Monday, 25 March 2013

RFC 2828

According to RFC 2828, a security service is a processing or communication service provided
by a system to protect system resources. Security services implement security policies and are
implemented by security mechanisms. Security services are divided into five categories:
• Authentication service: this security service verifies the identities claimed by or for an
entity (cf. p.16, RFC 2828). Authentication services are divided into two groups: data origin
authentication and peer entity authentication.
– Data origin authentication: this security service verifies the identity of a system entity
that is claimed to be the original source of received data (cf. p.53, RFC 2828). It does
not provide protection against duplication or modification of data units even though it is
sometimes thought to enable a recipient to verify that the data have not been tampered
with in transit.
– Peer entity authentication: this service provides corroboration between peer entities at
the connection establishment or during the transfer of information between them. This
service guarantees that an entity is not attempting to masquerade or to replay a previous
connection without authority (cf. p.8, Recommendation X.800).
• Access control: this service provides protection against unauthorized use of resources such
as computing resources, storage resources, communication links, etc. To use a resource, the
user should first be authenticated, after which they can be granted the right to use specific
system resources.
• Data confidentiality: this service protects data from unauthorized disclosure as the data
are transmitted from a source to a destination. Encryption and decryption are often used to
provide data confidentiality. Data confidentiality is divided into four groups:
– Connection confidentiality: this service provides confidentiality of user data on a
connection.
– Connectionless confidentiality: this service provides confidentiality of user data for
connectionless services, i.e. it protects individual data blocks.
– Selective field confidentiality: this service provides confidentiality of selected fields of
user data in a connection or in an individual data block.
– Traffic flow confidentiality: this service protects information which might be derived
from the observation of traffic flows. It serves to protect against traffic analysis.
• Data integrity: this service ensures that the data are received exactly as they were sent and
there has been no modification or replay of the data. Data integrity is classified into five
groups (cf. pp. 9–10, Recommendation X.800):
– Connection integrity with recovery: this service provides integrity for all user data on a
connection, detects any modifications, insertions, deletions or replays of any data within
an entire data sequence and attempts to recover the data if an attack is detected.
– Connection integrity without recovery: this service provides integrity for all user data on
a connection and detects any modifications, insertions, deletions or replays of any data
within an entire data sequence but does not attempt to recover the data when an attack is
detected.
– Selective field connection integrity: this service provides integrity for selected fields
within the user data transferred over a connection and takes the form of determination
of whether the selected fields have been modified, inserted, deleted or replayed.
– Connectionless integrity: this service provides integrity for individual data blocks and
may take the form of determination of whether a received data block has been modified.
Additionally, a limited form of detection of replay may be provided.
– Selective field connectionless integrity: this service provides integrity for selected fields
within individual data blocks and takes the form of determination of whether the selected
fields have been modified.
• Nonrepudiation: this service guarantees that an entity once involved in a communication
cannot later deny its involvement. This service may take one or both of two forms:
– Nonrepudiation with proof of origin: the recipient of the data is provided with proof
of the origin of the data. This will protect against any attempt by the sender to falsely
deny sending the data or their contents. A digital signature is an example of providing
nonrepudiation with proof of origin (cf. p.10, X.800).
– Nonrepudiation with proof of delivery: the sender of data is provided with proof of delivery
of the data. This will protect against any subsequent attempt by the recipient to
falsely deny receiving the data or their contents (cf. p.10, X.800).
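As an added illustration that is not part of the RFC or of this post, the Python sketch below shows the distinction the text draws above: an HMAC gives data origin authentication (modification is detected, but an identical replayed unit still verifies), while a connection integrity service adds sequence tracking to detect replay and deletion. The shared key, messages and sequence numbers are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo secret shared by sender and receiver (not from the RFC).
KEY = b"demo-shared-secret"


def tag(unit: bytes) -> bytes:
    """Data origin authentication tag: HMAC-SHA256 over the data unit."""
    return hmac.new(KEY, unit, hashlib.sha256).digest()


def verify_origin(unit: bytes, mac: bytes) -> bool:
    """True if a holder of KEY produced exactly this unit.
    Detects modification; says nothing about duplication (replay)."""
    return hmac.compare_digest(tag(unit), mac)


class ConnectionReceiver:
    """Connection integrity without recovery: each sequence number is
    accepted once, in order; replays and gaps are rejected, not repaired."""

    def __init__(self) -> None:
        self.expected_seq = 0

    def accept(self, seq: int, payload: bytes, mac: bytes) -> str:
        # The MAC covers the sequence number, so a captured unit cannot be renumbered.
        unit = seq.to_bytes(4, "big") + payload
        if not verify_origin(unit, mac):
            return "reject: modified or forged"
        if seq < self.expected_seq:
            return "reject: replay"
        if seq > self.expected_seq:
            return "reject: deletion or reordering"  # gap in the sequence
        self.expected_seq += 1
        return "accept"


def demo() -> dict:
    msg = b"transfer 100"
    mac = tag(msg)
    results = {
        "origin_ok": verify_origin(msg, mac),
        "origin_modified": verify_origin(b"transfer 900", mac),
        "origin_replayed": verify_origin(msg, mac),  # same copy verifies again
    }
    rx = ConnectionReceiver()
    unit0 = (0).to_bytes(4, "big") + msg
    unit1 = (1).to_bytes(4, "big") + b"transfer 5"
    unit2 = (2).to_bytes(4, "big") + b"transfer 7"
    results["conn_first"] = rx.accept(0, msg, tag(unit0))
    results["conn_replay"] = rx.accept(0, msg, tag(unit0))
    results["conn_skip"] = rx.accept(2, b"transfer 7", tag(unit2))
    results["conn_next"] = rx.accept(1, b"transfer 5", tag(unit1))
    return results
```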


So, RFC 2828 is essentially an Internet security glossary. Two example entries:
Threat
A potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and cause
harm. That is, a threat is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is,
an intelligent act that is a deliberate attempt (especially in the sense of a
method or technique) to evade security services and violate the security
policy of a system.
