iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty!
ISO

ISO/IEC DIS 9594-11

(Main)
Information technology -- Open systems interconnection directory

Technologies de l'information -- Interconnexion de systèmes ouverts (OSI)

General Information

Status
Published
ICS
35.100.70 - Application layer
Technical Committee
ISO/IEC JTC 1/SC 6 - Telecommunications and information exchange between systems
Drafting Committee
ISO/IEC JTC 1/SC 6 - Telecommunications and information exchange between systems
Current Stage
4099 - Full report circulated: DIS approved for registration as FDIS
Start Date
30-Aug-2020
Ref Project

Buy Standard

First pageSecond page
PreviousNext
Standard
ISO/IEC DIS 9594-11 - Information technology -- Open systems interconnection directory
English language
77 pages
world standards week 25% off
Preview
world standards week 25% off
Preview

Standards Content (sample)

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 9594-11
ISO/IEC JTC 1/SC 6 Secretariat: KATS
Voting begins on: Voting terminates on:
2019-11-21 2020-02-13
Information technology — Open systems interconnection
— The directory —
Part 11:
Protocol specifications for secure operations
ICS: 35.100.70
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 9594-11:2019(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2019
---------------------- Page: 1 ----------------------
ISO/IEC DIS 9594-11:2019(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 9594-11:2019(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................vi

Introduction ..............................................................................................................................................................................................................................vii

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

2.1 Identical Recommendations | International Standards ....................................................................................... 1

2.2 Other references .................................................................................................................................................................................... 2

3 Terms and definitions ..................................................................................................................................................................................... 2

3.1 OSI Reference Model definitions ............................................................................................................................................. 2

3.2 Directory model definitions ......................................................................................................................................................... 2

3.3 Public-key and attribute certificate definitions .......................................................................................................... 2

3.4 Terms specified by this Recommendation | International Standard ........................................................ 3

4 Abbreviations........................................................................................................................................................................................................... 4

5 Conventions ............................................................................................................................................................................................................... 4

6 Common data types and special cryptographic algorithms .................................................................................... 5

6.1 Introduction .............................................................................................................................................................................................. 5

6.2 Multiple cryptographic algorithm specifications ...................................................................................................... 5

6.2.1 General...................................................................................................................................................................................... 5

6.2.2 Multiple signatures algorithm .............................................................................................................................. 5

6.2.3 Multiple symmetric key algorithm ................................................................................................................... 5

6.2.4 Multiple public-key algorithms ........................................................................................................................... 6

6.2.5 Multiple hash algorithm ............................................................................................................................................ 6

6.2.6 Multiple authenticated encryption algorithm ........................................................................................ 6

6.2.7 Multiple integrity check value algorithm.................................................................................................... 6

6.3 Key establishment algorithms ................................................................................................................................................... 7

6.3.1 General...................................................................................................................................................................................... 7

6.3.2 Diffie-Hellman group 14 algorithm with HKDF-256 ........................................................................ 7

6.3.3 Diffie-Hellman group 23 algorithm with HKDF-256 ........................................................................ 7

6.3.4 Diffie-Hellman group 28 algorithm with HKDF-256 ........................................................................ 8

6.3.5 Key derivation .................................................................................................................................................................... 8

6.4 Multiple cryptographic algorithm-value pairs ............................................................................................................ 9

6.4.1 Multiple digital signatures attached to data ............................................................................................ 9

6.4.2 Duplicate integrity check values attached to data .............................................................................. 9

6.4.3 Formal specification of encryption .................................................................................................................. 9

6.4.4 Formal specification of authenticated encryption .............................................................................. 9

7 General concept for securing protocols.....................................................................................................................................10

7.1 Introduction ...........................................................................................................................................................................................10

7.2 Protected protocol plug-in concept ....................................................................................................................................10

7.3 Communications structure ........................................................................................................................................................10

7.4 Structure of application protocol data unit .................................................................................................................11

7.5 Another view of the relationship between the wrapper protocol and the protected

protocol ......................................................................................................................................................................................................11

7.6 Information and control ...............................................................................................................................................................12

7.7 Exception conditions ......................................................................................................................................................................12

8 Wrapper protocol general concepts ..............................................................................................................................................14

8.1 Introduction ...........................................................................................................................................................................................14

8.2 UTC time specification ...................................................................................................................................................................14

8.3 Use of the SIGNED parameterized data type ..............................................................................................................14

8.4 Use of alternative cryptographic algorithms .............................................................................................................15

8.5 General on establishing shared keys .................................................................................................................................15

8.6 Sequence numbers ...........................................................................................................................................................................15

8.7 Use of invocation identification in the wrapper protocol ...............................................................................15

