Fascicle VIII.8 - Rec. X.509

ANNEX A
(to Recommendation X.509)

Security requirements

This Annex does not form an integral part of this Recommendation.

[Additional material relevant to this topic can be found in OSI 7498 - Information Processing Systems - OSI Reference Model - Part 2, Security Architecture.]

Many OSI applications, CCITT-defined services and non-CCITT-defined services will have requirements for security. Such requirements derive from the need to protect the transfer of information from a range of potential threats.

A.1 Threats

Some commonly known threats are:

a) identity interception: the identity of one or more of the users involved in a communication is observed for misuse;

b) masquerade: the pretense by a user to be a different user in order to gain access to information or to acquire additional privileges;

c) replay: the recording and subsequent replay of a communication at some later date;

d) data interception: the observation of user data during a communication by an unauthorized user;

e) manipulation: the replacement, insertion, deletion or misordering of user data during a communication by an unauthorized user;

f) repudiation: the denial by a user of having participated in part or all of a communication;

g) denial of service: the prevention or interruption of a c[…];

Note - This security threat is a more general one and depends on the individual application or on the intention of the unauthorized disruption and is therefore not explicitly within the scope of the authentication framework.

h) mis-routing: the mis-routing of a communication path intended for one user to another;

Note - Mis-routing will naturally occur in OSI layers 1 - 3. Therefore mis-routing is outside of the scope of the authentication framework. However, it may be possible to avoid the consequences of mis-routing by using appropriate security services as provided within the authentication framework.

i) traffic analysis: the observation of information about a communication between users (e.g. absence/presence, frequency, direction, sequence, type, amount, etc.).

Note - Traffic analysis threats are naturally not restricted to a certain OSI layer. Therefore traffic analysis is generally outside the scope of the authentication framework. However, traffic analysis can be partially protected against by generating additional unintelligible traffic (traffic padding), using enciphered or random data.

A.2 Security services

a) peer entity authentication: this service provides corroboration that a user in a certain instance of communication is the one claimed. Two different peer entity authentication services may be requested:

- single entity authentication (either data origin entity authentication or data recipient entity authentication);

- mutual authentication, where both users communicating authenticate each other.

When requesting a peer entity authentication service, the two users agree whether their identities will be protected or not.

The peer entity authentication service is supported by the authentication framework. It can be used to protect against masquerade and replay, concerning the user's identities;

b) access control: this service can be used to protect against the unauthorized use of resources. The access control service is provided by the Directory or another application and is therefore not a concern of the authentication framework;

c) data confidentiality: this service can be used to provide for protection of data from unauthorized disclosure. The data confidentiality service is supported by the authentication framework. It can be used to protect against data interception;

d) data integrity: this service provides proof of the integrity of data in a communication. The data integrity service is supported by the authentication framework. It can be used to detect and protect against manipulation;

e) non-repudiation: this service provides proof of the integrity and origin of data - both in an unforgeable relationship - which can be verified by any third party at any time.

A.3 Security mechanisms

The security mechanisms outlined here perform the security services described in A.2.

a) authentication exchange: there are two grades of authentication in the authentication framework:

- simple authentication: relies on the originator supplying its name and password, which are checked by the recipient;

- strong authentication: relies on the use of cryptographic techniques to protect the exchange of validating information. In the authentication framework, strong authentication is based upon an asymmetric scheme.

The authentication exchange mechanism is used to support the peer entity authentication service;

b) encipherment: the authentication framework envisages the encipherment of data during transfer. Either asymmetric or symmetric schemes may be used. The necessary key exchange for either case is performed either within a preceding authentication exchange or off-line any time before the intended communication. The latter case is outside the scope of the authentication framework. The encipherment mechanism supports the data confidentiality service;

c) data integrity: this mechanism involves the encipherment of a compressed string of the relevant data to be transferred. Together with the plain data, this message is sent to the recipient. The recipient repeats the compressing and subsequent encipherment of the plain data and compares the results with that created by the originator to prove integrity.

