Presentation is loading. Please wait.

Presentation is loading. Please wait.

The ITU-T X.500 series and X.509 in a changing world

Published byAnnice O’Connor’ Modified over 6 years ago

Similar presentations

Presentation on theme: "The ITU-T X.500 series and X.509 in a changing world"— Presentation transcript:

1 The ITU-T X.500 series and X.509 in a changing world
ITU-T Study Group 17 meeting 29 August – 7 September 2016

2 The X.500/LDAP Directory An LDAP or X.500 directory is a general purpose directory Gives a set of specifications for: how objects are represented by entries in a directory how objects represented in a directory are named how information about objects is created, organised, interrogated, updated and deleted A directory can be distributed allowing: the establishment of a global Directory information to be maintained by the owner of information a separation between public and private domains possibility for replication of information

3 Directory Document Structure
ISO/IEC | X.500 Overview of Concepts, Models, and Services ISO/IEC | X.501 Models ISO/IEC | X.511 Abstract Service Definition ISO/IEC | X.518 Procedures for Distributed Operation ISO/IEC | X.519 Protocol Specifications ISO/IEC | X.520 Selected Attribute Types ISO/IEC | X.521 Selected Object Classes ISO/IEC | X.509 Public-key and attribute certificate frameworks ISO/IEC | X.525 Replication

4 Rec. ITU-T X.509 until now The base specification for public-key infrastructure (PKI) The base specification for privilege management infrastructure (PMI) First edition in 1988 Eighth edition in 2016 PKI is widely deployed in the world Banking E-government Health Etc.

5 The basis for other major security specifications:
Rec. ITU-T X.509 until now The basis for other major security specifications: IPsec Transport layer security (TLS) Cryptographic message syntax (CMS) Smart grid security standards (IEC series) Other specifications requiring scaleable key management

6 Trust (trust anchor concept) Validation of authenticity of information
What is PKI about? PKI is about: Trust (trust anchor concept) Validation of authenticity of information But also: Privacy and confidentiality Non-repudiation Tools and procedures for above

7 Eighth edition of Rec. ITU-T X.509
Significant revision: Removal of ambiguities Consistent and current terminology Consistent style Clean PKI and PMI specifications (directory aspects moved to other parts of the X.500 series) Clean separation between public-key certificates and attribute certificates New features Autorization and validation lists (whitelists) Trust broker (secure validation)

8 A changing world New countries are entering the PKI world Cloud computing Mobile technology Machine-to machine (M2M) communications In particular: IoT and smart grid with millions of entities

9 A changing environment
Constraint environments: Memory constraints Processing capacity Bandwidth constraint Time constraints Economic constraints Mobile applications Huge networks

10 Possible items for next edition of X.509
Re-think the whole validation process to simplify it where possible for specific environments Further work on efficient validation including the concept of authorization and validation lists (AVLs) and trust broker To adopt new and more advanced cryptographic algorithms to meet the challenge of Quantum Computers.

11 Possible items for next edition of X.509 (cont.)
Improve attribute certificate specifications. Alignment with the work done in IETF Evaluation of other ASN.1 encoding rules than BER/DER Check what the mobile (3GPP-LTE) industry is doing Machine readable certificate policies

12 ASN.1 and OIDs Geneva, Switzerland, September 2014

13 ASN.1 is a data description language used to describe protocols.
What is ASN.1 ASN.1 is a data description language used to describe protocols. ASN.1 is abstract and independent of hardware operating systems. The bits on the wire are defined by Encoding rules. Multiple encoding rules are defined. Geneva, Switzerland, September 2014

14 Two categories of data :
Data described in ASN.1 Two categories of data : Basic data : Boolean, Integer, Bit string, Octet String, Time types. Complex types : structured types like Sequence, Choice. Geneva, Switzerland, September 2014

15 ASN.1 has no limitation on data
No limitation on number values (useful for big numbers used in cryptography). No limitation on string size. No limitation on level of complexity on structured types. Geneva, Switzerland, September 2014

16 All standardized encoding rules support this mechanism.
Extensibility in ASN.1 ASN.1 has an extensibility mechanism which permits interworking of successive versions on a given protocol. All standardized encoding rules support this mechanism. Geneva, Switzerland, September 2014

17 Constraints in ASN.1 types
Data can be limited : Range value on number data types. Character set and size on string data types. Constraints can be checked during encoding/decoding operations. Constraints can be used by encoding rules to optimize the encoding. Geneva, Switzerland, September 2014

18 Encoding rules for ASN.1 The first encoding rules were BER (Basic Encoding Rules) in which a type is encoded with three parts : A tag identifying the data type. A length : number of octets of the encoding. A content : 0 or more octets. Geneva, Switzerland, September 2014

