AS/NZS 4019.

8:1996
ISO/IEC 9594-8:1995

Australian/New Zealand Standard

This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

Information technology—
Open Systems Interconnection—
The Directory

Part 8: Authentication framework

 AS/NZS 4019.8:1996

This Joint Australian/New Zealand Standard was prepared by Joint Technical

Committee IT/1, Information Systems — Interconnection. It was approved on behalf of
the Council of Standards Australia on 13 February 1996 and on behalf of the Council
of Standards New Zealand on 3 May 1996. It was published on 5 May 1996.
This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

The following interests are represented on Committee IT/1:

Australian Bankers’ Association
Australian Bureau of Statistics
Australian Computer Society
Australian Computer Users Association
Australian Information Industry Association
Australian Vice Chancellors Committee
Department of Defence, Australia
Department of Industry, Science and Technology, Australia
Government Computing Service, New Zealand
Information Exchange Steering Committee, Australia
Institute of Information and Communication Technologies, CSIRO, Australia
Telstra, Australia
Telecom, New Zealand

Review of Standards. To keep abreast of progress in industry, Joint Australian/

New Zealand Standards are subject to periodic review and are kept up to date by the
issue of amendments or new editions as necessary. It is important therefore that
Standards users ensure that they are in possession of the latest edition, and any
amendments thereto.
Full details of all Joint Standards and related publications will be found in the Standards
Australia and Standards New Zealand Catalogue of Publications; this information is
supplemented each month by the magazines ‘The Australian Standard’ and ‘Standards
New Zealand’, which subscribing members receive, and which give details of new
publications, new editions and amendments, and of withdrawn Standards.
Suggestions for improvements to Joint Standards, addressed to the head office of either
Standards Australia or Standards New Zealand, are welcomed. Notification of any
inaccuracy or ambiguity found in a Joint Australian/ New Zealand Standard should be
made without delay in order that the matter may be investigated and appropriate action
taken.
 AS/NZS 4019.8:1996

Australian/New Zealand Standard

This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

Information technology—
Open Systems Interconnection—
The Directory

Part 8: Authentication framework

PUBLISHED JOINTLY BY:

STANDARDS AUSTRALIA
1 The Crescent,
Homebush NSW 2140 Australia
STANDARDS NEW ZEALAND
Level 10, Standards House,
155 The Terrace,
Wellington 6001 New Zealand
ISBN 0 7337 0426 3
 ii

PREFACE
This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee IT/1
on Information Systems— Interconnection. It is identical with and has been reproduced from
ISO/IEC 9594-8:1995, Information technology— Open Systems Interconnection— The Directory:
Authentication framework. This edition will be concurrent with AS 4019.8 — 1992, Information
technology — Open Systems Interconnection — The Directory, Part 8: Authentication framework.
The objective of this Standard is to provide users of information technology with a definition of a
framework for the provision of authentication services by the Directory to its users.
This Standard is one of a series of Open Systems Interconnection (OSI) Standards which are currently
under development. Since OSI Standards are developmental, there may be some minor difficulties
encountered in their implementation. For this reason, Standards Australia will be providing, through
the OSI Help Desk, a service to coordinate and disseminate information concerning difficulties which
This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

are identified in using this Standard.