The data integrity mechanism can be provided by encipherment of the compressed plain data by either an asymmetric scheme or a symmetric scheme. (With the symmetric scheme, compression and encipherment of data might be processed simultaneously.) The mechanism is not explicitly provided by the authentication framework. However it is fully provided as a part of the digital signature mechanism (see below) using an asymmetric scheme.

The data integrity mechanism supports the data integrity service. It also partially supports the non-repudiation service (that service also needs the digital signature mechanism for its requirement to be fully met);

d) digital signature: this mechanism involves the encipherment, by the originator's secret key, of a compressed string of the relevant data to be transferred. The digital signature together with the plain data is sent to the recipient. Similarly to the case of the data integrity mechanism, this message is processed by the recipient to prove integrity. The digital signature mechanism also proves the authenticity of the originator and the unambiguous relationship between the originator and the data that was transferred.

The authentication framework supports the digital signature mechanism using an asymmetric scheme.

The digital signature mechanism supports the data integrity service and also supports the non-repudiation service.

A.4 Threats protected against by the security services

The table at the end of this Annex indicates the security threats which each security service can protect against. The presence of an asterisk (*) indicates that a certain security service affords protection against a certain threat.

A.5 Negotiation of security services and mechanisms

The provision of security features during an instance of communication requires the negotiation of the context in which security services are required. This entails agreement on the type of security mechanisms and security parameters that are necessary to provide such security services. The procedures required for negotiating mechanisms and parameters can either be carried out as an integral part of the normal connection establishment procedure or as a separate process. The precise details of these procedures for negotiation are not specified in this Annex.

                                            SERVICES
    THREATS                 Entity          Data             Data         Non-
                            Authentication  Confidentiality  Integrity    Repudiation
    Identity interception   * (if req'd)
    Data interception                       *
    Masquerade              *
    Replay                  * (identity)                     * (data)     *
    Manipulation                                             *            *
    Repudiation                                                           *

ANNEX B
(to Recommendation X.509)

An introduction to public key cryptography

This Annex does not form an integral part of this Recommendation.

In conventional cryptographic systems, the key used to encipher information by the originator of a secret message is the same as that used to decipher the message by the legitimate recipient. In public key cryptosystems (PKCS), however, keys come in pairs, one key of which is used for enciphering and the other for deciphering. Each key pair is associated with a particular user X. One of the keys, known as the public key (Xp) is publicly known, and can be used by any user to encipher data. Only X, who possesses the complementary secret key (Xs) may decipher the data. (This is represented notationally by D = Xs[Xp[D]].) It is computationally infeasible to derive the secret key from knowledge of the public key. Any user can thus communicate a piece of information which only X can find out, by enciphering it under Xp. By extension, two users can communicate in secret, by using each other's public key to encipher the data, as shown in Figure B-1/X.509.

[FIGURE B-1/X.509 - Use of a PKCS to exchange secret information]

User A has public key Ap and secret key As, and user B has another set of keys, Bp and Bs. A and B both know the public keys of each other, but are unaware of the secret key of the other party. A and B may therefore exchange secret information with one another using the following steps (illustrated in Figure B-1/X.509):

1) A wishes to send some secret information x to B. A therefore enciphers x under B's enciphering key and sends the enciphered information e to B. This is represented by:

    e = Bp[x].

2) B may now decipher this encipherment e to obtain the information x by using the secret decipherment key Bs. Note that B is the only possessor of Bs, and because this key may never be disclosed or sent, it is impossible for any other party to obtain the information x. The possession of Bs determines the identity of B. The decipherment operation is represented by:

    x = Bs[e], or x = Bs[Bp[x]].

3) B may now similarly send some secret information, x', to A, under A's enciphering key, Ap:

    e' = Ap[x'].

4) A obtains x' by deciphering e':

    x' = As[e'], or x' = As[Ap[x']].

By this means, A and B have exchanged secret information x and x'. This information may not be obtained by anyone other than A and B, providing that their secret keys are not revealed.

