Transcription of the presentation:

1 Introduction. ISO 7498-2: definition of security terminology; description of security services and mechanisms; definition of the points in the OSI model at which security services are applied; definition of security management concepts. ISO 7498-2 is intended to serve as a security-specific addition to ISO 7498, the OSI reference model. In doing so it defines many security-related terms and ideas which are of importance to a variety of application areas, including many not covered by the OSI model. Of particular importance is the terminology it introduces for the description of security services and mechanisms.

The security life-cycle. Definition of the security policy; analysis of the threats (in the light of the policy); definition of the security services that protect against those threats; definition of the mechanisms that provide the services; day-to-day security management. The underlying model, implicit in the discussion in ISO 7498-2, is that there is a generic security life-cycle containing the following steps: definition of a security policy, containing a rather abstract series of security requirements for the system; a security requirements analysis, including a risk analysis (possibly using a tool such as CRAMM) and an analysis of governmental, legal and standards requirements; definition of the security services necessary to meet the identified security requirements; system design and implementation, including selection of the security mechanisms that provide the chosen security services; and continuing security management.

Threats, services and mechanisms. A threat is a possible action that violates the security policy (for example loss of integrity or of confidentiality). A service is a measure that can be taken to counter a threat (for example a confidentiality service). A mechanism is a means of providing a service (for example encipherment, digital signature). In the context of this model, a security threat is something that poses a danger to a system's security. A security service is selected to meet an identified threat, and a security mechanism is the means by which a service is provided. It is important to note the distinction between a security service, i.e. what is provided for a system, and a security mechanism, i.e. the means by which a service is provided. Hence confidentiality is a service, whereas encryption is a mechanism which can be used to provide confidentiality. In fact encryption can be used to provide other services, and data confidentiality can also be provided by means other than encryption (e.g. by physical protection of data).

2 Domains and policies. In a secure system, the rules governing security must be made explicit in the form of a security policy. Security policy: the set of criteria for the provision of security services. Security domain: the domain to which a security policy applies. When designing a secure system, the scope of the system and the set of rules governing the security behaviour of the system are of fundamental importance; these are the security domain and the security policy respectively. A security policy is defined in ISO 7498-2 as 'the set of criteria for the provision of security services'. A security domain can be regarded as the scope of a single security policy. It is possible to have nested or overlapping security domains, and thus nested or overlapping scopes for security policies.

Types of policy. ISO 7498-2 distinguishes two types: identity-based, where access and usage are determined on the basis of the identities of the users and of the resources; rule-based, where access and usage are controlled by global rules imposed on all users, for example security labelling. ISO 7498-2 distinguishes between two types of security policy, identity-based and rule-based, depending on how authorisation is granted. Identity-based policies authorise system access on the basis of the identity of the client and the identity of the resource which the client wishes to make use of. Rule-based policies rely on global rules imposed on all users, with access decisions typically made by comparing the sensitivity of the resource with attributes of the user (e.g. the user's 'clearance').
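The two policy types side by side, as an added example written for this transcript (not code from the slides or from ISO 7498-2). The ACL shape, the principal and resource names and the three-level label set are assumptions for the illustration. The identity-based decision depends on who is named in a list; the rule-based decision depends only on how two labels compare, so no administrator can grant an exception to one user. The write rule goes one step beyond the slide by adding the Bell-LaPadula style "no write down" companion to "no read up".

```go
package main

import "fmt"

// Identity-based policy: an access control list names, per resource, which
// principals may use it. Granting access means adding a name to the list.
// (Constructed data shape for the example; not taken from ISO 7498-2.)
type acl map[string]map[string]bool // resource -> principal -> allowed

func identityBased(a acl, principal, resource string) bool {
	return a[resource][principal] // a missing resource or principal reads as false
}

// Rule-based policy: every subject and every object carries a sensitivity
// label, and one global rule is applied to all users regardless of identity.
type level int

const (
	unclassified level = iota
	confidential
	secret
)

// ruleBasedRead implements "no read up": a subject may read an object only
// if its clearance dominates the object's classification.
func ruleBasedRead(clearance, classification level) bool {
	return clearance >= classification
}

// ruleBasedWrite implements the companion "no write down" rule: a subject may
// write an object only if the object's classification dominates the
// clearance, so data cannot be copied to a less sensitive place.
func ruleBasedWrite(clearance, classification level) bool {
	return classification >= clearance
}

func main() {
	payroll := acl{"payroll.db": {"alice": true}}
	fmt.Println("identity-based: alice reads payroll.db:", identityBased(payroll, "alice", "payroll.db"))
	fmt.Println("identity-based: bob reads payroll.db:  ", identityBased(payroll, "bob", "payroll.db"))

	// Under the rule-based policy identity is irrelevant: a secret-cleared
	// user reads a confidential object although no list mentions them, and a
	// confidential-cleared user cannot read a secret object whatever an
	// administrator would like.
	fmt.Println("rule-based: secret user reads confidential object:", ruleBasedRead(secret, confidential))
	fmt.Println("rule-based: confidential user reads secret object:", ruleBasedRead(confidential, secret))
	fmt.Println("rule-based: secret user writes confidential object:", ruleBasedWrite(secret, confidential))
}
```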

3 Threats. A threat is a person, thing, event or idea that endangers an asset (in terms of confidentiality, integrity, availability or legitimate use). An attack is a realisation of a threat. Safeguards are measures (controls, procedures) against threats. Vulnerabilities are weaknesses in the safeguards. A threat is a person, thing, event, or idea which poses some danger to an asset, in terms of that asset's confidentiality, integrity, availability or legitimate use (CIA plus legitimate use). An attack is an actual realisation of a threat. Safeguards are measures to protect assets against threats, including physical controls, mechanisms, policies and procedures. Vulnerabilities are weaknesses in a safeguard, or the absence of a safeguard.

Risk. Risk is a measure of the cost of a vulnerability, taking into account the probability of a successful attack. Risk analysis aims to determine whether the cost of a new or improved safeguard is worthwhile. Risk is a measure of the cost of a vulnerability which takes into account the probability of a successful attack. The risk is high if the value of a vulnerable asset is high and the probability of a successful attack is also high. The risk is low if the value of a vulnerable asset is low and the probability of a successful attack is also low. Risk analysis can provide a quantitative means of determining whether expenditure on safeguards is warranted.

The fundamental threats. Four threats (following the CIA criteria): information leakage (confidentiality), e.g. Prince Charles's telephone conversations, 1993; integrity violation, e.g. USA Today, falsified reports of missile attacks on Israel, 7/2002; denial of service, e.g. Yahoo, 2/2000; illegitimate use, e.g. Vladimir Levin diverting 50 million francs through the SWIFT network (1995). Threats can be classified into deliberate (e.g. hacker penetration) and accidental (e.g. a secret message being sent to the wrong address). Deliberate threats can be further sub-divided into passive and active. Passive threats involve monitoring but not alteration of information, e.g. wire-tapping. Active threats involve deliberate alteration of information, e.g. changing the value of a financial transaction. In general passive threats are easier to mount than active ones. There is no universally agreed way to identify or classify security threats, and the relevance of different threats varies from environment to environment. However, we can identify four fundamental threats, which directly relate to the three 'standard' security goals of CIA together with the goal of legitimate use (i.e. ensuring that resources are not used by unauthorised persons or in unauthorised ways). Information leakage: information is disclosed or revealed to unauthorised parties. Integrity violation: data consistency is compromised. Denial of service: legitimate access to resources (e.g. information or processing power) is deliberately impeded. Illegitimate use: a resource is used by an unauthorised person or in an unauthorised way.

The enabling threats. They lead to the realisation of a fundamental threat: masquerade (Royal Opera House web site, 8/2002); bypassing controls (ADSL modem passwords: illegitimate use); authorisation violation (cross-site scripting: information leakage); Trojan horse (PWSteal.Trojan, 1999: information leakage); trapdoor (Ken Thompson's Unix login backdoor, 'Reflections on Trusting Trust', 1984: illegitimate use). We also consider five primary enabling threats, which are significant because a realisation of any of them can lead directly to a realisation of one of the four fundamental threats; they are what make the fundamental threats possible. They can be sub-divided into penetration and planting threats. The three penetration threats are: masquerade, where an entity pretends to be a different entity; bypassing controls, where an attacker exploits system flaws or security weaknesses in order to acquire unauthorised rights; authorisation violation, where an entity authorised to use a system for one purpose uses it for another, unauthorised purpose. The two planting threats are: Trojan horse, where software contains a hidden part which, when executed, compromises the security of the system; trapdoor, a feature built into a system such that the provision of specific input data allows the security policy to be violated.

4 Security services. Five main services: authentication (including entity authentication and data origin authentication), access control, confidentiality, data integrity, non-repudiation. ISO 7498-2 defines five main categories of security service: authentication, including entity authentication and origin authentication; access control; data confidentiality; data integrity; non-repudiation. There are specific security framework standards (ISO/IEC 10181 Parts 1 to 7) corresponding to each of these five categories of service. They give a much more detailed discussion of the general ways in which these services can be provided. One additional topic covered in the frameworks is security audit. We will not consider these framework standards in any detail in this course.

Authentication. Entity level: verification of a claimed identity at a given instant; generally used at the start of a connection; counters masquerade and replay threats. Origin level: verification of the source of data; not sufficient on its own to protect against replay. Examples: GSM, web server. Entity authentication provides corroboration to one entity that another entity is as claimed. This service may be used at the establishment of (or during) a connection, to confirm the identities of one or more of the connected entities. It provides confidence, at the time of use only, that an entity is not attempting a masquerade or an unauthorised replay of a previous connection. Origin authentication provides corroboration to an entity that the source of received data is as claimed. However, the service does not, in itself, provide protection against duplication or modification of data units.
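The difference between the two levels is easiest to see in code. The following is an added example written for this transcript, not code from the slides or from the standard; the shared key, the message and the "name|nonce" layout of the response are assumptions. The first half is data origin authentication with a keyed check value: a captured message still verifies when it is played back, because nothing in it says when it was produced. The second half is entity authentication by challenge-response: the verifier issues a fresh random nonce and consumes it on use, so a recorded response is useless later and the claimant is shown to be live now.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tag computes HMAC-SHA256 over msg under a key shared by the two entities.
func tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// verifyOrigin is data origin authentication: the receiver learns that some
// holder of the key produced msg, but nothing about when. A captured
// (msg, tag) pair therefore verifies again when an attacker replays it.
func verifyOrigin(key, msg, t []byte) bool {
	return hmac.Equal(tag(key, msg), t)
}

// verifier performs entity authentication by challenge-response. Each
// challenge is a fresh random nonce that is consumed when a response is
// checked, so a recorded response cannot be presented a second time.
type verifier struct {
	key     []byte
	pending map[string]bool // issued challenges not yet answered
}

func newVerifier(key []byte) *verifier {
	return &verifier{key: key, pending: map[string]bool{}}
}

func (v *verifier) challenge() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	v.pending[string(n)] = true
	return n
}

// respond is what the claimant sends back: a tag over its claimed name and
// the verifier's nonce, binding the response to this one exchange.
func respond(key, nonce []byte, claimant string) []byte {
	return tag(key, append([]byte(claimant+"|"), nonce...))
}

func (v *verifier) check(claimant string, nonce, resp []byte) bool {
	if !v.pending[string(nonce)] {
		return false // never issued, or already answered: treat as a replay
	}
	delete(v.pending, string(nonce)) // one response per challenge
	return hmac.Equal(respond(v.key, nonce, claimant), resp)
}

func main() {
	key := []byte("shared secret (constructed example key)")

	// Origin authentication alone: the same tagged message is accepted twice.
	msg := []byte("transfer 100 to bob")
	t := tag(key, msg)
	fmt.Println("first delivery accepted:   ", verifyOrigin(key, msg, t))
	fmt.Println("replayed delivery accepted:", verifyOrigin(key, msg, t))

	// Entity authentication: presenting the same response again fails.
	v := newVerifier(key)
	n := v.challenge()
	r := respond(key, n, "alice")
	fmt.Println("fresh response accepted:   ", v.check("alice", n, r))
	fmt.Println("replayed response accepted:", v.check("alice", n, r))
}
```

A web server that checks a password over an HTTPS connection is using the connection's own handshake for freshness; a GSM handset answers a random challenge from the network in exactly the second pattern above.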

Access control. Protection against unauthorised use of a resource: use of communication resources; reading or writing of a resource; execution on a resource. Example: remote users. This service provides protection against unauthorised use of resources. The protection may be applied to various types of access to a resource, e.g. the use of a communications resource; the reading, writing or deletion of an information resource; the execution of a processing resource.

Confidentiality. Protection against unauthorised access to information. Several types: connection confidentiality, connectionless confidentiality, selective field confidentiality, traffic flow confidentiality. Examples: Internet banking; encrypting routers on the SWIFT network. ISO 7498-2 defines four types of data confidentiality service; all of them provide for the protection of data against unauthorised disclosure. Connection confidentiality: this service provides for the confidentiality of all user data transferred using a connection. Connectionless confidentiality: this service provides for the confidentiality of all user data transferred in a single connectionless data unit (i.e. a packet). Selective field confidentiality: this service provides for the confidentiality of selected fields within user data transferred in either a connection or a single connectionless data unit. Traffic flow confidentiality: this service provides for the confidentiality of information which might be derived from observation of traffic flows.

Data integrity. Protection against threats to the validity of data. Five types: connection integrity with or without recovery, selective field connection integrity, connectionless integrity, selective field connectionless integrity. Example: the MD5 hashes published for the Apache httpd binaries at http://www.apache.org/dist/httpd/binaries/linux/ (note that an unkeyed hash published next to the file on the same server only detects accidental corruption; an attacker who can replace the file can replace the hash too, so integrity against an active attacker needs a keyed check value or a signature verified against a key obtained independently, and MD5 itself is no longer collision resistant). ISO 7498-2 defines five types of data integrity service; all of them counter active threats to the validity of transferred data. Connection integrity with recovery: this service provides for the integrity of all user data on a connection, and detects any modification, insertion, deletion or replay of data within an entire data unit sequence, with recovery attempted. Connection integrity without recovery: as above, but with no recovery attempted. Selective field connection integrity: this service provides for the integrity of selected fields within the user data of a data unit transferred over a connection. Connectionless integrity: this service provides integrity assurance to the recipient of a data unit; more specifically, it enables the recipient of a connectionless data unit to determine whether that data unit has been modified, and a limited form of replay detection may additionally be provided. Selective field connectionless integrity: this service provides for the integrity of selected fields within a single connectionless data unit.
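What "connection integrity without recovery" has to detect, as an added example written for this transcript (not code from the slides or from ISO 7498-2; the data unit layout, the key and the payloads are assumptions). Each data unit carries a sequence number and a keyed check value computed over both the number and the payload, so an attacker can neither alter a payload nor renumber a captured unit to slip it back into the stream. The receiver then classifies each arriving unit as accepted, modified or forged, replayed or inserted out of sequence, or evidence that an earlier unit was deleted. A service with recovery would react to the last two verdicts by requesting retransmission instead of just reporting them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// unit is one data unit on the connection: a sequence number, the user data
// and a check value computed over both, so a captured unit cannot be
// renumbered and replayed without failing the check.
type unit struct {
	seq     uint32
	payload []byte
	check   []byte
}

// checkValue is HMAC-SHA256 over the big-endian sequence number and payload.
func checkValue(key []byte, seq uint32, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	var s [4]byte
	binary.BigEndian.PutUint32(s[:], seq)
	m.Write(s[:])
	m.Write(payload)
	return m.Sum(nil)
}

type sender struct {
	key  []byte
	next uint32
}

func (s *sender) send(payload []byte) unit {
	u := unit{seq: s.next, payload: payload, check: checkValue(s.key, s.next, payload)}
	s.next++
	return u
}

// verdict is what the receiving side reports for one unit.
type verdict string

const (
	accepted verdict = "accepted"
	modified verdict = "modified or forged"
	replayed verdict = "replayed or inserted out of sequence"
	missing  verdict = "an earlier unit was deleted"
)

// receiver provides connection integrity without recovery: a unit is accepted
// only if it verifies under the key and carries the next expected number.
type receiver struct {
	key    []byte
	expect uint32
}

func (r *receiver) receive(u unit) verdict {
	if !hmac.Equal(checkValue(r.key, u.seq, u.payload), u.check) {
		return modified
	}
	switch {
	case u.seq == r.expect:
		r.expect++
		return accepted
	case u.seq < r.expect:
		return replayed
	default:
		return missing // the stream jumped ahead of what we have seen
	}
}

func main() {
	key := []byte("constructed example key")
	s := &sender{key: key}
	r := &receiver{key: key}

	u0, u1, u2 := s.send([]byte("hello")), s.send([]byte("pay 10")), s.send([]byte("bye"))
	fmt.Println(r.receive(u0))
	fmt.Println(r.receive(u1))

	forged := u2
	forged.payload = []byte("pay 99") // attacker edits the user data in transit
	fmt.Println(r.receive(forged))
	fmt.Println(r.receive(u1))                     // attacker replays an old unit
	fmt.Println(r.receive(s.send([]byte("late")))) // u2 never arrived
	fmt.Println(r.receive(u2))                     // u2 finally arrives in order
}
```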

Non-repudiation. Protection against a sender of data claiming not to have sent it (non-repudiation of origin). Protection against a recipient claiming not to have received it (non-repudiation of delivery). Example: signature and acknowledgement of receipt of a letter. ISO 7498-2 defines two types of non-repudiation service. Non-repudiation with proof of origin: the recipient of data is provided with proof of the origin of the data, which protects against any subsequent attempt by the sender to falsely deny sending it. Non-repudiation with proof of delivery: the sender of data is provided with proof of delivery of the data, which protects against any subsequent attempt by the recipient to falsely deny receiving it.
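Both proofs, as an added example written for this transcript (not code from the slides or from the standard; the party names, the order text and the receipt layout are assumptions). A keyed check value is not enough here: because both parties hold the same key, either of them could have produced it, so it proves origin to the other party but convinces no arbitrator. A digital signature is made with a key that only the signer holds, so proof of origin is the sender's signature on the data and proof of delivery is the recipient's signature on a receipt that binds its name to a hash of exactly what arrived. Ed25519 from the Go standard library stands in for the signature mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// party holds a signing key that only this party knows; the matching public
// key is what a third party (an arbitrator) later uses to check the evidence.
type party struct {
	name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func newParty(name string) party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return party{name: name, priv: priv, pub: pub}
}

// proofOfOrigin: the sender signs the data. Unlike a shared-key check value,
// the recipient could not have produced this, so it shows who sent it.
func (p party) proofOfOrigin(data []byte) []byte {
	return ed25519.Sign(p.priv, data)
}

func verifyProofOfOrigin(sender ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(sender, data, sig)
}

// receiptBody binds the recipient's name to a hash of exactly what arrived.
func receiptBody(recipient string, data []byte) []byte {
	h := sha256.Sum256(data)
	return append([]byte("received by "+recipient+": "), h[:]...)
}

// proofOfDelivery: the recipient signs a receipt, which the sender keeps.
func (p party) proofOfDelivery(data []byte) []byte {
	return ed25519.Sign(p.priv, receiptBody(p.name, data))
}

func verifyProofOfDelivery(recipient ed25519.PublicKey, recipientName string, data, receipt []byte) bool {
	return ed25519.Verify(recipient, receiptBody(recipientName, data), receipt)
}

func main() {
	alice, bob := newParty("alice"), newParty("bob")
	order := []byte("buy 100 shares") // constructed sample data

	sig := alice.proofOfOrigin(order)
	fmt.Println("arbitrator: alice sent the order:   ", verifyProofOfOrigin(alice.pub, order, sig))
	fmt.Println("arbitrator: bob could have made it: ", verifyProofOfOrigin(bob.pub, order, sig))

	rcpt := bob.proofOfDelivery(order)
	fmt.Println("arbitrator: bob received the order: ", verifyProofOfDelivery(bob.pub, "bob", order, rcpt))
	fmt.Println("receipt reused for another order:   ", verifyProofOfDelivery(bob.pub, "bob", []byte("buy 1 share"), rcpt))
}
```

In practice the evidence also needs the public keys to be bound to the names by a certificate and the signatures to be timestamped, which is where the notarisation mechanism discussed later comes in.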

5 Mechanisms. They provide and support the security services. Two classes: mechanisms specific to certain services; pervasive mechanisms. Security mechanisms exist to provide and support security services. ISO 7498-2 divides mechanisms into two types: specific security mechanisms, i.e. those specific to providing certain security services, and pervasive security mechanisms, i.e. those not specific to the provision of individual security services.

Specific mechanisms. Eight types (1): encipherment, which provides data confidentiality; digital signature, consisting of a signing procedure (private) and a verification procedure (public), which supports the non-repudiation, origin authentication and data integrity services; access control, which uses information about the client to decide whether to authorise it to access the resource, e.g. access control lists, security labels. Eight types of specific security mechanism are listed: encipherment; digital signature mechanisms; access control mechanisms; data integrity mechanisms, which include cryptographic check functions; authentication exchange mechanisms; traffic padding mechanisms; routing control mechanisms; and notarisation mechanisms. We now consider each of these eight classes in a little more detail. In doing so we give some general information about the progress in standardising specific security mechanisms. Specific standards have been developed (and continue to be developed) within ISO/IEC SC27 to provide examples of most of these classes of mechanism. We do not discuss these standards in any detail in this course.

Specific mechanisms. Eight types (2): data integrity mechanisms, which protect against modification of data, support the origin authentication and data integrity services and also underlie certain authentication exchange mechanisms; authentication exchange, based on the signature and encipherment mechanisms; traffic padding, the addition of dummy traffic to mask the real volumes, which supports traffic flow confidentiality.

Specific mechanisms. Eight types (3): routing control, which prevents sensitive data from travelling over unprotected channels, e.g. choosing a route according to the physical security of its components; notarisation, the use of a trusted third party to attest to the integrity, origin and/or destination of data, generally relying on cryptographic functions.

Pervasive mechanisms. Five types (1): trusted functionality: every function involved in a security mechanism must be trustworthy, software and hardware alike; security labels: any resource (e.g. stored data, a processor, a communications channel) may be given a label indicating its sensitivity, and likewise users; the label must often be attached to the data transferred. Five types of pervasive security mechanism are listed in ISO 7498-2: trusted functionality, security labels, event detection, security audit trail, and security recovery. We consider each of these in a little more detail.

Pervasive mechanisms. Five types (2): event detection: detection of attempted violations and also of legitimate activity; may trigger actions (alarms), logging or automatic recovery; security audit trail: a log of past events for the investigation of security breaches; security recovery: may involve aborting the operation, or the temporary or permanent invalidation (blacklisting) of an entity.
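The three mechanisms working together over a few login events, as an added example written for this transcript (not code from the slides or from ISO 7498-2). The log line format, the sample lines and the threshold of three failures are constructed for the illustration. Event detection counts authentication failures per source address; the audit trail keeps every parsed event for later investigation; security recovery blacklists a source that crosses the threshold and then aborts its later logins even when the password was right, which is the "abort the operation" and "invalidate the entity" behaviour the slide describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample log lines in an assumed "time KIND user=... src=..." format.
var sampleLog = []string{
	"10:00:01 AUTH_FAIL user=alice src=10.0.0.5",
	"10:00:03 AUTH_FAIL user=alice src=10.0.0.5",
	"10:00:04 AUTH_FAIL user=root src=10.0.0.5",
	"10:00:06 AUTH_OK user=alice src=10.0.0.5",
	"10:00:09 AUTH_FAIL user=bob src=192.168.1.9",
	"10:00:12 AUTH_OK user=bob src=192.168.1.9",
	"10:00:15 this line is not well formed",
}

type event struct{ time, kind, user, src string }

// parse accepts only lines with exactly the expected four fields.
func parse(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return event{}, false
	}
	e := event{time: f[0], kind: f[1]}
	for _, kv := range f[2:] {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 {
			return event{}, false
		}
		switch p[0] {
		case "user":
			e.user = p[1]
		case "src":
			e.src = p[1]
		default:
			return event{}, false
		}
	}
	return e, true
}

// detector combines event detection (failure counts per source), the audit
// trail (every parsed event is kept) and security recovery (a source that
// crosses the threshold is blacklisted and its later logins are refused).
type detector struct {
	threshold int
	fails     map[string]int
	blocked   map[string]bool
	trail     []event
	alarms    []string
	malformed int
}

func newDetector(threshold int) *detector {
	return &detector{threshold: threshold, fails: map[string]int{}, blocked: map[string]bool{}}
}

// observe records the event and returns whether the operation may proceed.
func (d *detector) observe(e event) bool {
	d.trail = append(d.trail, e)
	switch e.kind {
	case "AUTH_FAIL":
		d.fails[e.src]++
		if d.fails[e.src] == d.threshold && !d.blocked[e.src] {
			d.blocked[e.src] = true
			d.alarms = append(d.alarms, fmt.Sprintf("%s blacklisted %s after %d failures", e.time, e.src, d.threshold))
		}
		return false
	case "AUTH_OK":
		if d.blocked[e.src] {
			d.alarms = append(d.alarms, fmt.Sprintf("%s refused login of %s from blacklisted %s", e.time, e.user, e.src))
			return false // recovery: abort even though the credentials were right
		}
		d.fails[e.src] = 0 // a genuine login ends the run of failures
		return true
	}
	return true // other legitimate activity is only audited
}

func run(lines []string, threshold int) *detector {
	d := newDetector(threshold)
	for _, l := range lines {
		e, ok := parse(l)
		if !ok {
			d.malformed++ // unparseable input deserves an alarm of its own in practice
			continue
		}
		d.observe(e)
	}
	return d
}

func main() {
	d := run(sampleLog, 3)
	for _, a := range d.alarms {
		fmt.Println("ALARM:", a)
	}
	fmt.Println("audit trail entries:", len(d.trail), " malformed lines:", d.malformed)
}
```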

Services versus mechanisms. ISO 7498-2 indicates which mechanisms can be used to provide which services. Its omissions include: the use of integrity mechanisms for authentication purposes; the use of cryptographic techniques for non-repudiation (and possibly for notarisation). ISO 7498-2 gives an indication of which mechanisms are appropriate to the provision of which services in the form of a table (Table 1 on page 9). It is important to note that this table is illustrative and not definitive (see clause 5.5 on page 8). Obvious omissions include the possible use of data integrity mechanisms to help provide the peer entity authentication and data origin authentication services, and the possible use of encipherment to help provide the non-repudiation services (as part of a notarisation mechanism).

Service/mechanism table I: part 1 of the ISO 7498-2 table (Table 1; image not reproduced in the transcript).

Service/mechanism table II: part 2 of the ISO 7498-2 table (Table 1; image not reproduced in the transcript).

Services versus OSI layers. Layers 1 and 2 can provide confidentiality services. Layers 3 and 4 are concerned with many services. Layer 7 can provide all of the services. ISO 7498-2 lays down which security services may be provided in which parts of the OSI model. The information is summarised in the form of a table (Table 2 on page 16), which indicates which services may be placed in which layers of the OSI model. Layers 1 and 2 are restricted to providing certain types of confidentiality service. Layers 3 and 4 can provide authentication, access control, confidentiality and integrity services (of the two, traffic flow confidentiality only at layer 3). No security services are provided in Layer 5 or Layer 6, although Layer 6 may contain facilities to support the provision of services at Layer 7. All security services may be provided at Layer 7. There are good reasons for varying the position of security functionality within the OSI layer hierarchy depending on the type of network in use. For the maximum degree of traffic flow confidentiality, data encryption needs to be placed at the lowest possible layer (to hide the protocol addresses). Low-level placement also offers common security support for all the different applications running across the network. If end-to-end security is required, then the security services must be placed in Layer 3 or above. If application-specific security services are required, then the security must be placed in Layer 7.

Service/layer table: the service/layer table from ISO 7498-2 (Table 2; image not reproduced in the transcript).