Osi Security Architecture
Osi Security Architecture
OSI Security Architecture is categorized into three broad categories namely Security Attacks,
Security mechanisms, and Security Services. We will discuss each in detail:
1. Security Attacks
A security attack is an attempt by a person or entity to gain unauthorized access to disrupt or
compromise the security of a system, network, or device. These are defined as the actions that
put at risk an organization’s safety. They are further classified into 2 sub-categories:
1. Passive Attack: Attacks in which a third-party intruder tries to access the message/ content/
data being shared by the sender and receiver by keeping a close watch on the transmission or
eave-dropping the transmission is called Passive Attacks. These types of attacks involve the
attacker observing or monitoring system, network, or device activity without actively
disrupting or altering it. Passive attacks are typically focused on gathering information or
intelligence, rather than causing damage or disruption. Here, both the sender and receiver
have no clue that their message/ data is accessible to some third-party intruder. The message/
data transmitted remains in its usual form without any deviation from its usual behavior. This
makes passive attacks very risky as there is no information provided about the attack
happening in the communication process. Passive attacks are further divided into two parts
based on their behavior:
Eavesdropping: Eavesdropping involves the attacker intercepting and listening to
communications between two or more parties without their knowledge or consent.
Eavesdropping can be performed using a variety of techniques, such as packet sniffing, or
man-in-the-middle attacks.
Traffic analysis: This involves the attacker analyzing network traffic patterns and metadata
to gather information about the system, network, or device. Here the intruder can’t read the
message but only understand the pattern and length of encryption. Traffic analysis can be
performed using a variety of techniques, such as network flow analysis, or protocol
analysis.
2. Active Attacks: Active attacks refer to types of attacks that involve the attacker actively
disrupting or altering system, network or device activity. Active attacks are typically focused
on causing damage or disruption rather than gathering information or intelligence. Here, both
the sender and receiver have no clue that their message/ data is modified by some third-party
intruder. The message/ data transmitted doesn’t remain in its usual form and shows deviation
from its usual behavior. This makes active attacks dangerous as there is no information
provided of the attack happening in the communication process and the receiver is not aware
that the data/ message received is not from the sender. Active attacks are further divided into
four parts based on their behavior:
Masquerade: Masquerade is a type of attack in which the attacker pretends to be an
authentic sender in order to gain unauthorized access to a system. This type of attack can
involve the attacker using stolen or forged credentials, or manipulating authentication or
authorization controls in some other way.
Replay: Replay is a type of active attack in which the attacker intercepts a transmitted
message through a passive channel and then maliciously or fraudulently replays or delays it
at a later time.
Modification of Message: Modification of Message involves the attacker modifying the
transmitted message and making the final message received by the receiver look like it’s
not safe or non-meaningful. This type of attack can be used to manipulate the content of the
message or to disrupt the communication process.
Denial of service (DoS): Denial of Service attacks involve the attacker sending a large
volume of traffic to a system, network, or device in an attempt to overwhelm it and make it
unavailable to users.
2. Security Mechanism
The mechanism that is built to identify any breach of security or attack on the organization, is
called a security mechanism. Security Mechanisms are also responsible for protecting a system,
network, or device against unauthorized access, tampering, or other security threats.
Encipherment (Encryption): Encryption involves the use of algorithms to transform data
into a form that can only be read by someone with the appropriate decryption key. Encryption
can be used to protect data it is transmitted over a network, or to protect data when it is stored
on a device.
Digital signature: Digital Signature is a security mechanism that involves the use of
cryptographic techniques to create a unique, verifiable identifier for a digital document or
message, which can be used to ensure the authenticity and integrity of the document or
message.
Traffic padding: Traffic Padding is a technique used to add extra data to a network
traffic stream in an attempt to obscure the true content of the traffic and make it more difficult
to analyze.
Routing control: Routing Control allows the selection of specific physically secure routes for
specific data transmission and enables routing changes particularly when a gap in security is
suspected.