Such an exchange can, as well as transferring secret information between the parties, serve to verify their identities. Specifically, A and B are identified by their possession of the secret deciphering keys, As and Bs respectively. A may determine if B is in possession of the secret deciphering key, Bs, by having returned part of his information x in B's message x'. This indicates to A that communication is taking place with the possessor of Bs. B may similarly test the identity of A.

It is a property of some PKCS that the steps of decipherment and encipherment can be reversed, as in D = Xp[Xs[D]]. This allows a piece of information which could only have been originated by X, to be readable by any user (who has possession of Xp). This can therefore be used in the certifying of the source of information, and is the basis for digital signatures. Only PKCS which have this (permutability) property are suitable for use in this authentication framework. One such algorithm is described in Annex C.

For further information, see:

DIFFIE, W. and HELLMAN, M. E. (November 1976) - New Directions in Cryptography, IEEE Transactions on Information Theory, IT-22, No. 6.

ANNEX C
(to Recommendation X.509)

The RSA public key cryptosystem

This Annex does not form an integral part of this Recommendation.

Note - The cryptosystem specified in this Annex, which was invented by R. L. Rivest, A. Shamir and L. Adleman, is widely known as "RSA".

C.1 Scope and field of application

It is beyond the scope of this paper to discuss RSA fully. However, a brief description is given on the method, which relies on the use of modular exponentiation.

C.2 References

For further information, see:

1) General

RIVEST, R. L., SHAMIR, A. and ADLEMAN, L. (February 1978) - A Method for Obtaining Digital Signatures and Public-key Cryptosystems, Communications of the ACM, 21, 2, 120-126.

2) Key Generation Reference

GORDON, J. - Strong RSA Keys, Electronics Letters, 20, 5, 514-516.

3) Decipherment Reference

QUISQUATER, J. J. and COUVREUR, C. (October 14, 1982) - Fast Decipherment Algorithm for RSA Public-key Cryptosystems, Electronics Letters, 18, 21, 905-907.

C.3 Definitions

a) public key: the pair of parameters consisting of the Public Exponent and the Arithmetic Modulus;

Note - The ASN.1 data element subjectPublicKey defined as BIT STRING (see Annex G), should be interpreted in the case of RSA as being of type:

    SEQUENCE {INTEGER, INTEGER}

where the first integer is the Arithmetic Modulus and the second is the Public Exponent. The sequence is represented by means of the ASN.1 Basic Encoding Rules.

b) secret key: the pair of parameters consisting of the Secret Exponent and the Arithmetic Modulus.

C.4 Symbols and abbreviations

    X, Y    data blocks which are arithmetically less than the modulus
    n       the Arithmetic Modulus
    e       the Public Exponent
    d       the Secret Exponent
    p, q    the prime numbers whose product forms the Arithmetic Modulus (n).

Note - While the prime numbers are preferably two in number, the use of a Modulus with three or more prime factors is not precluded.

    mod n   arithmetic modulo n.

C.5 Description

This asymmetric algorithm uses the power function for transformation of data blocks such that:

    Y = X^e mod n    with 0 < X < n
    X = Y^d mod n         0 < Y < n

which may be satisfied, for example, by

    ed mod lcm(p-1, q-1) = 1,  or  ed mod (p-1)(q-1) = 1.

To effect this process, a data block must be interpreted as an integer. This is accomplished by considering the entire data block to be an ordered sequence of bits (of length l, say). The integer is then formed as the sum of the bits after giving a weight of 2^(l-1) to the first bit and dividing the weight by 2 for each subsequent bit (the last bit has a weight of 1).

The data block length should be the largest number of octets containing fewer bits than the modulus. Incomplete blocks should be padded in any way desired. Any number of blocks of additional padding may be added.

C.6 Security requirements

C.6.1 Key lengths

It is recognized that the acceptable key length is likely to change with time, subject to the cost and availability of hardware, the time taken, advances in techniques and the level of security required. It is recommended that a value for the length of n of 512 bits be adopted initially, but subject to further study.

