ISO/IEC 9594-12:2025
Information technology — Open systems interconnection — Part 12: The Directory: Key management and public-key infrastructure establishment and maintenance
This Recommendation | International Standard supplements Rec. ITU-T X.509 | ISO/IEC 9594-8 and Rec. ITU-T X.510 | ISO/IEC 9594-11 by providing an extended description of cryptographic algorithms and guidance in establishment and maintenance of a public-key infrastructure (PKI). It is outside the scope of this Recommendation | International Standard to define new cryptographic algorithms, but it is within scope to discuss already-defined cryptographic algorithms that provide optimal protection, including future protection against attacks using powerful quantum computers. This Recommendation | International Standard specifies how public-key infrastructure (PKI) may be adapted to support machine-to-machine (M2M) communication, e.g., smart grid and Internet of things (IoT), to allow interworking. This Recommendation | International Standard specifies the procedures for establishment and maintenance of a PKI supporting new areas, such as intelligent electricity network (smart grid) and industrial Internet of things.
Information technology — Open systems interconnection (OSI) — Part 12: Title missing
Standards Content (Sample)
International Standard
ISO/IEC 9594-12
First edition
2025-05
Information technology — Open systems interconnection — Part 12: The Directory: Key management and public-key infrastructure establishment and maintenance
Reference number
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members
of ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of
document should be noted.
ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of
(a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed
patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received
notice of (a) patent(s) which may be required to implement this document. However, implementers are
cautioned that this may not represent the latest information, which may be obtained from the patent database
available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for
identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by ITU-T as ITU-T X.508 (10/2024) and drafted in accordance with its editorial
rules, in collaboration with Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 6, Telecommunications and information exchange between systems.
A list of all parts in the ISO/IEC 9594 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
INTERNATIONAL STANDARD ISO/IEC 9594-12
RECOMMENDATION ITU-T X.508
Information technology – Open Systems Interconnection – The Directory: Key management
and public-key infrastructure establishment and maintenance
Summary
Recommendation ITU-T X.508 | ISO/IEC 9594-12 is intended to fill the gap between Recommendation ITU-T X.509 |
ISO/IEC 9594-8 and Recommendation ITU-T X.510 | ISO/IEC 9594-11 by giving a description of selected cryptographic
algorithms with references to more detailed specifications. To establish the theory behind the cryptographic algorithms, an
informative annex gives an introduction to the supporting mathematics. Also, some considerations on migration to post-quantum
algorithms are included.
Section 3 provides a best practice guideline for establishing and maintaining a public-key infrastructure (PKI) with
emphasis on environments outside the traditional PKI environments, such as guidance for establishing a PKI for networks
of Internet of things (IoT) and smart grid.
History *
Edition  Recommendation  Approval    Study Group  Unique ID
1.0      ITU-T X.508     2024-10-29  17           11.1002/1000/16196
Keywords
Authenticated encryption, authentication, block cipher, confidentiality, cryptography, encryption, information security,
mode of operation.
____________________
* To access the Recommendation, type the URL https://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID.
Rec. ITU-T X.508 (10/2024)
FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications, and information and communication technologies (ICTs). The ITU Telecommunication
Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical,
operating and tariff questions and issuing Recommendations on them with a view to standardizing
telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes
the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are
prepared on a collaborative basis with ISO and IEC.
NOTE
In this Recommendation, the expression "Administration" is used for conciseness to indicate both a
telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain
mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the
Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other
obligatory language such as "must" and the negative equivalents are used to express requirements. The use of
such words does not suggest that compliance with the Recommendation is required of any party.
INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve
the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or
applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of
the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property,
protected by patents/software copyrights, which may be required to implement this Recommendation.
However, implementers are cautioned that this may not represent the latest information and are therefore
strongly urged to consult the appropriate ITU-T databases available via the ITU-T website at
https://www.itu.int/ITU-T/ipr/.
© ITU 2025
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior
written permission of ITU.
CONTENTS
1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in technical content
2.3 Recommendations
2.4 International Standards
2.4 Additional references
3 Definitions
3.1 Terms defined elsewhere
3.2 Terms defined in this Recommendation | International Standard
4 Abbreviations
5 Conventions
6 Cybersecurity considerations for communication networks
6.1 The challenge of large information and communication technology (ICT) networks
6.2 Connection-mode communication
6.2.1 General
6.2.2 Association establishment phase
6.2.3 Data transfer phase
6.2.4 Association termination phase
6.3 Security services
7 Overview of cryptographic algorithms
7.1 Introduction
7.2 Formal specification of cryptographic algorithms
7.3 Security properties of cryptographic algorithms
7.4 Security strength
7.5 One-way functions
7.6 Random number generation and entropy
8 Symmetric-key algorithms
8.1 General
8.2 Symmetric key encryption
8.3 Authenticated encryption with associated data (AEAD)
8.4 Symmetric key requirements
9 Hash algorithms
10 Public key and asymmetric cipher
10.1 Public-key cryptography
10.2 Asymmetric cipher
11 Public key and digital signature algorithms
11.1 General
12 Key establishment algorithms
13 Integrity check value (ICV) algorithms
14 Post-quantum cryptography considerations
14.1 General considerations
14.2 Crypto agility
14.3 Quantum computers and cryptographic algorithm migration
14.4 Possible attacks by use of quantum computers
14.4.1 Symmetric cryptographic algorithms
...