This edition technically revises and enhances AS 4019.8. Implementation may still claim conformance
to AS 4019.8. However, at some point, AS 4019 will no longer be supported. It is recommended that
implementation conform to AS/NZS 4019.8:1996 as soon as possible.
This Standard is Part 8 of AS/NZS 4019, Information technology — Open Systems Interconnection —
The Directory, which is published in Parts as follows:
Part 1: Overview of concepts, models and services
Part 2: Models
Part 3: Abstract service definition
Part 4: Procedures for distributed operation
Part 5: Protocol specifications
Part 6: Selected attribute types
Part 7: Selected object classes
Part 8: Authentication framework (this Standard)
Part 9: Replication
Users of this Standard are advised by Standards Australia and Standards New Zealand, under
arrangements made with ISO and IEC, as well as certain other Standards organizations, that the number
of this Standard is not reproduced on each page; its identity is shown only on the cover and title pages.
For the purpose of this Standard, the source text should be modified as follows:
(a) Terminology The words ‘this Australian/New Zealand Standard’ should replace the words ‘this
International Standard’ wherever they appear.
(b) Decimal marker Substitute a full point for a comma where it appears as a decimal marker.
(c) References The references to international Standards should be replaced by references, where
appropriate, to the following Australian or Joint Australian/New Zealand Standards:
Reference to International Standard Australian or Joint
or other Publication Australian/New Zealand Standard
ISO AS
7498 Information Processing Systems — 2777 Information processing systems —
Open Systems Interconnection— Open Systems Interconnection—
Basic Reference Model Basic reference model
7498-2 Part 2: Security Architecture 2777.2 Part 2: Security architecture
 iii
ISO/IEC AS/NZS
8824 Information technology— —
Abstract Syntax Notation One (ASN.1)
8824-1 Part 1: Specification of basic notation —
8824-2 Part 2: Information object —
specification
8824-3 Part 3: Constraint specification —
8824-4 Part 4: Parameterization of ASN.1 —
specifications
8825 Information technology— ASN.1 —
encoding rules
8825-1 Part 1: Specification of Basic —
Encoding Rules (BER), Canonical
Encoding Rules (CER) and
Distinguished Encoding Rules (DER)
This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

9594 Information technology— 4019 Information technology—

Open Systems Interconnection — Open Systems Interconnection—
The Directory: The Directory:
9594-1 Part 1: Overview of concepts, models 4019.1 Part 1: Overview of concepts, models
and services and services
9594-2 Part 2: Models 4019.2 Part 2: Models
9594-3 Part 3: Abstract service definition 4019.3 Part 3: Abstract service definition
9594-4 Part 4: Procedures for distributed 4019.4 Part 4: Procedures for distributed
operation operation
9594-5 Part 5: Protocol specifications 4019.5 Part 5: Protocol specifications
9594-6 Part 6: Selected attribute types 4019.6 Part 6: Selected attribute types
9594-7 Part 7: Selected object classes 4019.7 Part 7: Selected object classes
9594-9 Part 9: Replication 4019.9 Part 9: Replication
13712 Information technology— Remote
Operations
13712-1 Part 1: Concepts, Model and Notation —
13712-2 Part 2: OSI realizations — Remote —
Operations Service Element (ROSE)
service definition

 Copyright STANDARDS AUSTRALIA/ STANDARDS NEW ZEALAND

Users of Standards are reminded that copyright subsists in all Standards Australia and Standards New Zealand publications and software.
Except where the Copyright Act allows and except where provided for below no publications or software produced by Standards Australia
or Standards New Zealand may be reproduced, stored in a retrieval system in any form or transmitted by any means without prior permission
in writing from Standards Australia or Standards New Zealand. Permission may be conditional on an appropriate royalty payment. Australian
requests for permission and information on commercial software royalties should be directed to the head office of Standards Australia.
New Zealand requests should be directed to Standards New Zealand.
Up to 10 percent of the technical content pages of a Standard may be copied for use exclusively in-house by purchasers of the
Standard without payment of a royalty or advice to Standards Australia or Standards New Zealand.
Inclusion of copyright material in computer software programs is also permitted without royalty payment provided such programs are
used exclusively in-house by the creators of the programs.
Care should be taken to ensure that material used is from the current edition of the Standard and that it is updated whenever the Standard
is amended or revised. The number and date of the Standard should therefore be clearly identified.
The use of material in print form or in computer software programs to be used commercially, with or without payment, or in commercial
contracts is subject to the payment of a royalty. This policy may be varied by Standards Australia or Standards New Zealand at any time.
 iv

CONTENTS

Page
SECTION 1 — GENERAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Normative references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1 Identical Recommendations International Standards . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 Paired Recommendations International Standards equivalent in technical content . . . . . 2

