Download OSI Security Architecture

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
Document related concepts

Multilevel security wikipedia , lookup

Distributed firewall wikipedia , lookup

Cyberwarfare wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Wireless security wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Security printing wikipedia , lookup

Airport security wikipedia , lookup

Mobile security wikipedia , lookup

Information security wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Social engineering (security) wikipedia , lookup

Security-focused operating system wikipedia , lookup

Computer security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Information Security Principles course
“Cryptology”
Based of: “Cryptography and network Security” by William Stalling, 5th edition.
Eng. Mohamed Adam Isak
PH.D Researcher in CS
Lecturer in Mogadishu University and University of Somalia
[email protected]
www.engmaisak.blogspot.com
Tell:0615648
Chapter one: Overview
1.
2.
3.
4.
5.
Computer Security Concepts
The OSI Security architecture
Security Attacks
Security Services
Security Mechanisms
2
Computer Security concept
• The protection afforded to an automated information system in
order to attain the applicable objectives of preserving(protecting)
the integrity, availability and confidentiality of information
system resources (includes hardware, software,
information/data, and telecommunications)
[NIST 1995]
3
CIA Security Triangle (1/2)
The three Key Objectives
4
CIA Security Triangle (2/2)
• Confidentiality (covers both data confidentiality and privacy): preserving
authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information. A loss
of confidentiality is the unauthorized disclosure of information.
• Integrity (covers both data and system integrity): Guarding against
improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity. A loss of integrity is the
unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or
an information system.
5
Two additional key objectives
Authenticity: The property of being genuine and being able to be
verified and trusted; confidence in the validity of a transmission, a
message, or message originator.
Accountability: The security goal that generates the requirement
for actions of an entity to be traced uniquely to that entity.
6
Levels of Impact
• 3 levels of impact from a security breach
• Low
• Moderate
• High
7
The Challenges of Computer Security
•
•
•
•
•
•
•
•
•
Security is not as simple as it might first appear to the novice
Security developers must consider potential attacks
Involve algorithms and secret info
Must decide where to deploy mechanisms
Battle of wits (brains) between attacker / admin
Not perceived on benefit until fails
Requires regular monitoring
Too often an afterthought (becoming larger)
The system will not be friendly usage.
8
OSI Security Architecture (1/2)
• ITU-T X.800 “Security Architecture for OSI”
• The International Telecommunication Union (ITU) Telecommunication
Standardization Sector (ITU-T) is a United Nations-sponsored agency that
develops standards, called Recommendations, relating to telecommunications
and to OPEN SYSTEMS INTERCONNECTION (OSI).
• The OSI security architecture was developed in the context of the OSI protocol
architecture.
• OSI Security architecture defines a systematic way of defining and providing
security requirements.
• The OSI security architecture is useful to managers as a way of organizing the
task of providing security.
9
OSI Security Architecture (2/2)
Aspects of Security
• The OSI security architecture focuses on 3 aspects: security
attacks, mechanisms, and services.
1. Security attack: Any action that compromises the security of
information owned by an organization.
2. Security service: A processing or communication service that enhances
the security of the data processing systems and the information
transfers of an organization.
3. Security mechanism: A process (or a device incorporating such a
process) that is designed to detect, prevent, or recover from a security
attack.
10
Security attack classifications
1. A passive attack attempts to learn or make use of information
from the system but does not affect system resources.
Passive attacks are in the nature of eavesdropping on (means
listening to the conversation) , or monitoring of
transmissions. The goal of the opponent is to obtain
information that is being transmitted.
2. An active attack attempts to alter system resources or affect
their operation.
11
Passive Attacks (1)
Release of Message Contents
• Two types of passive attacks are:
Release of message contents and
Traffic analysis.
• Release of message contents relates
to eavesdropping on (means listening
to the conversation). as this figure
shows.
• These attacks are difficult to detect
because they do not involve any
alteration of the data.
• E.g. A telephone conversation, an
electronic mail message, and a
transferred file may contain sensitive
or confidential information.
12
Passive Attacks (2)
Traffic Analysis
• Traffic analysis - monitor
traffic flow to determine
location and identity of
communicating hosts and
could observe the frequency
and length of messages being
exchanged
13
