What Is The OSI Security Architecture?

The document discusses the OSI security architecture, which was designated by the ITU-T as the standard X.800. The OSI architecture focuses on security attacks, security services, and security mechanisms. Security attacks can be active or passive. Security services like confidentiality, integrity, authentication, and availability make use of security mechanisms like encipherment, digital signatures, and access control to provide security.

Uploaded by

Elanor El

What is the OSI security Architecture?

The Open System Interconnect (OSI) security architecture was designated by the ITU-T (International Telecommunication Union - Telecommunication). The ITU-T decided that their standard "X.800" would be the OSI security architecture.

The OSI architecture focuses on:

• Security attacks
• Security services
• Security mechanisms

Security attack

An attack is when the security of a system is compromised by some action of a perpetrator. Attacks could either be active attacks or passive attacks.

Security mechanism

A mechanism that is designed to detect, prevent, or recover from a security attack.

Security service

A service that enhances the security of the data processing systems and the information
transfers of an organization. The services make use of one or more security mechanisms to
provide the service.

What is the difference between passive and active security threats?

Many types of threats, attacks and vulnerabilities can corrupt or breach system security. Security attacks are computer attacks that compromise the security of the system. Conceptually, security attacks fall into two types, active and passive, in which the attacker gains illegal access to the system's resources.

| Basis for comparison | Active attack | Passive attack |
|---|---|---|
| Basic | An active attack is a network exploit in which a hacker attempts to make changes to data on the target or data en route to the target. | A passive attack is a network attack in which a system is monitored and sometimes scanned for open ports and vulnerabilities. |
| Modification in the information | The active threat includes modification of the message. | The passive threat aims to obtain data or to scan open ports and vulnerabilities of the network. |
| Harm to the system | Occurs | Does not take place |
| Threat to | Integrity and availability | Confidentiality |
| Attack awareness | The entity (victim) gets informed about the attack. | The entity is unaware of the attack. |
| Emphasis is on | Detection | Prevention |

List and briefly define categories of passive and active threats (attacks).

Active attacks

An active attack attempts to alter system resources or affect their operation. Active attacks involve some modification of the data stream or the creation of a false statement. Active attacks can be classified into four categories:

1. Masquerade: A masquerade attack takes place when one entity pretends to be a different entity. A masquerade attack involves one of the other forms of active attack.

2. Modification of messages: Some portion of a message is altered, or the message is delayed or reordered, to produce an unauthorized effect.

3. Replay: It involves the passive capture of a message and its subsequent retransmission to produce an unauthorized effect.

4. Denial of Service: It prevents normal use of communication facilities. This attack may have a specific target. For example, an entity may suppress all messages directed to a particular destination. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

It is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communication facilities and paths at all times. Instead, the goal is to detect them and to recover from any disruption or delays caused by them.

Passive attacks

A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on or monitoring of transmissions. The goal of the opponent is to obtain information that is being transmitted. The types of passive attack are as follows:

1. Release of message contents: The release of message contents can be illustrated with an example in which the sender wants to send a confidential message or email to the receiver. The sender doesn't want the contents of that message to be read by some interceptor.

2. Traffic analysis: By using encryption, a message can be masked in order to prevent the extraction of information from the message, even if the message is captured. The attacker can still analyse the traffic and observe its pattern to retrieve information. This type of passive attack is referred to as traffic analysis.

Passive attacks are very difficult to detect because they do not involve any alteration of data. However, it is feasible to prevent the success of these attacks.

List and briefly define categories of security services.

A security service is a service that enhances the security of data processing systems and information transfers. The primary objective of using cryptography is to provide the following fundamental information security services.

• Confidentiality
Confidentiality is the fundamental security service provided by cryptography. It is a security service that keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy. Confidentiality can be achieved through numerous means, from physical securing to the use of mathematical algorithms for data encryption.

• Data integrity
It is a security service that deals with identifying any alteration to the data. The data may get modified by an unauthorized entity intentionally or accidentally. The integrity service confirms whether or not data is intact since it was last created, transmitted, or stored by an authorized user. Data integrity cannot prevent the alteration of data, but provides a means for detecting whether data has been manipulated in an unauthorized manner.

• Authentication
It is concerned with assuring that a communication is authentic. Authentication provides the identification of the originator. It confirms to the receiver that the data received has been sent only by an identified and verified sender.

The authentication service has two variants:

  • Peer entity authentication: provides corroboration of the identity of a peer entity in an association;
  • Data origin authentication: provides corroboration of the source of a data unit.

Apart from the originator, authentication may also provide assurance about other parameters related to data, such as the date and time of creation/transmission.

• Non-repudiation
It prevents either sender or receiver from denying a transmitted message. It is a security service that ensures that an entity cannot refuse the ownership of a previous commitment or an action. It is an assurance that the original creator of the data cannot deny the creation or transmission of the said data to a recipient or third party. Non-repudiation is a property that is most desirable in situations where there are chances of a dispute over the exchange of data. For example, once an order is placed electronically, a purchaser cannot deny the purchase order, if the non-repudiation service was enabled in this transaction.

• Availability
It means that a resource is accessible and usable: the property of a system or resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system.

• Access control
The ability to limit and control the access to host systems and applications via communications links, or the prevention of the unauthorized use of a resource.

List and briefly define eight security mechanisms.

Security mechanisms are technical tools and techniques that are used to implement security services. The various security mechanisms to provide security are as follows:

1. Encipherment:
This is the hiding or covering of data, which provides confidentiality. It is also used to complement other mechanisms to provide other services. Cryptography and steganography are used for enciphering.
2. Data Integrity:
The data integrity mechanism appends to the data a short check value that has been created by a specific process from the data itself. Data integrity is preserved by comparing the check value received to the check value generated.
3. Digital Signature:
A digital signature is a means by which the sender can electronically sign the data and the receiver can electronically verify the signature. Public and private keys can be used.
4. Authentication Exchange:
In this mechanism, two entities exchange some messages to prove their identity to each other.
5. Traffic Padding:
Traffic padding means inserting some bogus data into the data traffic to thwart the adversary's attempt to use traffic analysis.
6. Routing Control:
Routing control means selecting and continuously changing different available routes between sender and receiver to prevent the opponent from eavesdropping on a particular route.
7. Notarization:
Notarization means selecting a trusted third party to control the communication between two entities. The receiver can involve a trusted third party to store the sender's request in order to prevent the sender from later denying that she has made a request.
8. Access Control:
Access control uses methods to prove that a user has access rights to the data or resources owned by a system. Examples of proofs are passwords and PINs.
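
The data integrity mechanism above, applied to two of the active attacks from the earlier list (modification of messages and replay), as an added example that is not part of the original document. It assumes a keyed check value (HMAC-SHA-256) and an 8-byte sequence number for replay detection; the page names neither, and the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # length of an HMAC-SHA-256 check value in bytes

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: prefix a sequence number, then append the check value."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (verdict, payload); payload is None unless verdict is 'ok'."""
        if len(frame) < 8 + TAG_LEN:
            return "malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Recompute the check value and compare it in constant time.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "modified", None
        # The check value is valid; an old or out-of-order sequence number
        # means the frame was captured and retransmitted, or reordered.
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return "replayed-or-reordered", None
        self.last_seq = seq
        return "ok", body[8:]

def demo():
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    rx = Receiver(key)
    f1 = protect(key, 1, b"transfer 100 to account A")  # constructed messages
    f2 = protect(key, 2, b"transfer 250 to account B")
    tampered = bytearray(f2)
    tampered[20] ^= 0x01  # flip one payload bit in transit
    return [
        rx.accept(f1)[0],               # genuine frame
        rx.accept(bytes(tampered))[0],  # modification of messages
        rx.accept(f2)[0],               # genuine frame
        rx.accept(f1)[0],               # replay of a captured frame
        rx.accept(f1[:10])[0],          # truncated frame
    ]

if __name__ == "__main__":
    print(demo())
```

As the data integrity service description says, the check value does not prevent alteration; it lets the receiver detect and discard the altered or replayed frame.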