© ISO/IEC 2019 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 9594-11:2019(E)

8.8 Mapping to underlying services ............................................................................................................................................16

8.9 Definition of protected protocols .........................................................................................................................................16

8.10 Overview of wrapper protocol data units ......... ............................................................................................................16

9 Association management .........................................................................................................................................................................17

9.1 Introduction to association management .....................................................................................................................17

9.2 Association handshake request .............................................................................................................................................17

9.2.1 Association handshake request syntax .....................................................................................................17

9.3 Association accept .............................................................................................................................................................................19

9.3.1 Association handshake accept syntax ........................................................................................................19

9.4 Association reject due to security issues .......................................................................................................................20

9.5 Association reject by the protected protocol .............................................................................................................21

9.6 Handshake security abort ..........................................................................................................................................................22

9.7 Handshake abort by protected protocol ........................................................................................................................23

9.8 Data transfer security abort .....................................................................................................................................................23

9.9 Abort by protected protocol .....................................................................................................................................................24

9.10 Release request WrPDU ...............................................................................................................................................................24

9.11 Release response WrPDU............................................................................................................................................................25

10 Data transfer phase ........................................................................................................................................................................................25

10.1 Symmetric keys renewal ..............................................................................................................................................................25

10.2 Data transfer by the requestor ...............................................................................................................................................25

10.3 Data transfer by the acceptor ..................................................................................................................................................27

11 Wrapper error handling ............................................................................................................................................................................28

11.1 General ........................................................................................................................................................................................................28

11.2 Checking of a wrapper handshake request .................................................................................................................28

11.2.1 General...................................................................................................................................................................................28

11.2.2 Digital signature checking ....................................................................................................................................28

11.2.3 Checking of the to-be-signed part ..................................................................................................................29

11.3 Checking of a wrapper handshake accept ....................................................................................................................30

11.3.1 General...................................................................................................................................................................................30

11.3.2 Digital signature checking ....................................................................................................................................30

11.3.3 Checking of the to-be-signed part ..................................................................................................................30

11.4 Checking of data transfer WrPDUs .....................................................................................................................................31

11.4.1 General...................................................................................................................................................................................31

11.4.2 Mode checking ................................................................................................................................................................31

11.4.3 Integrity checking ........................................................................................................................................................32

11.4.4 Checking of common components for AadReq and AadAcc data values ......................32

11.4.5 AadReq data value specific checking ...........................................................................................................32

11.4.6 AadAcc data value specific checking ............................................................................................................32

11.5 Wrapper error codes.......................................................................................................................................................................32

12 Authorization and validation list management ................................................................................................................34

12.1 General on authorization validation management ...............................................................................................34

12.1.1 Introduction ......................................................................................................................................................................34

12.1.2 Invocation identification ........................................................................................................................................34

12.2 Defined protected protocol data unit (PrPDU) types .........................................................................................34

12.3 Authorization and validation management protocol initialization request ...................................34

12.4 Authorization and validation management protocol initialization accept ......................................35

12.5 Authorization and validation management protocol initialization reject ........................................35

12.6 Authorization and validation management protocol initialization abort .........................................35

12.7 Add authorization and validation list ...............................................................................................................................36

12.8 Replace authorization and validation list .....................................................................................................................37

12.9 Delete authorization and validation list .........................................................................................................................38

12.10 Authorization and validation list reject ..........................................................................................................................39

12.11 Authorization and validation list error codes ...........................................................................................................39

13 C ertification authority subscription protocol.....................................................................................................................41

13.1 Certification authority subscription intr oduction .................................................................................................41

13.2 Overview of protocol data units ............................................................................................................................................41

iv © ISO/IEC 2019 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 9594-11:2019(E)

13.3 Certification authority subscription pr otocol initialization request .....................................................41

13.4 Certification authority subscription pr otocol initialization accept ........................................................42

13.5 Certification authority subscription pr otocol initialization reject ..........................................................42

13.6 Certification authority subscription pr otocol initialization abort ..........................................................42

13.7 Public-key certificate subscription .....................................................................................................................................42

13.8 Public-key certificate un-subscription ............................................................................................................................44

13.9 Public-key certificate replacements ..................................................................................................................................46

13.10 End-entity public-key certificate updates ....................................................................................................................47

13.11 Certification authority subscription r eject ..................................................................................................................49

13.12 Certification authority subscription err or codes ...................................................................................................49

14 Trust broker protocol ...................................................................................................................................................................................50

14.1 Introduction ...........................................................................................................................................................................................50

14.2 Defined protocol data unit (PDU) types .........................................................................................................................50

14.3 Trust broker request syntax .....................................................................................................................................................50

14.4 Trust broker response syntax .................................................................................................................................................50

