Security service (telecommunication)
Encyclopedia
Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T
X.800 Recommendation.
X.800 and ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture) are technically aligned. This model is widely recognized
A more general definition is in CNSS Instruction No. 4009 dated 26 April 2010 by Committee on National Security Systems
of United States of America
:
Another authoritative definition is in W3C Web service
Glossary adopted by NIST SP 800-95:
and Computer security
are disciplines that are dealing with the requirements of Confidentiality
, Integrity
, Availability
, the so called CIA Triad, of information assett of an organization(company or agency) or the information managed by computers respectively.
There are threats
that can attack
the resources (information or devices to manage it) exploiting
one or more vulnerabilities
. The resources can be protected by one or more countermeasures
or security controls.
So security services implement part of the countermeasures, trying to achieve the security requirements of an organization.
The ITU-T
organization published a large set of protocols. The general architecture of these protocols is defined in reccomandation X.200.
The different means (air, cables) and ways (protocols and protocol stack
s) to communicate are called a communication network.
Security requirements are applicable at the information sent over the network. The discipline dealing with security over a network is called Network security
X.800 Recommendation:
This Recommendation extends the field of application of Recommendation X.200, to cover secure communication
s between open systems
.
According to X.200 Recommendation, in the so called OSI Reference model
there are 7 layers
, each one is generically called N layer. The N+1 entity ask for transmission services to the N entity.
At each level two entities ((N-entity) interact by means of the (N) protocol by transmitting Protocol Data Units
(PDU).
Service Data Unit
(SDU) is a specific unit of data that has been passed down from an OSI layer, to a lower layer, and has not yet been encapsulated
into a Protocol data Unit (PDU), by the lower layer. It is a set of data that is sent by a user of the services of a given layer, and is transmitted semantically unchanged to a peer service user .
The PDU at any given layer, layer 'n', is the SDU of the layer below, layer 'n-1'. In effect the SDU is the 'payload' of a given PDU. That is, the process of changing a SDU to a PDU, consists of an encapsulation process, performed by the lower layer. All the data contained in the SDU becomes enapsulated within the PDU. The layer n-1 adds headers or footers, or both, to the SDU, transforming it into a PDU of layer n-1. The added headers or footers are part of the process used to make it possible to get data from a source to a destination.
Authentication
Access control
Data confidentiality
Data integrity
Non-repudiation
: :
The table1/X.800 shows the relationships between services and mechanisms
Some of them can be applied to connection oriented protocols, other to connectionless protocols or both.
The table 2/X.800 illustrates the relationship of security services and layers::
(MSS) are network security
services that have been outsourced
to a service provider.
ITU-T
The ITU Telecommunication Standardization Sector is one of the three sectors of the International Telecommunication Union ; it coordinates standards for telecommunications....
X.800 Recommendation.
X.800 and ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture) are technically aligned. This model is widely recognized
A more general definition is in CNSS Instruction No. 4009 dated 26 April 2010 by Committee on National Security Systems
Committee on National Security Systems
The Committee on National Security Systems is a United States intergovernmental organization that sets policy for the security of the US security systems.-Charter, mission, and leadership:...
of United States of America
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
:
- A capability that supports one, or more, of the security requirements (Confidentiality, Integrity, Availability). Examples of security services are key management, access control, and authentication.
Another authoritative definition is in W3C Web service
Web service
A Web service is a method of communication between two electronic devices over the web.The W3C defines a "Web service" as "a software system designed to support interoperable machine-to-machine interaction over a network". It has an interface described in a machine-processable format...
Glossary adopted by NIST SP 800-95:
- A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms.
Basic security terminology
Information securityInformation security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
and Computer security
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
are disciplines that are dealing with the requirements of Confidentiality
Confidentiality
Confidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...
, Integrity
Integrity
Integrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and outcomes. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions...
, Availability
Availability
In telecommunications and reliability theory, the term availability has the following meanings:* The degree to which a system, subsystem, or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time...
, the so called CIA Triad, of information assett of an organization(company or agency) or the information managed by computers respectively.
