Technologies de l'information -- Interconnexion de systèmes ouverts (OSI)

General Information

Status
Published
Publication Date
21-Dec-2020
Current Stage
6000 - International Standard under publication
Start Date
22-Dec-2020
Ref Project

Buy Standard

Draft
ISO/IEC DIS 9594-11 - Information technology -- Open systems interconnection directory
English language
77 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 9594-11
ISO/IEC JTC 1/SC 6 Secretariat: KATS
Voting begins on: Voting terminates on:
2019-11-21 2020-02-13
Information technology — Open systems interconnection
— The directory —
Part 11:
Protocol specifications for secure operations
ICS: 35.100.70
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 9594-11:2019(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2019
---------------------- Page: 1 ----------------------
ISO/IEC DIS 9594-11:2019(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 9594-11:2019(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................vi

Introduction ..............................................................................................................................................................................................................................vii

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

2.1 Identical Recommendations | International Standards ....................................................................................... 1

2.2 Other references .................................................................................................................................................................................... 2

3 Terms and definitions ..................................................................................................................................................................................... 2

3.1 OSI Reference Model definitions ............................................................................................................................................. 2

3.2 Directory model definitions ......................................................................................................................................................... 2

3.3 Public-key and attribute certificate definitions .......................................................................................................... 2

3.4 Terms specified by this Recommendation | International Standard ........................................................ 3

4 Abbreviations........................................................................................................................................................................................................... 4

5 Conventions ............................................................................................................................................................................................................... 4

6 Common data types and special cryptographic algorithms .................................................................................... 5

6.1 Introduction .............................................................................................................................................................................................. 5

6.2 Multiple cryptographic algorithm specifications ...................................................................................................... 5

6.2.1 General...................................................................................................................................................................................... 5

6.2.2 Multiple signatures algorithm .............................................................................................................................. 5

6.2.3 Multiple symmetric key algorithm ................................................................................................................... 5

6.2.4 Multiple public-key algorithms ........................................................................................................................... 6

6.2.5 Multiple hash algorithm ............................................................................................................................................ 6

6.2.6 Multiple authenticated encryption algorithm ........................................................................................ 6

6.2.7 Multiple integrity check value algorithm.................................................................................................... 6

6.3 Key establishment algorithms ................................................................................................................................................... 7

6.3.1 General...................................................................................................................................................................................... 7

6.3.2 Diffie-Hellman group 14 algorithm with HKDF-256 ........................................................................ 7

6.3.3 Diffie-Hellman group 23 algorithm with HKDF-256 ........................................................................ 7

6.3.4 Diffie-Hellman group 28 algorithm with HKDF-256 ........................................................................ 8

6.3.5 Key derivation .................................................................................................................................................................... 8

6.4 Multiple cryptographic algorithm-value pairs ............................................................................................................ 9

6.4.1 Multiple digital signatures attached to data ............................................................................................ 9

6.4.2 Duplicate integrity check values attached to data .............................................................................. 9

6.4.3 Formal specification of encryption .................................................................................................................. 9

6.4.4 Formal specification of authenticated encryption .............................................................................. 9

7 General concept for securing protocols.....................................................................................................................................10

7.1 Introduction ...........................................................................................................................................................................................10

7.2 Protected protocol plug-in concept ....................................................................................................................................10

7.3 Communications structure ........................................................................................................................................................10

7.4 Structure of application protocol data unit .................................................................................................................11

7.5 Another view of the relationship between the wrapper protocol and the protected

protocol ......................................................................................................................................................................................................11

7.6 Information and control ...............................................................................................................................................................12

7.7 Exception conditions ......................................................................................................................................................................12

8 Wrapper protocol general concepts ..............................................................................................................................................14

8.1 Introduction ...........................................................................................................................................................................................14

8.2 UTC time specification ...................................................................................................................................................................14

8.3 Use of the SIGNED parameterized data type ..............................................................................................................14

8.4 Use of alternative cryptographic algorithms .............................................................................................................15

8.5 General on establishing shared keys .................................................................................................................................15

8.6 Sequence numbers ...........................................................................................................................................................................15

8.7 Use of invocation identification in the wrapper protocol ...............................................................................15

© ISO/IEC 2019 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 9594-11:2019(E)

8.8 Mapping to underlying services ............................................................................................................................................16

8.9 Definition of protected protocols .........................................................................................................................................16

8.10 Overview of wrapper protocol data units ......... ............................................................................................................16