19 Canonical encoding rules
In BER, a data can generally be encoded in several manners. For electronic signatures, two sets of encoding rules have been developed : CER (Canonical Encoding Rules) DER (Distinguished Encoding Rules) Geneva, Switzerland, September 2014

20 Packed encoding rules Packed encoding rules (PER) have been developed for narrow bandwidth networks. In PER : Tags are not encoded. Lengths are encoded only when needed. The content is optimized using the constraints. Geneva, Switzerland, September 2014

21 Other encoding rules XML encoding rules (XER) have been developed for interworking between ASN.1 et XML applications. A conversion mechanism from XML Schema to ASN.1 has been developed. OER octet encoding rules has been developed for applications which need fast encoding. JER Javascript object notation encoding rules are under development. For legacy protocols, encoding instructions and Encoding Control Notation (ECN) have been defined. Geneva, Switzerland, September 2014

22 Usages of ASN.1 Many protocols :
Directory : X500 and LDAP Mobile phone Network management Tools available for developing application in high level programing languages. ASN.1 module database. Geneva, Switzerland, September 2014

23 Standardization of ASN.1
Common texts with ISO/IEC/JTC 1/SC 6. ITU-T X.680 series | ISO/IEC 8824 for ASN.1 language. ITU-T X.690 series | ISO/IEC 8825 for encoding rules. Geneva, Switzerland, September 2014

24 Object Identifiers (OIDs)
Initially defined in ASN.1 but now widely used to identify object uniquely. Organized a tree with three first level arcs : itu-t (0) iso (1) joint-iso-itu-t (2) Geneva, Switzerland, September 2014

25 OIDs are used in many protocols :
Usage of OIDs OIDs are used in many protocols : Network management (SNMP) to identify the managed objects. In Directory (X.500 and LDAP) to identify object classes and attributes Geneva, Switzerland, September 2014

26 Standardization of OIDs
Basic texts common with ISO/IEC/JTC 1/SC6 : ITU-T X.660 series | ISO/IEC 9834 ITU-T X.670 series | ISO/IEC 29168 Geneva, Switzerland, September 2014

27 An Object Identifier resolution protocol has be developed.
Assignation of OIDs Each entity responsible of an arc can delegate any subtree to another entity. An Object Identifier resolution protocol has be developed. Many object identifier are registered in a OID database available at: Geneva, Switzerland, September 2014

Download ppt "The ITU-T X.500 series and X.509 in a changing world"

Similar presentations

International Telecommunication Union ASN.1 Today and Tomorrow © 2002 OSS Nokalva.

International Telecommunication Union ASN.1 Today and Tomorrow © 2002 OSS Nokalva.
Summary Introduction The protocols developed by ITU-T E-Health protocol Architecture of e-Health X.th1 X.th2 to X.th6 Common Alerting Protocol Conclusion.

Summary Introduction The protocols developed by ITU-T E-Health protocol Architecture of e-Health X.th1 X.th2 to X.th6 Common Alerting Protocol Conclusion.
Use of Public-Key Infrastructure (PKI) Erik Andersen Association for the Directory Information and Related Search Industry (EIDQ -

Use of Public-Key Infrastructure (PKI) Erik Andersen Association for the Directory Information and Related Search Industry (EIDQ -
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
1 Pertemuan 05 Model Informasi - SMI Matakuliah: H0372/Manajemen Jaringan Tahun: 2005 Versi: 1/0.

1 Pertemuan 05 Model Informasi - SMI Matakuliah: H0372/Manajemen Jaringan Tahun: 2005 Versi: 1/0.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
Jump to first page PKI2001 (TIFR, Mumbai) ASN.1 Abstract Syntax Notation One ASN.1 is a standard way to describe a message(a unit application data) that.

Jump to first page PKI2001 (TIFR, Mumbai) ASN.1 Abstract Syntax Notation One ASN.1 is a standard way to describe a message(a unit application data) that.
Geneva, Switzerland, 4 December 2014 ITU-T Study Group 17 activities in the context of digital financial services and inclusion: Security and Identity.

Geneva, Switzerland, 4 December 2014 ITU-T Study Group 17 activities in the context of digital financial services and inclusion: Security and Identity.
McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.

McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
SNMP: Simple Network Management Protocol

SNMP: Simple Network Management Protocol
Introduction to Object Identifiers (OIDs) France Telecom Orange Olivier Dubuisson 15 June 2009.

Introduction to Object Identifiers (OIDs) France Telecom Orange Olivier Dubuisson 15 June 2009.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
ASN.1 CNS 4650 Fall 2004 Rev. 2.

ASN.1 CNS 4650 Fall 2004 Rev. 2.
The Directory A distributed database Distributed maintenance.

The Directory A distributed database Distributed maintenance.
Java Security Pingping Ma Nov 2 nd, 2006. Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Similar presentations

Ads by Google