C.6.2 Key generation

The security of RSA relies on the difficulty of factorizing n. There are many algorithms for performing this operation, and in order to thwart the use of any currently known technique, the values p and q must be chosen carefully, according to the following rules [e.g. see Reference 2), Section C.2]:

a) they should be chosen randomly;
b) they should be large;
c) they should be prime;
d) |p-q| should be large;
e) (p+1) must possess a large prime factor;
f) (q+1) must possess a large prime factor;
g) (p-1) must possess a large prime factor, say r;
h) (q-1) must possess a large prime factor, say s;
i) (r-1) must possess a large prime factor;
j) (s-1) must possess a large prime factor.

After generating the public and secret keys, e.g. "Xp" and "Xs" as defined in § 3.3 and § 4.1 of this Recommendation which consist of d, e and n, the values p and q together with all other data produced such as the product (p-1)(q-1) and the large prime factors should preferably be destroyed. However, keeping p and q locally can improve throughput in decryption by two to four times. The decision to keep p and q is considered to be a local matter [Reference 3)].

C.7 Public exponent

The Public Exponent (e) could be common to the whole environment, in order to minimize the length of that part of the public key that actually has to be distributed, in order to reduce transmission capacity and complexity of transformation (see Note 1).

Exponent e should be large enough but such that exponentiation can be performed efficiently with regard to processing time and storage capacity. If a fixed public exponent e is desired, there are notable merits for the use of the Fermat Number F4 (see Note 2).

    F4 = 2^(2^4) + 1 = 65537 decimal, and
       = 1 0000 0000 0000 0001 binary.

It must be ensured that e > log2(n) in order to prevent attack by taking the e'th root mod n to disclose the plaintext.

Note 1 - Although both Modulus n and Exponent e are public, the Modulus should not be the part which is common to a group of users. Knowledge of Modulus "n", Public Exponent "e" and Secret Exponent "d" is sufficient to determine the factorization of "n". Therefore if the modulus was common, everyone could deduce its factors, thereby finding everyone else's secret exponent.

Note 2 - The fixed exponent should be large and prime but it should also provide efficient processing. Fermat Number F4 meets these requirements, e.g. authentication takes only 17 multiplications and is on the average 30 times faster than decipherment.

C.8 Conformance

Whilst this Annex specifies an algorithm for the public and secret functions, it does not define the method whereby the calculations are carried out; therefore there may be different products which comply with this Annex and are mutually compatible.

ANNEX D
(to Recommendation X.509)

Hash functions

This Annex does not form an integral part of this Recommendation.

D.1 Requirements for hash functions

To use a hash function as a secure one-way function, it must not be possible to obtain easily the same hash result from different combinations of the input message. A strong hash function will meet the following requirements:

a) the hash function must be one-way, i.e. given any possible hash result it must be computationally infeasible to construct an input message which hashes to this result;

b) the hash function must be collision-free, i.e. it must be computationally infeasible to construct two distinct input messages which hash to the same result.

D.2 Description of a hash function

The following hash function ("square-mod n") performs the compression of the data on a block by block basis.

Hashing is done in three major steps:

1) The string of data to be hashed is divided into blocks B of equal length. This length is determined by the characteristics of the asymmetric cryptosystem used for signing. With the RSA cryptosystem, this length (in octets) is the largest integer, l, such that, with modulus n, 16 l < log2 n.

2) For non-invertibility reasons each octet of the block is split in half. Each of the halves is headed ("padded") by binary ones. By this zoning, stiffness or redundancy is introduced that increases the non-invertibility property of the hash function considerably. Each block generated in step 1 is spread to the length of the modulus n.

3) Each block resulting from step 2 is added to the previous block modulo 2, squared, and reduced modulo n, until all m blocks are processed. The result is thus the value Hm, where

    H0 = 0
    Hi = (Hi-1 ⊕ Bi)^2 mod n,    for 1 ≤ i ≤ m

If the last block of the data to be hashed is incomplete, it is padded with "1"s.

ANNEX E
(to Recommendation X.509)

Threats protected against by the strong authentication method

This Annex does not form an integral part of this Recommendation.

