Understanding ISO/IEC 10745:2004 – The Upper Layers Security Model for Open Systems Interconnection

A comprehensive technical overview of the international standard that defines the security architecture for the Application, Presentation, and Session layers.

Scope and Overview

ISO/IEC 10745:2004, titled Information technology — Open Systems Interconnection — Upper layers security model, is a key international standard that defines a comprehensive security model for the upper layers (Session, Presentation, and Application) of the OSI reference model. It is part of the broader OSI security architecture framework established by ISO/IEC 7498-2. The standard provides a generic, abstract model for describing the provision of security services at or above the Session Layer, independent of any particular implementation or protocol.

This standard is intended for designers, implementers, and evaluators of secure communication systems that rely on OSI upper layer protocols. It addresses the need for interoperable security across different vendors’ products by establishing a common terminology, a structured set of security services and mechanisms, and a consistent method for describing how these services are realized.

Technical Requirements and Architectural Model

Security Services and Their Provision

ISO/IEC 10745:2004 identifies a core set of security services that can be provided by the upper layers. These services align with those defined in ISO/IEC 7498-2 but are elaborated specifically for layers 5 through 7. The standard describes which services are naturally provided at each layer, as summarized in the table below.

Security Service     | Primary Layer Provision    | Typical Mechanisms
---------------------|----------------------------|-----------------------------------------------------------
Authentication       | Session / Application      | Exchange authentication, digital signatures, certificates
Access Control       | Application                | Access control lists, security labels, capabilities
Data Confidentiality | Presentation / Application | Encryption algorithms (symmetric, asymmetric)
Data Integrity       | Session / Presentation     | Message authentication codes (MACs), hash functions
Non-repudiation      | Application                | Digital signatures, notarization, audit trails

The standard also covers the concept of Security Context — the collection of security information and attributes that governs an association between two or more entities. Management of security contexts, including establishment, maintenance, and termination, is explicitly modeled.

Security Mechanisms and Layering

ISO/IEC 10745:2004 defines a variety of security mechanisms that can be applied at the upper layers. These include encipherment, digital signature mechanisms, access control mechanisms, data integrity mechanisms, authentication exchanges, traffic padding, routing control, and notarization. The standard explains how each mechanism maps to the security services and outlines the interactions between mechanisms when multiple services are required.

Tip: When implementing ISO/IEC 10745:2004, consider leveraging modern protocol implementations such as TLS and Kerberos, which embody many of the abstract services and mechanisms described in the standard. This can accelerate development and improve interoperability.
Caution: The standard provides an abstract model. Implementers must carefully map abstract security services to concrete protocol elements to avoid omissions that could introduce vulnerabilities.

Implementation Highlights

Integrating the Security Model with Upper Layer Protocols

Implementation of ISO/IEC 10745:2004 typically occurs within the framework of an Upper Layers Security Protocol, such as ISO/IEC 11577 (Transport Layer Security Protocol) or through security extensions in OSI application protocols (e.g., ISO/IEC 9594-8 for directory authentication). The standard defines three key architectural concepts:

  • Security Exchange — the sequence of data units exchanged to establish security context or to provide a security service.
  • Security Context — the set of security attributes applicable to a specific communication association.
  • Security Association — a relationship between two or more entities that share security context.

The implementation must manage these concepts at the appropriate layers. For example, session layer security exchanges may occur during connection establishment, while application layer security may be required continuously during data transfer.

Benefit: Adherence to ISO/IEC 10745:2004 promotes interoperability between different vendors’ upper layer security implementations by providing a consistent reference model and clearly defined service interfaces.

Relationship with Lower Layer Security

ISO/IEC 10745:2004 assumes that security provisions may also exist at layers below the Session Layer (especially the Network Layer, as defined in ISO/IEC 7498-2). The standard explicitly considers how upper layer security services interact with lower layer services. For example, confidentiality provided at the network layer may reduce the need for presentation layer encryption, but does not replace application-layer non-repudiation.
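As an added illustration (not code from the standard or from any implementation of it), the following Python sketch models the context management described under "Integrating the Security Model" together with the layer interaction noted here: a security exchange establishes a security context only when every required service is realised by a mechanism at a layer the model allows, so network-layer encipherment covers confidentiality but does not satisfy application-layer non-repudiation. The service-to-layer rule set, the mechanism names and the scenario are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum

Layer = Enum("Layer", {"NETWORK": 3, "SESSION": 5, "PRESENTATION": 6, "APPLICATION": 7})

# Layers at which each service may be provided, following the table above and the
# note that network-layer confidentiality counts. An assumed rule set, not standard text.
ALLOWED_LAYERS = {
    "authentication": {Layer.SESSION, Layer.APPLICATION},
    "access_control": {Layer.APPLICATION},
    "confidentiality": {Layer.NETWORK, Layer.PRESENTATION, Layer.APPLICATION},
    "integrity": {Layer.SESSION, Layer.PRESENTATION},
    "non_repudiation": {Layer.APPLICATION},
}

@dataclass(frozen=True)
class Mechanism:
    name: str      # e.g. "network-layer encipherment" (constructed label)
    service: str   # service it realises (a key of ALLOWED_LAYERS)
    layer: Layer   # layer at which it operates

@dataclass
class SecurityContext:
    """Security attributes of one association; state goes proposed -> established -> terminated."""
    required: frozenset
    mechanisms: tuple = ()
    state: str = "proposed"

def coverage_gaps(required, mechanisms):
    """Required services that no offered mechanism provides at an allowed layer."""
    covered = {m.service for m in mechanisms if m.layer in ALLOWED_LAYERS.get(m.service, ())}
    return sorted(required - covered)

def security_exchange(ctx, offered):
    """One exchange: check the responder's mechanisms; establish the context only with full coverage."""
    gaps = coverage_gaps(ctx.required, offered)
    if gaps:
        return {"accepted": False, "gaps": gaps}   # ctx stays "proposed"
    ctx.mechanisms, ctx.state = tuple(offered), "established"
    return {"accepted": True, "gaps": []}

def demo():
    """Constructed scenario: non-repudiation stays uncovered until an application-layer signature is offered."""
    ctx = SecurityContext(frozenset({"authentication", "confidentiality", "non_repudiation"}))
    offered = [Mechanism("network-layer encipherment", "confidentiality", Layer.NETWORK),
               Mechanism("session authentication exchange", "authentication", Layer.SESSION)]
    first = security_exchange(ctx, offered)     # rejected, gaps == ["non_repudiation"]
    offered.append(Mechanism("application digital signature", "non_repudiation", Layer.APPLICATION))
    second = security_exchange(ctx, offered)    # accepted, ctx.state == "established"
    return first, second, ctx.state
```

A mechanism offered at a layer the rule set does not allow for its service (integrity at the network layer, for instance) is ignored by `coverage_gaps`, which is how the Caution above about omissions in the abstract-to-concrete mapping surfaces in the check.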

Warning: Relying solely on the OSI upper layers security model without addressing lower layer protections (e.g., network-layer access control or encryption) can leave systems vulnerable to attacks that bypass the upper layers, such as packet sniffing or session hijacking at the transport level.

Compliance and Conformance

Conformance Requirements

ISO/IEC 10745:2004 is a normative model; conformance is typically claimed in conjunction with specific protocol standards that implement the model (e.g., conformance to an Upper Layers Security Protocol that itself conforms to this model). The standard does not define compliance tests on its own, but it specifies the information that must be included in a Protocol Implementation Conformance Statement (PICS) for any security-related protocol that claims alignment with the model.

Testing and Evaluation Considerations

Evaluating conformance to ISO/IEC 10745:2004 involves checking that the implementation correctly realizes the security services and mechanisms as described. Test plans should address:

  • Correct establishment and management of security contexts.
  • Proper selection and combination of security mechanisms for each service.
  • Interoperability with other implementations that claim conformance.
  • Consistency with the security architecture defined in ISO/IEC 7498-2.

Frequently Asked Questions

Q: What is the primary purpose of ISO/IEC 10745:2004?
A: The standard provides an abstract security model for the upper layers (Session, Presentation, Application) of the OSI reference model. It defines common terminology, security services, mechanisms, and a method for describing how security is provided in communication systems that use those layers.
Q: How does ISO/IEC 10745:2004 relate to other OSI security standards?
A: It builds directly upon the security services and categories defined in ISO/IEC 7498-2 (OSI Security Architecture). It also complements protocol-specific standards such as ISO/IEC 11577 (Upper Layers Security Protocol) and provides a foundation for security in application layer standards like ISO/IEC 9594-8.
Q: Is ISO/IEC 10745:2004 still relevant given modern protocols like TLS?
A: Yes. Although TLS and similar protocols have become dominant, the abstract model of security services and layering in ISO/IEC 10745:2004 remains valuable for understanding how security functions can be organized and provided across different layers. It aids in analyzing security requirements for new protocols and ensuring consistent coverage.
Q: What are the main challenges when implementing this standard today?
A: The main challenges include mapping the abstract model to concrete, modern protocol stacks; ensuring alignment with existing security infrastructure (e.g., PKI); and addressing environments that do not strictly follow the OSI layered architecture (e.g., TCP/IP). Despite these challenges, the standard’s conceptual framework remains a useful tool for security architects.

© 2026 – Technical Overview of ISO/IEC 10745:2004. This article is for informational purposes and does not substitute the official standard text.
