Joos Vandewalle

Efficient Realisation of Security Services in the Osi-Rm

The IS0 Reference Model for Open Systems Interconnection (0%-RM) enables Application Processes (APs) on different computersystems to exchange information. In case sensitive infomation is exchanged, APs will intend to protect their information according to their respective security policies. In this article the assumption is made that the security policies of the APs intending to communicate are the same: they are defmed by the Bell-LaPadula model. I t is investigated how the OSI-security services can help in realising a security policy defined by the Bell-LaPadula model. I t turned out that enforcement of the BellLaPadula security policy on a network wide basis not only requires the confidentiality service to be implemented. Also integrity services are important in order to prevent undetected modification of the sensitivity class of the data transferred. To deal with the considerable amount of cryptographic mechanisms which can be applied, we chose to indicate them globally: it is specified what keys can be used by each AP. Thus it follows what key is available for enciphering information or for providing the integrity of informat ion. Several distributions of keys emerge, all of them able to support the B-LP-model. A selection out of these is made, after discussing their strong and weak points. For both individuals and companies, it is essential that they can exchange and receive information. Several ways can be used to do this e.g. by talking or by writing. Electronic exchange of messages (by means of e-mail for example) is also a possibility. As information can be very critical and important for individuals and certainly for companies, it is of the utmost importance that they keep control over it. Therefore the possessor of information has a security policy i.e. a set of laws, rules and practices that regulate how sensitive information is to be managed, protected and distributed. As these rules are written in a natural language, they are in general susceptible to multiple interpretations on specific points. To avoid this ambiguity, the policy needs to be restated in a formal language thus resulting in a so called formal security policy model (FSPM). The Bell-LaPadula (B-LP) model [l] is an example of a FSPM. The security policy needs to be fulfilled independent of the configuration which is used to transfer the information. More specifically, one can imagine a stand-alone configuration where communication takes place between two Application Processes (APs) which are both resident on the (same) machine. It is also possible that APs are running on different end-systems which are connected by means of public telecommuni-