4.3 SECURITY MECHANISMS

The OSI security architecture distinguishes between specific security mechanisms and pervasive security mechanisms, and we follow this distinction in this section.

4.3.1 Specific Security Mechanisms

Specific security mechanisms may be incorporated into an appropriate layer to provide some of the security services mentioned in Section 4.2. As shown in Table 4.2, the OSI security architecture enumerates eight specific security mechanisms.

Table 4.2: OSI Specific Security Mechanisms

  1. Encipherment
  2. Digital signature mechanisms
  3. Access control mechanisms
  4. Data integrity mechanisms
  5. Authentication exchange mechanisms
  6. Traffic padding mechanisms
  7. Routing control mechanisms
  8. Notarization mechanisms

  1. Encipherment is used either to protect the confidentiality of data units and traffic flow information or to support or complement other security mechanisms. The cryptographic techniques that are used for encipherment are examined in Chapter 5.

  2. Digital signature mechanisms are used to provide an electronic analog of handwritten signatures for electronic documents. Like handwritten signatures, digital signatures must not be forgeable: a recipient must be able to verify them, and the signer must not be able to repudiate them later. Unlike handwritten signatures, however, a digital signature is computed over the signed data (or over a hash of the data). Different data therefore result in different signatures even if the signatory is unchanged, and any alteration of the data after signing is detected when the signature is verified. Again, we postpone the discussion of digital signature mechanisms to Chapter 5.

  3. Access control mechanisms use the authenticated identities of principals, information about these principals, or capabilities to determine and enforce access rights. If a principal attempts to use an unauthorized resource, or an authorized resource with an improper type of access, the access control function rejects the attempt and may additionally report the incident for the purposes of generating an alarm and recording it as part of a security audit trail.

    Access control mechanisms, and the distinction between discretionary and mandatory access control, have been extensively discussed in the computer security literature referenced in the preface. They are usually described in terms of subjects, objects, and access rights. A subject is an entity that can access objects; it can be a host, a user, or an application, and as such it is a synonym for principal. An object is a resource to which access should be controlled; it can range from a single data field in a file to a large program. Access rights specify the level of authority a subject has over an object, and so are defined for each subject-object pair. Examples of UNIX access rights are read, write, and execute.

  4. Data integrity mechanisms are used to protect the integrity either of single data units and the fields within them, or of sequences of data units and the fields within those sequences. Note that a data integrity mechanism applied to a single data unit does not, by itself, protect against replay attacks, in which previously sent valid messages are recorded and retransmitted; the replayed unit is unaltered and so passes the integrity check. Protecting the integrity of a sequence of data units therefore requires some form of explicit ordering, such as sequence numbering, time-stamping, or cryptographic chaining.

  5. Authentication exchange mechanisms are used to verify the claimed identities of principals. In accordance with ITU-T recommendation X.509 [5], we use the term strong to refer to an authentication exchange mechanism that uses cryptographic techniques to protect the messages that are exchanged, and weak to refer to an authentication exchange mechanism that does not do so. In general, weak authentication exchange mechanisms are vulnerable to passive wiretapping and replay attacks.

  6. Traffic padding mechanisms are used to protect against traffic analysis attacks. Traffic padding refers to the generation of spurious instances of communication, spurious data units, and spurious data within data units. The aim is to prevent an observer from telling whether the data being transmitted actually carry information. Consequently, traffic padding mechanisms can only be effective if the padding is protected by some form of data confidentiality service; otherwise the observer can simply separate the padding from the real traffic.

  7. Routing control mechanisms can be used to choose specific routes for data transmission, either dynamically or by prearrangement. Communicating systems may, on detection of persistent passive or active attacks, wish to instruct the network service provider to establish a connection via a different route. Similarly, a security policy may forbid data carrying certain security labels from passing through certain networks or links.

  8. Notarization mechanisms can be used to assure certain properties of the data communicated between two or more entities, such as its integrity, origin, time, or destination. The assurance is provided by a trusted third party (TTP) in a testifiable manner.
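
The subject, object and access right model of item 3, worked through as an added example that is not the book's code: a small reference monitor first consults a discretionary access matrix (rights granted per subject-object pair, here read, write and execute as in UNIX) and then enforces a mandatory check on sensitivity labels. For the mandatory part the example uses the Bell-LaPadula rules, no read up and no write down, which is this example's choice of model; the text itself names none. Every denied attempt is appended to an audit trail, as item 3 describes. All principals, objects, rights and labels are constructed for the example.

```python
"""Reference-monitor style access control check (added example, not the book's code).

- Discretionary part: an access matrix (subject, object) -> granted rights.
- Mandatory part: sensitivity labels on subjects (clearance) and objects
  (classification). Reading requires the subject's label to dominate the
  object's ("no read up"); writing requires the object's label to dominate
  the subject's ("no write down"). These are the Bell-LaPadula rules, chosen
  for the example as the usual formalization of mandatory access control.
- Every denial is recorded in an audit trail with its reason.
All names, rights and labels below are constructed for illustration.
"""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the label lattice: level not lower, compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class ReferenceMonitor:
    acl: dict              # (subject, object) -> set of granted rights (DAC)
    clearances: dict       # subject -> Label (MAC)
    classifications: dict  # object -> Label (MAC)
    audit_trail: list = field(default_factory=list)

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Access control function of item 3: decide, and record every rejection."""
        reason = self._decide(subject, obj, right)
        if reason is not None:
            self.audit_trail.append({"subject": subject, "object": obj,
                                     "right": right, "denied": reason})
            return False
        return True

    def _decide(self, subject: str, obj: str, right: str):
        """Return None if access is permitted, otherwise the reason for denial."""
        if right not in self.acl.get((subject, obj), set()):
            return "right not granted (DAC)"
        s, o = self.clearances.get(subject), self.classifications.get(obj)
        if s is None or o is None:
            return "missing security label"
        if right in ("read", "execute") and not s.dominates(o):
            return "no read up (MAC)"
        if right == "write" and not o.dominates(s):
            return "no write down (MAC)"
        return None


def build_monitor() -> ReferenceMonitor:
    """Constructed policy for the example."""
    return ReferenceMonitor(
        acl={("alice", "payroll"): {"read", "write"},
             ("bob", "payroll"): {"read"},
             ("bob", "plan"): {"read"},
             ("alice", "report"): {"execute"}},
        clearances={"alice": Label("SECRET", frozenset({"HR"})),
                    "bob": Label("CONFIDENTIAL")},
        classifications={"payroll": Label("CONFIDENTIAL", frozenset({"HR"})),
                         "plan": Label("SECRET"),
                         "report": Label("UNCLASSIFIED")},
    )


def demo():
    """Run six attempts; return the decisions and the resulting audit trail."""
    rm = build_monitor()
    decisions = {
        "alice read payroll": rm.check("alice", "payroll", "read"),      # True
        "alice write payroll": rm.check("alice", "payroll", "write"),    # False: write down
        "alice execute report": rm.check("alice", "report", "execute"),  # True
        "bob read plan": rm.check("bob", "plan", "read"),                # False: read up
        "bob write payroll": rm.check("bob", "payroll", "write"),        # False: DAC
        "carol read payroll": rm.check("carol", "payroll", "read"),      # False: DAC
    }
    return decisions, rm.audit_trail


if __name__ == "__main__":
    print(demo())
```

Both checks must pass; the discretionary lookup runs first because it is cheaper and more specific. The audit record carries the reason for each denial, which is what a later security audit (Section 4.3.2) needs in order to tell a misconfigured access matrix apart from a subject probing for objects above its clearance.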

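Items 4 and 5 together, as an added example that is not part of the original text: a weak authentication exchange that places the credential itself on the wire (and therefore accepts a wiretapper's recorded copy), a strong exchange that answers a fresh server nonce with HMAC-SHA256 over a shared key, and a data channel in which every unit carries an HMAC over its sequence number and payload, so that altered, replayed and reordered units are all rejected while a replayed unit would pass the MAC check alone. HMAC-SHA256 is this example's choice of cryptographic technique, standing in for whatever Chapter 5 discusses; keys, user names and payloads are constructed.

```python
"""Authentication exchange (item 5) and sequence-protected integrity (item 4).

Added example, not the book's code. Weak exchange: the reusable credential is
the message, so a recorded copy authenticates again. Strong exchange: the
client answers a fresh nonce with a keyed hash, so a recorded answer is
useless for the next session. Data channel: HMAC over (sequence number,
payload); the receiver also enforces ordering, which the MAC alone cannot.
Keys, names and payloads below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import struct


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (a||b) and (a'||b') cannot collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">I", len(p)) + p)
    return h.digest()


# ---- item 5: weak versus strong authentication exchange ----------------------
PASSWORDS = {"alice": b"correct horse"}           # constructed credential store
SHARED_KEYS = {"alice": secrets.token_bytes(32)}  # constructed per-principal keys


def weak_authenticate(user: str, password: bytes) -> bool:
    """Weak: the credential travels in clear; whoever recorded it can replay it."""
    return hmac.compare_digest(PASSWORDS.get(user, b"\x00"), password)


class StrongVerifier:
    """Strong: challenge-response; each nonce is consumed by exactly one verification."""

    def __init__(self, keys: dict):
        self.keys, self.pending = keys, {}

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)      # no outstanding challenge: fail
        if nonce is None or user not in self.keys:
            return False
        return hmac.compare_digest(client_response(user, self.keys[user], nonce), response)


def client_response(user: str, key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without ever sending it."""
    return mac(key, b"auth", user.encode(), nonce)


# ---- item 4: integrity of single data units and of their sequence ------------
class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, payload: bytes) -> tuple:
        self.seq += 1
        return self.seq, payload, mac(self.key, b"data", struct.pack(">Q", self.seq), payload)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def receive(self, unit: tuple) -> str:
        seq, payload, tag = unit
        expected = mac(self.key, b"data", struct.pack(">Q", seq), payload)
        if not hmac.compare_digest(expected, tag):
            return "rejected: integrity failure"     # payload or seq was altered
        if seq <= self.last_seq:
            return "rejected: replay or reordering"  # valid MAC, but wrong position
        self.last_seq = seq
        return "accepted"


def demo() -> dict:
    r = {}
    recorded = b"correct horse"                      # what a wiretapper saw earlier
    r["weak_replay"] = weak_authenticate("alice", recorded)
    v = StrongVerifier(SHARED_KEYS)
    nonce = v.challenge("alice")
    resp = client_response("alice", SHARED_KEYS["alice"], nonce)
    r["strong_ok"] = v.verify("alice", resp)
    v.challenge("alice")                             # next session issues a fresh nonce
    r["strong_replay"] = v.verify("alice", resp)     # recorded answer no longer fits
    key = secrets.token_bytes(32)
    s, rx = Sender(key), Receiver(key)
    u1, u2, u3, u4, u5 = (s.send(m) for m in (b"transfer 10", b"transfer 20", b"audit", b"a", b"b"))
    r["in_order"] = [rx.receive(u1), rx.receive(u2)]
    r["replay"] = rx.receive(u2)                     # unaltered, so only the seq catches it
    seq, _, tag = u3
    r["tampered"] = rx.receive((seq, b"transfer 99", tag))
    r["resumed"] = rx.receive(u3)
    r["reordered"] = [rx.receive(u5), rx.receive(u4)]
    return r


if __name__ == "__main__":
    print(demo())
```

The receiver enforces strictly increasing sequence numbers, the simplest explicit ordering the item lists. A unit that arrives late is treated like a replay, which is the right conservative decision on a connection-oriented channel; a datagram service that legitimately reorders would need a replay window instead of a single high-water mark.
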
4.3.2 Pervasive Security Mechanisms

Pervasive security mechanisms are not specific to any particular security service and are in general directly related to the level of security required. Some of these mechanisms can also be regarded as aspects of security management. As shown in Table 4.3, the OSI security architecture enumerates five pervasive security mechanisms.

Table 4.3: OSI Pervasive Security Mechanisms

  1. Trusted functionality
  2. Security labels
  3. Event detection
  4. Security audit trail
  5. Security recovery

  1. The general concept of trusted functionality can be used either to extend the scope or to establish the effectiveness of other security mechanisms. Any functionality that directly provides, or provides access to, security mechanisms should be trustworthy.

  2. System resources may have security labels associated with them, for example, to indicate sensitivity levels. It is often necessary to convey the appropriate security label with data in transit. A security label may be additional data associated with the data transferred or may be implicit (e.g., implied by the use of a specific key to encipher data or implied by the context of the data such as the source address or route).

  3. Security-relevant event detection can be used to detect apparent violations of security.

  4. A security audit refers to an independent review and examination of system records and activities to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures. Consequently, a security audit trail refers to data collected and potentially used to facilitate a security audit.

  5. Security recovery deals with requests from mechanisms such as event handling and management functions, and takes recovery actions as the result of applying a set of rules.
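
Event detection, the security audit trail and rule-driven security recovery (items 3 to 5 above) in one added example that is not part of the book: a detector reads audit records, raises an alarm when a single subject accumulates three access denials within sixty seconds, and a recovery component applies a fixed rule (suspend the subject) to each alarm. The audit records and their one-line-per-event format are constructed for the example.

```python
"""Event detection over an audit trail, with rule-driven recovery (added example).

The audit records are constructed for the example, in a hypothetical
one-line-per-event format:
    <epoch seconds> <subject> <object> <right> <ALLOWED|DENIED>
Detection rule: `threshold` denials by one subject within `window` seconds
is treated as an apparent violation and raises an alarm.
Recovery rule: a subject named in an alarm is suspended (once).
"""
from collections import defaultdict, deque

AUDIT_TRAIL = """\
1000 alice payroll read ALLOWED
1003 mallory payroll write DENIED
1005 mallory payroll read DENIED
1006 bob plan read ALLOWED
1007 mallory plan read DENIED
1009 mallory config write DENIED
1120 mallory config read DENIED
1130 carol payroll read DENIED
""".splitlines()


def parse(line: str) -> dict:
    ts, subject, obj, right, outcome = line.split()
    return {"ts": int(ts), "subject": subject, "object": obj,
            "right": right, "outcome": outcome}


class Detector:
    """Sliding-window count of denials per subject."""

    def __init__(self, threshold: int = 3, window: int = 60):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # subject -> timestamps of recent denials
        self.alarms = []

    def observe(self, ev: dict):
        """Return an alarm dict if this event completes a burst, else None."""
        if ev["outcome"] != "DENIED":
            return None
        q = self.recent[ev["subject"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > self.window:   # forget denials older than the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        alarm = {"subject": ev["subject"], "ts": ev["ts"], "denials": len(q)}
        self.alarms.append(alarm)
        q.clear()                               # report each burst once
        return alarm


class Recovery:
    """Applies the rule set to alarms; actions are kept so they can be audited too."""

    def __init__(self):
        self.suspended, self.actions = set(), []

    def handle(self, alarm: dict):
        if alarm["subject"] not in self.suspended:
            self.suspended.add(alarm["subject"])
            self.actions.append(("suspend", alarm["subject"], alarm["ts"]))


def run(lines, threshold: int = 3, window: int = 60):
    """Feed audit records through detection and recovery; return (alarms, actions)."""
    det, rec = Detector(threshold, window), Recovery()
    for line in lines:
        alarm = det.observe(parse(line))
        if alarm is not None:
            rec.handle(alarm)
    return det.alarms, rec.actions


if __name__ == "__main__":
    print(run(AUDIT_TRAIL))
```

On the constructed trail only mallory's three denials at 1003, 1005 and 1007 fall inside one window; the denial at 1120 is too far from the one at 1009 and carol's single denial never reaches the threshold. The recovery actions are themselves recorded, since the audit of a security incident needs to cover what the system did in response as much as what triggered it.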


Internet and Intranet Security
ISBN: 1580531660
Year: 2002
Pages: 144
