Information technology — Open systems interconnection directory — Part 11: Protocol specifications for secure operations

The scope of this Recommendation | International Standard is threefold. This Recommendation | International Standard provides guidance on how to prepare new and old protocols for cryptographic algorithm migration, and defines auxiliary cryptographic algorithms to be used for migration purposes. This Recommendation | International Standard specifies a general wrapper protocol that provides authentication, integrity and confidentiality (encryption) protection for other protocols. This wrapper protocol includes a migration path for cryptographic algorithms allowing for smooth migration to stronger cryptographic algorithms as such requirements evolve. This will allow migration to quantum-safe cryptographic algorithms. Protected protocols can then be developed without taking security and cryptographic algorithms into consideration. This Recommendation | International Standard also includes some protocols to be protected by the wrapper protocol primarily for support of public-key infrastructure (PKI). Other specifications, e.g., Recommendations or International Standards, may also develop protocols designed to be protected by the wrapper protocol.

Technologies de l'information — Interconnexion de systèmes ouverts (OSI) — Partie 11: Titre manque

General Information

Status
Published
Publication Date
21-Dec-2020
Current Stage
6060 - International Standard published
Start Date
22-Dec-2020
Completion Date
22-Dec-2020
Ref Project

Buy Standard

Standard
ISO/IEC 9594-11:2020 - Information technology -- Open systems interconnection directory
English language
84 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 9594-11
First edition
2020-12
Information technology — Open
systems interconnection directory —
Part 11:
Protocol specifications for secure
operations
Reference number
ISO/IEC 9594-11:2020(E)
ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC 9594-11:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 9594-11:2020(E)
INTERNATIONAL STANDARD ISO/IEC 9594-11
RECOMMENDATION ITU-T X.510
Information technology – Open Systems Interconnection –
The Directory: Protocol specifications for secure operations
Summary

Recommendation ITU-T X.510 | ISO/IEC 9594-11 specifies a general protocol, called the wrapper protocol, that provides

cybersecurity for protocols designed for its protection. The wrapper protocol provides authentication, integrity and

optionally confidentiality (encryption). The wrapper protocol allows cybersecurity to be provided independently of the

protected protocols, which means that security may be enhanced without affecting protected protocol specifications.

The wrapper protocol is specified without specifying specific cryptographic algorithms, but is designed for plucking-in

cryptographic algorithms as required.

The wrapper protocol is designed for easy migration of cryptographic algorithms, as stronger cryptographic algorithms

become necessary.

Recommendation ITU-T X.510 | ISO/IEC 9594-11 contains recommendations for how other Recommendations and

International Standards may include features for migration of cryptographic algorithms, and it includes ASN.1

specifications to be applied for that purpose.

Recommendation ITU-T X.510 | ISO/IEC 9594-11 also specifies three protocols that make use of the wrapper protocol

protection. This includes a protocol for maintenance of authorization and validation lists (AVLs), a protocol for subscribing

of public-key certificate status and a protocol for accessing a trust broker.
History
Edition Recommendation Approval Study Group Unique ID
1.0 ITU-T X.510 2020-08-22 17 11.1002/1000/14320
Keywords

Certification authority, cryptography, cryptographic algorithm, digital signature, public-key certificate, PKI, quantum-safe,

trust anchor, validation.

To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the

Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.510 (08/2020) i
---------------------- Page: 3 ----------------------
ISO/IEC 9594-11:2020(E)
FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of

telecommunications, information and communication technologies (ICTs). The ITU Telecommunication

Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical,

operating and tariff questions and issuing Recommendations on them with a view to standardizing

telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes

the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are

prepared on a collaborative basis with ISO and IEC.
NOTE

In this Recommendation, the expression "Administration" is used for conciseness to indicate both a

telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain

mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the

Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other

obligatory language such as "must" and the negative equivalents are used to express requirements. The use of

such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve

the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or

applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of

the Recommendation development process.