Categories of Active attacks
• Active attacks try to alter system resources or affect their
operation
• Modification of data, or creation of false data
• Four categories
•
•
•
•
Masquerade
Replay
Modification of messages
Denial of service: preventing normal use
• Difficult to prevent
• The goal is to detect and recover
14
Active Attacks (1)
Masquerade
Masquerade is pretending of an entity as authorized entity
15
Active Attacks (2)
Replay
Replay involves the passive capture of a data unit and its
subsequent retransmission to produce an unauthorized effect
16
Active Attacks (3)
Modification of Messages
Modify/alter (part of) messages in transit to produce an unauthorized
effect
17
Active Attacks (4)
Denial of Service
Denial of service - prevents or inhibits the normal use or management of
communications facilities.
18
Security Services (1/2)
• X.800:
“a service provided by a protocol layer of communicating open systems,
which ensures adequate security of the systems or of data transfers”
• RFCs (Requests for Comments - RFC 2828):
“a processing or communication service provided by a system to give a
specific kind of protection to system resources”
19
Security Services (X.800) (2/2)
1. Authentication - assurance that communicating entity is the one claimed
• Have both peer-entity & data origin authentication
2. Access Control - prevention of the unauthorized use of a resource
3. Data Confidentiality –protection of data from unauthorized disclosure
4. Data Integrity - assurance that data received is as sent by an authorized
entity
5. Non-Repudiation - protection against denial by one of the parties in a
communication
6. Availability – resource accessible/usable
20
Security Mechanisms (1/2)
• Security Mechanisms are the specific means of implementing
one or more security services.
• It is a feature designed to detect, prevent, or recover from a
security attack
• No single mechanism that will support all services required
• However one particular element underlies many of the security
mechanisms in use:
• Cryptographic techniques
• Hence our focus on this topic
21
Security Mechanisms (2/2)
(X.800)
• It is divided into Specific security mechanisms and Pervasive security
mechanisms.
• Note that the “specific security mechanisms” are protocol layer specific,
whilst the “pervasive security mechanisms” are not.
• Specific security mechanisms are: Encipherment*, digital signatures,
access controls, data integrity, authentication exchange, traffic padding
and routing control.
• Pervasive security mechanisms are: Trusted functionality, security labels,
event detection, security audit trails (security review paths) and security
recovery
*
Encipherment is: The use of mathematical algorithms to transform data into a form that is not readily intelligible.
22
Model for Network Security (1/3)
• This model, the information being transferred from one party to
another over an insecure communications channel
23
Model for Network Security (2/3)
•
This general model shows that there are four basic tasks in
designing a particular security service, as the previous figure
shows.
1.
2.
3.
4.
Design a suitable algorithm for the security transformation
Generate the secret information (keys) used by the algorithm
Develop methods to distribute and share the secret information
Specify a protocol enabling the principals to use the transformation
and secret information for a security service
24
Model for Network Access Security (3/3)
•
Using the model shown in the this figure requires, we understand
that the security mechanisms needed to cope with unwanted
access fall into two broad categories.
1. Select appropriate gatekeeper functions to identify users
2. Implement security controls to ensure only authorised users
access designated information or resources
25
Standards
• NIST: National Institute of Standards and Technology
• FIPS: Federal Information Processing Standards
• SP: Special Publications
• ISOC: Internet Society
• Home for IETF (Internet Engineering Task Force) and IAB (Internet
Architecture Board)
• RFCs: Requests for Comments
26
Summary and coming assignment points
27
CHAPTER ONE – KEY TERMS AND REVIEW QUESTIONS
1.1 What is the OSI security architecture?
1.2 What is the difference between passive and active security
threats?
1.3 List and briefly define categories of passive and active
security attacks.
1.4 List and briefly define categories of security services.
1.5 List and briefly define categories of security mechanisms
28
Related documents
download
download
Introduction - Computer Science
Introduction - Computer Science
Lecture 1 - WordPress.com
Lecture 1 - WordPress.com
No Slide Title
No Slide Title
12_hSecurityRequirements
12_hSecurityRequirements
Introduction (Pres.)
Introduction (Pres.)
Introduction to network security
Introduction to network security
Honeynet Project
Honeynet Project
Systems Security
Systems Security
Computer Security: Principles and Practice, 1/e
Computer Security: Principles and Practice, 1/e
William Stallings, Cryptography and Network Security 5/e
William Stallings, Cryptography and Network Security 5/e
Chapter 3 OSI Model Worksheet In class lecture and handout.
Chapter 3 OSI Model Worksheet In class lecture and handout.