Dig into X.800 and RFC 2828!!

X.800 is an extension of Recommendation X.200, which describes the reference model for Open Systems Interconnection (OSI). X.200 establishes a framework for coordinating the development of existing and future Recommendations for the interconnection of systems. The objective of OSI is to permit the interconnection of heterogeneous computer systems so that useful communication between application processes may be achieved. Security controls must be built in to protect the information exchanged between application processes, and those controls should make the cost and time of improperly obtaining or modifying the data greater than the potential value of the information.
X.800 defines the general security-related architectural elements that can be applied wherever protection of communication between open systems is required. Within the framework of the reference model, it establishes guidelines and constraints for improving existing Recommendations and developing new ones so that secure communication is possible.

X.800 provides a general description of security services and related mechanisms, and defines the positions within the reference model where those services and mechanisms may be provided.

The OSI security architecture gives a useful overview of the three concepts it is built on, security attacks, security mechanisms and security services, which can be described as follows:
•    Security attack: any action that compromises the security of information owned by an organization, for example the unauthorized reading of a message or file, or traffic analysis.
•    Security mechanism: a process (or a device incorporating such a process) that is designed to detect, prevent or recover from a security attack.
•    Security service: a processing or communication service that enhances the security of the data processing systems and of the information transfers between application processes.

In the literature, the terms threat and attack are often used as if they meant the same thing. RFC 2828 (the Internet Security Glossary) keeps them apart:
•    Threat
A potential for violation of security, which exists when there is a circumstance, capability, action or event that could breach security and cause harm.
•    Attack
An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.

Building on X.800, ITU-T Recommendation X.805 defines eight security dimensions that address network vulnerabilities:
1.    Access control
2.    Authentication
3.    Non-repudiation
4.    Data confidentiality
5.    Communication security
6.    Data integrity
7.    Availability
8.    Privacy

X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. The following five classes of security service may be provided, optionally, within the framework of the OSI reference model.

1.    Authentication
These services require authentication information comprising locally stored information and data that is transferred (credentials) to facilitate the authentication.
-. Peer entity authentication: this service is provided for use at the establishment of, or at times during, the data transfer phase of a connection, to confirm the identities of one or more of the entities connected to one or more of the other entities.
-. Data origin authentication: this service provides corroboration of the source of a data unit. It does not provide protection against duplication or modification of data units.

2.    Access Control
Provides protection against unauthorized use of resources accessible via OSI (the resources themselves may be OSI or non-OSI resources reached through OSI protocols). The service may be applied to various types of access to a resource, such as the use of a communications resource, the reading, writing or deletion of an information resource, or the execution of a processing resource, or to all accesses to a resource.

3.    Data Confidentiality
Provides the protection of data from unauthorized disclosure. Four forms are defined: connection confidentiality (all user data on a connection), connectionless confidentiality (all user data in a single data unit), selective field confidentiality (only selected fields within the user data), and traffic flow confidentiality (protection of the information that could be derived from observing traffic flows, such as who talks to whom and how much).
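As an added example that is not part of X.800 or of this post, the following Go program shows what selective field confidentiality and traffic padding look like in practice. It assumes a constructed Record type with a clear-text routing header (Dest) and one protected field (Payload), AES-GCM as the encipherment mechanism, and an arbitrary fixed block size PaddedSize of 64 bytes; the key, the node names and the messages are all made up for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is a constructed sample data unit: Dest is a routing header that
// intermediate nodes must read; Payload is the one field that may not be
// disclosed to anyone but the peer (selective field confidentiality).
type Record struct {
	Dest    string
	Payload []byte
}

// PaddedSize is the fixed length every payload is padded to before
// encipherment (traffic padding), so ciphertext length does not leak
// payload length. The value is arbitrary for this example.
const PaddedSize = 64

var errTooLarge = errors.New("payload does not fit in one padded block")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField enciphers only Payload with AES-GCM. Dest stays in clear but is
// bound as associated data, so a swapped header is detected on open.
func SealField(key []byte, r Record) (Record, error) {
	if len(r.Payload) > PaddedSize-2 {
		return Record{}, errTooLarge
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	ns := gcm.NonceSize()
	buf := make([]byte, ns+PaddedSize)
	if _, err := rand.Read(buf); err != nil { // fresh nonce and random padding
		return Record{}, err
	}
	nonce, padded := buf[:ns], buf[ns:]
	binary.BigEndian.PutUint16(padded, uint16(len(r.Payload))) // true length
	copy(padded[2:], r.Payload)
	wire := append([]byte{}, nonce...) // wire format: nonce || ciphertext || tag
	wire = gcm.Seal(wire, nonce, padded, []byte(r.Dest))
	return Record{Dest: r.Dest, Payload: wire}, nil
}

// OpenField reverses SealField; it fails if the key, the Dest header or the
// enciphered field was altered, or if the length prefix is inconsistent.
func OpenField(key []byte, r Record) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	ns := gcm.NonceSize()
	if len(r.Payload) < ns {
		return Record{}, errors.New("enciphered field too short")
	}
	padded, err := gcm.Open(nil, r.Payload[:ns], r.Payload[ns:], []byte(r.Dest))
	if err != nil {
		return Record{}, err
	}
	if len(padded) != PaddedSize {
		return Record{}, errors.New("padded block has wrong length")
	}
	n := int(binary.BigEndian.Uint16(padded))
	if n > PaddedSize-2 {
		return Record{}, errors.New("length prefix out of range")
	}
	return Record{Dest: r.Dest, Payload: padded[2 : 2+n]}, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	short, _ := SealField(key, Record{Dest: "node-B", Payload: []byte("ok")})
	long, _ := SealField(key, Record{Dest: "node-B", Payload: []byte("transfer 1000 to account 42")})
	fmt.Println("equal wire lengths:", len(short.Payload) == len(long.Payload))
	back, err := OpenField(key, long)
	fmt.Printf("%q %v\n", back.Payload, err)
}
```

Because Dest is passed as associated data, the header is not hidden but cannot be changed without the field failing to open, and because every payload is padded to PaddedSize, a short and a long message produce the same ciphertext length, which is the point of traffic flow confidentiality. Padding to one fixed size only hides length within that size class; hiding timing and volume needs dummy traffic as well, which this example does not cover.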

4.    Data Integrity
These services counter active threats. X.800 defines connection integrity with recovery, connection integrity without recovery, selective field connection integrity, connectionless integrity and selective field connectionless integrity. On a connection, using the peer entity authentication service at the start of the connection and the data integrity service during the life of the connection can jointly corroborate the source and the integrity of all data units transferred, and may additionally provide detection of duplicated data units, for example by means of sequence numbers.
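To make the difference between the two authentication services and the integrity service concrete, here is an added example in Go (my own code, not from X.800 or the original post). It uses HMAC-SHA256 as the cryptographic check value, a random 16-byte challenge for peer entity authentication, and a constructed Conn type that keeps one sequence number per direction; the key, the "debit" messages and the "peer-auth:" prefix are constructed for the illustration. The first part shows the caveat from the authentication section above: a replayed data unit still passes data origin authentication, and only the sequence number on the connection catches it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// OriginTag is a data origin authentication mechanism: an HMAC-SHA256 check
// value over one data unit under a key shared with the peer. A valid tag
// corroborates that a key holder produced this unit unmodified, and nothing
// more: the same unit verifies again every time it is replayed.
func OriginTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func VerifyOrigin(key, msg, tag []byte) bool {
	return hmac.Equal(OriginTag(key, msg), tag) // constant-time compare
}

// Peer entity authentication at connection establishment: the verifier issues
// a fresh random challenge and the peer answers with a tag over it, so a
// response captured from an earlier connection cannot be replayed.
func NewChallenge() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return n, err
}

func Respond(key, nonce []byte) []byte {
	// The prefix keeps authentication responses distinct from data unit tags.
	return OriginTag(key, append([]byte("peer-auth:"), nonce...))
}

func VerifyResponse(key, nonce, resp []byte) bool {
	return hmac.Equal(Respond(key, nonce), resp)
}

// Conn adds connection integrity: each data unit carries a sequence number
// covered by the tag, and the receiver accepts only the next expected number,
// so a duplicated (replayed) or reordered unit is detected. One Conn per direction.
type Conn struct {
	key     []byte
	nextSeq uint64
}

type DataUnit struct {
	Seq  uint64
	Data []byte
	Tag  []byte
}

var (
	ErrBadTag = errors.New("data integrity check failed")
	ErrReplay = errors.New("duplicate or out-of-order data unit")
)

func NewConn(key []byte) *Conn { return &Conn{key: key} }

func seqAndData(seq uint64, data []byte) []byte {
	b := make([]byte, 8, 8+len(data))
	binary.BigEndian.PutUint64(b, seq)
	return append(b, data...)
}

func (c *Conn) Send(data []byte) DataUnit {
	du := DataUnit{Seq: c.nextSeq, Data: data}
	du.Tag = OriginTag(c.key, seqAndData(du.Seq, data))
	c.nextSeq++
	return du
}

func (c *Conn) Receive(du DataUnit) error {
	// Check the tag before touching state, so forged units cannot desync us.
	if !VerifyOrigin(c.key, seqAndData(du.Seq, du.Data), du.Tag) {
		return ErrBadTag
	}
	if du.Seq != c.nextSeq {
		return ErrReplay
	}
	c.nextSeq++
	return nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	msg := []byte("debit 100") // constructed sample data unit
	tag := OriginTag(key, msg)
	fmt.Println("connectionless, replayed unit still verifies:", VerifyOrigin(key, msg, tag))
	nonce, _ := NewChallenge()
	fmt.Println("peer authenticated:", VerifyResponse(key, nonce, Respond(key, nonce)))
	tx, rx := NewConn(key), NewConn(key)
	du := tx.Send(msg)
	fmt.Println("first delivery:", rx.Receive(du), "| replay:", rx.Receive(du))
}
```

The receiver verifies the tag before it compares the sequence number, so an attacker without the key cannot move the window by sending forged units. A strict "next expected number" rule is right for a reliable, ordered connection; over a lossy datagram service a sliding window of seen numbers is used instead, which is the connectionless integrity case.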

5.    Non-repudiation
This service takes one or both of two forms:
1.    Non-repudiation with proof of origin: the recipient is provided with proof of the origin of the data, which protects against any attempt by the sender to falsely deny having sent the data or its contents.
2.    Non-repudiation with proof of delivery: the sender is provided with proof of delivery, which protects against any subsequent attempt by the recipient to falsely deny having received the data or its contents.
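An added example (not from X.800 or this post) of both forms of non-repudiation in Go, using Ed25519 as the digital signature mechanism. The party names, the order text and the context prefixes "origin:" and "receipt:" are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds an Ed25519 key pair. Only the private key holder can produce a
// signature, while anyone with the public key can verify it; that asymmetry is
// what lets a third party settle a dispute, which a shared-key MAC cannot do
// (with a MAC either side could have computed the tag).
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Pub: pub, priv: priv}, nil
}

// withContext gives origin proofs and delivery receipts distinct message
// formats, so a receipt can never be passed off as an origin signature.
func withContext(ctx string, data []byte) []byte {
	h := sha256.Sum256(data)
	return append([]byte(ctx+":"), h[:]...)
}

// ProveOrigin: the sender signs what it sends. The recipient keeps the
// signature, and the sender cannot later deny having sent this content.
func (p *Party) ProveOrigin(data []byte) []byte {
	return ed25519.Sign(p.priv, withContext("origin", data))
}

func VerifyOriginProof(senderPub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(senderPub, withContext("origin", data), sig)
}

// ProveDelivery: the recipient signs a receipt over what it received. The
// sender keeps it, and the recipient cannot later deny having received it.
func (p *Party) ProveDelivery(data []byte) []byte {
	return ed25519.Sign(p.priv, withContext("receipt", data))
}

func VerifyDeliveryProof(recipientPub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(recipientPub, withContext("receipt", data), sig)
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	order := []byte("order #17: 10 units, price 1000") // constructed sample
	sig := alice.ProveOrigin(order)
	receipt := bob.ProveDelivery(order)
	fmt.Println("origin proof checks:", VerifyOriginProof(alice.Pub, order, sig))
	fmt.Println("delivery proof checks:", VerifyDeliveryProof(bob.Pub, order, receipt))
	fmt.Println("receipt passes as origin proof:", VerifyOriginProof(bob.Pub, order, receipt))
}
```

In practice the proofs are only as good as the binding between a public key and a party, which is where the notarization mechanism and a trusted third party come in; the signatures alone settle what was signed, not who owns the key.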

Specific Security Mechanisms
The following mechanisms may be incorporated into the appropriate layer in order to provide some of the services described above:
1.    Encipherment
2.    Digital signature mechanism
3.    Access control mechanism
4.    Data integrity mechanism
5.    Authentication exchange mechanism
6.    Traffic padding mechanism
7.    Routing control mechanism
8.    Notarization mechanism

Pervasive Security Mechanisms
These mechanisms are not specific to any particular service and are therefore not described as belonging to any particular layer. Some of them can be regarded as aspects of security management, and their use is directly related to the level of security required.
1.    Trusted functionality
2.    Security labels
3.    Event detection
4.    Security audit trail
5.    Security recovery