3. Security Services
Security services refer to the different services available for maintaining the security and safety
of an organization. They help in preventing any potential risks to security. Security services are
divided into 5 types:
Authentication: Authentication is the process of verifying the identity of a user or device in
order to grant or deny access to a system or device.
Access control: Access Control involves the use of policies and procedures to determine
who is allowed to access specific resources within a system.
Data Confidentiality: Data Confidentiality is responsible for the protection of information
from being accessed or disclosed to unauthorized parties.
Data integrity: Data Integrity is a security mechanism that involves the use of techniques to
ensure that data has not been tampered with or altered in any way during transmission or
storage.
Non- repudiation: Non-repudiation involves the use of techniques to create a verifiable
record of the origin and transmission of a message which can be used to prevent the sender
from denying that they sent the message.
Benefits of OSI Security Architecture
Providing Security: OSI Architecture in an organization provides the needed security and
safety preventing potential threats and risks.
Organising Task: The OSI architecture makes it easy for managers to build a security model
for the organization based on strong security principles.
Meets International Standards: Security services are defined and recognized internationally
meeting international standards.
Interoperability: The OSI model divides network functions into multiple levels makes it
easier for different hardware and software components to work together.
Scalability: The layered method makes networks scalable. New technologies and protocols
can be seamlessly added without interrupting the overall system.
Flexibility: Each layer can evolve separately and provide flexibility for technology and
application changes.
Packet sniffing:
When any data has to be transmitted over the computer network, it is broken down into smaller
units at the sender’s node called data packets and reassembled at receiver’s node in original
format. It is the smallest unit of communication over a computer network. It is also called a
block, a segment, a datagram or a cell. The act of capturing data packet across the computer
network is called packet sniffing. It is similar to as wire tapping to a telephone network. It is
mostly used by crackers and hackers to collect information illegally about network. It is also
used by ISPs, advertisers and governments. ISPs use packet sniffing to track all your activities
such as:
who is receiver of your email
what is content of that email
what you download
sites you visit
what you looked on that website
downloads from a site
streaming events like video, audio, etc.
Advertising agencies or internet advertising agencies are paid according to:
number of ads shown by them.
number of clicks on their ads also called PPC (pay per click).
To achieve this target, these agencies use packet sniffing to inject advertisements into the
flowing packets. Most of the time these ads contain malware.
Government agencies use packet sniffing to:
ensure security of data over the network.
track an organisation’s unencrypted data.
Packet Sniffer – Packet sniffing is done by using tools called packet sniffer. It can be
either filtered or unfiltered. Filtered is used when only specific data packets have to be captured
and Unfiltered is used when all the packets have to be captured. WireShark, SmartSniff are
examples of packet-sniffing tools.
How to prevent packet sniffing –
Encrypting data you send or receive.
using trusted Wi-Fi networks.
Scanning your network for dangers or issues.
Advantages:
Network troubleshooting: Packet sniffing can be used to identify network problems by
examining the packets and identifying issues such as network congestion, packet loss, or
improper configuration.
Security analysis: Packet sniffing can be used to detect and analyze security threats, such as
network intrusions, malware infections, or unauthorized access attempts.
Network optimization: Packet sniffing can be used to optimize network performance by
identifying bottlenecks and optimizing the network configuration.
Protocol analysis: Packet sniffing can be used to analyze network protocols and identify
areas where they can be improved or optimized.
Disadvantages:
Privacy violations: Packet sniffing can be used to intercept sensitive information, such as
passwords, credit card numbers, or personal information, which can be used for malicious
purposes.
Legal issues: In many jurisdictions, packet sniffing is illegal without the express consent of
all parties involved in the communication.
Resource usage: Packet sniffing can consume a significant amount of system resources,
especially if large amounts of network traffic are being analyzed.
Complexity: Packet sniffing can be a complex process, requiring specialized knowledge and
tools to analyze network traffic effectively.
