Professional Documents
Culture Documents
TEMA 1
FUNDAMENTOS DE SEGURIDAD
INTRODUCCIN
La poltica de seguridad es
el conjunto de reglas/requisitos
que gobiernan el comportamiento
del sistema, en lo que a
seguridad se refiere
Ejemplos de requisitos:
Generacin (activo)
read contents of
message from Bob
to Alice
Internet or
other comms facility
Bob
Alice
(a) Release
of message contents
Intercepcin
10
Darth
Darth
Internet or
other comms facility
Bob
Internet or
other comms facility
Bob
Alice
(a) Masquerade
Generacin
Darth
Darth
Darth modifies
message from Bob
to Alice
Bob
Bob
Darth
Modicacin
Internet or
other comms facility
Bob
Alice
Alice
(c) Modification of messages
Internet or
other comms facility
Internet or
other comms facility
Darth modifies
message from Bob
to Alice
(b) Replay
Alice
Server
(d) Denial of service
Interrupcin
11
12
13
14
DATA INTEGRITY
The assurance that data received are
exactly as sent by an authorized entity (i.e.,
contain no modification, insertion,
deletion, or replay).
Connection Integrity with Recovery
Provides for the integrity of all user data on a
connection and detects any modification,
insertion, deletion, or replay of any data
within an entire data sequence, with recovery
attempted.
Connection Integrity without Recovery
As above, but provides only detection without
recovery.
Selective-Field Connection Integrity
Provides for the integrity of selected fields
within the user data of a data block transferred
over a connection and takes the form of
determination of whether the selected fields
have been modified, inserted, deleted, or
replayed.
Connectionless Integrity
Provides for the integrity of a single
connectionless data block and may take the
form of detection of data modification.
Additionally, a limited form of replay
detection may be provided.
Selective-Field Connectionless Integrity
Provides for the integrity of selected fields
within a single connectionless data block;
takes the form of determination of whether the
selected fields have been modified.
NONREPUDIATION
Provides protection against denial by one
of the entities involved in a communication
of having participated in all or part of the
communication.
Nonrepudiation, Origin
Proof that the message was sent by the
specified party.
Nonrepudiation, Destination
Proof that the message was received by the
specified party.
15
Connectionless Confidentiality
The protection
of all user data in a single data
ble 1.2 Security Services
(X.800)
block
ION
DATA INTEGRITY
Selective-Field Confidentiality
The The
confidentiality
of selected
fieldsare
within the
ommunicating
assurance that
data received
user
data
on
a
connection
or
in
a
single
data
aims to be.
exactly as sent by an authorized entity
(i.e.,
block.
contain no modification, insertion,
deletion, or replay).
Traffic-flow
Confidentiality
gical connection
The
protection
of the
information
identity of the
Connection Integrity
with
Recovery that might be
derived
from
Provides
for observation
the integrity of
of traffic
all userflows.
data on a
connection and detects any modification,
insertion, deletion, or replay of any data
provides assurance
within an entire data sequence, with recovery
ata is as claimed.
attempted.
ROL
horized use of a
e controls who can
e, under what
cur, and what
urce are allowed to
IALITY
om unauthorized
ta on a connection.
ta in a single data
Connection Integri
As above, but p
recovery.
Selective-Field Con
Provides for the
within the user
over a connecti
determination o
have been mod
replayed.
Connectionless Inte
Provides for the
17
connectionless
form of detectio
Additionally, a
detection may b
Layer 4
Y
Y
Y
Y
Y
Y
Y
Y
Y
Los estndares ISO 7498-2 e ITU X.800 distinguen entre dos tipos
de mecanismos de seguridad:
especficos: estn implementados en una capa especfica de la pila de
protocolos
ubcuos: no son especficos de ninguna capa en particular
19
Access Control
A variety of mechanisms that enforce
access rights to resources.
Data Integrity
A variety of mechanisms used to assure the
integrity of a data unit or stream of data
units.
Security Recovery
Deals with requests from mechanisms, such
as event handling and management
functions, and takes recovery actions.
Authentication Exchange
A mechanism intended to ensure the
identity of an entity by means of
information exchange.
Traffic Padding
The insertion of bits into gaps in a data
stream to frustrate traffic analysis attempts.
Routing Control
Enables selection of particular physically
secure routes for certain data and allows
routing changes, especially when a breach
of security is suspected.
Notarization
The use of a trusted third party to assure
certain properties of a data exchange.
20
TABLE 1/X.800
Illustration of relationship of security services and mechanisms
Encipherment
Digital
signature
Acces
control
Data
integrity
Authentication
exchange
Traffic
padding
Routing
control
Notarization
Y
Y
Y
Y
Y
Y
Y
Y
Mechanism
Service
Peer entity authentication
Data origin
authentication
Access control service
Connection confidentiality
Connectionless
confidentiality
Selective field
confidentiality
Traffic flow
confidentiality
Connection Integrity with
recovery
Connection integrity
without recovery
Selective field connection
integrity
Connectionless integrity
Selective field
connectionless integrity
Non-repudiation. Origin
Non-repudiation. Delivery
Y Yes: the mechanism is considered to be appropiate, either on its own or in combination with other mechanisms.
Note In some instances, the mechanism provides more than is necessary for the relevant service but could nevertheless be used.
21
Referencias bibliogrficas
22
Bibliografa bsica
"User's Guide To Cryptography And Standards
Alex W. Dent, Chris J. Mitchell
Artech House, 2004
"Handbook of Applied Cryptography
Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone,
CRC Press, 1996
23
ISO 7498-2
Information processing systems -- Open Systems Interconnection -- Basic
Reference Model -- Part 2: Security Architecture, 1989.
RFC 2828
RFC2828: Internet Security Glossary, R. Shirey, May 2000.
ITU-T X.800
Recommendation X.800: Security Architecture for Open Systems
Interconnection for CCITT Applications, ITU, 1991.
ITU-T X.509
Recommendation X.509: Information technology Open systems
interconnection The Directory: Public-key and attribute certificate
frameworks, ITU, 2005
SEGURIDAD DE LA INFORMACIN - Tema 1: Fundamentos de Seguridad
24