The distributed nature of the MHS makes it vulnerable to various types of security threats. This section describes the nature of these threats, and concludes with a table that correlates each threat with the MHS security service that counters it.
The principal threats to the MHS can be divided into two categories: inter-message threats and intra-message threats. Inter-message threats arise from parties external to the message communication, and include masquerade, message modification, message sequencing threats, and leakage of information.
Masquerade occurs when an entity successfully pretends to be a different entity. The following examples illustrate two types of masquerade to which the MHS is vulnerable. First, an unauthorized UA may impersonate an authorized UA to gain access to an MTA. Once access is gained, the unauthorized UA can falsely originate messages, falsely acknowledge receipt of messages, or simply discard messages. Second, an unauthorized MTA can impersonate an authorized MTA to misroute messages, or discard messages submitted for delivery.
Message modification occurs when a message is changed by an unauthorized party. Unauthorized changes apply to the message content, addressing information, security labels, and other message attributes. This threat also includes the destruction of an entire message.
Message sequencing threats jeopardize the ordering of messages. They include the reordering and replaying of messages.
Leakage of information occurs when an unauthorized party gains information by monitoring transmissions. The unauthorized party can learn of the content of messages, or of the parties involved in the message transfers. An unauthorized party can also gain information by analyzing the message traffic between two users.
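The message modification and message sequencing threats described above can be told apart at the receiving end. The following is an added example, not part of the original text and not the MHS's own mechanism: it assumes a keyed MAC over each message and a sequence number per originator/recipient pair, and the names `seal`, `Receiver` and `classify` and the sample addresses are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed value, for illustration only

@dataclass(frozen=True)
class Message:
    originator: str
    recipient: str
    seq: int            # assumed sequence number per originator/recipient pair
    content: bytes
    tag: bytes = b""

def _mac(m: Message) -> bytes:
    # Cover addressing and sequence number as well as content, because the
    # modification threat applies to message attributes, not only to content.
    # NUL separators assume addresses never contain a NUL byte.
    data = b"\x00".join([m.originator.encode(), m.recipient.encode(),
                         str(m.seq).encode(), m.content])
    return hmac.new(KEY, data, hashlib.sha256).digest()

def seal(originator: str, recipient: str, seq: int, content: bytes) -> Message:
    m = Message(originator, recipient, seq, content)
    return replace(m, tag=_mac(m))

class Receiver:
    def __init__(self):
        self.seen = {}  # (originator, recipient) -> accepted sequence numbers

    def classify(self, m: Message) -> str:
        if not hmac.compare_digest(m.tag, _mac(m)):
            return "modified"       # content or attributes changed in transit
        seen = self.seen.setdefault((m.originator, m.recipient), set())
        if m.seq in seen:
            return "replayed"       # an already accepted message sent again
        verdict = "reordered" if seen and m.seq < max(seen) else "ok"
        seen.add(m.seq)
        return verdict

def demo():
    # Constructed traffic between two hypothetical user agents.
    m1, m2, m3 = (seal("ua-a", "ua-b", n, b"body %d" % n) for n in (1, 2, 3))
    rx = Receiver()
    redirected = replace(m3, recipient="ua-c")  # addressing altered, tag kept
    return [rx.classify(m) for m in (m1, m3, m2, m1, redirected)]

if __name__ == "__main__":
    print(demo())
```

Destruction of an entire message leaves nothing to classify; it would only show up as a sequence number that never arrives.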
The second category of threats is intra-message threats. Intra-message threats are those performed by the parties involved in the message communication. Intra-message threats include repudiation and security level violations.
Repudiation occurs when an MTA or MTS user (i.e., a User Agent, Message Store, or Access Unit) denies performing a specific action. Repudiation threats include an MTS user denying the origination or delivery of a message, and an MTA denying the submission of a message.
Security level violations are threats relating to security labels. Security labels are data structures which permit the classification of a message, or a communicating party within the MHS, in terms of a security level (e.g., "Secret"). An example of a security level violation is an originator submitting a message with a security label that it is not authorized to generate.
The threats described above are reproduced below in Table 11.1. Associated with each threat is the MHS security service or services that counter it. These services are described in detail in section 11.6.
Table 11.1: MHS Threats and Their Countermeasures