The strong authentication method described in this Recommendation offers protection against the threats as described in Annex A for strong authentication. In addition, there is a range of potential threats that are specific to the strong authentication method itself. These are:

Compromise of the user's secret key - one of the basic principles of strong authentication is that the user's secret key remain secure. A number of practical methods are available for the user to hold his secret key in a manner that provides adequate security. The consequences of the compromise are limited to subversion of communication involving that user.

Compromise of the CA's secret key - that the secret key of a CA remain secure is also a basic principle of strong authentication. Physical security and "need to know" methods apply. The consequences of the compromise are limited to subversion of communication involving any user certified by that CA.

Misleading CA into producing an invalid certificate - the fact that CAs are off-line affords some protection. The onus is on the CA to check that purported strong credentials are valid before creating a certificate. The consequences of the compromise are limited to subversion of communication involving the user for whom the certificate was created, and anyone impacted by the invalid certificate.

Collusion between a rogue CA and user - such a collusive attack will defeat the method. This would constitute a betrayal of the trust placed in the CA. The consequences of a rogue CA are limited to subversion of communication involving any user certified by that CA.

Forging of a certificate - the strong authentication method protects against the forging of a certificate by having the CA sign it. The method depends on maintaining the secrecy of the CA's secret key.

Forging of a token - the strong authentication method protects against the forging of a token by having the sender sign it. The method depends on maintaining the secrecy of the sender's secret key.

Replay of a token - the one- and two-way authentication methods protect against the replay of a token by the inclusion of a timestamp in the token. The three-way method does so by checking the random numbers.

Attack on the cryptographic system - the likelihood of effective cryptanalysis of the system, based on advances in computational number theory and leading to the need for a greater key length are reasonably predictable.

[…] (revoked or expired) and the timestamped revocation lists are archived and certified by a current authority.

ANNEX F
(to Recommendation X.509)

Data confidentiality

This Annex does not form an integral part of this Recommendation.

F.1 Introduction

The process of data confidentiality can be initiated after the necessary keys for encipherment have been exchanged. This might be provided by a preceding authentication exchange as described in § 9 or by some other key exchange process, the latter being outside the scope of this document.

Data confidentiality can be provided either by the application of an asymmetric or symmetric enciphering scheme.

F.2 Data confidentiality by asymmetric encipherment

In this case Data Confidentiality is performed by means of an originator enciphering the data to be sent using the intended recipient's public key: the recipient will then decipher it using its secret key.

F.3 Data confidentiality by symmetric encipherment

In this case Data Confidentiality is achieved by the use of a symmetric enciphering algorithm. Its choice is outside the scope of the authentication framework.

Where an authentication exchange according to § 9 has been carried out by the two parties involved, then a key for the usage of a symmetric algorithm can be derived. Choosing secret keys depends on the transformation to be used. The parties must be sure that they are strong keys. This Recommendation does not specify how this choice is made, although clearly this would need to be agreed by the parties concerned, or specified in other standards.

ANNEX G
(to Recommendation X.509)

Authentication framework in ASN.1

This Annex is part of the Recommendation.

This Annex includes all of the ASN.1 type, macro and value definitions contained in this Recommendation in the form of the ASN.1 module, "AuthenticationFramework".

    AuthenticationFramework {joint-iso-ccitt ds(5) modules(1) authenticationFramework(7)}
    DEFINITIONS ::=
    BEGIN
    EXPORTS AlgorithmIdentifier, AuthorityRevocationList, CACertificate, Certificate,
            Certificates, CertificationPath, CertificateRevocationList, UserCertificate,
            CrossCertificatePair, UserPassword, ALGORITHM,
            ENCRYPTED, PROTECTED, SIGNATURE, SIGNED;
    IMPORTS
            informationFramework, selectedAttributeTypes, upperBounds
                FROM UsefulDefinitions {joint-iso-ccitt ds(5) modules(1) usefulDefinitions(0)}
            Name, ATTRIBUTE, ATTRIBUTE-SYNTAX
                FROM InformationFramework informationFramework
            ub-user-password
                FROM UpperBounds upperBounds;

    -- types

    Certificate ::= SIGNED SEQUENCE{
        version              [0] Version DEFAULT 1988,
        serialNumber         SerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo}