Digital signature and Certificate:
Digital signatures and certificates are two key technologies that play a crucial role in ensuring
the security and authenticity of online activities. They are essential for activities such as online
banking, secure email communication, software distribution, and electronic document signing.
By providing mechanisms for authentication, integrity, and non-repudiation, these technologies
help protect against fraud, data breaches, and unauthorized access.
Experience the ease of obtaining legally binding signatures online, all while maintaining the
highest standards of security and compliance with the leading e-signature platform, SignNow. It
is a secure and efficient electronic signature solution designed to streamline your document
signing process while ensuring top-tier security features.
Digital Signature
A digital signature is a mathematical technique used to validate the authenticity and integrity of
a message, software, or digital document. These are some of the key features of it.
1. Key Generation Algorithms: Digital signatures are electronic signatures, which assure that
the message was sent by a particular sender. While performing digital transactions
authenticity and integrity should be assured, otherwise, the data can be altered or someone
can also act as if he were the sender and expect a reply.
2. Signing Algorithms: To create a digital signature, signing algorithms like email programs
create a one-way hash of the electronic data which is to be signed. The signing algorithm then
encrypts the hash value using the private key (signature key). This encrypted hash along with
other information like the hashing algorithm is the digital signature. This digital signature is
appended with the data and sent to the verifier. The reason for encrypting the hash instead of
the entire message or document is that a hash function converts any arbitrary input into a
much shorter fixed-length value. This saves time as now instead of signing a long message a
shorter hash value has to be signed and hashing is much faster than signing.
3. Signature Verification Algorithms: The Verifier receives a Digital Signature along with the
data. It then uses a Verification algorithm to process the digital signature and the public key
(verification key) and generates some value. It also applies the same hash function on the
received data and generates a hash value. If they both are equal, then the digital signature is
valid else it is invalid.
The steps followed in creating a digital signature are:
1. Message digest is computed by applying the hash function on the message and then message
digest is encrypted using the private key of the sender to form the digital signature. (digital
signature = encryption (private key of sender, message digest) and message digest = message
digest algorithm (message)).
2. A digital signature is then transmitted with the message. (message + digital signature is
transmitted)
3. The receiver decrypts the digital signature using the public key of the sender. (This assures
authenticity, as only the sender has his private key so only the sender can encrypt using his
private key which can thus be decrypted by the sender’s public key).
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (actual message is sent with
the digital signature).
6. The message digest computed by receiver and the message digest (got by decryption on
digital signature) need to be same for ensuring integrity.
Message digest is computed using one-way hash function, i.e. a hash function in which
computation of hash value of a message is easy but computation of the message from hash value
of the message is very difficult.
Assurances About Digital Signatures
The definitions and words that follow illustrate the kind of assurances that digital signatures
offer.
1. Authenticity: The identity of the signer is verified.
2. Integration: Since the content was digitally signed, it hasn’t been altered or interfered with.
3. Non-repudiation: demonstrates the source of the signed content to all parties. The act of a
signer denying any affiliation with the signed material is known as repudiation.
4. Notarization: Under some conditions, a signature in a Microsoft Word, Microsoft Excel, or
Microsoft PowerPoint document that has been time-stamped by a secure time-stamp server is
equivalent to a notarization.
Benefits of Digital Signatures
Legal documents and contracts: Digital signatures are legally binding. This makes them
ideal for any legal document that requires a signature authenticated by one or more parties
and guarantees that the record has not been altered.
Sales contracts: Digital signing of contracts and sales contracts authenticates the identity of
the seller and the buyer, and both parties can be sure that the signatures are legally binding
and that the terms of the agreement have not been changed.
Financial Documents: Finance departments digitally sign invoices so customers can trust
that the payment request is from the right seller, not from a attacker trying to trick the buyer
into sending payments to a fraudulent account.
