
Lecture 2 of Information Security for Diploma 2018-2019

College: College of Science for Women     Department: Department of Computer Science     Stage: 7
Course instructor: Mohammed Abdullah Nasser Al-Zubaidi       08/10/2018 20:55:05
Lecture 2 Title : Security Services, Mechanisms and Techniques.

Lecture Outlines:
2.1 Security Services.
2.2 Security Mechanism
2.3 Security Techniques

Objectives:
After studying this lecture, you will be able to discuss:
1. The essential security services to be provided by a communication system.
2. The methods/mechanisms that can ensure the various services.
3. The techniques used to realize security goals.
2.1 Security Services.
A security service is a processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
X.800 (Security Architecture for OSI)* divides these services into categories and, within each category, into specific services (see Table 2.1). Figure 6 below shows all specific services and the category each belongs to.

Figure 6: All specific services and the category they belong to
* X.800 is used as a reference to systematically evaluate and define security requirements.

Table 2.1: Category of services and specific tasks

Service and definition, followed by its specific tasks:

Data Confidentiality: protection of data from unauthorized disclosure (counters passive attacks).
1. Connection confidentiality (protects all user data transmitted over a connection, e.g. a TCP connection).
2. Connectionless confidentiality (protects all user data in a single data block).
3. Selective field confidentiality (protects selected fields within a message).
4. Traffic flow confidentiality (protects the information that could be derived from observing traffic flows, i.e. against traffic analysis).

Data Integrity: assurance that data is received exactly as sent by an authorized entity (it contains no modification, insertion, deletion, or replay). As with confidentiality, integrity can apply to a stream of messages, a single message, or selected fields within a message.
1. Connection integrity with recovery.
2. Connection integrity without recovery.
3. Selective field connection integrity.
4. Connectionless integrity.
5. Selective field connectionless integrity.

Authentication: assurance that the communicating entity is the one it claims to be.
1. Peer entity authentication (corroborates the identities of the entities participating in a connection).
2. Data origin authentication (corroborates the source of a message, i.e. the sender).

Non-repudiation: protection against either of the entities denying all or part of the communication (it prevents the sender from denying transmission of a message and the receiver from denying its receipt).
1. Non-repudiation of origin (proof that the message was sent by the specified party).
2. Non-repudiation of destination (proof that the message was received by the specified party).

Access Control: prevention of unauthorized use of a resource (each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual). No specific sub-services are listed.

Availability of Service: a system is available if it provides services according to the system design whenever users request them.
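The difference between the integrity services in Table 2.1 is easiest to see in code. The following is an added example written for this page, not code from the lecture or from X.800: it builds connectionless integrity (a MAC over one message) and connection integrity (a MAC that also binds a per-message sequence number) from the Python standard library, then shows which attacks each one detects. The pre-shared key, the message contents and the frame layout are constructed sample data.

```python
"""Added example (not part of the lecture): the X.800 integrity services.

Connectionless integrity answers one question about one message: was it
modified? Connection integrity covers a whole data sequence and must also
detect insertion, deletion, reordering and replay, which is why the tag has
to bind a per-message sequence number. Stdlib only; the key and messages are
constructed sample data, not taken from any real protocol.
"""
import hashlib
import hmac
import struct

KEY = b"pre-shared-key-for-the-example"  # assumed pre-shared secret (constructed)


def tag_message(key: bytes, payload: bytes) -> bytes:
    """Connectionless integrity: MAC over the payload alone."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_message(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_message(key, payload), tag)


def tag_in_stream(key: bytes, seq: int, payload: bytes) -> bytes:
    """Connection integrity: MAC over (sequence number || payload)."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


class StreamReceiver:
    """Receiver side of connection integrity: verifies the tag, then checks
    that the sequence number is exactly the one expected next."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0

    def receive(self, seq: int, payload: bytes, tag: bytes) -> str:
        if not hmac.compare_digest(tag_in_stream(self.key, seq, payload), tag):
            return "modified"        # payload or seq altered, or tag forged
        if seq < self.expected:
            return "replayed"        # a genuine old message presented again
        if seq > self.expected:
            return "gap"             # something before it was deleted or reordered
        self.expected += 1
        return "ok"


def connectionless_demo() -> tuple:
    """Shows what connectionless integrity does and does not catch."""
    payload = b"transfer 10"
    tag = tag_message(KEY, payload)
    return (
        verify_message(KEY, payload, tag),         # genuine message: True
        verify_message(KEY, b"transfer 99", tag),  # modified payload: False
        verify_message(KEY, payload, tag),         # replay of a genuine message: True (undetected)
    )


def connection_demo() -> list:
    """Sends three messages, then simulates replay, modification and deletion."""
    stream = []
    for seq, payload in enumerate([b"transfer 10", b"transfer 20", b"transfer 30"]):
        stream.append((seq, payload, tag_in_stream(KEY, seq, payload)))

    rx = StreamReceiver(KEY)
    verdicts = [rx.receive(*m) for m in stream]            # ok, ok, ok
    verdicts.append(rx.receive(*stream[1]))                # attacker replays seq 1 -> replayed
    seq, _, tag = stream[2]
    verdicts.append(rx.receive(seq, b"transfer 99", tag))  # edited payload -> modified
    verdicts.append(rx.receive(4, b"transfer 40",          # seq 3 never arrives -> gap
                               tag_in_stream(KEY, 4, b"transfer 40")))
    return verdicts


if __name__ == "__main__":
    print("connectionless:", connectionless_demo())
    print("connection:    ", connection_demo())
```

The connectionless check accepts the replayed message because nothing in the tag ties it to a position in a sequence; the stream receiver rejects it, and it also notices the missing message 3 when message 4 arrives. Whether the receiver then asks for retransmission (integrity with recovery) or only reports the error (without recovery) is a protocol policy layered on top of this detection step.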


2.2 Security Mechanisms
A security mechanism is a process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
The mechanisms are divided into those that are implemented in a specific protocol layer, such as TCP or an application-layer protocol, and those that are not specific to any particular protocol layer or security service. X.800 calls these "specific security mechanisms" and "pervasive security mechanisms" respectively.

2.2.1 Specific Security Mechanisms
The specific mechanisms listed in X.800 are the following.
1. Encipherment: the use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.
2. Digital Signature: data, or a cryptographic transformation of a data unit, appended to the data unit so that the recipient can prove the source and integrity of the data unit; this also protects the data against forgery (e.g., by the recipient).
3. Access Control: a variety of mechanisms that enforce access rights to resources.
4. Data Integrity: a variety of mechanisms used to assure the integrity of a data unit or of a stream of data units.
5. Authentication Exchange: a mechanism intended to ensure the identity of an entity by means of an information exchange.
6. Traffic Padding: the insertion of bits into gaps in a data stream, which helps to thwart traffic analysis attempts.
7. Routing Control: enables the selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
8. Notarization: the use of a trusted third party to assure certain properties of a data exchange.
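Traffic padding (item 6) is the one mechanism on this list that is rarely illustrated, so the following is an added example written for this page, not code from the lecture or from X.800. It pads every frame up to a fixed bucket size and sends dummy frames when there is nothing to say, so a passive observer sees only a stream of equal-sized frames. The frame layout, the 64-byte bucket and the sample messages are assumptions made for the example.

```python
"""Added example (not part of the lecture): traffic padding against traffic
analysis. Every frame on the wire has the same length whether it carries a
short message, a long one, or nothing at all (cover traffic), so an observer
cannot tell the cases apart by size. Frame layout and bucket size are
assumptions for this example. In a real protocol the padded frame must be
enciphered as a whole, otherwise the length field and the dummy marker are
visible to the observer and the padding achieves nothing.
"""
import os
import struct

BUCKET = 64                     # frames are padded up to a multiple of this size
REAL, DUMMY = 0x01, 0x00        # frame type marker (assumed layout)
HEADER = struct.Struct(">BH")   # type (1 byte) || payload length (2 bytes)


def frame(payload: bytes, kind: int = REAL) -> bytes:
    """Build a frame: header || payload || random filler up to the bucket boundary."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length field")
    body = HEADER.pack(kind, len(payload)) + payload
    total = -(-len(body) // BUCKET) * BUCKET      # round up to a bucket multiple
    return body + os.urandom(total - len(body))   # filler is random, not zeros


def cover_frame() -> bytes:
    """A dummy frame sent when there is nothing to say, so the link stays busy."""
    return frame(b"", DUMMY)


def unframe(blob: bytes):
    """Return (is_real, payload). Dummy frames yield (False, b'') and are discarded."""
    kind, length = HEADER.unpack_from(blob)
    if kind == DUMMY:
        return False, b""
    return True, blob[HEADER.size:HEADER.size + length]


def observed_sizes(frames) -> set:
    """What a passive observer learns from frame lengths alone."""
    return {len(f) for f in frames}


def demo():
    # Constructed sample traffic: two short answers, one long order, two idle periods.
    msgs = [b"yes", b"no", b"approve wire transfer of 1,000,000 to account 4471"]
    frames = [frame(m) for m in msgs] + [cover_frame(), cover_frame()]
    recovered = [unframe(f) for f in frames]
    return observed_sizes(frames), [p for real, p in recovered if real]


if __name__ == "__main__":
    sizes, payloads = demo()
    print("sizes seen on the wire:", sizes)      # a single value
    print("payloads recovered:    ", payloads)   # dummies dropped
```

All five frames are 64 bytes, so neither the yes/no answers nor the idle gaps between them are distinguishable from the long order. A payload longer than the bucket is still padded to the next multiple of 64, which leaks a coarse size class; choosing the bucket is therefore a trade-off between bandwidth and how much the observer may learn.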

2.2.2 Pervasive Security Mechanisms
These are the mechanisms that are not specific to any particular OSI security service or protocol layer.
1. Trusted Functionality: that which is perceived to be correct with respect to some criteria (e.g., as established by a security policy).
2. Security Label: This is the

The material shown above is an introduction to the lecture uploaded by the course instructor, and it may appear incomplete: the instructor sometimes posts only the first part of the lecture as a preview of what you will download later. The e-learning system provides this service to keep you informed about the content of the file you are about to download.