
S 4.90 Use of cryptographic procedures on the various layers of the ISO/OSI reference model

Initiation responsibility: IT Security Management

Implementation responsibility: IT Security Management

The OSI reference model according to the ISO

Cryptographic procedures can be implemented on the various layers of the ISO/OSI reference model. This model, which is explained briefly in this manual in safeguard S 5.13 Appropriate use of equipment for network coupling, defines four transport-oriented layers and three application-oriented layers. Instances on the same layer in various systems communicate with each other with the aid of certain protocols. Each layer offers its services to the next higher layer. In addition to the usual communication services, this may also be a security service. A description of which security service should be placed in which layer of the reference model, and which mechanisms can be used to do so, is given in Part 2 of ISO 7498 (Security Architecture).

Even if particular communication systems, reference models or protocols are not always entirely in conformance with the ISO reference model, knowledge of the ISO reference model helps when assessing the security functions of products and therefore also makes it easier to assemble "secure" complete systems in a systematic manner.

The following sections aim to explain what advantages and disadvantages are associated with the use of cryptographic procedures on the respective layers.

Security services

Cryptographic procedures are used for securing a variety of information that arises in the course of communication, i.e. for encrypting information or for assigning cryptographic checksums or digital signatures to it. The data that can be secured is the data to be transmitted by the user, but also information that is generated implicitly during the exchange of information (such as traffic flow information).

Security relationships may exist for various security services on various OSI layers simultaneously. Above the layer on which a security service is implemented, the information (relating to that service) is not secured. Cryptographic mechanisms (encryption, digital signature, cryptographic checksums) contribute to the implementation of important security services (authenticity, confidentiality, integrity, verification of communication and verification of the origin of data).

First let us look at an overview of the criteria that speak for or against the use of cryptographic procedures on the various OSI layers:

Simple key management procedures are generally obtained if group keys can be used, for example when setting up secure subnetworks (VPNs) in which the access ports are equipped with cryptographic devices.

The purchase price of cryptographic products for the lower layers is usually considerably higher than that of those for higher layers, but it also has to be said that fewer are required. Furthermore, administration and implementation costs are normally also lower, because security services do not have to be implemented in a wide variety of applications. In this way even "exotic" applications - which do not have their own security functionality - can exchange data securely.

In many cases it is a good idea to use a combination of cryptographic services on different layers. The form that this will take depends on the specific security requirements and the conditions of use, such as costs, performance and the extent to which the relevant components are available. Other crucial factors include the assumed threats which the implemented security services are intended to counteract, and the underlying system architecture.

Security terminals <-> security coupling elements

Security systems can take the form of a terminal device or part of a terminal device, or of a coupling element or part of a coupling element. Coupling elements may be active network components, for example, such as routers or gateways.

In contrast with terminal devices, security coupling elements usually have two network interfaces, which are coupled to a layer that is typical for that system via a crypto module (hardware or software). One interface is connected to the "secure" network (e.g. an in-house network), while the other interface is connected to the network considered "insecure" (e.g. a public network).

Security terminals have the advantage that the security mechanisms can be closely adapted to the requirements of the application. Typical security terminals include crypto telephones, crypto fax machines or hardware/software-based security solutions for PCs. Security terminals generally provide solutions for individual workstations. In some cases these solutions support only one service. The boundaries are fluid, however (such as in the case of telephony via an Internet PC, or a crypto telephone with a data input). In terminal devices, as opposed to coupling elements, the choice of security layer is not restricted, because terminals are generally complete - in other words they have 7 layers.

Security coupling elements are often designed with sufficient performance capability to be able to provide security for large work units, up to and including entire properties. The manufacturers of these systems try to support as many services and higher-level protocols as possible, so as to enable them to be put to universal use. The fact that they are largely independent of the operating systems on the terminals also contributes to the universal applicability of coupling elements. It is of course also possible to protect individual terminals with security coupling elements. The performance capability of the equipment, however, often results in higher costs. Coupling elements are by definition incomplete OSI systems. Consequently the implementation of security services is also limited to the layers where the coupling element is located.

There are also mixed forms in use. This relies on the precondition that security terminals and security coupling elements must be dovetailed with each other, particularly with regard to the security mechanisms and security parameters that they use (such as cryptographic keys).

User, control and management information

A user is primarily interested in the transmission of user information to remote users. Depending on the actual reference model being used, however (e.g. ISDN), control, signalling and management information is also transferred between the systems (terminal devices, coupling elements) for the purpose of setting up and clearing down connections, negotiating quality of service parameters, and configuring and monitoring the network by network providers etc.

The network concerned has the task of transmitting user information without changing it and without interpreting it; i.e. only the terminal devices must be capable of interpreting user information. In this way the information can be secured irrespective of the rest of the network infrastructure, if necessary even using proprietary security functions (closed user group). It must be possible for control, signalling and management information on the transport layers to be evaluated, modified or generated by network elements belonging to the network provider. As a result, this information largely avoids any protection provided independently of the network provider (e.g. encryption). The safeguarding of this information calls for trusting co-operation with the network provider, as well as application of the relevant standards. Threats may arise from the fact that the security functions of certain products are incorrectly assessed. When cryptographic devices are selected, it is essential to examine precisely which components of the information are secured or filtered. Likewise, looking at it the other way, it is necessary to check which information remains unsecured despite the use of crypto devices, and to what extent this can be tolerated.

Example: With ISDN, the user information is generally carried via the B channels. However, the D channel, which is primarily used for signalling, can also be used for the transmission of packetised data. If the objective is to protect all user data, it is plain that safeguarding the B channels is not sufficient in cases where packetised data is transmitted via the D channel.

Security in circuit-switched networks

In circuit-switched networks, the establishment of a connection sets up channels of a defined bandwidth, which are exclusively available to the communicating parties. After the connection has been established, the user data is transmitted, then the connection is cleared down. The network provider can set up fixed connections, in which case there is no need for the connection to be established and cleared down - usually performed by the subscriber. One example of a circuit-switched network is ISDN.

When a connection is established, user data channels are set up between the communication partners on OSI layer 1; in ISDN these are referred to as B channels. In order to ensure the confidentiality of the transferred user data, the channel can be encrypted. If it is also intended to secure the signalling channel, in the case of N-ISDN therefore the D channel (layers 1-3), it must be borne in mind that both the communication partner's terminal and the network provider's exchanges can appear as distant stations for a terminal transmitting data. The D channel is not normally encrypted, because this would mean imposing particular requirements on the network provider. In this case provision should be made for monitoring and filtering the D channel (see also S 4.62 Use of a D-channel filter).

Circuit encrypters: The encryption of synchronous full-duplex permanent connections must be seen as a special case, because in this case confidentiality - even confidentiality of the traffic flow - can be guaranteed. If there is no data pending transmission, filler data is encrypted, so that continuous "noise" is always present on the line. The circuit encrypter represents an alternative to installing protected circuits.

Security in packet-switched networks

In packet-switched networks it is necessary to distinguish between connection-oriented and connectionless packet switching. In connection-oriented packet switching, a virtual connection is set up during the connection setup phase, as a result of which the data path through the packet network is subsequently established. After the connection is set up, packets are routed through the network along the same path on the basis of the assigned virtual channel number. Transmit and/or receive addresses are no longer necessary for this. One example is the X.25 network.

In the case of connectionless packet switching there are no connection setup and cleardown phases. Packets are switched individually - among other things furnished with a source address and destination address. This is typical of LAN data traffic.

The choice of layer on which the security mechanisms take effect determines which information components will be protected. The lower the chosen security layer, the more comprehensive the protection of the information. When the user data passes through the instances of layers 7 to 1 (transmitter), additional control information is added to the data. If therefore it is important to protect not only the user data but also the traffic flow, it makes sense to choose a low OSI layer. On the other hand it is also the case that the lower the chosen OSI layer, the fewer coupling elements (repeaters, bridges, switches, routers, gateways) can be overcome transparently.

If it is intended that security services should take effect beyond coupling elements, they must be implemented in a layer above the highest layer (or sublayer) of the coupling elements. This ensures that the communication equipment can forward the secured information unprocessed and uninterpreted.

Examples and consequences of incorrect network configurations:

Example 1: In order to guarantee confidentiality, in particular in the sphere of public communication networks, all terminal devices in two LANs coupled via a router and public communication networks are to be equipped with layer-2 encryption components. The router has to evaluate the addresses of layer 3 in order to forward the LAN packets via the public network. However, as all layer-3 data is hidden as a result of layer-2 encryption, evaluation of the layer-3 addresses cannot be successfully carried out. Data transmission is prevented because of this. To remedy this situation, the encryption components must be used for layer 3 (upper sublayer) or higher.
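
Example 1 can be reproduced in a few lines. The following Python sketch is an added illustration, not part of the manual. The packet format, addresses, routing table and key are constructed, and the SHA-256 keystream is a toy stand-in for a real cipher.

```python
import hashlib

KEY = b"constructed terminal key"  # held by the terminals only, not by the router
# Constructed routing table: /24 prefix -> outgoing interface
ROUTES = {bytes([10, 1, 2]): "wan0", bytes([10, 1, 1]): "lan0"}


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream built from SHA-256 (stand-in for a real cipher; the same call decrypts)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def l3_packet(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed layer-3 format: 4-byte destination, 4-byte source, then payload."""
    return dst + src + payload


def router_forward(l3_pdu: bytes):
    """The router works on layer 3: it reads the destination prefix and picks an interface."""
    return ROUTES.get(l3_pdu[:3])  # None: no route found, the packet cannot be forwarded


DST, SRC = bytes([10, 1, 2, 7]), bytes([10, 1, 1, 5])
PAYLOAD = b"quarterly figures"  # constructed user data
PLAIN = l3_packet(DST, SRC, PAYLOAD)

# Layer-2 encryption in the terminal: the whole layer-3 PDU, addresses included, is ciphertext.
L2_ENCRYPTED = toy_cipher(KEY, PLAIN)
# Layer-3 (upper sublayer) encryption: addresses stay readable, only the payload is ciphertext.
L3_ENCRYPTED = l3_packet(DST, SRC, toy_cipher(KEY, PAYLOAD))

if __name__ == "__main__":
    print("layer-2 encrypted ->", router_forward(L2_ENCRYPTED))
    print("layer-3 encrypted ->", router_forward(L3_ENCRYPTED))
```

The price of the remedy is visible in the second case: the source and destination addresses travel in the clear across the public network, so the traffic flow is no longer hidden.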

Example 2: In future, a large proportion of a certain institution's correspondence is to be sent electronically using X.400 (layer 7). In order to safeguard data integrity, the institution plans to use layer-4 crypto components in the terminal devices (in this case PCs). For security purposes, cryptographic checksums are assigned to the data packets at the sender on layer 4; these are then checked by the associated layer-4 crypto component belonging to the receiver. Only packets with correct checksums are to be delivered. However, if some MTAs (Message Transfer Agents, i.e. the intermediaries for electronic messages on layer 7) are not equipped with interoperable crypto components, the MTAs with no crypto component cannot generate valid checksums. This means that subsequent MTAs or terminal devices with a crypto component have to discard the data, in accordance with the specification.

However, even if all of the MTAs that are used are equipped with interoperable crypto components and security parameters in the same way as the terminal devices, data integrity is not assured. Although it is possible to safeguard the data transmission section by section, corruption of the data within the MTAs can occur without being noticed. Furthermore (depending on the protocol) individual layer-4 data packets could be lost, which would result in gaps in the message as a whole - and it is the integrity and completeness of this that is actually supposed to be protected. One remedy is to protect the integrity of the data on layer 7.
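
The second half of Example 2, section-by-section checksums that pass although the message was altered inside an MTA, is shown in the following added Python sketch (not part of the manual). HMAC-SHA256 stands in for the cryptographic checksum; the keys, the message and the single-MTA path are constructed assumptions.

```python
import hashlib
import hmac

# Constructed keys: one per transmission section plus one shared end to end.
K_SECTION_1 = b"sender<->MTA (constructed)"
K_SECTION_2 = b"MTA<->receiver (constructed)"
K_END_TO_END = b"sender<->receiver (constructed)"
TAG_LEN = 32  # size of an HMAC-SHA256 checksum


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def check(key: bytes, data: bytes, received_tag: bytes) -> bool:
    return hmac.compare_digest(tag(key, data), received_tag)


def mta_relay(data: bytes, section_tag: bytes, corrupt: bool):
    """Layer-7 relay: verify section 1, handle the message, re-protect it for section 2."""
    if not check(K_SECTION_1, data, section_tag):
        raise ValueError("section 1 checksum invalid, packet discarded")
    if corrupt:
        # Corruption inside the MTA, after the inbound check and before re-protection.
        data = data.replace(b"100", b"900", 1)
    return data, tag(K_SECTION_2, data)


def deliver(message: bytes, corrupt_in_mta: bool, layer7: bool):
    """Return (verdict at the receiver, message as received)."""
    # Optional layer-7 protection: an end-to-end checksum travels inside the message body.
    body = message + tag(K_END_TO_END, message) if layer7 else message
    data, section_tag = mta_relay(body, tag(K_SECTION_1, body), corrupt_in_mta)
    if not check(K_SECTION_2, data, section_tag):
        return "discarded on layer 4", b""
    if not layer7:
        return "accepted", data
    received, e2e_tag = data[:-TAG_LEN], data[-TAG_LEN:]
    verdict = "accepted" if check(K_END_TO_END, received, e2e_tag) else "rejected on layer 7"
    return verdict, received


MESSAGE = b"Transfer EUR 100 to account 12345"  # constructed sample message

if __name__ == "__main__":
    for corrupt in (False, True):
        for layer7 in (False, True):
            print(f"corrupt={corrupt} layer7={layer7}:", deliver(MESSAGE, corrupt, layer7))
```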

As the examples illustrate, it is essential to investigate precisely the nature of the network topology and to determine which network areas have to be secured, and how, so that an appropriate solution can be found with the desired (security) features.

Section-by-section security <-> end-to-end security

Users of communication systems often expect security services to be provided seamlessly throughout the system (end-to-end security), in other words from the input of information (data, speech, images, text) at terminal A through to output of the information at a remote terminal B. If there is no guarantee of continuous security service, there are other systems apart from the terminal equipment on which the information is present in an insecure form. For example, if there is no end-to-end encryption to safeguard the confidentiality of a communications relationship between two parties, the data is available in unencrypted form in at least one other network element. These network elements must be located, and secured by additional safeguards. In particular, staff who have access to insecure network elements (such as administrators) must be correspondingly trustworthy. In this case security services are not provided seamlessly but section by section. Care must be taken that all relevant sections are appropriately secured.

Multiple protection on various OSI layers

There is no objection to multiple protection of the transmitted information on different layers of the OSI model, provided certain rules are observed. In products that conform to the relevant standards, though, this is implicitly guaranteed. Especially with regard to encryption, it is necessary to apply bracket rules, familiar from school. Accordingly, encryption corresponds to opening a bracket, and decryption to closing a bracket. Between these brackets it is possible, in turn, to apply additional security mechanisms.

Multiple protection can also have a detrimental effect, in that data throughput may be reduced as a result of additional operations or that the amount of user data that can be transmitted is smaller, for the same reason, or that additional data has to be transmitted in order to increase redundancy (for example cryptographic checksums). Multiple protection is also obtained implicitly if data is secured by means of crypto systems before it is transferred, for example in the case of digitally signed documents. This increases the security of the data transfer with respect to the security services used.

Often it is only possible to ensure the security of an entire system by combining several security protocols or security products. If, for example, application-oriented security solutions are available but the trustworthy implementation of these solutions has not been (independently) scrutinised (e.g. by evaluation according to ITSEC or CC), and at the same time there are trustworthy transport-oriented security products available for protecting insecure network sections between remote properties, it may be possible to create an overall security solution to satisfy the requirements by combining the safeguards. Usually the increased administration expenditure and/or higher procurement costs prove disadvantageous in such cases.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999