Recommendation X.509

THE DIRECTORY - AUTHENTICATION FRAMEWORK

(Melbourne, 1988)

Fascicle VIII.8 - Rec. X.509

CONTENTS

  0 Introduction
  1 Scope and field of application
  2 References
  3 Definitions
  4 Notation and abbreviations
  SECTION 1 - Simple authentication
  5 Simple authentication procedure
  SECTION 2 - Strong authentication
  6 Basis of strong authentication
  7 Obtaining a user's public key
  8 Digital signatures
  Annex G - Authentication framework in ASN.1
  Annex H - Reference definition of algorithm object identifiers

0 Introduction

0.1 The Directory is basically used to facilitate communication between, with or about objects such as OSI application-entities, people, terminals and distribution lists.

Note - Recommendation X.509 and ISO 9594-8, Information Processing Systems - Open Systems Interconnection - The Directory - Authentication Framework, were developed in close collaboration.

0.2 The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of technical agreement outside of the interconnection standards themselves, the interconnection of information processing systems:
- from different manufacturers;
- under different managements;
- of different levels of complexity; and
- of different ages.

0.3 Many applications have requirements for security to protect against threats to the communication of information. Some commonly known threats, together with the security services and mechanisms that can be used to protect against them, are briefly described in Annex A. Virtually all security services are dependent upon the identities of the communicating parties being reliably known, i.e. authentication.

0.4 This Recommendation defines a framework for the provision of authentication services by the Directory to its users. These users include the Directory itself, as well as other applications and services. The Directory can usefully be involved in meeting their needs for authentication and other security services because it is a natural place from which communicating parties can obtain authentication information of each other: knowledge which is the basis of authentication. The Directory is a natural place because it holds other information which is required for communication and obtained prior to communication taking place. Obtaining the authentication information of a potential communication partner from the Directory is, with this approach, similar to obtaining an address. Owing to the wide reach of the Directory for communications purposes, it is expected that this authentication framework will be widely used by a range of applications.

1 Scope and field of application

1.1 This Recommendation:
- specifies the form of authentication information held by the Directory;
- describes how authentication information may be obtained from the Directory;
- states the assumptions made about how this authentication information is formed and placed in the Directory;
- defines three ways in which applications may use this authentication information to perform authentication and describes how other security services may be supported by authentication.

1.2 This Recommendation describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed using cryptographic techniques. While simple authentication offers some limited protection against unauthorized access, only strong authentication should be used as the basis for providing secure services. It is not intended to establish this as a general framework for authentication, but it can be of general use for applications which consider these techniques adequate.

1.3 Authentication (and other security services) can only be provided within the context of a defined security policy. It is a matter for users of an application to define their own security policy, which may be constrained by the services provided by a standard.

1.4 It is a matter for standards defining applications which use the authentication framework to specify the protocol exchanges which need to be performed in order to achieve authentication based upon the authentication information obtained from the Directory. The protocol used by applications to obtain credentials from the Directory is the Directory Access Protocol (DAP), specified in Recommendation X.519.

1.5 The strong authentication method specified in this Recommendation is based upon public-key cryptosystems. It is a major advantage of such systems that user certificates may be held within the Directory as attributes, and may be freely communicated within the Directory System and obtained by users of the Directory in the same manner as other Directory information. The user certificates are assumed to be formed by "off-line" means, and placed in the Directory by their creator. The generation of user certificates is performed by some off-line Certification Authority which is completely separate from the DSAs in the Directory. In particular, no special requirements are placed upon Directory providers to store user certificates securely.

1.6 Although in principle a number of public key cryptosystems may be used, two users wishing to authenticate must support the same cryptographic algorithm for authentication to be performed correctly. Thus, within the context of a set of related applications, the choice of a single algorithm will serve to maximize the community of users able to authenticate and communicate securely. One example of a public key cryptographic algorithm can be found in Annex C.

1.7 Similarly, two users wishing to authenticate must support the same hash function (see 3.3 f)) (used in forming credentials and authentication tokens). Again, in principle, a number of alternative hash functions could be used, at the cost of narrowing the communities of users able to authenticate. A brief introduction to hash functions together with one example hash function can be found in Annex D.

2 References

2.1 ISO 7498-2: Information Processing Systems - Open Systems Interconnection - Security Architecture.

3 Definitions

3.1 This Recommendation makes use of the following general security-related terms defined in Part 2 of the OSI Reference Model on Security (ISO 7498-2):
a) asymmetric (encipherment);
b) authentication exchange;
c) authentication information;
d) confidentiality;
e) credentials;
f) cryptography;
g) data origin authentication;
h) decipherment;
i) encipherment;
j) key;
k) password;
l) peer-entity authentication;
m) symmetric (encipherment).

3.3 The following terms are defined and used in this Recommendation:
a) authentication token (token): information conveyed during a strong authentication exchange, which can be used to authenticate its sender;
b) user certificate (certificate): the public keys of a user, together with some other information, rendered unforgeable by encipherment with the secret key of the certification authority which issued it;
c) certification authority: an authority trusted by one or more users to create and assign certificates. Optionally the certification authority may create the user's keys;
d) certification path: an ordered sequence of certificates of objects in the DIT which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path;
e) cryptographic system, cryptosystem: a collection of transformations from plain text into ciphertext and vice versa, the particular transformation(s) to be used being selected by keys. The transformations are normally defined by a mathematical algorithm;
f) hash function: a (mathematical) function which maps values from a large (possibly very large) domain into a smaller range. A "good" hash function is such that the results of applying the function to a (large) set of values in the domain will be evenly distributed (and apparently at random) over the range;
g) one-way function: a (mathematical) function f which is easy to compute, but for which, given a general value y in the range, it is computationally difficult to find a value x in the domain such that f(x) = y. There may be a few values y for which finding x is not computationally difficult;
h) public key: (in a public key cryptosystem) that key of a user's key pair which is publicly known;
i) private key (secret key - deprecated): (in a public key cryptosystem) that key of a user's key pair which is known only by that user;
j) simple authentication: authentication by means of simple password arrangements;
k) security policy: the set of rules laid down by the security authority governing the use and provision of security services and facilities;
l) strong authentication: authentication by means of cryptographically derived credentials;
m) trust: generally, an entity can be said to "trust" a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects. This trust may apply only for some specific function. The key role of trust in the authentication framework is to describe the relationship between an authenticating entity and a certification authority; an authenticating entity must be certain that it can trust the certification authority to create only valid and reliable certificates;
n) certificate serial number: an integer value, unique within the issuing CA, which is unambiguously associated with a certificate issued by that CA.

4 Notation and abbreviations

4.1 The notation used in this Recommendation is defined in Table 1/X.509 below.

Note - In the table, the symbols X, X1, X2 etc. occur in place of the names of users, while the symbol I occurs in place of arbitrary information.

TABLE 1/X.509
Notation

  NOTATION        MEANING
  Xp              Public key of a user X.
  Xs              Secret key of X.
  Xp[I]           Encipherment of some information, I, using the public key of X.
  Xs[I]           Encipherment of I using the secret key of X.
  X{I}            The signing of I by user X. It consists of I with an enciphered summary appended.
  CA(X)           A certification authority of user X.
  CAn(X)          (where n>1): CA(CA(...n times...(X))).
  X1<<X2>>        The certificate of user X2 issued by certification authority X1.
  A -> B          A certification path from A to B, formed of a chain of certificates, starting with a certificate issued by CA(A) and ending with CA(B)<<B>>.
  Ap . A<<B>>     Denotes the operation of using the public key of A to obtain B's public key from the certificate of B issued by A, i.e. of unwrapping a certificate to extract a public key. It is an infix operator, whose left operand is the public key of a certification authority, and whose right operand is a certificate issued by that certification authority. The outcome is the public key of the user whose certificate is the right operand. For example: Ap . A<<B>> = Bp.

4.2 The following abbreviations are used in this Recommendation:
  CA    Certification authority.
  PKCS  Public key cryptosystem.

SECTION 1 - Simple authentication

5 Simple authentication procedure

5.1 Simple authentication is intended to provide local authorization based upon a Distinguished Name of a user, a bilaterally agreed (optional) password and a bilateral understanding of the means of using and handling this password. Simple authentication may be achieved by several means:
a) the transfer of the user's distinguished name and (optional) password in the clear (non-protected) to the recipient for evaluation;
b) the transfer of the user's distinguished name, password, and a random number and/or a timestamp, all of which are protected by applying a one-way function;
c) the transfer of the protected information described in b) together with a random number and/or timestamp, all of which is protected by applying a one-way function.

Note 1 - There is no requirement that the one-way functions applied be different.

Note 2 - The signalling of procedures for protecting passwords may be a matter for extension to the Document.

5.2 Where passwords are not protected, a minimal degree of security is provided for preventing unauthorized access. It should not be considered a basis for secure services. Protecting the user's distinguished name and password provides greater degrees of security. The algorithms to be used for the protection mechanism are typically non-enciphering one-way functions that are very simple to implement.

5.3 The general procedure for achieving simple authentication is shown in Figure 1/X.509.

[FIGURE 1/X.509 - The unprotected simple authentication procedure]

5.3.1 The following steps are involved:
1) an originating user A sends its distinguished name and password to a recipient user B;
2) B sends the purported distinguished name and password of A to the Directory, where the password is checked against that held as the User Password attribute within the directory entry for A (using the Compare operation of the Directory);
3) the Directory confirms (or denies) to B that the credentials are valid;
4) the success (or failure) of authentication may be conveyed to A.

5.3.2 The most basic form of simple authentication involves only step 1) and, after B has checked the distinguished name and password, may include step 4).

5.4 Figure 2/X.509 illustrates two approaches by which protected identifying information may be generated. f1 and f2 are one-way functions (either identical or different) and the timestamps and random numbers are optional and subject to bilateral agreements.

[FIGURE 2/X.509 - Protected simple authentication]

  A       = user's distinguished name
  tA      = timestamps
  qA      = random numbers, optionally with a counter included
  passwA  = password of A

The protection of A's password is of the form:

  Protected1 = f1(t1A, q1A, passwA).

The information conveyed to B is of the form:

  Authenticator1 = t1A, q1A, A, Protected1.

5.4.1 Figure 3/X.509 illustrates the procedure for protected simple authentication.

[FIGURE 3/X.509 - The protected simple authentication procedure]

The following steps are involved (initially using f1 only):
1) An originating user, User A, sends its protected identifying information (Authenticator1) to User B. Protection is achieved by applying the one-way function (f1) of Figure 2/X.509, where the timestamp and/or random number (when used) is to minimize replay and to conceal the password.
2) B verifies the protected identifying information offered by A by generating (using the timestamp, distinguished name and, optionally, additional timestamp and/or random number provided by A, together with a local copy of A's password) a local protected copy of A's password (of the form of Protected1). B compares (for equality) the purported identifying information (Protected1) with the locally generated value.
3) B confirms (or denies) to A the verification of the protected identifying information.

5.4.2 The procedure of 5.4.1 can be modified to afford greater protection (using f1 and f2). The main differences are as follows:
1) A sends its (additionally) protected identifying information (Authenticator2) to B. Additional protection is achieved by applying a further one-way function, f2, as illustrated in Figure 2/X.509.

Note - As applied to the Directory (specified in Recommendations X.511 and X.518), A could be a DUA binding to a DSA, B; alternatively A could be a DSA binding to another DSA, B.

5.5 A User Password attribute type contains the password of an object. An attribute value for the user password is a string specified by the object.

  UserPassword ::= ATTRIBUTE
      WITH ATTRIBUTE-SYNTAX
          OCTET STRING (SIZE (0..ub-user-password))
          MATCHES FOR EQUALITY

5.6 The following ASN.1 macro may be used to define the data type arising from applying a one-way function to a given other data type.

  PROTECTED MACRO ::= SIGNATURE
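The protected simple authentication exchange of 5.4 (Figures 2 and 3), worked through as an added example rather than code from the Recommendation. The Recommendation fixes neither f1 nor f2, only that A and B agree on them; here both are built from SHA-256 over length-prefixed fields, which is an assumption, as is the composition Protected2 = f2(t2A, q2A, Protected1) for the second approach of Figure 2. The acceptance window (MAX_SKEW), the replay cache and the sample distinguished name and password are constructed for the example. The recipient B holds its own copy of the User Password attribute value and recomputes Protected1 locally, exactly as step 2) of 5.4.1 describes; the timestamp and random number are what stop a captured Authenticator1 from being replayed.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds a timestamp may differ from B's clock (assumed local policy)


def _oneway(*parts):
    """Non-enciphering one-way function over length-prefixed fields (assumption: SHA-256)."""
    m = hashlib.sha256()
    for p in parts:
        b = str(p).encode()
        m.update(len(b).to_bytes(2, "big") + b)
    return m.hexdigest()


def f1(t1A, q1A, passwA):
    return _oneway("f1", t1A, q1A, passwA)


def f2(t2A, q2A, protected1):
    return _oneway("f2", t2A, q2A, protected1)


def authenticator1(A, passwA, t1A, q1A):
    """Authenticator1 = t1A, q1A, A, Protected1  with  Protected1 = f1(t1A, q1A, passwA)."""
    return {"t1A": t1A, "q1A": q1A, "A": A, "Protected1": f1(t1A, q1A, passwA)}


def authenticator2(A, passwA, t1A, q1A, t2A, q2A):
    """Second approach of Figure 2: Protected2 = f2(t2A, q2A, Protected1) (composition assumed)."""
    protected1 = f1(t1A, q1A, passwA)
    return {"t1A": t1A, "t2A": t2A, "q1A": q1A, "q2A": q2A, "A": A,
            "Protected2": f2(t2A, q2A, protected1)}


class Recipient:
    """User B: local copies of User Password attribute values plus a replay cache."""

    def __init__(self, passwords, now):
        self.passwords = passwords  # {distinguished name: password}
        self.now = now              # B's clock, fixed here so the example is deterministic
        self.seen = set()           # (A, t1A, q1A) already accepted

    def _check(self, auth, field, compute):
        passw = self.passwords.get(auth["A"])
        if passw is None:
            return False, "unknown distinguished name"
        if abs(auth["t1A"] - self.now) > MAX_SKEW:
            return False, "timestamp outside acceptance window"
        key = (auth["A"], auth["t1A"], auth["q1A"])
        if key in self.seen:
            return False, "random number already used (replay)"
        # Step 2) of 5.4.1: recompute the protected value from the local password copy
        if not hmac.compare_digest(compute(passw), auth[field]):
            return False, field + " mismatch"
        self.seen.add(key)
        return True, "authenticated"

    def check1(self, auth):
        return self._check(auth, "Protected1", lambda pw: f1(auth["t1A"], auth["q1A"], pw))

    def check2(self, auth):
        return self._check(auth, "Protected2",
                           lambda pw: f2(auth["t2A"], auth["q2A"], f1(auth["t1A"], auth["q1A"], pw)))


def demo():
    """Constructed scenario: one good bind, a replay, a wrong password, a stale token, an f2 bind."""
    name = "C=GB, O=Example, CN=A"              # constructed distinguished name
    B = Recipient({name: "s3cret"}, now=1000)   # constructed User Password attribute value
    good = authenticator1(name, "s3cret", 998, 42)
    return [
        B.check1(good)[0],                                            # True
        B.check1(good)[0],                                            # False: replayed
        B.check1(authenticator1(name, "wrong", 999, 43))[0],          # False: Protected1 mismatch
        B.check1(authenticator1(name, "s3cret", 100, 44))[0],         # False: stale timestamp
        B.check2(authenticator2(name, "s3cret", 1001, 45, 1002, 46))[0],  # True: f1 then f2
    ]
```

B never learns the password from the wire: with f1 one-way, the attacker who records Authenticator1 gets only a value tied to one timestamp and random number, which the replay cache and the clock window refuse a second time. The unprotected variant of 5.3 would instead hand B the password itself for the Directory Compare operation.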
It is the responsibility of the encryption procedures to specify the means by dx dwhich synchronization of the sender and receiver of data is achieved, which may include information d3 3 Z BThe following steps are involved (initially using f1 only):9y  e1)An originating user, User A, sends its protected identifying information (Authenticator1) e}  eto User B. Protection is achieved by applying the one-way function (f1) of Figure 2/X.509,Py  ewhere the timestamp and/or random number (when used) is to minimize replay aGinformation (Protected1) with the locally generated value).G ( y of A's password) a local protected copy of A's dy epassword (of the form of Protected^1). B compares (for equality) the purported identifyinge\  Hinformation (Protected^1) with the locally generated value).Hv  b2)B confirms (or denies) to A the verification of the protected identifying informy e7.8.3In the more general case the Certification Authorities do not relate in a hierarchical manner. ey eReferring to the hypothetical example in Figure^5/X.509, suppose a user D, certified by U, wishes to exdauthenticate to user E, certified by W. The directory entry of user D will hold the certificate dU AU<> and the entry of user E will hold the certificate W<>.A t `Lg S3)the Directory confirms (or denies) to B that the credentials are valid;S`L4)the success (or failure) of authentication may be conveyed to A.Ly e5.3.2The most basic form of simple authentication involves only step 1) and after B has checked the eJ 6distinguished name and password, may include step 4).6vb5.4Figure 2/X.509 illustrates two approaches by which protected identifying infation.b { _5.4.2The procedure of  5.4.1 can be modified to afford greater protection (using f1 and f2).T ? +The main differences are as follows:+ t  `1)A sends its (additionally) protected identifying information (Authenticator2) to B. `t \Additional protection is achieved by applying a further one-way function, f2, as V and B. 
As applied to the%!Y}s _Directory (specified in Recommendation X.511 and X.518), A could be a DUA binding to a DSA, B; _N :alternatively A could be a DSA binding to another DSA, B.: ye5.5A User Password attribute type contains the password of an object. An attribute value for the eG 3user password is a string specified by the object.3 ; #Use WITH @' ATTRIBUTE-SYNTAX@G An attribute value for the eG 3user password is a string specified by the object.3 = !UserPassword::=ATTRIBUTE@ @ % , WITH @' ATTRIBUTE-SYNTAX@^[ C OCTET STRING (SIZE (0..ub-user-password))@)F . MATCHES FOR EQUALITY@ x d5.6The following ASN.1 macro may be used to define the data type arising from applying a one-way d9 %function to a given other data type.%  l data type arising from applying a one-way d9 %function to a given other data type.%|D $PROTECTED MACRO^::=^SIGNATURE@@@ V1 CertificatePair::=@. SEQUENCE{ @ K 3forward [o] Certificate OPTIONAL@ K 3reverse [1] Certificate OPTIONAL@ X  8-- wat least one must be presentw --}@%@!@v Certificate OPTIONAL V  6-- wat least one must be presentw --} A simply has to directly acquire the c`  Lcertificate of C. Unwrapping the certification path reduces to:L4 Cp = Xp . X<>X Dand unwrapping the return certification Path reduces to:D5  Ap = Xp . X<>2  Ap = Xp  X<>k = Xp  X<>T)assu   % Ap = Xp  X<>he properties ey eof a family of cryptographic systems, known as public-key cryptosystems (PKCS). These cryptosystems, ey ealso described as asymmetric, involve a pair of keys, one secret and one public, rather than a singleen Zkey as in conventional cryptographic systems. Annex^B gives a brief introduction to these Zy ecryptosystems and the properties which make them useful in authentication. For a PKCS to be usable inexHe  of user X.  Xp   eXp . 
Xs = Xs  Xp where Xp/Xs are encipherment/decipherment functions using the public/secret keys ofHH$ user X.v ZwNotew - Alternative types of PKCS, i.e., ones which do not require the property of %!Nu apermutability and that can be supported without great modification to this Recommendation, are a awork will be applicable to any suitable public key cryptosystem, and will thuseu asupport changes to the methods used as a result of future advances in cryptography, mathematical ay etechniques or computational capabilities. However, two users wishing to authenticate must support theex dsame cryptographic algorithm for authentication to be performed correctly. Thus, within the context dr ^of a set of related applications, the choice of a single algorithm will serve to maximize the ^u acommunity of users able to authenticate and communicate securely. One example of a cryptographic a7 #algorithm can be found in Annex^C.# wc6.3Authentication relies on each user possessing a unique distinguished name. The allocation of cxddistinguished names is the responsibility of the Naming Authorities. Each user must therefore trust dW [o[ [s[ Ap.A<>B<> 1)B. .A)Ap.AnV Ap.A<>B<> 1$aining confidential to the user./ t ^ion depends on the aC /secret key remaining confidential to the user./y e6.5For a user to determine that a communication partner is in possession of another user's secret ew ckey, it must itself be in possession of that user's public key. Whilst obtaining the value of this cwcpublic key from the user's entry in the Directory is straightforward, verifying its correctness is cuamore problematic. There are many possible ways for doing this: ^7 describes a process whereby a au auser's public key can be checked by reference to the Directory. This process can only operate if aq ]there is an unbroken chain of trusted points in the Directory between the users requiring to ]obes a process _j Vuser's public key can be checked by reference to the Directory. This prv bauthenticate. 
Such a chain can be constructed by identifying a common point of trust. This common bg Spoint of trust must be linked to each user by an unbroken chain of trusted points.S  > $7Obtaining a user's public key@@ u a7.1In order for a user to trust the authentication procedure, it must obtain the other user's ax dpublic key from a source that it trusts. Such a source, called a certification authority (CA), uses d dthe public key algorithm to certify the public key, producing a wcertificatew. The certificate, the @% !~V Bform of which is specified in ^7.2 has the following properties:B u a-any user with access to the public key of the certification authority can recover the a?  +public key which was certified;+ w  c-no party other than the certification authority can modify the certificate without this cN  DL:being detected (certificates are unforgeable).: xdBecause certificates are unforgeable, they can be published by being placed in the Directory, d] Iwithout the need for the latter to make special efforts to protect them.I  cwNotew - Although the CAs are unambiguously defined by a distinguished name in the DIT, this %!Ws _does not imply that there is any relationship between the organization of the CAs and the DIT._ y e7.2A certification authority produces the certificate of a user by signing (see ^8) a collection eo [of information, including the user's distinguished name and public key. 
Specifically, the [y ecertificate of a user with distinguished name A, produced by the certification authority CA, has the e$ following form: C +CA<> = CA {SN, AI, CA, A, Ap, TA}(s fro y ewhere SN is the serial number of the certificate, AI is the identifier of the algorithm used to sign ey athe certificate, and TA indicates the period of validity of certificates.W I )Certificate^::=SIGNED SEQUENCE{@ @@U 9version [0]Version DEFAULT^1988, @ @N .serialNumber SerialNumber, @ @@ P 4signatureAlgorithmidentifier @ @E %issuer Name @@ @F]DL*validityValidity, @SubjectPublicKeyInfo::=@@.SEQUENCE{ @ P 4algorithmAlgorithmIdentifier@ @H ,subjectKeyBIT STRING}@ @  <  AlgorithmIdentifier::=@@. SEQUENCE{ @ N 2algorithmOBJECT IDENTIFIER@ @V  @ LE )notBeforeUTCTime,@ @E )notAfterUTCTime}@@( @ @@3 Validity Q. notBeforeUTCTime,@ @# AforeUTCTime,@ @% rUTCTime}@@< _  Annex^D.   +2 References@@  o [2.1ISO 7498-2: Information Processing Systems - Open Systems Interconnection - Security [" Architecture., 3Definitions@@   y e3.1This Recommendation makes use of the following general security-related terms defined in Pa :parametersANY DEFINED BY algorithm @ @E-OPTIONAL}#@ algorithmOBJECT IDENTIFIER@ @V :parametersANY DEFINED BY ap   OPTIONAL}@ ! OPTIONAL}@.' w c7.3The directory entry of each user, A, who is participating in strong authentication, contains cx dthe certificate(s) of A. Such a certificate is generated by a Certification Authority of A which is dx dan entity in the DIT. A Certification Authority of A, which may not be unique, is denoted CA(A), or du asimply CA if A is understood. The public key of A can thus be discovered by any user knowing the aQ =public key of CA. Discovering public keys is thus recursive.=w c7.4If user A, trying to obtain the public key of user B, has already obtained the public key of cu aCA(B), then the process is complete. 
In order to enable A to obtain the public key of CA(B), the aq ]directory entry of each Certification Authority, X, contains a number of certificates. These ]p \certificates are of two types. First there are forward certificates of X generated by other \y eCertification Authorities. Second there are reverse certificates generated by X itself which are the eyecertified public keys of other certification authorities. The existence of these certificates enableseV Busers to construct certification paths from one point to another.B x d7.5A list of certificates needed to allow a particular user to obtain the public key of another, d|`is known as a wcertification pathw. Each item in the list is a certificatE /h further certificates Xi<>;0?  +-ends with the certificate of B.+t `A certification path logically forms an unbroken chain of trusted points in the Directory `w cInformation Tree between two users wishing to authenticate. The precise method employed by users A cu aand B to obtain certification paths A -> B and B -> A may vary. One way to facilitate this is to axdarrange a hierarchy of CAs, which may or may not coincide with all or part of the DIT hierarchy. dxDLdThe benefit of this is that users who have CAs in the hierarchy may establish a certification dxdpath between them using the Directory without any prior information. In order to allow for this du aeach CA may store one certificate and one reverse certificate designated as corresponding to its a!  superior CA.  . 1.1This Recommendation g S-specifies the form of authentication information held by the Directory;Sl tPDL\7.6Certificates are held within directory entries as attributes of type UserCertificate, K@z `CACertificate and CrossCertificatePair. These attribute types are known to the Directory. These @ @:y eattributes can be operated on using the same protocol operations as other attributes. 
The definition evbof these types may be found in ^3.3 of this Recommendation, the specification of these attribute b) types is as follows: J *UserCertificate::=ATTRIBUTE@@@ G /WITH ATTRIBUTE-SYNTAX Certificate  @"J *CACertificate::=ATTRIBUTE@ @@ F .WITH ATTRIBUTE-SYNTAX Certificate @! J *CrossCertificatePair::=ATTRIBUTE@@@ J 2WITH ATTRIBUTE-SYNTAX CertificatePair @%; CertificatePair::=@@z:@=@n@A +J+ CertificatePair@:@:@=@ `9.1.1The basic approach to authentication has been outlined above, namely the corroboration of `r ^identity by demonstrating possession of a secret key. However, many authentication procedures ^u aemploying this approach are possible. In general it is the business of a specific application to au adetermine the appropriate procedures, so as to meet the security policy of the application. This ay eclause describes three pav bA user may obtain one or more certificates from one or more Certification Authorities. Each b_ Kcertificate bears the name of the Certification Authority which issued it.K7.7In the general case, before users can mutually authenticate, the Directory must supply the ao[complete certification and return certification paths. However, in practice, the amount of [v binformation which must be obtained from the Dictory can be reduced for a particular instance of b' authentication by:y DLea)if the two users that want to authenticate are served by the same certification authority,en  Zthen the certification path becomes trivial, and the users unwrap each other's Z6  "certificates directly;"x  db)if the CAs of the users are arranged in a hierarchy, a user could store the public keys, dw  ccertificates and reverse certificates of all certification authorities between the user cy  eand the root of the DIT. Typically, this would involve the user in knowing the public keysey eand certificates of only three or four certification authorities. The user would then onlyeng the v band certificates of only three or four certification authorities. 
The user would then b}i  Urequire to obtain the certification paths from the common point of trust;Uy  ec)if a user frequently communicates with users certified by a particular other CA, that userey  ecould learn the certification path to that CA and the return certification path from that ex dCA, making it necessary only to obtain the certificate of the other user itself from the d*  Directory Access Protocol (DAP), specified in [* Recommendation^X.519. u a1.5The strong authentication method specified in this Recommendation is based upon public-key ayecryptosystems. It is a major advantage of such systems that user certificates may be held within the ex dDirectory as attributes, and may be freely communicated within the Directory System and obtained by dx duserh other's certificates from the certification path, the users cJ 6must check the validity of the received certificates.6 V(Example). Figure 4/X.509 illustrates a hypothetical example of a DIT fragment, where the CAs dy eform a hierarchy. Besides the information shown at the CAs, we assume that each user knows the publice\ Hkey of its certification authority, and its own public and secret keys.Hx d7  e the eyp \A user may obtain one or more certificates from one or more Certific H Hua7.7In the general case, before users can mutually authenticate, the Directory must supply the ao[complete certification and return certification paths. However, in practice, the amount of [v binformation which must be obtained from the Dire [o[Ĵ[o[ Xp Public key of a user X. [o[Ĵ[o[ Xs Secret key of X. [rom the directory to establish a certification path to B:;A -X<>, W<>, V<>, Y<>, Z<>-vbWhen A has obtained these certificates, it can unwrap the certification path in sequence to bN :yield the contents of the certificate of B, including Bp::M 3Bp = Xp . X<> W<> V<> Y<> Z<> @$w cIn general, A also has to acquire the following certificates from the  ""N :FIGURE 4/X.509:G 33] ECA hierarchy - a hypothetical example@%  ? 
+7.8.2Applying the optimizations of ^7.7:+w ca)taking A and C, for example: both know Xp, so thatvices. The Directory can usefully be involved in meeting their needs for authentication and other ep]DL\security services because it is a natural place from which communicating parties can obtain \r ^authentication information of each other: knowledge which is the basis of authentication. The ^xdDirectory is a natural place because it holds other information which is required for communication dt `and obtained prior to communicat[e a, Up, etc., reduces the information whic[ Gu ab)assuming that A would thus know W<>, Wp, V<>, Vp, U<>, Up, etc., reduces the aw  cinformation which A has to obtain from the directory to form the certification path to:c6 "V<>, Y<>, Z<>"o  [and the information which A has to obtain from the directory to form the return [6  "certification path to:". Z<>, Y<>s _c)assuming that A frequently communicates with users certified by Z, it can learn (in _w  caddition to the public keys learned in b) above) V<>, Y<>, Y<>, and Z<>. To cl  Xcommunicate with B, it need therefore only obtain Z<> from the directory;Xy  ed)assuming that users certified by X and Z frequently communicate, then X<> would be heldey  ein the directory entry for X, and vice versa (this is shown in Figure 4/X.509). If A wantseI  5to authenticate to B, A need only obtain:5. X<>, Z<>C/to form the certification path, and/& Z<>F DL2to form the return certification path;2n  Ze)assuming users A and C have communicated before and have learned one another's Za  Mcertificates, they may use each other's public key directly, i.e.M4 Cp = Xp . X<>#and5 Ap = Xp . X<>. Cp = Xp  X<>#and1 Ap = Xp  X<>. ve of the certification %!>o [authority of the next item in the list. 
A certification path from A to B (denoted A -> B):[ {  _-starts with a certificate produced by CA(A), namely CA(A)<> for some entity X1;G W  ;-continues with further certificates Xi<>;0J(A), namely CA(A)<> for some entity X1;GUW  >> Y<> V<> W<> X<>$   !L ewNote 2w - The signalling of procedures for protecting passwords may be a matter for extension %!W}% to the Document.  u a5.2Where passwords are not protected, a minimal degree of security is provided for preventing axdunauthorized acceHZet V be a CA with whom CAs U and W have at some previous time exchanged public keys in a `u atrusted way. As a result, certificates U<>, V<>, W<> and V<> have been generated and axdstored in the Directory. Assume U<> and W<> are stored in the entry of V, V<> is stored in dB .U's entry, and V<> is stored in W's entry.. y eUser D must find a certification path to E. Various stra[AwAnnex Hw - Reference definition of algorithm object identifiers%!8    Gw - Authentication framework in ASN.1%!%[AwAnnex Hw - Reference definition of algorithm object identifiers%!8  - 0Introduction@@ ( a0.1This document, h N :FIGURE 5/X.509:p3 c KNon-hierarchical certification path - an example@0 2  3 8Digital signatures@@ # FIGURE 5/X.509G 33c KNon-hierarchical certification path - an example@0 3 8Digital signatures@@ w cThis section is not intended to specify a standard for digital signatures in general, but to cW Cspecify the means by which the tokens are signed in the Directory.C es that the signature cannot be forged. %!Wx dThe one-way nature of the hash function ensures that false information, generated so as to have the dR >same hash result (and thus signature), cannot be substituted.>YE8.2The recipient of signed information verifies the signature by:E V B-applying the one-way hash function to the information;By  ed by a mathematical algorithm.W  df)whash function:w a (mathematical) function which maps values from a large (possibly very %!I~v blarge) domain into a smaller range. 
A "good" hash function is such that the results of applying the function to a (large) set of values in the domain will be evenly distributed (and apparently at random) over the range;

m) trust: generally, an entity can be said to "trust" a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects. This trust may apply only for some specific function. The key role of trust in the authentication framework is to describe the relationship between an

4 Notation

NOTATION          MEANING

tinguished name, password, and a random number and/or a timestamp, all of which are protected by applying a one-way function;
c) the transfer of the protected information described in b) together with a random number and/or timestamp, all of which is protected by applying a one-way function.

Note 1 - There is no requirement that the one-way functions applied be different.

ormation may be generated. f1 and f2 are one-way functions (either identical or different) and the timestamps and random numbers are optional and subject to bilateral agreements.

   A      = user's distinguished name
   tA     = timestamps
   passwA = password

SECTION 2 - Strong authentication

6 Basis of strong authentication

6.1 The approach to strong authentication taken in this Recommendation makes use of t

this authentication framework, at the present time, it must have the property that both keys in the key pair can be used for encipherment, with the secret key being used to decipher if the public key was used, and the public key being used to decipher if the secret key was used. In other words

   Xp . Xs = Xs . Xp

where Xp/Xs are encipherment/decipherment functions using the public/secret keys of

the Naming Authorities not to issue duplicate distinguished names.

6.4 Each user is identified by its possession of its secret key. A second user is able to determine if a communication partner is in possession of the secret key, and can use this to corroborate that the communication partner is in fact the user. The validity of this corroboration depends on the secret key remaining confidential to the user.

X1<>X2<>          A chain of certificates (can be of arbitrary length), where each item is the certificate for the certification authority which produced the next. It is functionally equivalent to the following certificate X1<>. For example, possession of A<>B<> provides the same capability as A<>, namely the ability to find out Cp given Ap.

the certificate, and consists of two dates, the first and last on which the certificate is valid. Since TA is assumed to be changed in periods not less than 24 hours, it is expected that systems would use Coordinated Universal Time as a reference time base. The signature in the certificate can be checked for validity by any user with knowledge of CAp. The following ASN.1 data type can be used to represent

Various strategies could be used. One such strategy would be to regard the users and CAs as nodes, and the certificates as arcs in a directed graph. In these terms, D has to perform a search in the graph to find a path from U to E, one such being U<>, V<>, W<>. When this path has been discovered, the reverse path W<>, V<>, U<> can also be constructed.

- comparing the result with that obtained by deciphering the signature using the public key of the signer.

FIGURE 6/X.509
Digital signatures

illustrated in Figure 2/X.509. The further protection is of the form:

   Protected2 = f2(t2A, q2A, Protected1)

The information conveyed to B is of the form:

   Authenticator2 = t1A, t2A, q1A, q2A, A, Protected2

andate a single one-way hash function for use in signing.
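The protected forms of simple authentication above (Protected1, Protected2 and Authenticator2 of Figure 2/X.509) as a runnable exchange. This is an added example and not code from the Recommendation: it assumes SHA-256 for both one-way functions f1 and f2, which the text leaves to bilateral agreement, and the distinguished name, password, timestamps and random numbers are constructed sample values. The Responder also records the (q1A, q2A) pairs it has accepted, which is one way to use the optional random numbers against replay.

```python
"""Protected simple authentication (clause 5, Figure 2/X.509).  Added example, not part
of the Recommendation.  Assumed: SHA-256 for both one-way functions f1 and f2 (the text
leaves them to bilateral agreement); the distinguished name, password, timestamps and
random numbers are constructed sample values."""
import hashlib
import hmac
from dataclasses import dataclass


def one_way(*fields: str) -> str:
    """A one-way function over several fields (serves as f1 or f2).  Fields are
    length-prefixed so that ("ab", "c") and ("a", "bc") hash differently."""
    h = hashlib.sha256()
    for f in fields:
        data = f.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def protected1(t1a, q1a, name, password):
    return one_way(t1a, q1a, name, password)        # Protected1 = f1(t1A, q1A, A, passwA)


def protected2(t2a, q2a, p1):
    return one_way(t2a, q2a, p1)                    # Protected2 = f2(t2A, q2A, Protected1)


@dataclass(frozen=True)
class Authenticator2:
    """Authenticator2 = t1A, t2A, q1A, q2A, A, Protected2; the password itself never travels."""
    t1a: str
    t2a: str
    q1a: str
    q2a: str
    name: str
    protected2: str


def build_authenticator2(name, password, t1a, t2a, q1a, q2a):
    """A's side: apply f1, then the further protection f2."""
    p1 = protected1(t1a, q1a, name, password)
    return Authenticator2(t1a, t2a, q1a, q2a, name, protected2(t2a, q2a, p1))


class Responder:
    """B: holds the passwords agreed with its users and the (q1A, q2A) pairs already accepted."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.seen = set()

    def verify(self, auth):
        """Rebuild Protected2 from the locally held password and compare for equality."""
        stored = self.passwords.get(auth.name)
        if stored is None or (auth.name, auth.q1a, auth.q2a) in self.seen:
            return False                             # unknown user, or a replayed authenticator
        local = protected2(auth.t2a, auth.q2a, protected1(auth.t1a, auth.q1a, auth.name, stored))
        if not hmac.compare_digest(local, auth.protected2):
            return False
        self.seen.add((auth.name, auth.q1a, auth.q2a))
        return True
```

Because B recomputes Protected2 from its own copy of the password, the comparison is a constant-time equality check and nothing reversible about the password is exposed on the wire; the length-prefixing in one_way is what keeps the field boundaries unambiguous when the inputs are concatenated.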
It is intended that the framework will be applicable to any suitable hash function, and will thus support changes to the methods used as a result of future advances in cryptography, mathematical techniques or computational capabilities. However, two users wishing to authenticate must support the same hash function for authentication to be performed correctly. Thus, within the context of a set of related applications, the choice of a single function will serve to maximize the community of users able to authenticate and communicate securely. An example hash function is specified in Annex D.

The signed information includes indicators that identify the hashing algorithm and the encryption algorithm used to compute the digital signature.

8.4 The encipherment of some data items may be described using the following ASN.1 MACRO:

   ENCRYPTED MACRO ::=
   BEGIN
   TYPE NOTATION  ::= type (ToBeEnciphered)
   VALUE NOTATION ::= value (VALUE BIT STRING)
   END

The value of the bit string is generated by taking the octets which form the complete encoding (using the ASN.1 Basic Encoding Rules) of the value of the ToBeEnciphered type and applying an encipherment procedure to those octets.

in the bits to be transmitted.

Note 2 - The encryption procedure is required to take as input a string of octets and to generate a single string of bits as its result.

Note 3 - Mechanisms for secure agreement on the encryption algorithm and its parameters by the sender and receiver of data are outside the scope of this Recommendation.

8.5 In the case where a signature must be appended to a data type, the following ASN.1 macro may be used to define the data type resulting from applying a signature to the given data type.

   SIGNED MACRO ::=
   BEGIN
   TYPE NOTATION  ::= type (ToBeSigned)

ed name of the user it describes. Thus:

a) a certification authority must be satisfied of the identity of a user before creating a certificate for it;
b) a certification authority must not issue certificates for two users with the same name.

10.2.2 The production of a certificate occurs off-line and must not be p

         ENCRYPTED OCTET STRING   -- where the octet string is the result
                                  -- of the hashing of the value of
                                  -- 'ToBeSigned' --
      })
   END -- of SIGNED

FIGURE 8/X.509
Two-way authentication

1) as for 9.2.
2) as for 9.2.

8.6 In the case where only the signature is required, the following ASN.1 macro may be used to define the data type resulting from applying a signature to the given data type.

   SIGNATURE MACRO ::=
   BEGIN
   TYPE NOTATION  ::= type (OfSignature)
   VALUE NOTATION ::= value (VALUE
      SEQUENCE {
         AlgorithmIdentifier,     -- of the algorithm used to compute
                                  -- the signature
         ENCRYPTED OCTET STRING   -- where the octet string is a function (e.g. a
                                  -- compressed or hashed version) of the
                                  -- value 'OfSignature', which may include
                                  -- the identifier of the algorithm used to
                                  -- compute the signature --
      })
   END -- of SIGNATURE

8.7 In order to enable the validation of SIGNED and SIGNATURE types in a distributed environment, a distinguished encoding is required. A distinguished encoding of a SIGNED or SIGNATURE data value shall be obtained by applying the Basic Encoding Rules defined in Recommendation X.209 with the following restrictions:

a) the definite form of length encoding shall be used, encoded in the minimum number of octets;
b) for string types, the constructed form of encoding shall not be used;
c) if the value of a type is its default value, it shall be absent;
d) the components of a Set type shall be encoded in ascending order of their tag value;
e) the components of a Set-of type shall be encoded in ascending order of their octet value;
f) if the value of a Boolean type is true, the encoding shall have its contents octet set to 'FF'16;
g) each unused bit in the final octet of the encoding of a BitString value, if there are any, shall be set to zero;
h) the encoding of a Real type shall be such that bases 8, 10 and 16 shall not be used, and the binary scaling factor shall be zero.

9 Strong authentication procedures

9.1 Overview

rticular authentication procedures, which may be found useful across a range of applications.

Note - This Recommendation does not specify the procedures to the detail required for implementation. However, additional standards could be envisaged which would do so, either in an application-specific or in a general-purpose way.

9.1.2 The three procedures involve different numbers of exchanges of authentication information, and consequently provide different types of assurance to their participants.
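The restrictions of 8.7 exist because a signature is computed over the octets of the encoding, so sender and verifier must produce the same octets for the same value. The following added example (not code from the Recommendation or from any X.500 implementation) shows a minimal encoder that applies restrictions a) to g) to a few universal types, and a checker that walks an arbitrary BER encoding and reports the violations that can be detected without knowing the schema. Restriction h) (Real) and the schema-dependent rules c), d) and e) are applied by the encoder only. The sample value and its field choices are constructed.

```python
"""Distinguished encoding for SIGNED and SIGNATURE values (clause 8.7).  Added example,
not part of the Recommendation: a minimal encoder applying restrictions a) to g) of
8.7 to a few universal types, plus a checker for the violations visible in any BER
encoding without its schema.  Restriction h) (Real) is not covered.  Sample values
are constructed."""


def encode_length(n: int) -> bytes:
    """a) definite form, minimum number of octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(content)) + content


def encode_boolean(v: bool) -> bytes:
    return tlv(0x01, b"\xff" if v else b"\x00")           # f) TRUE is 'FF'16


def encode_integer(v: int) -> bytes:
    n = (v.bit_length() if v >= 0 else (~v).bit_length()) // 8 + 1   # minimal two's complement
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def encode_bit_string(bits: str) -> bytes:
    """g) pad bits are zero; the first content octet counts them."""
    unused = -len(bits) % 8
    padded = bits + "0" * unused
    body = int(padded, 2).to_bytes(len(padded) // 8, "big") if padded else b""
    return tlv(0x03, bytes([unused]) + body)


def encode_octet_string(data: bytes) -> bytes:
    return tlv(0x04, data)                                  # b) primitive form only


def encode_utctime(s: str) -> bytes:
    return tlv(0x17, s.encode("ascii"))


def encode_sequence(parts) -> bytes:
    return tlv(0x30, b"".join(parts))


def encode_set(parts) -> bytes:
    """d) SET components in ascending order of tag."""
    return tlv(0x31, b"".join(sorted(parts, key=lambda p: p[0])))


def encode_set_of(parts) -> bytes:
    """e) SET OF components in ascending order of their encoded octets."""
    return tlv(0x31, b"".join(sorted(parts)))


def encode_default(value, default, encoder) -> bytes:
    """c) a component equal to its DEFAULT is absent (e.g. a version DEFAULT component)."""
    return b"" if value == default else encoder(value)


STRING_TAGS = {0x03, 0x04, 0x0c, 0x12, 0x13, 0x14, 0x16, 0x17, 0x18, 0x1a, 0x1b, 0x1e}


def check_restrictions(enc: bytes) -> list:
    """Walk a BER encoding and list violations of a), b), f) and g)."""
    problems = []

    def walk(buf):
        i = 0
        while i < len(buf):
            tag, first = buf[i], buf[i + 1]
            i += 2
            if first & 0x80:
                nlen = first & 0x7f
                if nlen == 0:
                    problems.append("indefinite length")             # a)
                    return
                length = int.from_bytes(buf[i:i + nlen], "big")
                i += nlen
                if length < 0x80 or (nlen > 1 and length < 1 << (8 * (nlen - 1))):
                    problems.append("non-minimal length octets")     # a)
            else:
                length = first
            content, i = buf[i:i + length], i + length
            if tag & 0x20:                                            # constructed encoding
                if (tag & 0xc0) == 0 and (tag & 0x1f) in STRING_TAGS:
                    problems.append("constructed string type")       # b)
                walk(content)
            elif tag == 0x01 and content not in (b"\x00", b"\xff"):
                problems.append("BOOLEAN TRUE not 'FF'")             # f)
            elif tag == 0x03 and content and content[-1] & ((1 << content[0]) - 1):
                problems.append("BIT STRING unused bits not zero")   # g)

    walk(enc)
    return problems


def sample() -> bytes:
    """Constructed value: SEQUENCE { version DEFAULT 0 (absent), INTEGER 300,
    UTCTime, SET OF two INTEGERs, BOOLEAN TRUE, BIT STRING '101'B }."""
    return encode_sequence([
        encode_default(0, 0, encode_integer),
        encode_integer(300),
        encode_utctime("891231235959Z"),
        encode_set_of([encode_integer(3), encode_integer(1)]),
        encode_boolean(True),
        encode_bit_string("101"),
    ])
```

A verifier that re-encodes a received value and compares octets, rather than checking the received octets directly, silently accepts the non-distinguished forms the checker reports; that is why the restrictions are stated on the encoding that is signed.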
Specifically,

a) one-way authentication, described in 9.2, involves a single transfer of information from one user (A) intended for another (B), and establishes the following:
- the identity of A, and that the authentication token actually was generated by A;
- the identity of B, and that the authentication token actually was intended to be sent to B;
- the integrity and "originality" (the property of not having been sent two or more times) of the authentication token being transferred.
The latter properties can also be established for arbitrary additional data accompanying the transfer;

b) two-way authentication, described in 9.3, involves, in addition, a reply from B to A. It establishes, in addition, the following:
- that the authentication token generated in the reply actually was generated by B and was intended to be sent to A;
- the integrity and originality of the authentication token sent in the reply;
- (optionally) the mutual secrecy of part of the tokens;

c) three-way authentication, described in 9.4, involves, in addition, a further transfer from A to B. It establishes the same properties as the two-way authentication, but does so without the need for association time stamp checking.

In each case where strong authentication is to take place, A must obtain the public key of B, and the return certification path from B to A, prior to any exchange of information. This may involve access to the Directory, as described in 7 above. Any such access is not mentioned again in the description of the procedures below.

9.2 One-way authentication

The following steps are involved, as depicted in Figure 7/X.509.

FIGURE 7/X.509
One-way authentication

1) A generates rA, a non-repeating number, which is used to detect replay attacks and to prevent forgery.

2) A sends the following message to B:

   B <- A, A{tA, rA, B}

where tA is a timestamp. tA consists of one or two dates: the generation time of the token (which is optional) and the expire date. Alternatively, if data origin authentication of "sgnData" is to be provided by the digital signature:

   B <- A, A{tA, rA, B, sgnData}

In cases where information is to be conveyed which will subsequently be used as a secret key (this information is referred to as "encData"):

   B <- A, A{tA, rA, B, sgnData, Bp[encData]}

The use of "encData" as a secret key implies that it must be chosen carefully, e.g. to be a strong key for whatever cryptosystem is used as indicated in the "sgnData" field of the token.

public key, Bp, from its certificate, followed by using Bp to unwrap C's certificate. The outcome of the operation is the public key of C, Cp.

3) B carries out the following actions:
a) obtains Ap from B -> A, checking that A's certificate has not expired;
b) verifies the signature, and thus the integrity of the signed information;
c) checks that B itself is the intended recipient;
d) checks that the timestamp is "current";
e) optionally, checks that rA has not been replayed. This could, for example, be achieved by having rA include a sequential part that is checked by a local implementation for its value uniqueness.

rA is valid until the expire date indicated by tA; rA is always accompanied by a sequential part, which indicates that A will not repeat the token during the time range tA and therefore that checking of the value of rA itself is not required. In any case it is reasonable for party B to store the sequential part together with timestamp tA in the clear and together with the hashed part of the token during time range tA.

4 Notation and abbreviations
SECTION 1 - Simple authentication
5 Simple authentication procedure
SECTION 2 - Strong authentication
6 Basis of strong authentication
7 Obtaining a user's public key

9.3 Two-way authentication

The following steps are involved, as depicted in Figure 8/X.509.

3) as for 9.2.

4) B generates rB, a non-repeating number, used for similar purpose(s) to rA.

5) B sends the following authentication token to A:

   B{tB, rB, A, rA}

where tB is a timestamp defined in the same way as tA. Alternatively, if data origin authentication of "sgnData" is to be provided by the digital signature:

   B{tB, rB, A, rA, sgnData}

In cases where information is to be conveyed which will subsequently be used as a secret key (this information is referred to as "encData"):

   B{tB, rB, A, rA, sgnData, Ap[encData]}

The use of "encData" as a secret key implies that it must be chosen carefully, e.g. to be a strong key for whatever cryptosystem is used as indicated in the "sgnData" field of the token.

6) A carries out the following actions:
a) verifies the signature, and thus the integrity of the signed information;
b) checks that A is the intended recipient;
c) checks that the timestamp tB is "current";
d) optionally, checks that rB has not been replayed [see 9.2 step 3) e)].

9.4 Three-way authentication

The following steps are involved, as depicted in Figure 9/X.509.

Recommendations X.509 and ISO 9594-8, Information Processing Systems - Open Systems Interconnection - The Directory - Authentication Framework, were developed in close collaboration and are technically aligned.

Recommendations X.501 and ISO 9594-2, The Directory - Models, were developed in close collaboration and are technically aligned.

FIGURE 9/X.509
Three-way authentication

1) as for 9.3.
2) as for 9.3. Timestamp tA may be zero.
3) as for 9.3, except that the timestamp need not be checked.
4) as for 9.3.
5) as for 9.3. Timestamp tB may be zero.
6) as for 9.3, except that the timestamp need not be checked.
7) A checks that the received rA is identical to the rA which was sent.
8) A sends the following authentication token to B:

   A{rB}

9) B carries out the following actions:
a) checks the signature and thus the integrity of the signed information;
b) checks that the received rB is identical to the rB which was sent by B.

10 Management of keys and certificates

10.1 Generation of key pairs

10.1.1 The overall security management policy of an implementation will define the lifecycle of key pairs, and is thus outside the
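The three procedures of 9.2 to 9.4, run end to end, as an added example that is not code from the Recommendation. It assumes a textbook RSA signature over a SHA-256 digest as the public key cryptosystem (the Xp . Xs = Xs . Xp property of 6.1 is what lets B recover the signed hash with Ap), deterministic 256-bit toy keys that are far too small for real use, tokens held as Python tuples rather than the ASN.1 of Annex G, and certification paths (clause 7) already processed so that each party simply holds the other's public key. The sgnData and encData variants are not shown. Note how the three-way form sends zero timestamps and skips check d), relying on the echoed rA and rB instead, which is exactly the trade described in 9.1.2 c).

```python
"""One-, two- and three-way strong authentication (clauses 9.2 to 9.4).  Added
example, not part of the Recommendation.  Assumed: textbook RSA over a SHA-256
digest as the public key cryptosystem (its Xp . Xs = Xs . Xp property, 6.1, is
what lets B recover the signed hash with Ap), deterministic 256-bit toy keys,
tuple tokens instead of ASN.1, and certification paths (7) already processed."""
import hashlib
import random
import secrets

E, LIFETIME = 65537, 300   # public exponent; seconds until a token's expire date tA (constructed)

def _is_probable_prime(n, rng, rounds=24):     # Miller-Rabin; adequate for toy keys
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def keypair(seed, bits=128):
    """Xp = (n, e) and Xs = (n, d) for one party, derived deterministically from seed."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (c - 1) % E and _is_probable_prime(c, rng):   # keeps e invertible mod phi
            primes.append(c)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(token, n):
    return int.from_bytes(hashlib.sha256(repr(token).encode()).digest(), "big") % n

def sign(secret, token):
    return pow(_digest(token, secret[0]), secret[1], secret[0])          # Xs applied to the hash

def verify(public, token, sig):
    return pow(sig, public[1], public[0]) == _digest(token, public[0])   # Xp undoes Xs (6.1)

class Party:
    def __init__(self, name, seed):
        self.name = name
        self.public, self.secret = keypair(seed)
        self.peers = {}      # name -> public key, as obtained via clause 7 (assumed done)
        self.seen = set()    # r values already accepted, for 9.2 step 3 e)

def send_token(sender, recipient, now, extra=(), timestamp=True):
    """Build X{t, r, recipient, ...}; returns r and (sender name, token, signature)."""
    r = secrets.randbits(64)                        # non-repeating number rA / rB
    t = now + LIFETIME if timestamp else 0          # expire date; 9.4 allows zero
    token = (t, r, recipient.name) + tuple(extra)
    return r, (sender.name, token, sign(sender.secret, token))

def accept_token(receiver, msg, now, check_time=True):
    """9.2 step 3 a) to e) (also 9.3 step 6): the token if every check passes, else None."""
    sender, token, sig = msg
    public = receiver.peers.get(sender)                       # a) Ap via the return path
    if public is None or not verify(public, token, sig):      # b) signature and integrity
        return None
    t, r, recipient = token[:3]
    if recipient != receiver.name or (check_time and now > t) or r in receiver.seen:
        return None                                           # c) recipient, d) current, e) replay
    receiver.seen.add(r)
    return token

def exchange(a, b, now, three_way=False):
    """9.3: A{tA, rA, B}, then B{tB, rB, A, rA}.  9.4: zero timestamps left unchecked,
    A compares the echoed rA (step 7) and closes with A{rB} (steps 8 and 9)."""
    ts = not three_way
    rA, msg1 = send_token(a, b, now, timestamp=ts)
    if accept_token(b, msg1, now, check_time=ts) is None:
        return False
    rB, msg2 = send_token(b, a, now, extra=(rA,), timestamp=ts)
    reply = accept_token(a, msg2, now, check_time=ts)
    if reply is None or (three_way and reply[3] != rA):
        return False
    if not three_way:
        return True
    final = (rB,)                                             # step 8: A{rB}
    return verify(b.peers[a.name], final, sign(a.secret, final)) and final[0] == rB

def demo():
    """One-, two- and three-way runs plus the tokens B must refuse; returns flags."""
    now, a, b = 1_000_000, Party("A", 1), Party("B", 2)
    a.peers[b.name], b.peers[a.name] = b.public, a.public     # stands in for Directory lookups
    out, (rA, msg) = {}, send_token(a, b, now)
    out["one_way"] = accept_token(b, msg, now) is not None
    out["replay"] = accept_token(b, msg, now) is None
    out["expired"] = accept_token(b, send_token(a, b, now)[1], now + LIFETIME + 1) is None
    s, tok, sig = send_token(a, b, now)[1]
    out["tampered"] = accept_token(b, (s, tok + ("sgnData",), sig), now) is None
    out["two_way"] = exchange(a, b, now)
    out["three_way"] = exchange(a, b, now, three_way=True)
    return out
```

The recipient name inside the signed token is what makes check c) meaningful: without it, a token A signed for C could be presented to B, and B would have no signed evidence that it was the intended recipient.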
Annex C - The RSA public key cryptosystem
Annex D - Hash functions
Annex E - Threats protected against by the strong authentication method
Annex F - Data confidentiality
Annex G - Authentication framework in ASN.1

The checking of timestamps as mentioned in the following sections only applies when either synchronized clocks are used in a local environment, or if clocks are logically synchronized by bilateral agreements. In any case, it is recommended that Coordinated Universal Time be used.

For each of the three authentication procedures described below, it is assumed that party A has checked the validity of all of the certificates in the certification path.

CAn(X) (where n >= 1)   CA(CA(...n times...(X)))

For comparison, B generates a local value of A's additionally protected password and compares it (for equality) with that of Protected2. (Similar in principle to step 1) of 5.4.1.)

2) B confirms (or denies) to A the verification of the protected identifying information.

Note - The procedures defined in this section are specified in terms of A

directory;
d) certification authorities can cross-certify one another by bilateral agreement. The result is to shorten the certification path;
e) if two users have communicated before and have learned one another's certificates, they are able to authenticate without any recourse to the Directory.

In any case, having learned eac

directory to establish the return certification path from B to A:

   Z<>, Y<>, V<>, W<>, X<>

When B receives these certificates from A, it can unwrap the return certification path in sequence to yield the contents of the certificate of A, including Ap:

   Ap = Zp . Z<> Y<> V<> W<> X<>

ed in this Recommendation are defined in Recommendation X.501:
a) attribute;
b) Directory Information Base;
c) Directory Information Tree;
d) distinguished name;
e) entry;
f) object;
g) root.

3.3 The following specific terms are defined

scope of the authentication framework. However, it is vital to the overall security that all secret keys remain known only to the user to whom they belong.

Key data is not easy for a human user to remember, so a suitable method for storing it in a convenient transportable manner must be employed. One possible mechanism would be to use a "Smart Card". This would hold the secret and (optionally) public keys of the user, the user's certificate, and a copy of the certification authority's public key. The use of this card must additionally be secured by e.g. at least use of a PIN (Personal Identification Number), increasing the security of the system by requiring the user to possess the card and to know how to access it. The exact method chosen for storing such data, however, is beyond the scope of this Recommendation.

10.1.2 There are three ways in which a user's key pair may be produced, as described in 10.1.2.1 to 10.1.2.3.
10.1.2.1 The user generates its own key pair. This method has the advantage that a user's secret key is never released to another entity, but requires a certain level of competence by the user as described in Annex C.

10.1.2.2 The key pair is generated by a third party. The third party must release the secret key to the user in a physically secure manner, then actively destroy all information relating to the creation of the key pair plus the keys themselves. Suitable physical security measures must be employed to ensure that the third party and the data operations are free from tampering.

10.1.2.3 The key pair is generated by the CA. This is a special case of 10.1.2.2, and the

This method has the advantage of not requiring secure data transfer to the CA for certification.

10.1.2.4 The cryptosystem in use imposes particular (technical) constraints on key generation.

10.2 Management of certificates

10.2.1 A certificate associates the public key and unique distinguish

erformed with an automatic query/response mechanism. The advantage of this certification is that because the secret key of the certification authority, CAs, is never known except in the isolated and physically secure CA, the CA secret key may then only be learnt by an attack on CA itself, making compromise unlikely.

10.2.3 It is important that the transfer of information to the certification authority is not compromised, and suitable physical security measures must be taken. In this regard:

a) it would be a serious breach of security if the CA issued a certificate for a user with a public key that had been tampered with;
b) if the means of generation of key pairs of 10.1.2.3 is employed, no secure transfer is needed;
c) if the means of generation of key pairs of 10.1.2.1 or of 10.1.2.2 is employed, the user may use different methods (on-line or off-line) to communicate its public key to the CA in a secure manner. On-line methods may provide some additional flexibility for remote operations performed between the user and the CA.

10.2.4 A certificate is a publicly available piece of information, and no specific security measures need to be employed with respect to its transportation to the Directory. As it is produced by an off-line certification authority on behalf of a user who will be given a copy of it, the user need only store this information in its directory entry on a subsequent access to the Directory. Alternatively the CA could lodge the certificate for the user, in which case this agent must be given suitable access rights.

10.2.5 Certificates will have a lifetime associated with them, at the end of which they expire. In order to provide continuity of service, the CA shall ensure timely availability of replacement certificates to supersede expired/expiring certificates. This has a number of aspects, as described in 10.2.5.1 and 10.2.5.2.

10.2.5.1 Validity of certificates may be designed so that each becomes valid at the time of expiry of its predecessor, or an overlap may be allowed. The latter prevents the CA from having to install and distribute a large number of

to their expiration time, e.g. if the user's secret key is assumed to be compromised, or the user is no longer to be certified by the CA, or if the CA's certificate is assumed to be compromised. This has a number of aspects, as described in 10.2.6.1 to 10.2.6.4.

      subject               Name,
      subjectPublicKeyInfo  SubjectPublicKeyInfo }

   Version      ::= INTEGER { 1988(0) }
   SerialNumber ::= INTEGER
   Validity     ::= SEQUENCE {

10.2.6.1 The revocation of a user certificate or CA certificate shall be made known by the CA, and a new certificate shall be made available, if appropriate. The CA may then inform the owner of the certificate about its revocation by some off-line procedure.

10.2.6.2 The CA shall maintain:
a) a time-stamped list of the certificates it issued which have been revoked;
b) a time-stamped list of revoked certificates of all CAs known to the CA, certified by the CA.
Both certified lists shall exist, even if empty.

10.2.6.3 The maintenance of Directory entries affected by the CA's revocation lists is the responsibility of the Directory and its users, acting in accordance with the security policy. For example, the user may modify its object entry by replacing the old certificate with a new one. The latter will then be used to authenticate the user to the Directory.

10.2.6.4 The revocation lists ("black-lists") are held within entries as attributes of types "CertificateRevocationList" and "AuthorityRevocationList". These attributes can be operated on using the same operations as other attributes.
These attribute types are defined as follows:

   CertificateRevocationList ::= ATTRIBUTE
      WITH ATTRIBUTE-SYNTAX CertificateList

   AuthorityRevocationList ::= ATTRIBUTE
      WITH ATTRIBUTE-SYNTAX CertificateList

   CertificateList ::= SIGNED SEQUENCE {
      signature            AlgorithmIdentifier,
      issuer               Name,
      lastUpdate           UTCTime,
      revokedCertificates  SIGNED SEQUENCE OF SEQUENCE {
         signature         AlgorithmIdentifier,
         issuer            Name,
         subject           CertificateSerialNumber,
         revocationDate    UTCTime } OPTIONAL }

Note 1 - The checking of the entire list of certificates is a local matter.

Note 2 - If a non-repudiation of data service is dependent on keys provided by the CA, the service must ensure that all relevant keys of the CA (revoked or expired) and the timestamped revocation lists are archived and certified by a current authority.

lic key cryptosystem) that key of a user's key pair which is publicly known;

8 Digital signatures
9 Strong authentication procedures
10 Management of keys and certificates
Annex A - Security requirements
Annex B - An introduction to public key cryptography

together with the others of the series, has been produced to facilitate the interconnection of information processing systems to provide directory services.
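Path discovery over the Figure 5 directory (users and CAs as nodes, certificates as arcs) together with the revocation lists just defined, as an added example that is not code from the Recommendation. It assumes a toy RSA signature with roughly 40-bit moduli to implement the unwrap operation Xp . X<<Y>> = Yp, a Directory modelled as a dict of entries each holding the certificates whose subject is that entry (V's entry holds U<<V>> and W<<V>>, as in Figure 5), and constructed names, serial numbers and UTCTime values. The search finds the forward path U -> E and the return path W -> D, unwraps each in sequence, and refuses a path once V's list revokes V<<W>>; a CA with no list at all is also refused, since 10.2.6.2 requires the lists to exist even when empty.

```python
"""Certification paths (clause 7, Figure 5/X.509, 7.8.2) and revocation lists (10.2.6).
Added example, not part of the Recommendation.  Assumed: a toy RSA signature with
~40-bit moduli for the unwrap operation Xp . X<<Y>> = Yp; a Directory that is a dict of
entries, each holding the certificates whose subject is that entry; constructed names,
serial numbers and UTCTime values."""
import hashlib
from collections import deque
from dataclasses import dataclass

PUB_EXP = 65537
_PRIMES = [p for p in range(1_000_001, 1_001_000, 2)        # toy primes found at import by
           if all(p % k for k in range(3, int(p ** 0.5) + 1, 2))][:10]   # trial division

def _keypair(i):
    p, q = _PRIMES[2 * i], _PRIMES[2 * i + 1]
    return (p * q, PUB_EXP), (p * q, pow(PUB_EXP, -1, (p - 1) * (q - 1)))   # (Xp, Xs)

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def _body(issuer, subject, serial, subject_key, not_after):
    return repr((issuer, subject, serial, subject_key, not_after)).encode()

@dataclass(frozen=True)
class Certificate:
    """X<<Y>>: issuer X certifies subject Y's public key (clause 7 fields, abridged)."""
    issuer: str
    subject: str
    serial: int
    subject_key: tuple
    not_after: str      # UTCTime YYMMDDhhmmssZ; string order is chronological within a century
    signature: int

def issue(issuer, issuer_secret, subject, serial, subject_key, not_after):
    n, d = issuer_secret
    sig = pow(_h(_body(issuer, subject, serial, subject_key, not_after), n), d, n)
    return Certificate(issuer, subject, serial, subject_key, not_after, sig)

def unwrap(issuer_key, c):
    """Xp . X<<Y>> -> Yp (clause 4 notation); raises if the signature does not check."""
    n, e = issuer_key
    if pow(c.signature, e, n) != _h(_body(c.issuer, c.subject, c.serial, c.subject_key, c.not_after), n):
        raise ValueError(f"signature on {c.issuer}<<{c.subject}>> does not verify")
    return c.subject_key

@dataclass(frozen=True)
class CertificateList:      # 10.2.6.2: a CA's time-stamped list of (issuer, serial) it revoked
    issuer: str
    last_update: str
    revoked: frozenset

def find_path(directory, start, end):
    """Figure 5 strategy: entities are nodes, certificates arcs; breadth-first search."""
    arcs = {}
    for c in sum(directory.values(), []):
        arcs.setdefault(c.issuer, []).append(c)
    prev, queue = {start: None}, deque([start])
    while queue and end not in prev:
        for c in arcs.get(queue.popleft(), ()):
            if c.subject not in prev:
                prev[c.subject] = c
                queue.append(c.subject)
    if end not in prev:
        return None
    path, node = [], end
    while prev[node] is not None:
        path.append(prev[node])
        node = prev[node].issuer
    return path[::-1]

def process_path(start_key, path, now, lists):
    """Unwrap a path in sequence, refusing expired or revoked certificates (10.2.6)."""
    key = start_key
    for c in path:
        crl = lists.get(c.issuer)                   # must exist for every CA, even if empty
        reason = ("no revocation list" if crl is None else "expired" if c.not_after < now
                  else "revoked" if (c.issuer, c.serial) in crl.revoked else None)
        if reason:
            raise ValueError(f"{c.issuer}<<{c.subject}>> serial {c.serial}: {reason}")
        key = unwrap(key, c)
    return key

def build_figure5():
    """Constructed Directory of Figure 5: CAs U, V, W; users D (under U) and E (under W)."""
    pub, sec = {}, {}
    for i, name in enumerate("UVWDE"):
        pub[name], sec[name] = _keypair(i)
    cert = lambda x, y, serial: issue(x, sec[x], y, serial, pub[y], "901231235959Z")
    directory = {"V": [cert("U", "V", 1), cert("W", "V", 2)],    # U<<V>>, W<<V>> in V's entry
                 "U": [cert("V", "U", 3)], "W": [cert("V", "W", 4)],
                 "D": [cert("U", "D", 5)], "E": [cert("W", "E", 6)]}
    lists = {x: CertificateList(x, "890601120000Z", frozenset()) for x in "UVW"}
    return directory, lists, pub

def demo():
    directory, lists, pub = build_figure5()
    now, forward, reverse = "890701000000Z", find_path(directory, "U", "E"), find_path(directory, "W", "D")
    out = {"forward": [(c.issuer, c.subject) for c in forward],
           "reverse": [(c.issuer, c.subject) for c in reverse],
           "Ep_ok": process_path(pub["U"], forward, now, lists) == pub["E"],
           "Dp_ok": process_path(pub["W"], reverse, now, lists) == pub["D"]}
    revoked = dict(lists, V=CertificateList("V", now, frozenset({("V", 4)})))   # V revokes V<<W>>
    try:
        process_path(pub["U"], forward, now, revoked)
        out["revoked_refused"] = False
    except ValueError as err:
        out["revoked_refused"] = "revoked" in str(err)
    return out
```

The revocation check is keyed on (issuer, serial) because that pair is what the CertificateList carries; the list for a CA certificate is the AuthorityRevocationList of the issuing CA, and for a user certificate its CertificateRevocationList, which is why the lookup is by the certificate's issuer and not by its subject.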
The set of all such systems, together with the directory information which they hold, can be viewed as an integrated whole, called the Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is typ

CONTENTS
0 Introduction
1 Scope and field of application
2 References
3 Definitions

on is intended to provide local authorization based upon a Distinguished Name of a user, a bilaterally agreed (optional) password and a bilateral understanding of the means of

password within a single domain. Utilization of Simple Authentication is primarily intended for local use only, i.e. for peer entity authentication between one DUA and one DSA or between one DSA and one DSA. Simple authentication may be achieved by several means:

X1p.X1<>          The operation of unwrapping a certificate (or certificate chain) to extr

Note - Alternative types of PKCS, i.e., ones which do not require the property of permutab

that can be supported without great modification to this Recommendation, are a possible future extension.

6.2 This authentication framework does not mandate a particular cryptosystem for use. It is intended that the frame

e or communicate user certificates in a secure manner.

A brief introduction to public-key cryptography can be found in Annex B.

1.6 In general, the authentication framework is not dependent on the use of a particular cryptographic algorithm, provided it has the properties described in 6.1. Potentially a number of different algorith

6.5 For a user to determi

erations there apply.

Note - The certification authority already exhibits trusted functionality with respect to the user, and will be subject to the necessary physical security measures.

4.2 The following abbreviations are used in this Recommendation:

   CA     Certification Authority
   DIB    Directory Information Base
   DIT    Directory Information Tree
   PKCS   Public key cryptosystem

   VALUE NOTATION ::= value (VALUE
      SEQUENCE {
         ToBeSigned,
         AlgorithmIdentifier,     -- of the algorithm used to compute
                                  -- the signature
         ENCRYPTED OC