As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected

by patents, which may be required to implement this Recommendation. However, implementers are cautioned

that this may not represent the latest information and are therefore strongly urged to consult the TSB patent

database at http://www.itu.int/ITU-T/ipr/.
 ITU 2020

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior

written permission of ITU.
© ISO/IEC 2020 – All rights reserved
ii Rec. ITU-T X.510 (08/2020)
---------------------- Page: 4 ----------------------
ISO/IEC 9594-11:2020(E)
CONTENTS
Page

SECTION 1 – GENERAL ......................................................................................................................................... 1

1 Scope .............................................................................................................................................................. 1

2 Normative references ..................................................................................................................................... 1

2.1 Identical Recommendations | International Standards ........................................................................ 1

2.2 Other references .................................................................................................................................. 1

3 Definitions ...................................................................................................................................................... 2

3.1 OSI Reference Model definitions ........................................................................................................ 2

3.2 Directory model definitions ................................................................................................................ 2

3.3 Public-key and attribute certificate definitions .................................................................................... 2

3.4 Terms specified by this Recommendation | International Standard .................................................... 2

4 Abbreviations ................................................................................................................................................. 3

5 Conventions .................................................................................................................................................... 4

6 Common data types and special cryptographic algorithms ............................................................................ 4

6.1 Introduction ......................................................................................................................................... 4

6.2 ASN.1 information object class specification tool .............................................................................. 4

6.3 Multiple-cryptographic algorithm specifications ................................................................................ 6

6.4 Key establishment algorithms ............................................................................................................. 7

6.5 Multiple-cryptographic algorithm-value pairs .................................................................................... 9

6.6 Formal specification of encipherment ................................................................................................. 11

7 General concepts for securing protocols......................................................................................................... 11

7.1 Introduction ......................................................................................................................................... 11

7.2 Protected protocol plug-in concept...................................................................................................... 12

7.3 Communications structure................................................................................................................... 12

7.4 Another view of the relationship between the wrapper protocol and the protected protocol .............. 12

7.5 Structure of application protocol data unit .......................................................................................... 13

7.6 Exception conditions ........................................................................................................................... 13

SECTION 2 – THE WRAPPER PROTOCOL .......................................................................................................... 14

8 Wrapper protocol general concepts ................................................................................................................ 14

8.1 Introduction ......................................................................................................................................... 14

8.2 UTC time specification ....................................................................................................................... 14

8.3 Use of alternative cryptographic algorithms ....................................................................................... 14

8.4 General on establishing shared keys ................................................................................................... 14

8.5 Sequence numbers ............................................................................................................................... 15

8.6 Use of invocation identification in the wrapper protocol .................................................................... 15

8.7 Mapping to underlying services .......................................................................................................... 15

8.8 Definition of protected protocols ........................................................................................................ 15

8.9 Overview of wrapper protocol data units ............................................................................................ 15

9 Association management ................................................................................................................................ 16

9.1 Introduction to association management ............................................................................................. 16

9.2 Association handshake request ............................................................................................................ 16

9.3 Association accept ............................................................................................................................... 18

9.4 Association reject due to security issues ............................................................................................. 19

9.5 Association reject by the protected protocol ....................................................................................... 20

9.6 Handshake security abort .................................................................................................................... 21

9.7 Handshake abort by protected protocol ............................................................................................... 21

9.8 Data transfer security abort ................................................................................................................. 22

9.9 Abort by protected protocol ................................................................................................................ 22

9.10 Release request WrPDU ...................................................................................................................... 23

9.11 Release response WrPDU ................................................................................................................... 23

9.12 Release collision.................................................................................................................................. 24

© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.510 (08/2020) iii
---------------------- Page: 5 ----------------------
ISO/IEC 9594-11:2020(E)
Page

10 Data transfer phase ......................................................................................................................................... 24

10.1 Symmetric keys renewal ..................................................................................................................... 24

10.2 Data transfer by the client ................................................................................................................... 24

10.3 Data transfer by the server .................................................................................................................. 26

11 Information flow ............................................................................................................................................. 28

11.1 Purpose and general model ................................................................................................................. 28

11.2 Protected protocol SAOC .................................................................................................................... 29

11.3 Wrapper SAOC ................................................................................................................................... 29

12 Wrapper error handling .................................................................................................................................. 32

12.1 General ................................................................................................................................................ 32

12.2 Checking of a wrapper handshake request .......................................................................................... 32

12.3 Checking of a wrapper handshake accept ........................................................................................... 33

12.4 Checking of data transfer WrPDUs ..................................................................................................... 34