There are threats
Threat (computer)
In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
that can attack
Attack (computer)
In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
the resources (information or devices to manage it) exploiting
Exploit (computer security)
An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...
one or more vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
. The resources can be protected by one or more countermeasures
Countermeasure (computer)
In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...
or security controls.
So security services implement part of the countermeasures, trying to achieve the security requirements of an organization.
Basic OSI terminology
In order to let different devices (computers, routers, cellular phones) to communicate data in a standardized way, communication protocols had been defined.The ITU-T
ITU-T
The ITU Telecommunication Standardization Sector is one of the three sectors of the International Telecommunication Union ; it coordinates standards for telecommunications....
organization published a large set of protocols. The general architecture of these protocols is defined in reccomandation X.200.
The different means (air, cables) and ways (protocols and protocol stack
Protocol stack
The protocol stack is an implementation of a computer networking protocol suite. The terms are often used interchangeably. Strictly speaking, the suite is the definition of the protocols, and the stack is the software implementation of them....
s) to communicate are called a communication network.
Security requirements are applicable at the information sent over the network. The discipline dealing with security over a network is called Network security
Network security
In the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...
X.800 Recommendation:
- provides a general description of security services and related mechanisms, which may be provided by the Reference ModelOSI modelThe Open Systems Interconnection model is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a prescription of characterizing and standardizing the functions of a communications system in terms of abstraction layers. Similar...
; and - defines the positions within the Reference Model where the services and mechanisms may be provided.
This Recommendation extends the field of application of Recommendation X.200, to cover secure communication
Secure communication
When two entities are communicating and do not want a third party to listen in, they need to communicate in a way not susceptible to eavesdropping or interception. This is known as communicating in a secure manner or secure communication...
s between open systems
Open Systems Interconnection
Open Systems Interconnection is an effort to standardize networking that was started in 1977 by the International Organization for Standardization , along with the ITU-T.-History:...
.
According to X.200 Recommendation, in the so called OSI Reference model
OSI model
The Open Systems Interconnection model is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a prescription of characterizing and standardizing the functions of a communications system in terms of abstraction layers. Similar...
there are 7 layers
Abstraction layer
An abstraction layer is a way of hiding the implementation details of a particular set of functionality...
, each one is generically called N layer. The N+1 entity ask for transmission services to the N entity.
At each level two entities ((N-entity) interact by means of the (N) protocol by transmitting Protocol Data Units
Protocol data unit
In telecommunications, the term protocol data unit has the following meanings:#Information that is delivered as a unit among peer entities of a network and that may contain control information, address information, or data....
(PDU).
Service Data Unit
Service Data Unit
In Open Systems Interconnection terminology, a service data unit is a unit of data that has been passed down from an OSI layer to a lower layer and that has not yet been encapsulated into a protocol data unit by the lower layer...
(SDU) is a specific unit of data that has been passed down from an OSI layer, to a lower layer, and has not yet been encapsulated
Encapsulation (networking)
In computer networking, encapsulation is a method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher level objects....
into a Protocol data Unit (PDU), by the lower layer. It is a set of data that is sent by a user of the services of a given layer, and is transmitted semantically unchanged to a peer service user .
The PDU at any given layer, layer 'n', is the SDU of the layer below, layer 'n-1'. In effect the SDU is the 'payload' of a given PDU. That is, the process of changing a SDU to a PDU, consists of an encapsulation process, performed by the lower layer. All the data contained in the SDU becomes enapsulated within the PDU. The layer n-1 adds headers or footers, or both, to the SDU, transforming it into a PDU of layer n-1. The added headers or footers are part of the process used to make it possible to get data from a source to a destination.
OSI Security Services General description
The following are considered to be the security services which can be provided optionally within the framework of the OSI Reference Model. The authentication services require authentication information comprising locally stored information and data that is transferred (credentials) to facilitate the authentication::Authentication
- These services provide for the authentication of a communicating peer entity and the source of data as described below.
- Peer entity authentication
- This service, when provided by the (N)-layer, provides corroboration to the (N + 1)-entity that the peer entity is the claimed (N + 1)-entity.
- Data origin authentication
- This service, when provided by the (N)-layer, provides corroboration to an (N + 1)-entity that the source of the data is the claimed peer (N + 1)-entity.
