The OSI security architecture helps the managers responsible for an organization's security define its security requirements. It was introduced as an 'international standard', which lets computer and communication vendors develop products with security features based on this architecture.
The OSI security architecture gives a structured definition of the services and mechanisms that provide security for an organization's information.
OSI Security Architecture Defines:
- Security Attacks
- Security Mechanism
- Security Services
A security attack can be defined as an action that puts the security of information owned by the company at risk. X.800 and RFC 4949 classify security attacks into two types, as discussed below:
- Passive Attack
In a passive attack, the attacker monitors or eavesdrops on the transmission between the sender and the receiver and tries to retrieve the information being transmitted. Neither the sender nor the receiver is aware of the attack, because the attacker only retrieves the message and does not alter the captured message. The message is sent and received in the normal fashion.
Therefore, a passive attack is more difficult to identify. Though identifying a passive attack is tedious, you can implement encryption to prevent the attack from succeeding, which means that even if the attack happens, the attacker is unable to extract the information.
The passive attack is further classified into two types.
- Release of message content
The release of message content is a kind of attack where the attacker listens to a telephone conversation, or tracks electronic mail or a transferred file, to retrieve the confidential message being transmitted. The opponent is quite interested in the content of the released message.
To protect the released message content, the organization may apply a mask over the content of the message so that even if the attacker captures the message, he would not be able to understand it. This technique of masking the released message is termed encryption.
- Traffic analysis
In a traffic analysis passive attack, the attacker monitors the pattern, length and frequency of the released messages to guess the original message.
- Active Attack
We have seen that in a passive attack the attacker does not alter the message, but in an active attack the attacker alters or modifies the transmitted message, or creates a false data stream.
It is quite difficult to prevent an active attack; instead, the goal is to identify the source of the active attack and apply a recovery measure.
The active attack is further classified into four types.
- Masquerade
In a masquerade active attack, the attacker pretends to be the sender. To understand it better, consider that in figure 2 above only path 2 is active in a masquerade attack.
- Replay
In a replay, the message is captured in a passive way and is retransmitted to produce an unauthorized effect. To understand replay, consider that in figure 2 paths 1, 2 and 3 are active.
- Modification of message
Modification of message means that some part of the message's data stream is altered or modified to create an unauthorized effect. Paths 1 and 2 are active in this kind of attack.
- Denial of services
The attacker suppresses all the messages directed to a particular receiver by overloading the network to degrade the network performance.
The security mechanism is an entire process that is specifically designed to identify the attack and develop a strategy to recover from or prevent the attack.
Considering X.800's security services, the services can be classified into five categories, as discussed below.
- Authentication: It assures that the entity involved in the communication is the one it claims to be.
- Access Control: This service assures that only the authorized entities are accessing the resources and prevents unauthorized access.
- Data Confidentiality: This service manages to maintain the confidentiality of data by preventing the exposure of the message content to the attacker.
- Data Integrity: This service makes sure that the data received at the receiver end is from an authorized entity.
- Nonrepudiation: This service restricts the sending and receiving entity from denying the transmitted message.
Across the OSI security architecture, the things to concentrate on are security attacks, services and mechanisms, in order to prevent risk to the security of an organization's information.