14.5 Trust broker error information .............................................................................................................................................51

Annex A Crypto Tools in ASN.1 ...............................................................................................................................................................................53

Annex B Wrapper protocol in ASN.1 ................................................................................................................................................................56

Annex C Protected protocol interface to the wrapper protocol ..........................................................................................61

Annex D Authorization and validation list management in ASN.1 ...................................................................................63

Annex E Certification authority subscription in ASN.1 ................................................................................................................66

Annex F Trust broker in ASN.1 ..............................................................................................................................................................................70

Annex G Migration of cryptographic algorithms ................................................................................................................................72

Bibliography .............................................................................................................................................................................................................................77

© ISO/IEC 2019 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC DIS 9594-11:2019(E)
Foreword

Recommendation ITU-T X.509PROT | ISO/IEC 9594-11 specifies a general protocol, called the wrapper

protocol, that provides cyber security for protocols designed for protection by the wrapper protocol.

The wrapper protocol provides authentication, integrity and optionally confidentiality (encryption).

The wrapper protocol allows cyber security to be provided independently of the protected protocols,

which means that the security may enhanced without affecting protected protocol specifications.

The wrapper protocol is designed for easy migration of cryptographic algorithms, as stronger

algorithms become necessary.

Recommendation ITU-T X.509PROT | ISO/IEC 9594-11 contains specifications for how other

Recommendations and International Standards may include features for migration of cryptographic

algorithms, and it includes ASN.1 specifications to be imported for that purpose.

Recommendation ITU-T X.509PROT | ISO/IEC 9594-11 also specifies three protocols that make use of

the protection of the wrapper protocol. This includes a protocols provide for maintaining authorization

and validation lists, a protocol for subscribing of public-key certificate status and a protocol for

accessing a trust broker.
Keywords

Cryptography; cryptographic algorithm; digital signature; public-key certificate; certification

authority: distinguished name; PKI, trust anchor; validation.
vi © ISO/IEC 2019 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC DIS 9594-11:2019(E)
Introduction

The Internet Engineering Task Force (IETF) maintains a substantial set of protocols for supporting

public-key infrastructure (PKI). This Specification provides protocols to supplement those protocols

developed by IETF, especially for:

a) supporting new functions specified by Rec. ITU-T X.509 | ISO/IEC 9594-8, for which IETF has not

provided support; and
b) constrained environments, where lean protocols are required.
In addition, it specifies:
c) a wrapper protocol that provides security services for other protocols.
This Recommendation | International Standard consist of three sections:

Section 1 gives general specifications for this Recommendation | International Standard.

Section 2 is the wrapper protocol specification.
Section 3 specifies some protocols to be protected by the wrapper protocol:
a) A protocol for maintaining authorization and validation lists (AVLs).

b) A protocol for subscribing public-key certificate status information from CAs.

c) A protocol for accessing a trust broker.
The following annexes are included:

Annex A, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for specifications to be imported by protocols providing a migration path for cryptographic

algorithms.

Annex B, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for the wrapper protocol.

Annex C, which is an integral part of this Recommendation | International Standard, provides

specifications for how a protected protocol is wrapped by the wrapper protocol.

Annex D, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for maintenance of the authorization and validation lists (AVLs) protocol.

Annex E, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for certification authority subscription protocol.

Annex F, which is an integral part of this Recommendation | International Standard, provides the ASN.1

module for the trust broker protocol.

Annex G, which is not an integral part of this Recommendation | International Standard, provides

guidance for cryptographic algorithm migration.
© ISO/IEC 2019 – All rights reserved vii
---------------------- Page: 7 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 9594-11:2019(E)
Information technology — Open systems interconnection
— The directory —
Part 11:
Protocol specifications for secure operations
SECTION 1 – GENERAL
1 Scope
The scope of this Recommendation | International Standard is threefold:

It provides guidance for how to prepare new and old protocols for cryptographic algorithm migration.

It defines auxiliary cryptographic algorithms to be used for migration purposes

The scope includes a general wrapper protocol that provides authentication, integrity and

confidentiality (encryption) protection for other protocols. This wrapper protocol includes a migration

path for cryptographic algorithms. Protected protocols can then be developed without taking security

and cryptographic algorithms into consideration.

The scope also includes some protocols to be protected by the wrapper protocol primarily for support

of PKI. Other specifications, e.g., Recommendations or International Standards, may also develop

protocols designed to be protected by the wrapper protocol.
2 Normative references
The following Recommendations and International Standards c
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 9594-5:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

ISO/IEC 9594-5:2017 specifies the Directory Access Protocol, the Directory System Protocol, the Directory Information Shadowing Protocol, and the Directory Operational Binding Management Protocol which fulfil the abstract services specified in Rec. ITU-T X.511 | ISO/IEC 9594-3, Rec. ITU-T X.518 | ISO/IEC 9594-4, Rec. ITU-T X.525 | ISO/IEC 9594-9, and Rec. ITU-T X.501 | ISO/IEC 9594-2.

