OSI Security Concern

I have a few questions based on the OSI model and security.
----
For reference:

7-Application
6-Presentation
5-Session
4-Transport
3-Network
2-Data-Link
1-Physical
--------

I am no where near an expert in the topic, but have begun to closley study the open-systems interface face model, and have been very interested in what I have found.

My first question would be, to any one who may be willing to participate in this open-ended discussion... What security risks/issues are commonly associated with what layers?

Thus far, I have found that data encryption resides @ the Layer 6 (Presentation) layer. This concerns me. While this is data manipulation is done very early on the system building the data frames, it is consequently not recognized or 'decrypted' until very late on the recieving system, or the system that is 'un-packing' the information.

I am interested in hearing if anyone is familiar with a Layer 1, or PHYSICAL device, that encrypts information @ lower layers, such as @ the bit level. If it were necessary for any computer to be able to recognize that a data 'group' was indeed a legitimate packet, then this device would not be able to be a layer 1 device, as fields, as well as data fields would be altered(processed) with the encryption algorithm. In this case, the device would need to be a physical, but 'thinking' device (i.e, a layer 2 device).

However, if individual computers were configured with similiar or corresponding devices, then the header fields, as well as data fields, could necesarily be included in the encryption process, and only the computer(s) fitted with the appropriate physical mechanisms would be able to comprehend that these 'information groups' were even legitimate packets. Anyone else, (i.e., unauthenticated or remote users), would simply discard the information, and if used under some sort of connectionless (say, udp-like) standards, would move on, as if the data were never recieved.

If this were so, the only hurdle we would be facing now would be actually using this system in a switched, or rather, routing orientated network topology, as the router interfaces, using the example above, if not fitted properly, would not be able to comprehend the encrypted header fields, and would discard the information.

Please let me hear any thoughts one may have on what I have said.

Thank you.
comJo

Quote:

---

I am interested in hearing if anyone is familiar with a Layer 1, or PHYSICAL device

---

I'm familiar with it - its just cable, be it cat 5/co-ax/serial/whatever, its just cable.

Seriously though, kudos to you for wanting to discuss such an in depth topic - i just don't think this is the place to try and redesign the osi model.

I remember doing this back in the 80's with Telebit modems on direct connections, the modems themselves actually took care of the encryption of the uucp data being transmitted.

I would imagine that the encryption being performed by todays wireless devices would classify as the same.

I think the problem arises that devices not understanding the encryption methods would probably just discard the packets as bad. It would probably only work on point to point links.

cheers

Sorry Petemcevoy, but I happen to like this stuff ;)

Quote:

---

My first question would be, to any one who may be willing to participate in this open-ended discussion... What security risks/issues are commonly associated with what layers?
Thus far, I have found that data encryption resides @ the Layer 6 (Presentation) layer. This concerns me. While this is data manipulation is done very early on the system building the data frames, it is consequently not recognized or 'decrypted' until very late on the recieving system, or the system that is 'un-packing' the information.

---

You're right about the data encryption residing at Layer 6. It indeed is the only 'security' layer...
Data compression for example is a Layer 6 process (be it Compress, GZIP, PKZIP,..)
Encryption / Authentication are the other Layer 6 processes. Different computers handle data in a different way; the function of Layer 6 is to make an abstraction of the data, and provide a key to encode that data on the wire.

The lower Layers are just interested in moving data...

Quote:

---

I am interested in hearing if anyone is familiar with a Layer 1, or PHYSICAL device, that encrypts information @ lower layers, such as @ the bit level.

---

No encryption at Layer 1, only encoding/decoding, modulation/demodulation ...
May I suggest this link on the TLS protocol: " This document specifies Version 1.0 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery"

Quote:

---

If it were necessary for any computer to be able to recognize that a data 'group' was indeed a legitimate packet, then this device would not be able to be a layer 1 device, as fields, as well as data fields would be altered(processed) with the encryption algorithm. In this case, the device would need to be a physical, but 'thinking' device (i.e, a layer 2 device).