12.5 Wrapper diagnostic codes ................................................................................................................... 36

SECTION 3 – PROTECTED PROTOCOLS ............................................................................................................ 37

13 Authorization and validation list management ............................................................................................... 37

13.1 General on authorization and validation management ........................................................................ 37

13.2 Defined protected protocol data unit (PrPDU) types........................................................................... 37

13.3 Authorization and validation management protocol initialization request .......................................... 38

13.4 Authorization and validation management protocol initialization accept9 ......................................... 38

13.5 Authorization and validation management protocol initialization reject ............................................. 38

13.6 Authorization and validation management protocol initialization abort ............................................. 38

13.7 Add authorization and validation list request ...................................................................................... 39

13.8 Add authorization and validation list response ................................................................................... 40

13.9 Replace authorization and validation list request ................................................................................ 40

13.10 Replace authorization and validation list response.............................................................................. 40

13.11 Delete authorization and validation list request .................................................................................. 41

13.12 Delete authorization and validation list response ................................................................................ 41

13.13 Authorization and validation list abort ................................................................................................ 42

13.14 Authorization and validation list error codes ...................................................................................... 42

14 Certification authority subscription protocol .................................................................................................. 43

14.1 Certification authority subscription introduction ................................................................................ 43

14.2 Defined protected protocol data unit (PrPDU) types........................................................................... 43

14.3 Certification authority subscription protocol initialization request ..................................................... 43

14.4 Certification authority subscription protocol initialization accept ...................................................... 44

14.5 Certification authority subscription protocol initialization reject ........................................................ 44

14.6 Certification authority subscription protocol initialization abort ........................................................ 44

14.7 Public-key certificate subscription request .......................................................................................... 44

14.8 Public-key certificate subscription response ....................................................................................... 45

14.9 Public-key certificate un-subscription request .................................................................................... 46

14.10 Public-key certificate un-subscription response .................................................................................. 46

14.11 Public-key certificate replacements request ........................................................................................ 47

14.12 Public-key certificate replacement response ....................................................................................... 48

14.13 End-entity public-key certificate updates request ............................................................................... 49

14.14 End-entity public-key certificate updates response ............................................................................. 49

14.15 Certification authority subscription abort ............................................................................................ 50

14.16 Certification authority subscription error codes .................................................................................. 50

15 Trust broker protocol ...................................................................................................................................... 51

15.1 Introduction ......................................................................................................................................... 51

15.2 Defined protected protocol data unit (PrPDU) types........................................................................... 51

15.3 Trust broker protocol initialization request ......................................................................................... 51

15.4 Trust broker protocol initialization accept .......................................................................................... 52

15.5 Trust broker protocol initialization reject ............................................................................................ 52

© ISO/IEC 2020 – All rights reserved
iv Rec. ITU-T X.510 (08/2020)
---------------------- Page: 6 ----------------------
ISO/IEC 9594-11:2020(E)
Page

15.6 Trust broker protocol initialization abort ............................................................................................ 52

15.7 Trust broker request syntax ................................................................................................................. 52

15.8 Trust broker response syntax ............................................................................................................... 53

15.9 Trust broker error information ............................................................................................................ 53

Annex A − Crypto Tools in ASN.1 ........................................................................................................................... 55

Annex B − Wrapper protocol in ASN.1 .................................................................................................................... 58

Annex C − Protected protocol interface to the wrapper protocol .............................................................................. 63

Annex D − Cryptographic algorithms ....................................................................................................................... 65

Annex E − Authorization and validation list management in ASN.1 ........................................................................ 67

Annex F − Certification authority subscription in ASN.1 ......................................................................................... 70

Annex G −Trust broker in ASN.1 .............................................................................................................................. 74

Annex H − Migration of cryptographic algorithms ................................................................................................... 76

H.1 Introduction ......................................................................................................................................... 76

H.2 Negotiation of cryptographic algorithms ............................................................................................ 76

H.3 Non-negotiable digital signature algorithms ....................................................................................... 77

Annex I − Auxiliary specifications ............................................................................................................................ 80

Bibliography .............................................................................................................................................................. 85

© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.510 (08/2020) v
---------------------- Page: 7 ----------------------
ISO/IEC 9594-11:2020(E)
Introduction

The Internet Engineering Task Force (IETF) maintains a substantial set of protocols for supporting public-key

infrastructure (PKI). Recommendation ITU-T X.510 | ISO/IEC 9594-11 provides protocols to supplement those protocols

developed by IETF, especially for:

a) supporting new functions specified by Rec. ITU-T X.509 | ISO/IEC 9594-8, for which IETF has not

provided support, e.g., support for authorization and validation list (AVL) maintenance;

b) constraint environments, where lean protocols are required.
In addition, it specifies:
c) a wrapper protocol that provides security services for other protocols.

