SECURITY  IN  TELECOMMUNICATIONS  AND  INFORMATION  TECHNOLOGY


            6       The  role  of  the  Directory  and  the  importance  of  the  ITU-T  X.500  series  of
                    Recommendations

            The ITU-T X.500 series of Recommendations provides specifications for establishment of a directory (referred
            to below as an ITU-T X.500 directory).

            A  directory  is  a  term  for  an  organized  collection  of  information  that  can  be  queried  to  obtain  specific
            information. Within the ITU-T and within the context of security and telecommunications standardization, the
            term  X.500  directory  refers  to  a  repository  of  information  based  on  the  ITU-T  X.500  series  of
            Recommendations that were developed jointly with ISO/IEC. The directory specification is introduced in
            Recommendation ITU-T X.500 and elaborated in Recommendation ITU-T X.501, Recommendation ITU-T
            X.511 specifies the service provided by an X.500 directory.  Recommendation ITU-T X.518 specifies the
            procedure for a distributed directory. Recommendation ITU-T X.519 provides directory protocols to facilitate
            communication and information exchange between entities.  Recommendation ITU-T X.525 specifies how
            directory  information  may  be  replicated.  The  Recommendations  ITU-T  X.520  and  ITU-T  X.521  provide
            metadata for directory information.

            Recommendation ITU-T X.509 is part of the ITU-T X.500 series of Recommendation, but is widely used
            outside a directory context. It provides a framework for both public-key infrastructure (PKI) and for privilege
            management infrastructure (PMI). An X.500 directory may store PKI-related and PMI-related information
            objects to support those infrastructures, and an X.500 directory may use PKI and PMI capabilities to protect
            directory information.


            This section begins with a review of the cryptographic concepts relevant to Recommendation ITU-T X.509.
            This is followed by a discussion of Recommendation ITU-T X.509 and its support of PKI and PMI. The
            security of an ITU-T X.500 directory itself and the need to protect directory information is discussed later.

            6.1     Cryptographic concepts relevant to Recommendation ITU-T X.509


            Cryptography is a key component of both PKI and PMI. Three aspects of cryptography are considered here:

            –       algorithms using both symmetric and asymmetric keys;


            –       hash functions; and

            –       digital signature generation and verification.

            These three areas are described briefly below.


            6.1.1   Symmetric and asymmetric key cryptographic algorithms

            Symmetric (or secret key) cryptography refers to a cryptographic system in which the same key is used for both
            encryption and decryption, as illustrated in Figure 10 (a). In a symmetric cryptosystem, communicating entities
            share a unique secret key. The key must be distributed to the entities by secure means.


            An asymmetric (or public key) cryptography system involves a pair of keys – a public key and a private key.
            The public key can be widely distributed but the private key must always be kept secret by the owning entity.
            The  private  key  is  usually  held  on  a  smart  card  or  on  a  token.  The  public  key  and  the  private  key  are
            mathematically related, but there is no feasible way to derive the private key from the public key.


            There are different types of asymmetric key pairs. Some technologies (such as RSA) allow encryption and
            decryption of data, while other technologies allow only generation and validation of digital signatures.


                                                                             The importance of the Directory  41