuss covert channels in general or are focused on interprocess covert channels on a single computer.

Bibliography

ISO 7498 Information processing systems: Open systems interconnection – Basic Reference Model. ISO Standard, 1984.

X.800 Security Architecture for Open Systems Interconnection for CCITT applications. ITU-T (CCITT) Recommendation, 1991.

RFC2828 - Internet Security Glossary. [Online]. Available from http://www.faqs.org/rfcs/rfc2828.html.

W. Stallings (2006), Cryptography and Network Security. Principles and practices. Pearson Education, 2006. ISBN: 0-13-187316-4. 679 pp.

G. J. Simmons (1994), Subliminal channels: past and present. In European Trans. on Telecommunications, 5(4):459-473, July-August, 1994.
Reading requirements

Preface, pp. xxix-xxxii; Chapters 1 and 3, pp. 3-15, 63-92. Total: 44 pages.

Appendix A. X.800 Security Architecture – Reference materials

Table A.1. X.800 Security Services

Authentication
The process of verifying an identity claimed by or for a system entity.
• Peer entity authentication: This service is provided for use at the establishment of, or at times during, the data transfer phase of a connection to confirm the identities of one or more of the entities connected to one or more of the other entities. This service provides confidence, at the time of usage only, that an entity is not attempting a masquerade or an unauthorized replay of a previous connection.
• Data origin authentication: The data origin authentication service provides the corroboration of the source of a data unit. The service does not provide protection against duplication or modification of data units.

Access control
Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy.

Data confidentiality
These services provide for the protection of data from unauthorized disclosure.
• Connection confidentiality: The protection of all user data on a connection of a specific layer.
• Connectionless confidentiality: The protection of all user data in a single data block.
• Selective field confidentiality: The confidentiality of selected fields within the user data on a connection or in a single data block.
• Traffic flow confidentiality: The protection against possible collection of information that can be derived from the traffic observation.

Data integrity
Protects against possible data modification during data transfer over an uncontrolled environment. Provides assurance that data received are exactly the same as sent by an authenticated and authorised entity. The specific Data integrity services include:
• Connection Integrity with recovery
• Connection Integrity without recovery
• Selective-field connection Integrity
• Connectionless Integrity
• Selective-field connectionless Integrity

Nonrepudiation
Provides protection against denial by one of the communicating entities of their participation in all or part of the communication.
• Non-repudiation with proof of origin: The recipient of data is provided with proof of the origin of data. This will protect against any attempt by the sender to falsely deny sending the data or its contents.
• Non-repudiation with proof of delivery: The sender of data is provided with proof of delivery of data. This will protect against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.

Availability (according to RFC2828) *)
The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them.

*) Availability is an important security service originally not defined in the X.800 document and used in all following documents relying on the X.800. Current definition is taken from RFC 2828.

Table A.2. X.800 Security Mechanisms

Specific security mechanisms
These mechanisms may be incorporated into the appropriate protocol layer in order to provide some security services.
• Encipherment: Encipherment can provide confidentiality of either data or traffic flow information and can play a part in or complement a number of other security mechanisms. Encipherment may use different encryption algorithms.
• Digital signature: Cryptographic transformation applied to a data unit to ensure data integrity and protect against data modification. Digital signature can be appended to the data or simply associated with the signed data. Digital signature defines two procedures: signing a data unit, and verifying a signed data unit.
• Access control (or authorisation): Mechanisms used to enforce access rights of the authenticated entity to services or resources. Access control uses the authenticated identity or other attributes of an entity in order to determine and enforce access rights of the entity. Access control often relies on the access control policy.
• Data integrity: Mechanisms used to ensure integrity of a data unit or stream of data units.
• Authentication exchange: Mechanisms that can be incorporated into a security protocol at different layers in order to ensure peer entity authentication.
• Traffic padding: Mechanisms that can be used to provide various levels of protection against traffic analysis. This mechanism can be effective only if the traffic padding is protected by a confidentiality service.
• Routing control: Enables selection of a particular secure route depending on specific data security requirements.
• Notarisation: Use of a trusted third party to ensure certain properties of a data exchange, in particular to support non-repudiation service.

Pervasive security mechanisms
These mechanisms are not specific to any particular security service or protocol layer.
• Trusted functionality: The functionality that is perceived to be correct with respect to some criteria. Any functionality that directly provides, or provides access to, security mechanisms should be trustworthy.
• Security label: The marking securely bound to a resource that identifies or specifies the security attributes of that resource.
• Event detection: Detection of security-related events that may be provided by entities inside the OSI security model, in particular by security mechanisms.
• Security audit trail: Data collected and used to facilitate a security audit. A security audit is an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures.
• Security recovery: Security recovery deals with requests from mechanisms such as event handling and management functions, and takes recovery actions.

Table A.3 Illustration of relationship of security services and mechanisms (ref. X.800 TABLE 1/X.800)

Mechanism (columns): Encipherment, Digital signature, Access control, Data integrity, Authentication exchange, Traffic padding, Routing control, Notarization

Service (rows):
Authentication, Peer entity: Y Y Y
Authentication, Data origin: Y Y
Access control service: Y Y
Connection confidentiality: Y Y
Connectionless confidentiality: Y Y
Selective field confidentiality: Y
Traffic flow confidentiality: Y Y Y
Connection Integrity with recovery: Y Y
Connection integrity without recovery: Y Y
Selective field connection integrity: Y Y
Connectionless integrity: Y Y Y
Selective field connectionless integrity: Y Y Y
Non-repudiation. Origin: Y Y Y
Non-repudiation. Delivery: Y Y Y

Table A.4 Illustration of the relationship of security services and layers (ref. X.800 TABLE 2/X.800)

Layer (columns): 1, 2, 3, 4, 5, 6, 7*

Service (rows):
Peer entity authentication: Y Y Y
Data origin authentication: Y Y Y
Access control service: Y Y Y
Connection confidentiality: Y Y Y Y Y Y
Connectionless confidentiality: Y Y Y Y Y
Selective field confidentiality: Y Y
Traffic flow confidentiality: Y Y Y
Connection Integrity with recovery: Y Y
Connection integrity without recovery: Y Y Y
Selective field connection integrity: Y
Connectionless integrity: Y Y Y
Selective field connectionless integrity: Y
Non-repudiation. Origin: Y
Non-repudiation. Delivery: Y

Y  Yes, service should be incorporated in the standards for the layer as a provider option.
-  Not provided.
*  It should be noted, with respect to layer 7, that the application process may, itself, provide all types of security services.