    • world standards week 25% off
    • Standard
      83 pages
      English language
ISO
ISO/IEC 9594-3:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

ISO/IEC 9594-3:2017 defines in an abstract way the externally visible service provided by the Directory. ISO/IEC 9594-3:2017 does not specify individual implementations or products.

    • world standards week 25% off
    • Standard
      120 pages
      English language
ISO
ISO/IEC 9594-9:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

ISO/IEC 9594-9:2017 specifies a shadow service which Directory system agents (DSAs) may use to replicate Directory information. The service allows Directory information to be replicated among DSAs to improve service to Directory users. The shadowed information is updated, using the defined protocol, thereby improving the service provided to users of the Directory.

    • world standards week 25% off
    • Standard
      37 pages
      English language
ISO
ISO/IEC 9594-1:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

ISO/IEC 9594-1:2017 provides the directory capabilities required by OSI applications, OSI management processes, other OSI layer entities, and telecommunications services. Among the capabilities which it provides are those of "user-friendly naming", whereby objects can be referred to by names which are suitable for citing by human users (though not all objects need have user-friendly names); and "name-to-address mapping" which allows the binding between objects and their locations to be dynamic. ...view more

    • world standards week 25% off
    • Standard
      23 pages
      English language
ISO
ISO/IEC 9594-7:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

ISO/IEC 9594-7:2017 defines a number of object classes and name forms which may be found useful across a range of applications of the Directory. The definition of an object class involves listing a number of attribute types which are relevant to objects of that class. The definition of a name form involves naming the object class to which it applies and listing the attributes to be used in forming names for objects of that class. These definitions are used by the administrative authority which i...view more

    • world standards week 25% off
    • Standard
      29 pages
      English language
ISO
ISO/IEC 9594-6:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

ISO/IEC 9594-6:2017 defines a number of attribute types and matching rules which may be found useful across a range of applications of the Directory. Attribute types and matching rules fall into three categories, as described below. Some attribute types and matching rules are used by a wide variety of applications or are understood and/or used by the Directory itself. NOTE 1 - It is recommended that an attribute type or matching rule defined in this Recommendation | International Standard be use...view more

    • world standards week 25% off
    • Standard
      116 pages
      English language
ISO
ISO/IEC 9594-4:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

ISO/IEC 9594-4:2017 specifies the behaviour of DSAs taking part in a distributed directory consisting of multiple Directory systems agents (DSAs) and/or LDAP servers with at least one DSA. The allowed behaviour has been designed to ensure a consistent service given a wide distribution of the DIB across a distributed directory. Only the behaviour of DSAs taking part in a distributed directory is specified. The behaviour of LDAP servers are specified in relevant LDAP specifications. There are no s...view more

    • world standards week 25% off
    • Standard
      126 pages
      English language
ISO
ISO/IEC 9594-8:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

ISO/IEC 9594-8:2017 addresses some of the security requirements in the areas of authentication and other security services through the provision of a set of frameworks upon which full services can be based. Specifically, this Recommendation | International Standard defines frameworks for: - public-key certificates; and - attribute certificates. The public-key certificate framework defined in this Recommendation | International Standard specifies the information objects and data types for a publi...view more

    • world standards week 25% off
    • Standard
      242 pages
      English language
ISO
ISO/IEC 9594-2:2017(Main)
Information technology -- Open Systems Interconnection -- The Directory

The models defined in ISO/IEC 9594-2:2017 provide a conceptual and terminological framework for the other ITU-T X.500-series Recommendations | parts of ISO/IEC 9594 which define various aspects of the Directory. The functional and administrative authority models define ways in which the Directory can be distributed, both functionally and administratively. Generic Directory System Agent (DSA) and DSA information models and an Operational Framework are also provided to support Directory distributi...view more

    • world standards week 25% off
    • Standard
      247 pages
      English language
ISO
ISO/IEC 17811-2:2015(Main)
Information technology -- Device control and management

ISO/IEC 17811-2:2015 provides the specification of Device Control and Management Protocol (DCMP), which is an application-layer protocol used to control and manage the various devices. DCMP supports the device and network status information retrieval, device initialization, firmware and software update, file transmission, and so on. This part of ISO/IEC 17811 specifies the protocol operations and message structure of DCMP. The network security is out of scope in this part of ISO/IEC 17811. Howev...view more

    • world standards week 25% off
    • Standard
      130 pages
      English language