Health Data: In the healthcare industry, privacy is paramount for both patient records and
research data. Digital signatures ensure that this confidential information was not modified
when it was transmitted between the consenting parties.
Drawbacks of Digital Signature
Dependency on technology: Because digital signatures rely on technology, they are
susceptible to crimes, including hacking. As a result, businesses that use digital signatures
must make sure their systems are safe and have the most recent security patches and upgrades
installed.
Complexity: Setting up and using digital signatures can be challenging, especially for those
who are unfamiliar with the technology. This may result in blunders and errors that reduce the
system’s efficacy. The process of issuing digital signatures to senior citizens can occasionally
be challenging.
Limited acceptance: Digital signatures take time to replace manual ones since technology is
not widely available in India, a developing nation.
Digital Certificate
Digital certificate is issued by a trusted third party which proves sender’s identity to the receiver
and receiver’s identity to the sender. A digital certificate is a certificate issued by a Certificate
Authority (CA) to verify the identity of the certificate holder. Digital certificate is used to attach
public key with a particular individual or an entity.
Digital Certificate Contains
Name of certificate holder.
Serial number which is used to uniquely identify a certificate, the individual or the entity
identified by the certificate
Expiration dates.
Copy of certificate holder’s public key. (used for decrypting messages and digital signatures)
Digital Signature of the certificate issuing authority.
Digital certificate is also sent with the digital signature and the message.
Advantages of Digital Certificate
NETWORK SECURITY: A complete layered strategy is required by
modern cybersecurity methods, wherein many solutions cooperate to offer the highest level of
protection against attackers. An essential component of this puzzle is digital certificates,
which offer strong defense against manipulation and man-in-the-middle attacks.
VERIFICATION: Digital certificates facilitate cybersecurity by restricting access to
sensitive data, which makes authentication a crucial component of cybersecurity. Thus, there
is a decreased chance that attackers will cause disturbance. At many different endpoints,
certificate-based authentication provides a dependable method of identity verification.
Compared to other popular authentication methods like biometrics or one-time passwords,
certificates are more flexible.
BUYER SUCCESS: Consumers demand complete assurance that the websites they visit are
It is generated by CA (Certifying
Hashed value of original data is
Authority) that involves four
encrypted using sender’s
Process / Steps steps: Key Generation,
private key to generate the
Registration, Verification,
digital signature.
Creation.
Authenticity of
It provides security
Sender, integrity of the
Security Services and authenticity of certificate
document and non-
holder.
repudiation.
Symmetric Encryption
Asymmetric Encryption
Asymmetric Cryptography is also known as public-key cryptography. It uses public and
private keys for the encryption and decryption of message. One key in the pair which can be
shared with everyone is called the public key. The other key in the pair which is kept secret
and is only known by the owner is called the private key.
Asymmetric Encryption
1. Public key– Key which is known to everyone. Ex-public key of A is 7, this information is
known to everyone.
2. Private key– Key which is only known to the person who’s private key it is.
3. Authentication-Authentication is any process by which a system verifies the identity of a
user who wishes to access it.
4. Non- repudiation– Non-repudiation is a way to guarantee that the sender of a message
cannot later deny having sent the message and that the recipient cannot deny having received
the message.
5. Integrity– To ensure that the message was not altered during the transmission.
6. Message digest -The representation of text in the form of a single string of digits, created
using a formula called a one way hash function. Encrypting a message digest with a private key
creates a digital signature which is an electronic means of authentication.
Conclusion
Digital signatures and certificates are essential tools for ensuring secure and trustworthy online
communications. Digital signatures verify the authenticity and integrity of digital messages or
documents, ensuring they haven’t been tampered with and confirming the sender’s identity.
Certificates act as digital ID cards, issued by trusted authorities, that validate the legitimacy of
websites, organizations, or individuals. Together, they help protect against fraud, ensure data
security, and build trust in digital interactions. Understanding and using digital signatures and
certificates is crucial for maintaining privacy and security in today’s digital world.