This Recommendation | International Standard consist of three sections as follows.

Section 1 gives general specifications for this Recommendation | International Standard.

Section 2 is the wrapper protocol specification.
Section 3 specifies some protocols to be protected by the wrapper protocol:
a) a protocol for maintaining authorization and validation lists (AVLs);

b) a protocol for subscribing public-key certificate status information from certification authorities (CAs);

and
c) a protocol for accessing a trust broker.
The following annexes are included.

Annex A, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module for

specifications to be imported by protocols providing a migration path for cryptographic algorithms.

Annex B, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module for the

wrapper protocol.

Annex C, which is an integral part of this Recommendation | International Standard, provides specifications for how a

protected protocol is wrapped by the wrapper protocol.

Annex D, which is an integral part of this Recommendation | International Standard, provides cryptographic algorithm

specification.

Annex E, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module for

maintenance of the authorization and validation lists (AVLs) protocol.

Annex F, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module for

certification authority subscription protocol.

Annex G, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module for the

trust broker protocol.

Annex H, which is not an integral part of this Recommendation | International Standard, provides guidance for

cryptographic algorithm migration.

The content of this Rec. ITU-T X.510 | ISO/IEC 9594-11 was moved to here from Rec. ITU-T X.509 (2016) |

ISO/IEC 9594-8:2017 and subsequently updated.
© ISO/IEC 2020 – All rights reserved
vi Rec. ITU-T X.510 (08/2020)
---------------------- Page: 8 ----------------------
ISO/IEC 9594-11:2020(E)
INTERNATIONAL STANDARD ISO/IEC 9594-11
RECOMMENDATION ITU-T X.510
Information technology – Open Systems Interconnection –
The Directory: Protocol specifications for secure operations
SECTION 1 – GENERAL
1 Scope
The scope of this Recommendation | International Standard is threefold.

This Recommendation | International Standard provides guidance on how to prepare new and old protocols for

cryptographic algorithm migration, and defines auxiliary cryptographic algorithms to be used for migration purposes.

This Recommendation | International Standard specifies a general wrapper protocol that provides authentication, integrity

and confidentiality (encryption) protection for other protocols. This wrapper protocol includes a migration path for

cryptographic algorithms allowing for smooth migration to stronger cryptographic algorithms as such requirements

evolve. This will allow migration to quantum-safe cryptographic algorithms. Protected protocols can then be developed

without taking security and cryptographic algorithms into consideration.

This Recommendation | International Standard also includes some protocols to be protected by the wrapper protocol

primarily for support of public-key infrastructure (PKI). Other specifications, e.g., Recommendations or International

Standards, may also develop protocols designed to be protected by the wrapper protocol.

2 Normative references

The following Recommendations and International Standards contain provisions which, through reference in this text,

constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated

were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this

Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition

of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid

International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid

ITU-T Recommendations.
2.1 Identical Recommendations | International Standards

– Recommendation ITU-T X.500 (2019) | ISO/IEC 9594-1:2020, Information technology - Open Systems

Interconnection - The Directory: Overview of concepts, models and services.

– Recommendation. ITU-T X.501 (2019) | ISO/IEC 9594-2:2020, Information technology – Open Systems

Interconnection – The Directory: Models.

– Recommendation ITU-T X.509 (2019) | ISO/IEC 9594-8:2020, Information technology – Open Systems

Interconnection – The Directory: Public-key and attribute certificate frameworks.

– Recommendation ITU-T X.511 (2019) | ISO/IEC 9594-3:2020, Information technology - Open Systems

Interconnection - The Directory: Abstract service definition.
– Recommendation ITU-T X.518 (2019)
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.