The following are the security services that can optionally be provided within the framework of the OSI Reference Model, as defined in the OSI Security Architecture (ISO 7498-2, also published as ITU-T Recommendation X.800). The authentication services require authentication information: information stored locally at the verifying entity, together with data transferred during the exchange (credentials).

Authentication

These services provide for the authentication of a communicating peer entity and of the source of data, as described below.

Peer entity authentication

This service, when provided by the (N)-layer, provides corroboration to the (N+1)-entity that the peer entity is the claimed (N+1)-entity. It is used at connection establishment, or at times during the data transfer phase, and gives confidence at the time of use only: it does not by itself vouch for data exchanged afterwards.

Data origin authentication

This service, when provided by the (N)-layer, provides corroboration to an (N+1)-entity that the source of the data is the claimed peer (N+1)-entity. It corroborates the source of a data unit; on its own it does not protect against duplication (replay) or modification of data units, which is the job of the integrity services.
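Peer entity authentication as a challenge-response exchange, added here as an illustration; this is not code from X.800 or from this post. The standard defines the service, not a mechanism, so the example assumes one: a shared HMAC-SHA256 key per peer held by the verifier (the locally stored authentication information), a random nonce as the challenge, and an HMAC over both identities and the nonce as the transferred credential. The names alice, bob and carol and the key are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verifier holds the locally stored authentication information: one shared
// key per peer it is prepared to authenticate, plus the challenge currently
// outstanding for each claimed identity.
type Verifier struct {
	name    string
	keys    map[string][]byte
	pending map[string][]byte
}

func NewVerifier(name string, keys map[string][]byte) *Verifier {
	return &Verifier{name: name, keys: keys, pending: map[string][]byte{}}
}

// Challenge issues a fresh 128-bit nonce to a peer claiming to be `claimant`.
// A fresh nonce per run is what makes a captured response worthless later.
func (v *Verifier) Challenge(claimant string) ([]byte, error) {
	if _, ok := v.keys[claimant]; !ok {
		return nil, fmt.Errorf("unknown peer %q", claimant)
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[claimant] = nonce
	return nonce, nil
}

// Respond is the credential the claimant transfers. Both identities are
// bound into the MAC with separators, so a response computed for one
// verifier is not accepted by another verifier that shares the same key.
func Respond(key []byte, claimant, verifier string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(claimant))
	mac.Write([]byte{0})
	mac.Write([]byte(verifier))
	mac.Write([]byte{0})
	mac.Write(nonce)
	return mac.Sum(nil)
}

// Verify checks the response against the outstanding challenge and consumes
// the challenge, so the same response cannot be presented twice. The result
// is corroboration at the time of the exchange only; it says nothing about
// data sent afterwards.
func (v *Verifier) Verify(claimant string, resp []byte) bool {
	nonce, ok := v.pending[claimant]
	if !ok {
		return false
	}
	delete(v.pending, claimant)
	return hmac.Equal(resp, Respond(v.keys[claimant], claimant, v.name, nonce))
}

func main() {
	// Constructed demo key; real keys come from provisioning, not source code.
	aliceKey := []byte("alice<->bob shared key (constructed demo)")
	bob := NewVerifier("bob", map[string][]byte{"alice": aliceKey})

	nonce, _ := bob.Challenge("alice")
	resp := Respond(aliceKey, "alice", "bob", nonce)
	fmt.Println("genuine response accepted:", bob.Verify("alice", resp))
	fmt.Println("same response replayed:   ", bob.Verify("alice", resp))

	_, _ = bob.Challenge("alice")
	fmt.Println("old response, new nonce:  ", bob.Verify("alice", resp))

	nonce, _ = bob.Challenge("alice")
	forCarol := Respond(aliceKey, "alice", "carol", nonce)
	fmt.Println("response meant for carol: ", bob.Verify("alice", forCarol))
}
```

The verifier checks the MAC before touching any state and deletes the pending challenge on the first attempt, whether it succeeds or not; an attacker who captured a valid response therefore gets one useless try, and a response produced for another verifier fails because that verifier's name is inside the MAC.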
Access control

This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. The protection may be applied to various types of access to a resource (e.g., the use of a communications resource; the reading, writing or deletion of an information resource; the execution of a processing resource) or to all accesses to a resource.
Data confidentiality

These services provide for the protection of data from unauthorized disclosure, as described below.

Connection confidentiality

This service provides for the confidentiality of all (N)-user-data on an (N)-connection.

Connectionless confidentiality

This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU.

Selective field confidentiality

This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.

Traffic flow confidentiality

This service provides for the protection of the information that might be derived from observation of traffic flows, such as which entities communicate, how often, and how much data they exchange, even when the data itself is encrypted.
Data integrity

These services counter active threats (modification, insertion, deletion and replay of data) and may take one of the forms described below.

Connection integrity with recovery

This service provides for the integrity of all (N)-user-data on an (N)-connection and detects any modification, insertion, deletion or replay of any data within an entire SDU sequence, with recovery attempted.

Connection integrity without recovery

As the previous service, but with no recovery attempted: the violation is detected and reported to the (N+1)-entity, not repaired.

Selective field connection integrity

This service provides for the integrity of selected fields within the (N)-user-data of an (N)-SDU transferred over a connection and takes the form of a determination of whether the selected fields have been modified, inserted, deleted or replayed.

Connectionless integrity

This service, when provided by the (N)-layer, provides integrity assurance to the requesting (N+1)-entity. It provides for the integrity of a single connectionless SDU and may take the form of a determination of whether a received SDU has been modified. Additionally, a limited form of detection of replay may be provided; without a connection there is no sequence of SDUs to check against, so a replayed but otherwise intact SDU cannot be recognised by the integrity check alone.

Selective field connectionless integrity

This service provides for the integrity of selected fields within a single connectionless SDU and takes the form of a determination of whether the selected fields have been modified.
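Connection integrity without recovery, and the connectionless variant beside it, as an added example; this code is not from X.800 or from this post. The standard does not fix a mechanism, so the example assumes one: HMAC-SHA256 over a per-connection sequence number and the SDU. A tag failure covers modification and insertion (an inserted PDU cannot carry a valid tag), a skipped sequence number signals deletion, and a repeated one signals replay. The connectionless tag covers the SDU alone, which is why it detects modification but not replay. The key and the SDUs are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Verdict is what the receiving (N)-entity reports to the (N+1)-entity.
type Verdict string

const (
	Accepted Verdict = "accepted"
	Tampered Verdict = "modified or inserted (MAC check failed)"
	Replayed Verdict = "replayed (sequence number already consumed)"
	Gap      Verdict = "deletion detected (sequence number skipped)"
)

// PDU carries one SDU with its per-connection sequence number and tag.
type PDU struct {
	Seq  uint64
	Data []byte
	Tag  []byte
}

// tag is HMAC-SHA256 over sequence number and data, so a tag cannot be
// moved onto other data or onto another position in the stream.
func tag(key []byte, seq uint64, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	mac.Write(seqBytes[:])
	mac.Write(data)
	return mac.Sum(nil)
}

type Sender struct {
	key []byte
	seq uint64
}

func NewSender(key []byte) *Sender { return &Sender{key: key} }

// Send protects one SDU; the sequence number advances by one per SDU.
func (s *Sender) Send(data []byte) PDU {
	p := PDU{Seq: s.seq, Data: append([]byte(nil), data...)}
	p.Tag = tag(s.key, p.Seq, p.Data)
	s.seq++
	return p
}

type Receiver struct {
	key  []byte
	next uint64 // sequence number expected next
}

func NewReceiver(key []byte) *Receiver { return &Receiver{key: key} }

// Receive checks the tag before looking at the sequence number, so an
// attacker without the key cannot steer the receiver's state. It reports
// and resynchronises but does not repair: integrity without recovery.
func (r *Receiver) Receive(p PDU) Verdict {
	if !hmac.Equal(p.Tag, tag(r.key, p.Seq, p.Data)) {
		return Tampered
	}
	switch {
	case p.Seq < r.next:
		return Replayed
	case p.Seq > r.next:
		r.next = p.Seq + 1
		return Gap
	}
	r.next = p.Seq + 1
	return Accepted
}

// Connectionless integrity: the tag covers a single SDU and nothing else,
// so modification is detected but an intact SDU replayed later still passes.
func TagConnectionless(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

func VerifyConnectionless(key, data, t []byte) bool {
	return hmac.Equal(t, TagConnectionless(key, data))
}

func main() {
	key := []byte("constructed demo key") // constructed; not a real secret
	s, r := NewSender(key), NewReceiver(key)
	p0, p1, p2, p3 := s.Send([]byte("a")), s.Send([]byte("b")), s.Send([]byte("c")), s.Send([]byte("d"))
	_ = p2 // lost in transit
	bad := p1
	bad.Data = []byte("B") // modified in transit, tag no longer matches
	forged := PDU{Seq: 4, Data: []byte("e"), Tag: tag([]byte("guess"), 4, []byte("e"))}
	for _, p := range []PDU{p0, bad, p1, p0, p3, forged} {
		fmt.Printf("seq %d: %s\n", p.Seq, r.Receive(p))
	}
}
```

The receiver consults the MAC first and only then the sequence number: if the order were reversed, an attacker could send unauthenticated PDUs with large sequence numbers and make the receiver discard the genuine ones that follow as replays.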
Non-repudiation

This service may take one or both of two forms. Unlike the authentication and integrity services, it must produce evidence that can convince a third party, so it cannot rest on a key shared between sender and recipient: either holder of such a key could have produced the evidence. It relies on mechanisms such as digital signatures, optionally combined with notarization by a trusted third party.

Non-repudiation with proof of origin

The recipient of data is provided with proof of the origin of the data. This protects against any attempt by the sender to falsely deny sending the data or its contents.

Non-repudiation with proof of delivery

The sender of data is provided with proof of delivery of the data. This protects against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.
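Both forms of non-repudiation in one exchange, added as an example; this is not code from X.800 or from this post. The standard names the service and leaves the mechanism open; this example assumes Ed25519 digital signatures from Go's standard library, with each party holding its own private key and publishing the public half. Proof of origin is the sender's signature over the message; proof of delivery is the recipient's signature over a receipt bound to that message and that origin signature. The party names and the message are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Party is one principal. The private key never leaves it; the public key
// is what the peer and any later adjudicator use to check the evidence.
type Party struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // constructed demo; production code returns the error
	}
	return &Party{Name: name, pub: pub, priv: priv}
}

func (p *Party) Public() ed25519.PublicKey { return p.pub }

// digest hashes a labelled, length-prefixed tuple, so an origin signature
// can never be passed off as a receipt and fields cannot shift into each other.
func digest(label string, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	for _, part := range parts {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

// SignOrigin produces proof of origin. Only the holder of the sender's private
// key can make it, and in particular the recipient cannot, which is exactly
// what a shared-key MAC fails to give.
func (p *Party) SignOrigin(msg []byte) []byte {
	return ed25519.Sign(p.priv, digest("origin", []byte(p.Name), msg))
}

func VerifyOrigin(senderPub ed25519.PublicKey, senderName string, msg, sig []byte) bool {
	return ed25519.Verify(senderPub, digest("origin", []byte(senderName), msg), sig)
}

// SignReceipt produces proof of delivery: the recipient signs a receipt bound
// to the exact message and origin signature it received and returns it.
func (p *Party) SignReceipt(msg, originSig []byte) []byte {
	return ed25519.Sign(p.priv, digest("receipt", []byte(p.Name), msg, originSig))
}

func VerifyReceipt(recipientPub ed25519.PublicKey, recipientName string, msg, originSig, receipt []byte) bool {
	return ed25519.Verify(recipientPub, digest("receipt", []byte(recipientName), msg, originSig), receipt)
}

func main() {
	alice, bob := NewParty("alice"), NewParty("bob")
	msg := []byte("pay 100 to bob") // constructed sample message

	sig := alice.SignOrigin(msg) // alice -> bob: data plus proof of origin
	fmt.Println("bob checks origin:    ", VerifyOrigin(alice.Public(), "alice", msg, sig))
	rcpt := bob.SignReceipt(msg, sig) // bob -> alice: proof of delivery
	fmt.Println("alice checks delivery:", VerifyReceipt(bob.Public(), "bob", msg, sig, rcpt))

	// An adjudicator holding only the public keys reaches the same conclusions,
	// and neither party can later disown its own signed statement.
	altered := []byte("pay 1000 to bob")
	fmt.Println("altered message attributed to alice:", VerifyOrigin(alice.Public(), "alice", altered, sig))
	fmt.Println("receipt reused for another message: ", VerifyReceipt(bob.Public(), "bob", altered, sig, rcpt))
}
```

The receipt includes the origin signature, not just the message, so a recipient cannot later claim to have received a different copy of the same text, and the domain labels stop a receipt from being presented as an origin signature or vice versa.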