Security Mechanisms with X.800 and RFC 2828

A security mechanism is a process (or a device incorporating such a process) that can be used
in a system to implement a security service that is provided by or within the system. Some
examples of security mechanisms are authentication exchange, checksums, digital signatures,
encryption and traffic padding (cf. p.153, RFC 2828). Security mechanisms are divided into
two groups: specific security mechanisms, which may be incorporated in a specific protocol
layer, and pervasive security mechanisms, which are not specific to any particular protocol
layer. The concepts below are taken from Recommendation X.800:
• Specific security mechanisms
– Encipherment: encipherment can provide confidentiality of either data or traffic flow
information by converting the original information into a form that is not intelligible.
Encipherment algorithms may be reversible or irreversible. Two general classifications
of reversible encipherment algorithm are symmetric (i.e. secret key) and asymmetric (i.e.
public key).
– Digital signature: this mechanism attaches some special information to the transmitted
data, enabling the recipient to verify the source as well as the integrity of the data. The
term digital signature goes hand-in-hand with public key cryptography.
– Access control: this mechanism may use the authenticated identity of an entity, information
about the entity or capabilities of the entity to grant access rights to the
entity.
– Data integrity: two aspects of data integrity are: (i) the integrity of a single data unit or
field; (ii) the integrity of a stream of data units or fields. In general, different mechanisms
are used to provide these two types of integrity service, although provision of the second
without the first is not practical.
– Authentication exchange: peer entity authentication is assisted by means of information
exchange.
– Traffic padding mechanism: traffic padding mechanisms can be used to provide various
levels of protection against traffic analysis. Traffic padding is done by inserting bits into
gaps in data streams.
– Routing control: this mechanism allows a proper choice of routes for transferring information.
End systems may wish to instruct the network service provider to establish a
connection via a different route for a more secure communication.
– Notarization mechanism: this mechanism needs the involvement of a third party to
ensure certain properties of data exchange between the two entities.
• Pervasive security mechanisms
– Trusted functionality: may be used to extend the scope, or to establish the effectiveness,
of other security mechanisms. Any functionality which provides access to security
mechanisms should be trustworthy.
– Security labels: resources including data items may have security labels associated with
them, e.g. to indicate a sensitivity level. It is often necessary to convey the appropriate
security label with data in transit.
– Event detection: security-relevant event detection includes the detection of apparent
violations of security and may also include detection of ‘normal’ events.
– Security audit trails: provide a valuable security mechanism, as potentially they permit
detection and investigation of breaches of security by permitting a subsequent security
audit. A security audit is an independent review and examination of system records
and activities in order to test for adequacy of system controls, to ensure compliance
with established policy and operational procedures, to aid in damage assessment and to
recommend any indicated changes in controls, policy and procedures.
– Security recovery: security recovery deals with requests from mechanisms such as event
handling and management functions and takes recovery actions as the result of applying
a set of rules. These recovery actions may be of three kinds: immediate, temporary or
long term.
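The pervasive mechanisms listed above (security labels, event detection and a security audit trail) are easiest to see working together. The following is an added example, not code from X.800 or from the author of this page: a small reference monitor compares each subject's clearance against the sensitivity label of the resource (labels, clearances, subjects and resources are all constructed for the illustration), writes every decision to an append-only audit trail, treats each denial as a security-relevant event and escalates a burst of denials from one subject within a time window, and finally produces the kind of summary a subsequent security audit would review. The level ordering, the burst threshold and the window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ordered sensitivity levels (constructed for the example; X.800 only says labels
# indicate "a sensitivity level", it does not prescribe a lattice).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    subject: str
    resource: str
    label: str      # the security label conveyed with the resource
    outcome: str    # "allow" or "deny"


class LabelledResourceMonitor:
    """Grants or denies reads by comparing clearance against the resource label,
    records every decision in the audit trail, and performs event detection
    over the trail as records arrive."""

    def __init__(self, clearances, labels, burst_threshold=3, window=timedelta(minutes=5)):
        self.clearances = clearances        # subject -> clearance level (constructed)
        self.labels = labels                # resource -> security label (constructed)
        self.burst_threshold = burst_threshold
        self.window = window
        self.audit_trail = []               # append-only: the security audit trail
        self.alerts = []                    # escalated security-relevant events

    def read(self, ts, subject, resource):
        label = self.labels[resource]
        clearance = self.clearances.get(subject, "PUBLIC")   # unknown subjects get the lowest level
        allowed = LEVELS[clearance] >= LEVELS[label]
        record = AuditRecord(ts, subject, resource, label, "allow" if allowed else "deny")
        self.audit_trail.append(record)
        self._detect(record)
        return allowed

    def _detect(self, record):
        # Event detection: every denial is an apparent violation; a burst of
        # denials from the same subject inside the window is escalated.
        if record.outcome != "deny":
            return
        since = record.ts - self.window
        denials = [r for r in self.audit_trail
                   if r.subject == record.subject and r.outcome == "deny" and r.ts >= since]
        if len(denials) >= self.burst_threshold:
            self.alerts.append((record.ts, record.subject, len(denials)))


def audit_summary(trail):
    """Security audit: a subsequent, independent review of the recorded trail,
    here reduced to per-subject counts and the labels each subject was denied."""
    summary = {}
    for r in trail:
        s = summary.setdefault(r.subject, {"allow": 0, "deny": 0, "labels_denied": set()})
        s[r.outcome] += 1
        if r.outcome == "deny":
            s["labels_denied"].add(r.label)
    return summary


def demo():
    """Runs a constructed sequence of accesses and returns what the audit finds."""
    monitor = LabelledResourceMonitor(
        clearances={"alice": "SECRET", "bob": "INTERNAL"},
        labels={"hr/salaries": "CONFIDENTIAL", "plans/q3": "SECRET", "wiki/lunch": "PUBLIC"},
    )
    t0 = datetime(2024, 1, 15, 9, 0)          # constructed timestamps
    outcomes = [
        monitor.read(t0, "alice", "plans/q3"),                            # allow
        monitor.read(t0, "bob", "wiki/lunch"),                            # allow
        monitor.read(t0 + timedelta(minutes=1), "bob", "hr/salaries"),    # deny
        monitor.read(t0 + timedelta(minutes=2), "bob", "plans/q3"),       # deny
        monitor.read(t0 + timedelta(minutes=3), "bob", "hr/salaries"),    # deny -> burst alert
        monitor.read(t0 + timedelta(minutes=10), "bob", "hr/salaries"),   # deny, outside window
    ]
    return {"outcomes": outcomes, "alerts": monitor.alerts,
            "summary": audit_summary(monitor.audit_trail)}


if __name__ == "__main__":
    print(demo())
```

The monitor decides access and records it in one place, so the trail is complete by construction; the detection rule runs over the same trail rather than over a separate feed, and the audit summary is computed afterwards from the trail alone, which is the separation X.800 describes between event detection (as events happen) and audit (a later review).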

By Michael Wong

Security Services, According to RFC 2828

According to RFC 2828, a security service is a processing or communication service provided
by a system to protect system resources. Security services implement security policies and are
implemented by security mechanisms. Security services are divided into five categories:
• Authentication service: this security service verifies the identities claimed by or for an
entity (cf. p.16, RFC 2828). Authentication services are divided into two groups: data origin
authentication and peer entity authentication.
– Data origin authentication: this security service verifies the identity of a system entity
that is claimed to be the original source of received data (cf. p.53, RFC 2828). It does
not provide protection against duplication or modification of data units even though it is
sometimes thought to enable a recipient to verify that the data have not been tampered
with in transit.
– Peer entity authentication: this service provides corroboration between peer entities at
the connection establishment or during the transfer of information between them. This
service guarantees that an entity is not attempting to masquerade or to replay a previous
connection without authority (cf. p.8, Recommendation X.800).
• Access control: this service provides protection against unauthorized use of resources such
as computing resources, storage resources, communication links, etc. To use a resource, the
user should first be authenticated, after which they can be granted the right to use specific
system resources.
• Data confidentiality: this service protects data from unauthorized disclosure as the data
are transmitted from a source to a destination. Encryption and decryption are often used to
provide data confidentiality. Data confidentiality is divided into four groups:
– Connection confidentiality: this service provides confidentiality of user data on a
connection.
– Connectionless confidentiality: this service provides confidentiality of user data for
connectionless services, i.e. it protects individual data blocks.
– Selective field confidentiality: this service provides confidentiality of selected fields of
user data in a connection or in an individual data block.
– Traffic flow confidentiality: this service protects information which might be derived
from the observation of traffic flows. It serves to protect against traffic analysis.
• Data integrity: this service ensures that the data are received exactly as they were sent and
there has been no modification or replay of the data. Data integrity is classified into five
groups (cf. pp. 9–10, Recommendation X.800):
– Connection integrity with recovery: this service provides integrity for all user data on a
connection, detects any modifications, insertions, deletions or replays of any data within
an entire data sequence and attempts to recover the data if an attack is detected.
– Connection integrity without recovery: this service provides integrity for all user data on
a connection and detects any modifications, insertions, deletions or replays of any data
within an entire data sequence but does not attempt to recover the data when an attack is
detected.
– Selective field connection integrity: this service provides integrity for selected fields
within the user data transferred over a connection and takes the form of determination
of whether the selected fields have been modified, inserted, deleted or replayed.
– Connectionless integrity: this service provides integrity for individual data blocks and
may take the form of determination of whether a received data block has been modified.
Additionally, a limited form of detection of replay may be provided.
– Selective field connectionless integrity: this service provides integrity for selected fields
within individual data blocks and takes the form of determination of whether the selected
fields have been modified.
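The distinctions drawn above, between data origin authentication (which does not protect against replay), connectionless integrity (modification detected, replay at most partially), connection integrity (modification, insertion, deletion and replay of units in a sequence) and selective field integrity, can be made concrete with a single keyed-hash mechanism. The following is an added example, not code from either standard or from the author of this page; it uses HMAC-SHA256 from the Python standard library, a shared key, sequence numbers and a JSON message whose values are all constructed for the illustration, and implements only the "without recovery" variant of the connection service (a failing unit is rejected, the stream is not repaired).

```python
import hashlib
import hmac
import json

# Constructed shared key for the demo; in a real system it comes from a key exchange.
DEMO_KEY = bytes(range(32))


def tag(key, data):
    """HMAC-SHA256 over data: the integrity / data-origin mechanism used throughout."""
    return hmac.new(key, data, hashlib.sha256).digest()


def connectionless_check(key, block, mac):
    """Connectionless integrity: each block is verified on its own.
    A modified block is caught; a replayed, still-valid block is not."""
    return hmac.compare_digest(tag(key, block), mac)


def send_on_connection(key, seq, block):
    """Sender side of the connection service: the sequence number is bound into
    the MAC so the receiver can authenticate the position as well as the content."""
    return seq, block, tag(key, seq.to_bytes(8, "big") + block)


class ConnectionReceiver:
    """Connection integrity without recovery: detects modification, insertion,
    deletion, reordering and replay of data units, rejects the offending unit,
    and makes no attempt to repair the stream."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 0
        self.accepted = []

    def receive(self, seq, block, mac):
        expected = tag(self.key, seq.to_bytes(8, "big") + block)
        if not hmac.compare_digest(expected, mac):
            return False            # content or sequence number was modified
        if seq != self.expected_seq:
            return False            # replay (seq too low) or deletion/insertion (seq too high)
        self.expected_seq += 1
        self.accepted.append(block)
        return True


def selective_field_tag(key, message, fields):
    """Selective field integrity: only the named fields of a JSON-like message are
    protected; unprotected fields may change without affecting the tag."""
    protected = {f: message[f] for f in fields}
    canonical = json.dumps(protected, sort_keys=True, separators=(",", ":")).encode()
    return tag(key, canonical)


def demo():
    """Exercises each service against constructed data and reports what was detected."""
    key, results = DEMO_KEY, {}

    block = b"transfer 10 to alice"
    mac = tag(key, block)
    results["cl_modified_detected"] = not connectionless_check(key, b"transfer 99 to alice", mac)
    results["cl_replay_detected"] = not connectionless_check(key, block, mac)   # stays False

    rx = ConnectionReceiver(key)
    u0 = send_on_connection(key, 0, b"unit-0")
    u1 = send_on_connection(key, 1, b"unit-1")
    u2 = send_on_connection(key, 2, b"unit-2")
    rx.receive(*u0)
    rx.receive(*u1)
    results["conn_replay_detected"] = not rx.receive(*u0)
    results["conn_deletion_detected"] = not rx.receive(*send_on_connection(key, 3, b"unit-3"))
    results["conn_modification_detected"] = not rx.receive(u2[0], b"unit-X", u2[2])
    results["conn_in_order_accepted"] = rx.receive(*u2)

    msg = {"amount": 10, "payee": "alice", "memo": "lunch"}   # constructed message
    fields = ("amount", "payee")
    t = selective_field_tag(key, msg, fields)
    results["sf_memo_change_ignored"] = selective_field_tag(key, {**msg, "memo": "dinner"}, fields) == t
    results["sf_amount_change_detected"] = selective_field_tag(key, {**msg, "amount": 99}, fields) != t
    return results


if __name__ == "__main__":
    print(demo())
```

The one value that comes out false, `cl_replay_detected`, is the point of the data origin authentication caveat above: a valid tag on its own says who produced the block, not whether this is the first time it has arrived. Binding a sequence number into the tag is what turns the same MAC into a connection integrity service.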
• Nonrepudiation: this service guarantees that an entity once involved in a communication
cannot later deny its involvement. This service may take one or both of two forms:
– Nonrepudiation with proof of origin: the recipient of the data is provided with proof
of the origin of the data. This will protect against any attempt by the sender to falsely
deny sending the data or their contents. A digital signature is an example of providing
nonrepudiation with proof of origin (cf. p.10, X.800).
– Nonrepudiation with proof of delivery: the sender of data is provided with proof of delivery
of the data. This will protect against any subsequent attempt by the recipient to
falsely deny receiving the data or their contents (cf. p.10, X.800).
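Both forms of nonrepudiation rest on a signature that only one party can produce. As an added example (not code from X.800, RFC 2828 or the author of this page), the block below implements a Lamport one-time signature from SHA-256 in the Python standard library, a scheme chosen here only because it needs no third-party library; the keys, message and receipt format are constructed for the illustration. The sender signs the message (proof of origin); the recipient signs a receipt over the message hash under a distinct prefix (proof of delivery); either proof can be checked by a third party from public keys alone, which is what a shared-key MAC cannot offer, since both parties could have produced it. Lamport keys are strictly one message per key pair, which the code assumes.

```python
import hashlib
import secrets

DIGEST_BITS = 256   # one preimage pair per bit of the SHA-256 digest
RECEIPT_PREFIX = b"RECEIPT:"   # constructed domain separation for delivery receipts


def keygen():
    """One-time key pair: 256 pairs of random preimages (private) and their hashes (public)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(message):
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(sk, message):
    """For each bit of H(message), reveal the preimage on that side of the pair.
    Only the private-key holder can do this, which is what makes the result a
    proof of origin. A Lamport key pair must sign exactly one message."""
    return [sk[i][b] for i, b in enumerate(_bits(message))]


def verify(pk, message, signature):
    """Anyone holding the public key can check the signature; no secret is needed."""
    if len(signature) != DIGEST_BITS:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(signature, _bits(message))))


def delivery_receipt(recipient_sk, message):
    """Nonrepudiation with proof of delivery: the recipient signs a receipt that
    commits to the exact message received."""
    return sign(recipient_sk, RECEIPT_PREFIX + hashlib.sha256(message).digest())


def verify_delivery(recipient_pk, message, receipt):
    return verify(recipient_pk, RECEIPT_PREFIX + hashlib.sha256(message).digest(), receipt)


def demo():
    """Walks through both forms with constructed keys and a constructed message."""
    sender_sk, sender_pk = keygen()
    recipient_sk, recipient_pk = keygen()
    message = b"pay 100 EUR to bob for invoice 17"   # constructed

    # Proof of origin: sender signs, recipient (or a judge) verifies with sender_pk.
    signature = sign(sender_sk, message)
    # Proof of delivery: recipient signs a receipt, sender verifies with recipient_pk.
    receipt = delivery_receipt(recipient_sk, message)

    return {
        "origin_ok": verify(sender_pk, message, signature),
        "origin_altered_message": verify(sender_pk, message + b" and 50 more", signature),
        "origin_wrong_signer": verify(recipient_pk, message, signature),
        "delivery_ok": verify_delivery(recipient_pk, message, receipt),
        "delivery_other_message": verify_delivery(recipient_pk, b"something else", receipt),
        "receipt_is_not_origin_proof": verify(recipient_pk, message, receipt),
    }


if __name__ == "__main__":
    print(demo())
```

The receipt prefix keeps the two proofs from being confused: a delivery receipt is a signature over `RECEIPT:` plus the message hash, so it never verifies as a signature over the message itself, and the recipient cannot later be said to have originated the message by signing a receipt for it.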

By Michael Wong

Security Threats and Attacks, According to X.800

According to X.800, ‘A threat to a system security includes any of the following: destruction
of information and/or other resources; corruption or modification of information; theft,
removal or loss of information and/or other resources; disclosure of information and interruption
of services’. Another, clearer definition comes from RFC 2828, which defines a threat
as ‘A potential violation of security exists when there is a circumstance, capability, action, or
event that could breach security and cause harm’. In other words, a threat is a possible danger
that might exploit a vulnerability.

Threats can be classified as accidental or intentional and may be active or passive:
• Accidental vs. intentional threats – as their names imply, accidental threats exist with no
premeditated intent; for example, system malfunctions or software bugs. On the other hand,
intentional threats are planned actions for specific purposes.
• Passive vs. active threats – passive threats do not modify the information in or operations
of the victim systems; for example, wire tapping. Active threats, on the other hand, involve
modification of information in or operation of the victim systems; for example, changing
the firewall rules of a system to allow unauthorized access.
While a threat is a potential security problem that may lead to a security breach, it is not yet
an action. An attack, on the other hand, is an action to exploit a security breach. Attacks can
also be classified as insider or outsider attacks, and active or passive attacks:
• Insider vs. outsider attacks – insider attacks occur when legitimate users of a system behave
in unintended ways. Outsider attacks are initiated from outside the security perimeter by
illegitimate system users.
• Active vs. passive attacks – active attacks attempt to change system resources or affect their
operation. Examples of active attacks are masquerade, replay, modification of message and
denial of service. Passive attacks attempt to make use of information from the system without
changing system resources. Examples of passive attacks are message content disclosure
and traffic analysis.

By Michael Wong

Introduction to X.800 and RFC 2828

ITU-T Recommendation X.800 (Security Architecture for OSI) and IETF RFC 2828 (Internet
Security Glossary) are used as references to systematically evaluate and define security
requirements. Though coming from different standardization bodies, the two standards
have many points in common. X.800 is used to define general security-related architectural
elements needed when protection of communication between open systems is
required. X.800 establishes guidelines and constraints to improve existing recommendations
and/or to develop new recommendations in the context of OSI. Similarly, RFC 2828
provides abbreviations, explanations and recommendations for information system security
terminology.

Both X.800 and RFC 2828 are designed to assist security managers in defining security
requirements and possible approaches to meeting those requirements. They also
help hardware and software manufacturers to develop security features for their products
and services that follow certain standards. X.800 and RFC 2828 both mention
several aspects of security systems, namely security threat and attack, security services
and mechanisms and security management. This section gives a brief introduction to
these standards. We urge readers to read the original standard documents for more
information.

By Michael Wong