Understanding ITU-T X.500 Series and X.509 in a Changing World

the itu t x 500 series and x 509 in a changing n.w
1 / 27
Embed
Share

Explore the evolution of ITU-T X.500 Series and X.509, the role of PKI, LDAP directories, and key management in ensuring trust, authenticity, privacy, and security in a digital landscape. Discover the significance of the eighth edition of ITU-T X.509 in providing clear specifications and clean separation, driving the global adoption of public-key infrastructure.

  • ITU-T X.500
  • X.509
  • PKI
  • LDAP directories
  • security
rayaanacharya
osrd159 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. The ITU-T X.500 series and X.509 in a changing world ITU-T Study Group 17 meeting 29 August 7 September 2016

  2. The X.500/LDAP Directory An LDAP or X.500 directory is a general purpose directory Gives a set of specifications for: how objects are represented by entries in a directory how objects represented in a directory are named how information about objects is created, organised, interrogated, updated and deleted A directory can be distributed allowing: the establishment of a global Directory information to be maintained by the owner of information a separation between public and private domains possibility for replication of information

  3. Directory Document Structure ISO/IEC 9594-1 | X.500 Services Overview of Concepts, Models, and ISO/IEC 9594-2 | X.501 Models ISO/IEC 9594-3 | X.511 Abstract Service Definition ISO/IEC 9594-4 | X.518 Procedures for Distributed Operation ISO/IEC 9594-5 | X.519 Protocol Specifications ISO/IEC 9594-6 | X.520 Selected Attribute Types ISO/IEC 9594-7 | X.521 Selected Object Classes ISO/IEC 9594-8 | X.509 frameworks Public-key and attribute certificate ISO/IEC 9594-9 | X.525 Replication

  4. Rec. ITU-T X.509 until now The base specification for public-key infrastructure (PKI) The base specification for privilege management infrastructure (PMI) First edition in 1988 Eighth edition in 2016 PKI is widely deployed in the world Banking E-government Health Etc. 4

  5. Rec. ITU-T X.509 until now The basis for other major security specifications: IPsec Transport layer security (TLS) Cryptographic message syntax (CMS) Smart grid security standards (IEC 62351 series) Other specifications requiring scaleable key management 5

  6. What is PKI about? PKI is about: Trust (trust anchor concept) Validation of authenticity of information But also: Privacy and confidentiality Non-repudiation Tools and procedures for above 6

  7. Eighth edition of Rec. ITU-T X.509 Significant revision: Removal of ambiguities Consistent and current terminology Consistent style Clean PKI and PMI specifications (directory aspects moved to other parts of the X.500 series) Clean separation between public-key certificates and attribute certificates New features Autorization and validation lists (whitelists) Trust broker (secure validation) 7

  8. A changing world New countries are entering the PKI world Cloud computing Mobile technology Machine-to machine (M2M) communications In particular: IoT and smart grid with millions of entities 8

  9. A changing environment Constraint environments: Memory constraints Processing capacity Bandwidth constraint Time constraints Economic constraints Mobile applications Huge networks 9

  10. Possible items for next edition of X.509 Re-think the whole validation process to simplify it where possible for specific environments Further work on efficient validation including the concept of authorization and validation lists (AVLs) and trust broker To adopt new and more advanced cryptographic algorithms to meet the challenge of Quantum Computers. 10

  11. Possible items for next edition of X.509 (cont.) Improve attribute certificate specifications. Alignment with the work done in IETF Evaluation of other ASN.1 encoding rules than BER/DER Check what the mobile (3GPP-LTE) industry is doing Machine readable certificate policies 11

  12. ASN.1 and OIDs Geneva, Switzerland, 15-16 September 2014 12

  13. What is ASN.1 ASN.1 is a data description language used to describe protocols. ASN.1 is abstract and independent of hardware operating systems. The bits on the wire are defined by Encoding rules. Multiple encoding rules are defined. Geneva, Switzerland, 15-16 September 2014 13

  14. Data described in ASN.1 Two categories of data : Basic data : Boolean, Integer, Bit string, Octet String, Time types. Complex types : structured types like Sequence, Choice. Geneva, Switzerland, 15-16 September 2014 14

  15. ASN.1 has no limitation on data No limitation on number values (useful for big numbers used in cryptography). No limitation on string size. No limitation on level of complexity on structured types. Geneva, Switzerland, 15-16 September 2014 15

  16. Extensibility in ASN.1 ASN.1 mechanism interworking of successive versions on a given protocol. All standardized support this mechanism. has an which extensibility permits encoding rules Geneva, Switzerland, 15-16 September 2014 16

  17. Constraints in ASN.1 types Data can be limited : Range value on number data types. Character set and size on string data types. Constraints can be checked during encoding/decoding operations. Constraints can be used by encoding rules to optimize the encoding. Geneva, Switzerland, 15-16 September 2014 17

  18. Encoding rules for ASN.1 The first encoding rules were BER (Basic Encoding Rules) in which a type is encoded with three parts : A tag identifying the data type. A length : number of octets of the encoding. A content : 0 or more octets. Geneva, Switzerland, 15-16 September 2014 18

  19. Canonical encoding rules In BER, a data can generally be encoded in several manners. For electronic signatures, two sets of encoding rules have been developed : CER (Canonical Encoding Rules) DER (Distinguished Encoding Rules) Geneva, Switzerland, 15-16 September 2014 19