    Version ::= INTEGER {1988(0)}

    SerialNumber ::= INTEGER

    Validity ::= SEQUENCE{
        notBefore UTCTime,
        notAfter  UTCTime}

    SubjectPublicKeyInfo ::= SEQUENCE{
        algorithm        AlgorithmIdentifier,
        subjectPublicKey BIT STRING}

    AlgorithmIdentifier ::= SEQUENCE{
        algorithm  OBJECT IDENTIFIER,
        parameters ANY DEFINED BY algorithm OPTIONAL}

    Certificates ::= SEQUENCE{
        certificate       Certificate,
        certificationPath ForwardCertificationPath OPTIONAL}

    ForwardCertificationPath ::= SEQUENCE OF CrossCertificates

    CrossCertificates ::= SET OF Certificate

    CertificationPath ::= SEQUENCE{
        userCertificate   Certificate,
        theCACertificates SEQUENCE OF CertificatePair OPTIONAL}

    CertificatePair ::= SEQUENCE{
        forward [0] Certificate OPTIONAL,
        reverse [1] Certificate OPTIONAL
        -- at least one of the pair must be present --}

    CertificateList ::= SIGNED SEQUENCE{
        signature           AlgorithmIdentifier,
        issuer              Name,
        lastUpdate          UTCTime,
        revokedCertificates SIGNED SEQUENCE OF SEQUENCE{
            signature       AlgorithmIdentifier,
            issuer          Name,
            userCertificate SerialNumber,
            revocationDate  UTCTime} OPTIONAL}

Note 1 - The checking of the entire list of certificates […]

    -- attribute types

    UserCertificate ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX Certificate

    CACertificate ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX Certificate

    CrossCertificatePair ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX CertificatePair

    CertificateRevocationList ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX CertificateList

    AuthorityRevocationList ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX CertificateList

    UserPassword ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX OCTET STRING (SIZE(0..ub-user-password))
        MATCHES FOR EQUALITY

    -- macros

    ALGORITHM MACRO ::=
    BEGIN
    TYPE NOTATION  ::= "PARAMETER" type
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    END -- of ALGORITHM

    ENCRYPTED MACRO ::=
    BEGIN
    TYPE NOTATION  ::= type (ToBeEnciphered)
    VALUE NOTATION ::= value (VALUE BIT STRING)
        -- the value of the bit string is generated by
        -- taking the octets which form the complete
        -- encoding (using the ASN.1 Basic Encoding Rules)
        -- of the value of the ToBeEnciphered type and
        -- applying an encipherment procedure to those octets --
    END -- of ENCRYPTED

    SIGNED MACRO ::=
    BEGIN
    TYPE NOTATION  ::= type (ToBeSigned)
    VALUE NOTATION ::= value (VALUE
        SEQUENCE{
            ToBeSigned,
            AlgorithmIdentifier,   -- of the algorithm used to generate the signature
            ENCRYPTED OCTET STRING
                -- where the octet string is the result
                -- of the hashing of the value of
                -- "ToBeSigned" --})
    END -- of SIGNED

    SIGNATURE MACRO ::=
    BEGIN
    TYPE NO[…]

(to Recommendation X.509)