Access control
- This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. This protection service may be applied to various types of access to a resource (e.g., the use of a communications resource; the reading, the writing, or the deletion of an information resource; the execution of a processing resource) or to all accesses to a resource.
Data confidentiality
- These services provide for the protection of data from unauthorized disclosure as described below
- Connection confidentiality
- This service provides for the confidentiality of all (N)-user-data on an (N)-connection
- Connectionless confidentiality
- This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU
- Selective field confidentiality
- This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.
- Traffic flow confidentiality
- This service provides for the protection of the information which might be derived from observation of traffic flows.
Data integrity
- These services counter active threatsThreat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
and may take one of the forms described below.- Connection integrity with recovery
- This service provides for the integrity of all (N)-user-data on an (N)-connection and detects any modification, insertion, deletion or replay of any data within an entire SDU sequence (with recovery attempted).
- Connection integrity without recovery
- As for the previous one but with no recovery attempted.
- Selective field connection integrity
- This service provides for the integrity of selected fields within the (N)-user data of an (N)-SDU transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed.
- Connectionless integrity
- This service, when provided by the (N)-layer, provides integrity assurance to the requesting (N + 1)-entity. This service provides for the integrity of a single connectionless SDU and may take the form of determination of whether a received SDU has been modified. Additionally, a limited form of detection of replay may be provided.
- Selective field connectionless integrity
- This service provides for the integrity of selected fields within a single connectionless SDU and takes the form of determination of whether the selected fields have been modified.
Non-repudiation
- This service may take one or both of two forms.
- Non-repudiation with proof of origin
- The recipient of data is provided with proof of the origin of data. This will protect against any attempt by the sender to falsely deny sending the data or its contents.
- Non-repudiation with proof of delivery
- The sender of data is provided with proof of delivery of data. This will protect against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.
Specific security mechanisms
The security services may be provided by means of security mechanismMechanism
Mechanism may refer to:*Mechanism , rigid bodies connected by joints in order to accomplish a desired force and/or motion transmission*Mechanism , explaining how a feature is created...
: :
- Encipherment
- Digital signatureDigital signatureA digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...
- Access controlAccess controlAccess control refers to exerting control over who can interact with a resource. Often but not always, this involves an authority, who does the controlling. The resource can be a given building, group of buildings, or computer-based information system...
- Data integrityData integrityData Integrity in its broadest meaning refers to the trustworthiness of system resources over their entire life cycle. In more analytic terms, it is "the representational faithfulness of information to the true state of the object that the information represents, where representational faithfulness...
- Authentication exchange
- Traffic padding
- Routing control
- Notarization
The table1/X.800 shows the relationships between services and mechanisms
| Service | Mechanism | |||||||
| Encipherment | Digital signature | Access control | Data integrity | Authentication exchange | Traffic padding | Routing control | Notarization | |
| Peer entity authentication | Y | Y | · | · | Y | · | · | · |
| Data origin authentication | Y | Y | · | · | · | · | · | · |
| Access control service | · | · | Y | · | · | · | · | · |
| Connection confidentiality | ||||||||
| Y | . | · | · | · | · | Y | · | |
| Connectionless confidentiality | Y | · | · | · | · | · | Y | · |
| Selective field confidentiality | Y | · | · | · | · | · | · | · |
| Traffic flow confidentiality | Y | · | · | · | · | Y | Y | · |
| Connection Integrity with recovery | Y | · | · | Y | · | · | · | · |
| Connection integritywithout recovery | Y | · | · | Y | · | · | · | · |
| Selective field connection integrity | Y | · | · | Y | · | · | · | · |
| Connectionless integrity | Y | Y | · | Y | · | · | · | · |
| Selective field connectionless integrity | Y | Y | · | Y | · | · | · | · |
| Non-repudiation. Origin | · | Y | · | Y | · | · | · | Y |
| Non-repudiation. Delivery | Y | · | Y | · | · | · | Y | |
Some of them can be applied to connection oriented protocols, other to connectionless protocols or both.