  20. Packed encoding rules Packed encoding rules (PER) have been developed bandwidth networks. In PER : Tags are not encoded. Lengths are encoded only when needed. The content is optimized using the constraints. for narrow Geneva, Switzerland, 15-16 September 2014 20

  21. Other encoding rules XML encoding rules (XER) have been developed for interworking between applications. A conversion mechanism from XML Schema to ASN.1 has been developed. OER octet encoding rules has been developed for applications which need fast encoding. JER Javascript object notation encoding rules are under development. For legacy protocols, encoding instructions and Encoding Control Notation (ECN) have been defined. ASN.1 et XML Geneva, Switzerland, 15-16 September 2014 21

  22. Usages of ASN.1 Many protocols : Directory : X500 and LDAP Mobile phone Network management Tools available application in high level programing languages. ASN.1 module database. for developing Geneva, Switzerland, 15-16 September 2014 22

  23. Standardization of ASN.1 Common texts with ISO/IEC/JTC 1/SC 6. ITU-T X.680 series | ISO/IEC 8824 for ASN.1 language. ITU-T X.690 series | ISO/IEC 8825 for encoding rules. Geneva, Switzerland, 15-16 September 2014 23

  24. Object Identifiers (OIDs) Initially defined in ASN.1 but now widely used to uniquely. Organized a tree with three first level arcs : itu-t (0) iso (1) joint-iso-itu-t (2) identify object Geneva, Switzerland, 15-16 September 2014 24

  25. Usage of OIDs OIDs are used in many protocols : Network management identify the managed objects. In Directory (X.500 and LDAP) to identify object classes and attributes (SNMP) to Geneva, Switzerland, 15-16 September 2014 25

  26. Standardization of OIDs Basic ISO/IEC/JTC 1/SC6 : ITU-T X.660 series | ISO/IEC 9834 ITU-T X.670 series | ISO/IEC 29168 texts common with Geneva, Switzerland, 15-16 September 2014 26

  27. Assignation of OIDs Each entity responsible of an arc can delegate any subtree to another entity. An Object Identifier protocol has be developed. Many object identifier are registered in a OID database available at: http://www.oid-info.com resolution Geneva, Switzerland, 15-16 September 2014 27

Related


Installations and Commissioned APP Tutorial

Installations and Commissioned APP Tutorial

ivaan
Day 1: Autodesk Inventor Tutorial

Day 1: Autodesk Inventor Tutorial

graciemai
Tutorial for EPDCL Survey App: How to Use Survey Lite App for Data Collection

Tutorial for EPDCL Survey App: How to Use Survey Lite App for Data Collection

satine
Campus Mail Services Package Shipping Tutorial

Campus Mail Services Package Shipping Tutorial

april
AAHS Rutgers Tutorial & Credit by Examination Overview

AAHS Rutgers Tutorial & Credit by Examination Overview

lyra
The Bird Is The Word: A Comprehensive Twitter Tutorial

The Bird Is The Word: A Comprehensive Twitter Tutorial

kaison
New York State Address Confidentiality Program: Application Assistance Provider Tutorial

New York State Address Confidentiality Program: Application Assistance Provider Tutorial

maxim
Audacity Tutorial: Complete Guide on Recording and Editing Audio Tracks

Audacity Tutorial: Complete Guide on Recording and Editing Audio Tracks

leda
Learning Tutorial Observation Methods

Learning Tutorial Observation Methods

frieda
AmeriCorps Member Tutorial on OnCorps Reports 2.0 - Overview and Login Instructions

AmeriCorps Member Tutorial on OnCorps Reports 2.0 - Overview and Login Instructions

nerissa
Excel Tutorial: Evaluating Pay Compression with Compa-Ratios

Excel Tutorial: Evaluating Pay Compression with Compa-Ratios

roselyn
Introduction to Makefile: A Comprehensive Tutorial

Introduction to Makefile: A Comprehensive Tutorial

reva
Introduction to MATLAB and Simulink for ECEN 2060 Tutorial

Introduction to MATLAB and Simulink for ECEN 2060 Tutorial

maxim
Getting Started with C++ Programming at Room B27 Terminals

Getting Started with C++ Programming at Room B27 Terminals

misael
libfabric: A Comprehensive Tutorial on High-Level and Low-Level Interface Design

libfabric: A Comprehensive Tutorial on High-Level and Low-Level Interface Design

faris
Fundamentals of Communications and Networks in the Networks and Communication Department Tutorial

Fundamentals of Communications and Networks in the Networks and Communication Department Tutorial

maren
Fraud, Waste, and Abuse Tutorial Certification for Small Businesses

Fraud, Waste, and Abuse Tutorial Certification for Small Businesses

caius
Micro:bit Robot Entry Tutorial - Lesson on Tracking with YahBoom

Micro:bit Robot Entry Tutorial - Lesson on Tracking with YahBoom

eliam
Interactive Tutorial on Degenerate Perturbation Theory: QuILT Development and Student Difficulties

Interactive Tutorial on Degenerate Perturbation Theory: QuILT Development and Student Difficulties

jac
Introduction to Microphone Array Beamforming: MATLAB Tutorial Series

Introduction to Microphone Array Beamforming: MATLAB Tutorial Series

lyon
Micro:bit Robot Entry Tutorial with YahBoom - Buzzer Singing Lesson

Micro:bit Robot Entry Tutorial with YahBoom - Buzzer Singing Lesson

uhtred
Tutorial on DIRAC Web Interface for JUNO DCI Group

Tutorial on DIRAC Web Interface for JUNO DCI Group

mtuth

More Related Content