Rec. ITU-T X.510 (08/2020) Information technology – Open Systems Interconnection – The Directory: Protocol specifications for secure operations
Summary
History
FOREWORD
CONTENTS
1 Scope
2 Normative references
     2.1 Identical Recommendations | International Standards
     2.2 Paired Recommendations | International Standards equivalent in technical content
     2.3 Other references
3 Definitions
     3.1 OSI Reference Model definitions
     3.2 Directory model definitions
     3.3 Public-key and attribute certificate definitions
     3.4 Terms defined in this Recommendation | International Standard
4 Abbreviations
5 Conventions
6 Common data types and special cryptographic algorithms
     6.1 Introduction
     6.2 ASN.1 information object class specification tool
          6.2.1 General information object class concept
          6.2.2 The ALGORITHM information object class
     6.3 Multiple-cryptographic algorithm specifications
          6.3.1 General
          6.3.2 Multiple signatures algorithm
          6.3.3 Multiple symmetric key algorithm
          6.3.4 Multiple public-key algorithms
          6.3.5 Multiple hash algorithm
          6.3.6 Multiple authenticated encryption with associated data algorithm
          6.3.7 Multiple integrity check value algorithm
     6.4 Key establishment algorithms
          6.4.1 General
          6.4.2 Diffie-Hellman group 14 algorithm with HKDF-256
          6.4.3 Diffie-Hellman group 23 algorithm with HKDF-256
          6.4.4 Diffie-Hellman group 28 algorithm with HKDF-256
          6.4.5 Key derivation
               6.4.5.1 General
               6.4.5.2 HMAC-based extract-and-expand key derivation function
          6.4.6 Special conditions
     6.5 Multiple-cryptographic algorithm-value pairs
          6.5.1 Multiple digital signatures attached to data
          6.5.2 Double digital signature attached to data
          6.5.3 Duplicate integrity check values attached to data
     6.6 Formal specification of encipherment
          6.6.1 Formal specification of encryption
          6.6.2 Formal specification of authenticated encryption with associated data
7 General concepts for securing protocols
     7.1 Introduction
     7.2 Protected protocol plug-in concept
     7.3 Communications structure
     7.4 Another view of the relationship between the wrapper protocol and the protected protocol
     7.5 Structure of application protocol data unit
     7.6 Exception conditions
8 Wrapper protocol general concepts
     8.1 Introduction
     8.2 UTC time specification
     8.3 Use of alternative cryptographic algorithms
     8.4 Establishment of shared keys
     8.5 Sequence numbers
     8.6 Use of invocation identification in the wrapper protocol
     8.7 Mapping to underlying services
     8.8 Definition of protected protocols
     8.9 Overview of wrapper protocol data units
9 Association management
     9.1 Introduction to association management
     9.2 Association handshake request
     9.3 Association accept
     9.4 Association reject due to security issues
     9.5 Association reject by the protected protocol
     9.6 Handshake security abort
     9.7 Handshake abort by protected protocol
     9.8 Data transfer security abort
     9.9 Abort by protected protocol
     9.10 Release request WrPDU
     9.11 Release response WrPDU
     9.12 Release collision
10 Data transfer phase
     10.1 Symmetric keys renewal
     10.2 Data transfer by the client
          10.2.1 General
          10.2.2 Client using authenticated encryption with associated data
          10.2.3 Client not using authenticated encryption with associated data
          10.2.4 Client non-encrypted data
     10.3 Data transfer by the server
          10.3.1 General
          10.3.2 Server using authenticated encryption with associated data
          10.3.3 Server not using authenticated encryption with associated data
          10.3.4 Server non-encrypted data
11 Information flow
     11.1 Purpose and general model
     11.2 Protected protocol SAOC
     11.3 Wrapper SAOC
          11.3.1 General
          11.3.2 Handshake request subclass
          11.3.3 Handshake accept subclass
          11.3.4 Handshake security reject subclass
          11.3.5 Handshake reject by protected protocol subclass
          11.3.6 Handshake security abort subclass
          11.3.7 Handshake abort by protected protocol subclass
          11.3.8 Data transfer security abort subclass
          11.3.9 Data transfer application abort subclass
          11.3.10 Release request subclass
          11.3.11 Release response subclass
          11.3.12 Client data transfer with authenticated encryption with associated data subclass
          11.3.13 Client data transfer with integrity check value protection subclass
          11.3.14 Server data transfer with authenticated encryption with associated data subclass
          11.3.15 Server data transfer with integrity check value protection subclass
12 Wrapper error handling
     12.1 General
     12.2 Checking of a wrapper handshake request
          12.2.1 General
          12.2.2 Digital signature checking
          12.2.3 Checking of the to-be-signed part
     12.3 Checking of a wrapper handshake accept
          12.3.1 General
          12.3.2 Digital signature checking
          12.3.3 Checking of the to-be-signed part
     12.4 Checking of data transfer WrPDUs
          12.4.1 General
          12.4.2 Common checking for data transfer
               12.4.2.1 Common checking for use of authenticated encryption with associated data
               12.4.2.2 Common checking for non-use of authenticated encryption with associated data
               12.4.2.3 Common checking for AadClient and AadServer data types
          12.4.5 AadClient data value specific checking
          12.4.6 AadServer data value specific checking
     12.5 Wrapper diagnostic codes
13 Authorization and validation list management
     13.1 General on authorization and validation management
          13.1.1 Introduction
          13.1.2 Invocation identification
          13.1.3 Exception conditions
     13.2 Defined protected protocol data unit types
     13.3 Authorization and validation management protocol initialization request
     13.4 Authorization and validation management protocol initialization accept
     13.5 Authorization and validation management protocol initialization reject
     13.6 Authorization and validation management protocol initialization abort
     13.7 Add authorization and validation list request
     13.8 Add authorization and validation list response
     13.9 Replace authorization and validation list request
     13.10 Replace authorization and validation list response
     13.11 Delete authorization and validation list request
     13.12 Delete authorization and validation list response
     13.13 Authorization and validation list abort
     13.14 Authorization and validation list error codes
14 Certification authority subscription protocol
     14.1 Certification authority subscription introduction
     14.2 Defined protected protocol data unit types
     14.3 Certification authority subscription protocol initialization request
     14.4 Certification authority subscription protocol initialization accept
     14.5 Certification authority subscription protocol initialization reject
     14.6 Certification authority subscription protocol initialization abort
     14.7 Public-key certificate subscription request
     14.8 Public-key certificate subscription response
     14.9 Public-key certificate un-subscription request
     14.10 Public-key certificate un-subscription response
     14.11 Public-key certificate replacements request
     14.12 Public-key certificate replacement response
     14.13 End-entity public-key certificate updates request
     14.14 End-entity public-key certificate updates response
     14.15 Certification authority subscription abort
     14.16 Certification authority subscription error codes
15 Trust broker protocol
     15.1 Introduction
     15.2 Defined protected protocol data unit types
     15.3 Trust broker protocol initialization request
     15.4 Trust broker protocol initialization accept
     15.5 Trust broker protocol initialization reject
     15.6 Trust broker protocol initialization abort
     15.7 Trust broker request syntax
     15.8 Trust broker response syntax
     15.9 Trust broker error information
     H.1 Introduction
     H.2 Negotiation of cryptographic algorithms
          H.2.1 Cryptographic negotiation for new protocols
          H.2.2 Cryptographic negotiation for existing protocols
     H.3 Non-negotiable digital signature algorithms
          H.3.1 General
          H.3.2 Duplicate signatures for new protocols
          H.3.3 Duplicate signatures for existing protocols