The table 2/X.800 illustrates the relationship of security services and layers::
| Service | Layer | ||||||
| 1 | 2 | 3 | 4 | 5 | 6 | 7* | |
| Peer entity authentication | · | · | Y | Y | · | · | Y |
| Data origen authentication | · | · | Y | Y | · | · | Y |
| Access control service | · | · | Y | Y | · | · | Y |
| Connection confidentiality | Y | Y | Y | Y | · | Y | Y |
| Connectionless confidentiality | · | Y | Y | Y | · | Y | Y |
| Selective field confidentiality | · | · | · | · | · | Y | Y |
| Traffic flow confidentiality | Y | · | Y | · | · | · | Y |
| Connection Integrity with recovery | · | · | · | Y | · | · | Y |
| Connection integrity without recovery | · | · | Y | Y | · | · | Y |
| Selective field connection integrity | · | · | · | · | · | · | Y |
| Connectionless integrity | · | · | Y | Y | · | · | Y |
| Selective field connectionless integrity | · | · | · | · | · | · | Y |
| Non-repudiation Origin | · | · | · | · | · | · | Y |
| Non-repudiation. Delivery | · | · | · | · | · | · | Y |
Managed Security Service
Managed Security ServiceManaged Security Service
In computing, managed security services are network security services that have been outsourced to a service provider. A company providing such a service is a managed security service provider Also Managed security services is a systematic approach to managing an organization's security needs...
(MSS) are network security
Network security
In the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...
services that have been outsourced
Outsourcing
Outsourcing is the process of contracting a business function to someone else.-Overview:The term outsourcing is used inconsistently but usually involves the contracting out of a business function - commonly one previously performed in-house - to an external provider...
to a service provider.
See also
- Access controlAccess controlAccess control refers to exerting control over who can interact with a resource. Often but not always, this involves an authority, who does the controlling. The resource can be a given building, group of buildings, or computer-based information system...
- Attack (computer)Attack (computer)In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
- AvailabilityAvailabilityIn telecommunications and reliability theory, the term availability has the following meanings:* The degree to which a system, subsystem, or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time...
- Communication network
- Communication protocol
- ConfidentialityConfidentialityConfidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...
- countermeasureCountermeasure (computer)In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...
- Data integrityData integrityData Integrity in its broadest meaning refers to the trustworthiness of system resources over their entire life cycle. In more analytic terms, it is "the representational faithfulness of information to the true state of the object that the information represents, where representational faithfulness...
- Digital signatureDigital signatureA digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...
- Exploit (computer security)Exploit (computer security)An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...
- Information SecurityInformation securityInformation security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
- IntegrityIntegrityIntegrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and outcomes. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions...
- ITU-TITU-TThe ITU Telecommunication Standardization Sector is one of the three sectors of the International Telecommunication Union ; it coordinates standards for telecommunications....
- Managed Security ServiceManaged Security ServiceIn computing, managed security services are network security services that have been outsourced to a service provider. A company providing such a service is a managed security service provider Also Managed security services is a systematic approach to managing an organization's security needs...
- Network securityNetwork securityIn the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...
- OSI modelOSI modelThe Open Systems Interconnection model is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a prescription of characterizing and standardizing the functions of a communications system in terms of abstraction layers. Similar...
- Protocol (computing)
- Protocol data unitProtocol data unitIn telecommunications, the term protocol data unit has the following meanings:#Information that is delivered as a unit among peer entities of a network and that may contain control information, address information, or data....
- Protocol stackProtocol stackThe protocol stack is an implementation of a computer networking protocol suite. The terms are often used interchangeably. Strictly speaking, the suite is the definition of the protocols, and the stack is the software implementation of them....
- Security architectureSecurity ArchitectureSecurity provided by IT Systems can be defined as the IT system’s ability to be able to protect confidentiality and integrity of processed data, as well as to be able to provide availability of the system and data....
- security control
- Security Requirements Analysis
- Service Data UnitService Data UnitIn Open Systems Interconnection terminology, a service data unit is a unit of data that has been passed down from an OSI layer to a lower layer and that has not yet been encapsulated into a protocol data unit by the lower layer...
- Threat (computer)Threat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
- Vulnerability (computing)Vulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...