Reference definition of algorithm object identifiers

This Annex is not an integral part of the Recommendation.
OCTET STRING @Q3 r::=value(VALUE@ @@  ::=value(VALUE@@ 2:=type (OfSignature)@v. END -- of SIGNED@@$SIGNATURE MACRO::=@ @#  BEGIN@X 8TYPE NOTATION ::=type (OfSignature)@ @@Q 1VALUE NOTATION::=value(VALUE@ @@ + SEQUENCE{ @ :"AlgorithmIdentifier, @_ A-- wof the algorithm used to compute the signaturew @%@.!< $ENCRYPTED OCTET STRING @ ]-- wwhere the octet string is a function (e.g. a compressed or hashed version)w @%@A@! X-- wof the valuew "OfSignature", wwhich may include the identifier of thew @%@ !@%@'!~` >-- walgorithm used to compute the signaturew --} @%@'!@Q 9)7@)@ -- of SIGNATURE@KDL/PROTECTED MACRONH 44H )@01 END -- of SIGNATURE@KDL/PROTECTED MACRO::= SIGNATURE@ @is a local matter.%!F ~ bwNote^2w^-^If a non-repudiation of data service is dependent on keys provided by the CA the %!Te 2w - If a non-repudiation of data service is dependent on keys provided ~ bwNote 2w - If a non-repudiation of data service is dependent on keys provided by the CA the %!T2r ^service must ensure that all relevant keys of the CA (revoked or expired) and the timestamped ^, described in Annex^C.8 $For further information, see:$} eDIFFIE, W. and HELLMAN, M.^E. (November 1976) - New Directions in Cryptography, wIEEE Transactions onP%; #Information Theoryw, IT-22, No.^6.!Jc C-- wapplying an encipherment procedure to those octetsw-- @%@2!@!  END@@ $SIGNED MACRO::=@ @mendation.@ y eThis Annex defines object identifiers assigned to authentication and encryption algorithms, in er ^the absence of a formal register. It is intended to make use of such a register as it becomes ^rZavailable. 
The definitions take the form of the ASN.1 module, AlgorithmObjectIdentifiers.>@   b FAlgorithmObjectIdentifiers{joint-iso-ccitt ds(5) modules(1) @@![ CalgorithmObjectIdentifiers(8)}$@1 DEFINITIONS ::= @' BEGIN @ ) EXPORTS @_ GencryptionAlgorithm, hashAlgorithm, signatureAlgorithm,@7G /rsa,squareMod-n,sqMod-nWithRSA;@)DLIMPORTS @I 1algorithm,authenticationFramework@!i MFROM UsefulDefinitions{joint-iso-ccitt ds(5)modules(1)@@ Z BusefulDefinitions(0)},@R use , usefulDefinitions(0)}@ oSALGORITHMFROM AuthenticationFramework authenticationFramework;@ @5L .-- wcategories of object identifierw @%@! i IencryptionAlgorithm OBJECT IDENTIFIER::={algorithm 1} @%@@ i IhashAlgorithm OBJECT IDENTIFIER::={algorithm 2} @ @@  i IsignatureAlgorithm OBJECT IDENTIFIER::={algorithm 3} @$@@  7 -- walgorithmsw @%@ !5 rsa ALGORITHM @@ 9!PARAMETER KeySize@ D ,::= {encryptionAlgorithm^1}@ H 2R @ ^ALGORITHM 6 KeySize ::= INTEGER @ 3 sqMod-n ALGORITHM @; #PARAMETER BlockSize@= %::= {hashAlgorithm^1}@8  BlockSize ::= INTEGER @:DL"sqMod-nWithRSA ALGORITHM @A )PARAMETER KeyAndBlockSize@B *::= {signatureAlgorithm 1}@B = %KeyAndBlockSize ::= INTEGER @  [=END -- wof Algorithm Object Identifier Definitionsw @%@*!#        @%@*p ZkU@T ^BLTT TTTTTTT!T$T2T5T8T;T=TDTHTLRe L ':/8)@TJU`k wj    .44OtexPV4TO SAVE ------ R@@T@U@R@N@. TO DISPLAY A DIFFERNT FILE ---- T@Y@P@E@ N@A@M@E@ & R@E@T@U@@N@. L:45OP5 TO DISPLAY A DIRECTORY LIST ---- T@Y@P@E@ D@ & R@E@T@U@R@N@. L4O P5 W@A@R@N@I@N@G@:@ DO NOT SWITCH FLOPPY DISKS WITH A FILE OPEN.@L, -6 B: '#Fascicle VIII.8 - Rec. X.509 @  das in D = Xp[Xs[D]]. This allows a piece of information which could only have been originated by X, dx dto be readable by any user (who has possession of Xp). This can therefore be used in the certifying du aof the source of informatioW CCo  OPTIONAL}@ KA %CertificatePair::=^SEQUENCE{@@ j