9 Association management .........................................................................................................................................................................17

9.1 Introduction to association management .....................................................................................................................17

9.2 Association handshake request .............................................................................................................................................17

9.2.1 Association handshake request syntax .....................................................................................................17

9.3 Association accept .............................................................................................................................................................................19

9.3.1 Association handshake accept syntax ........................................................................................................19

9.4 Association reject due to security issues .......................................................................................................................20

9.5 Association reject by the protected protocol .............................................................................................................21

9.6 Handshake security abort ..........................................................................................................................................................22

9.7 Handshake abort by protected protocol ........................................................................................................................23

9.8 Data transfer security abort .....................................................................................................................................................23

9.9 Abort by protected protocol .....................................................................................................................................................24

9.10 Release request WrPDU ...............................................................................................................................................................24

9.11 Release response WrPDU............................................................................................................................................................25

10 Data transfer phase ........................................................................................................................................................................................25

10.1 Symmetric keys renewal ..............................................................................................................................................................25

10.2 Data transfer by the requestor ...............................................................................................................................................25

10.3 Data transfer by the acceptor ..................................................................................................................................................27

11 Wrapper error handling ............................................................................................................................................................................28

11.1 General ........................................................................................................................................................................................................28

11.2 Checking of a wrapper handshake request .................................................................................................................28

11.2.1 General...................................................................................................................................................................................28

11.2.2 Digital signature checking ....................................................................................................................................28

11.2.3 Checking of the to-be-signed part ..................................................................................................................29

11.3 Checking of a wrapper handshake accept ....................................................................................................................30

11.3.1 General...................................................................................................................................................................................30

11.3.2 Digital signature checking ....................................................................................................................................30

11.3.3 Checking of the to-be-signed part ..................................................................................................................30

11.4 Checking of data transfer WrPDUs .....................................................................................................................................31

11.4.1 General...................................................................................................................................................................................31

11.4.2 Mode checking ................................................................................................................................................................31

11.4.3 Integrity checking ........................................................................................................................................................32

11.4.4 Checking of common components for AadReq and AadAcc data values ......................32

11.4.5 AadReq data value specific checking ...........................................................................................................32

11.4.6 AadAcc data value specific checking ............................................................................................................32

11.5 Wrapper error codes.......................................................................................................................................................................32

12 Authorization and validation list management ................................................................................................................34

12.1 General on authorization validation management ...............................................................................................34

12.1.1 Introduction ......................................................................................................................................................................34

12.1.2 Invocation identification ........................................................................................................................................34

12.2 Defined protected protocol data unit (PrPDU) types .........................................................................................34

12.3 Authorization and validation management protocol initialization request ...................................34

12.4 Authorization and validation management protocol initialization accept ......................................35

12.5 Authorization and validation management protocol initialization reject ........................................35

12.6 Authorization and validation management protocol initialization abort .........................................35

12.7 Add authorization and validation list ...............................................................................................................................36

12.8 Replace authorization and validation list .....................................................................................................................37

12.9 Delete authorization and validation list .........................................................................................................................38

12.10 Authorization and validation list reject ..........................................................................................................................39

12.11 Authorization and validation list error codes ...........................................................................................................39

13 C ertification authority subscription protocol.....................................................................................................................41

13.1 Certification authority subscription intr oduction .................................................................................................41

13.2 Overview of protocol data units ............................................................................................................................................41

iv © ISO/IEC 2019 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 9594-11:2019(E)

13.3 Certification authority subscription pr otocol initialization request .....................................................41

13.4 Certification authority subscription pr otocol initialization accept ........................................................42

13.5 Certification authority subscription pr otocol initialization reject ..........................................................42

13.6 Certification authority subscription pr otocol initialization abort ..........................................................42

13.7 Public-key certificate subscription .....................................................................................................................................42

13.8 Public-key certificate un-subscription ............................................................................................................................44

13.9 Public-key certificate replacements ..................................................................................................................................46

13.10 End-entity public-key certificate updates ....................................................................................................................47

13.11 Certification authority subscription r eject ..................................................................................................................49

13.12 Certification authority subscription err or codes ...................................................................................................49

14 Trust broker protocol ...................................................................................................................................................................................50

14.1 Introduction ...........................................................................................................................................................................................50

14.2 Defined protocol data unit (PDU) types .........................................................................................................................50

14.3 Trust broker request syntax .....................................................................................................................................................50

14.4 Trust broker response syntax .................................................................................................................................................50

