X.800 defines a security service as a service provided by a protocol layer of communicating open systems to ensure adequate security of systems or data transfers. A clearer definition is found in RFC 2828, which states that a security service provides specific protection to system resources through implemented security policies and mechanisms. X.800 categorizes these services into five categories and fourteen specific services.
Authentication
The authentication service assures that a communicating entity is who it claims to be. It includes:
Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the connected entities. It's crucial for preventing masquerade or unauthorized replay of connections.
Data-Origin Authentication: Offers assurance that the source of received data is as claimed, supporting applications like electronic mail where no prior interactions occur between entities.
Access Control
Access control prevents unauthorized use of resources. It controls who can access resources, under what conditions, and what actions are permissible. In network security, this involves identifying or authenticating entities to tailor access rights accordingly.
Data Confidentiality
Confidentiality protects data from unauthorized disclosure. Protection levels vary:
- Connection Confidentiality: Protects all user data on a connection.
- Connectionless Confidentiality: Secures user data in a single data block.
- Selective-Field Confidentiality: Ensures confidentiality of selected fields within user data.
- Traffic-Flow Confidentiality: Protects information derived from observing traffic flows.
The last of these, traffic-flow confidentiality, covers the characteristics of a flow rather than its content: the source, destination, frequency, or length of messages must not be recoverable by observing the traffic.
Data Integrity
Data integrity ensures received data remains unaltered. It applies to message streams, single messages, or specific fields. The service can provide:
- Connection Integrity with Recovery: Ensures integrity and attempts recovery from modification or replay in data sequences.
- Connection Integrity without Recovery: Detects integrity violations without recovery.
- Selective-Field Connection Integrity: Focuses on selected fields within data.
- Connectionless Integrity: Secures individual connectionless data blocks.
- Selective-Field Connectionless Integrity: Protects selected fields in a single block.
Services with recovery mechanisms are often preferable, as they allow for automated correction after integrity breaches.
Nonrepudiation
Nonrepudiation protects against denial of participation in communication. It provides proof that:
- Nonrepudiation, Origin: The specified party sent the message.
- Nonrepudiation, Destination: The specified party received the message.
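As an added example that is not part of the original text, the Python sketch below shows how a single mechanism, a keyed MAC over a sequence-numbered data unit, delivers several of the services named above: the tag check gives connectionless integrity and data-origin authentication, and the sequence-number check gives the replay detection of connection integrity without recovery. The key, framing and function names are constructed for this example; the comments also note why this mechanism does not provide nonrepudiation.

```python
import hmac
import hashlib

# Constructed shared key for the example; in practice it comes from a key-establishment step.
SHARED_KEY = b"example-shared-key-not-for-real-use"
TAG_LEN = 32  # HMAC-SHA256 output length


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a protected data unit: 4-byte sequence number | payload | HMAC-SHA256 tag."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies integrity and data origin, and detects replayed sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = -1  # no data unit accepted yet

    def accept(self, unit: bytes):
        """Return (status, payload); status is one of "ok", "modified", "replayed"."""
        if len(unit) < 4 + TAG_LEN:
            return ("modified", None)
        header, payload, tag = unit[:4], unit[4:-TAG_LEN], unit[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # A wrong tag means the header or payload changed in transit, or the sender
        # does not hold the key: this is integrity plus data-origin authentication.
        # Because the receiver holds the same key, it could have produced the tag
        # itself, so a MAC gives no nonrepudiation; that needs a digital signature.
        if not hmac.compare_digest(tag, expected):
            return ("modified", None)
        seq = int.from_bytes(header, "big")
        # Connection integrity (without recovery): a sequence number at or below the
        # highest already accepted is a replay. The unit is rejected, not repaired.
        if seq <= self.highest_seq:
            return ("replayed", None)
        self.highest_seq = seq
        return ("ok", payload)
```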
Availability Service
Availability ensures system resources are accessible and usable on demand by an authorized entity, following system performance specifications. Both X.800 and RFC 2828 view availability as crucial, focusing on protection against denial-of-service attacks through resource management and access control to maintain service availability.