However, if individual computers were configured with similiar or corresponding devices, then the header fields, as well as data fields, could necesarily be included in the encryption process, and only the computer(s) fitted with the appropriate physical mechanisms would be able to comprehend that these 'information groups' were even legitimate packets. Anyone else, (i.e., unauthenticated or remote users), would simply discard the information, and if used under some sort of connectionless (say, udp-like) standards, would move on, as if the data were never recieved. If this were so, the only hurdle we would be facing now would be actually using this system in a switched, or rather, routing orientated network topology, as the router interfaces, using the example above, if not fitted properly, would not be able to comprehend the encrypted header fields, and would discard the information

---

Hehe, I like your thinking...
I guess what you suggest would indeed, as Petemcevoy stated, redesign the OSI-model, and that's exactly what the TLS model is about ;)

The wireless medium is coming up in the security world. That is where Layer 1 and 2 security should prove most interesting at this time. An example is the frequency switching schemes that the military and intelligence organizations use being implemented with infrared NICs.

The other thing you could look into is eavesdropping. That is deffinitely classified under the physical layer.

Don't let anyone tell you that fiber optic is secure in any way, it isn't. Give me twenty minutes with a soldering iron, some parts and my trusty schematic notebook and I'll show you how to circumvent Fiber security without downgrading the signal too much.

You've get 20 minutes, a soldering iron, some parts and your trusty schematic notebook, tell us how to circumvent "fiber" optic security without downgrading the signal too much.

Im typing up my notes right now, hold on.

Why do you need to type up notes? If you could do it in 20 minutes then surely you could give us an idea of the methods employed off the top of your head.

Fiber phototransistor Q1 recieves the input signal. It recieves its DC bias through R1(3.9k). Since the wire impeadance and the tap arises problems to signal reception a simple one-transistor amplifier has been added. The amplifier must be configured for the frequency being tapped. This is done through two 5k pots to replace the standard resistors so the device is re-useable. After amplification the signal is sent through the 10k:600 Transformer loaded by R4. The output signal through labeld leads 3 and 4 are connected to another fiber LED to be sent to the mux and recorded. From T1(note to antionline that this is the transformer) the signal should go through a buffer to remove static and further enhace the signal, unfortunately I do not have access to such a schematic so a overly strong signal should suffuce.

Parts include
2 fiber leds (Motorola MFOE71 Ir leds in coupler)
1 fiber phototransistor (Motorola MFOD72 IR in coupler)
2 5k pots or 2 tested resistors

resistors
1 10k
1 3.9k
1 1.2k

capacitors
3 .1 uF coupling
22 pF ceramic
10 uF aluminum electrolyte or tantalum

600:10k trans (Mouser p/n 42TL019)

battery, electronic cutter, pc board..etc.






this is directly from my notes, this stuff comes from a few electronic books such as the amplifier from 'The Encyclopedia of electronic circuits' I'm not sure what volume but I only have the first two. I used 'The Circuit Designers companion' for the layout with some help from a published author(paladin-press) when he was doing an IRC discussion forum.

I will not post the schematics because
1. it will look like crap similar to the old phreaking manuals and
2. I don't want anyone to go around hacking up T1s and it leading back to me

Disclaimer
I am not responsible for anything, including my own actions.

The method is simple and straight-foreward. You woud not belive me unless I posted details.

Granted that a custom pc board takes close to four hrs to burn but this is assuming that you do not need to hide the tap and you can use a generic board. This circuit will, theoretically, have serious problems when frequency, amplitude and...arggh..i cant remember the third type of modulation..ahh anyway when all three types of modulation are used it experiences problems. It, theoretically, works great with digital and even acts as a repeater so with long connections it would probably improve the speed.

The wires have to be electronically cut, then both ends stripped and connected to the couplings. Also note that unless you have a way to configure your mux the same as the other two, the output will look scrambled most of the time. The ideal connection would be baseband that is a few miles long. I didn't say it is perfect.