14.5 Trust broker error information .............................................................................................................................................51

Annex A Crypto Tools in ASN.1 ...............................................................................................................................................................................53

Annex B Wrapper protocol in ASN.1 ................................................................................................................................................................56

Annex C Protected protocol interface to the wrapper protocol ..........................................................................................61

Annex D Authorization and validation list management in ASN.1 ...................................................................................63

Annex E Certification authority subscription in ASN.1 ................................................................................................................66

Annex F Trust broker in ASN.1 ..............................................................................................................................................................................70

Annex G Migration of cryptographic algorithms ................................................................................................................................72

Bibliography .............................................................................................................................................................................................................................77

© ISO/IEC 2019 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC DIS 9594-11:2019(E)
Foreword

Recommendation ITU-T X.509PROT | ISO/IEC 9594-11 specifies a general protocol, called the wrapper

protocol, that provides cyber security for protocols designed for protection by the wrapper protocol.

The wrapper protocol provides authentication, integrity and optionally confidentiality (encryption).

The wrapper protocol allows cyber security to be provided independently of the protected protocols,

which means that the security may enhanced without affecting protected protocol specifications.

The wrapper protocol is designed for easy migration of cryptographic algorithms, as stronger

algorithms become necessary.

Recommendation ITU-T X.509PROT | ISO/IEC 9594-11 contains specifications for how other

Recommendations and International Standards may include features for migration of cryptographic

algorithms, and it includes ASN.1 specifications to be imported for that purpose.

Recommendation ITU-T X.509PROT | ISO/IEC 9594-11 also specifies three protocols that make use of

the protection of the wrapper protocol. This includes a protocols provide for maintaining authorization

and validation lists, a protocol for subscribing of public-key certificate status and a protocol for

accessing a trust broker.
Keywords

Cryptography; cryptographic algorithm; digital signature; public-key certificate; certification

authority: distinguished name; PKI, trust anchor; validation.
vi © ISO/IEC 2019 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC DIS 9594-11:2019(E)
Introduction

The Internet Engineering Task Force (IETF) maintains a substantial set of protocols for supporting

public-key infrastructure (PKI). This Specification provides protocols to supplement those protocols

developed by IETF, especially for:

a) supporting new functions specified by Rec. ITU-T X.509 | ISO/IEC 9594-8, for which IETF has not

provided support; and
b) constrained environments, where lean protocols are required.
In addition, it specifies:
c) a wrapper protocol that provides security services for other protocols.
This Recommendation | International Standard consist of three sections:

Section 1 gives general specifications for this Recommendation | International Standard.

Section 2 is the wrapper protocol specification.
Section 3 specifies some protocols to be protected by the wrapper protocol:
a) A protocol for maintaining authorization and validation lists (AVLs).

b) A protocol for subscribing public-key certificate status information from CAs.

c) A protocol for accessing a trust broker.
The following annexes are included:

Annex A, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for specifications to be imported by protocols providing a migration path for cryptographic

algorithms.

Annex B, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for the wrapper protocol.

Annex C, which is an integral part of this Recommendation | International Standard, provides

specifications for how a protected protocol is wrapped by the wrapper protocol.

Annex D, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for maintenance of the authorization and validation lists (AVLs) protocol.

Annex E, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for certification authority subscription protocol.

Annex F, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for the trust broker protocol.

Annex G, which is not an integral part of this Recommendation | International Standard, provides

guidance for cryptographic algorithm migration.
© ISO/IEC 2019 – All rights reserved vii
---------------------- Page: 7 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 9594-11:2019(E)
Information technology — Open systems interconnection
— The directory —
Part 11:
Protocol specifications for secure operations
SECTION 1 – GENERAL
1 Scope
The scope of this Recommendation | International Standard is threefold:

It provides guidance for how to prepare new and old protocols for cryptographic algorithm migration.

It defines auxiliary cryptographic algorithms to be used for migration purposes

The scope includes a general wrapper protocol that provides authentication, integrity and

confidentiality (encryption) protection for other protocols. This wrapper protocol includes a migration

path for cryptographic algorithms. Protected protocols can then be developed without taking security

and cryptographic algorithms into consideration.

The scope also includes some protocols to be protected by the wrapper protocol primarily for support

of PKI. Other specifications, e.g., Recommendations or International Standards, may also develop

protocols designed to be protected by the wrapper protocol.
2 Normative references
The following Recommendations and International Standards c
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.