3 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. .. . .. .. . . . .. . . . . ... . . 3
3.1 OSI Reference Model security architecture definitions . . . .. .. . .. .. . . . .. . . . . . .. . . 3
This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

3.2 Directory model definitions . . . . . . . . . . . . . . . . . . . . . .. .. . .. .. . . . .. . . . . ... . . 3

3.3 Authentication framework definitions . . . . . . . . . . . . . . .. .. . .. .. . . . .. . . . . ... . . 3

4 Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

5 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

SECTION 2 — SIMPLE AUTHENTICATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

6 Simple authentication procedure . . . . . . . . . . . . . . . . . . .. . . . .. .. . . . . .. . . . . . .. .. . .. . . 5

6.1 Generation of protected identifying information . .. . . . .. . . . . . . .. . . . . . .. ... .. . . 6
6.2 Procedure for protected simple authentication . . . .. .. . .. .. . . . . .. . . . . . .. . .. .. .. 7
6.3 User Password attribute type . . . . . . . . . . . . . . .. .. . .. .. . . . . .. . . . . . .. ... .. .. 8

SECTION 3 — STRONG AUTHENTICATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

7 Basis of strong authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

8 Obtaining a user’s public key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

8.1 Optimization of the amount of information obtained from the Directory . . . . . . . . . . . . 11
8.2 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

9 Digital signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

10 Strong authentication procedures . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

10.1 Overview . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.2 One-way authentication . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.3 Two-way authentication . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.4 Three-way authentication . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

11 Management of keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

11.1 Generation of key pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
11.2 Management of certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
 v
Page
Annex A — Authentication Framework in ASN.1 . . . . . . . . . . . . . . . . . .. . . . .. .. .. . .. . .. .. . . 20
Annex B — Security requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . .. .. . . . .. . .. .. . . 23
Annex C — An introduction to public key cryptography . . . . . . . . . . . . .. . . . .. .. .. . .. . .. .. . . 26
Annex D — The RSA Public Key Cryptosystem . . . . . . . . . . . . . . . . . . .. . . . .. .. .. . .. . .. .. . . 28
Annex E — Hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . .. .. .. . . . . .. .. . . 31
Annex F — Threats protected against by the strong authentication method . . . . .. .. . . . .. . .. .. . . 32
Annex G — Data confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . .. .. . . . .. . . . .. . . 33
Annex H — Reference definition of algorithm object identifiers . . . . . . . .. . . . .. .. .. . .. . .. .. . . 34
Annex J — Amendments and corrigenda . . . . . . . . . . . . . . . . . . . . . . . .. . . . .. .. .. . .. . . . .. . . 35
This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

Originated in Australi a as AS 4019.8 — 1992.

Jointl y revised and designated AS/NZS 4019.8:1996.
This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

vi

NOTES
 1

AUSTRALIAN/NEW ZEALAND STANDARD

INFORMATION TECHNOLOGY — OPEN SYSTEMS INTERCONNECTION —

THE DIRECTORY: AUTHENTICATION FRAMEWORK

SECTION 1 — GENERAL

1 Scope
This Recommendation International Standard:

– specifies the form of authentication information held by the Directory;

– describes how authentication information may be obtained from the Directory;

This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

– states the assumptions made about how authentication information is formed and placed in the Directory;

– defines three ways in which applications may use this authentication information to perform
authentication and describes how other security services may be supported by authentication.

This Recommendation International Standard describes two levels of authentication: simple authentication, using a
password as a verification of claimed identity; and strong authentication, involving credentials formed using
cryptographic techniques. While simple authentication offers some limited protection against unauthorized access, only
strong authentication should be used as the basis for providing secure services. It is not intended to establish this as a
general framework for authentication, but it can be of general use for applications which consider these techniques
adequate.

Authentication (and other security services) can only be provided within the context of a defined security policy. It is
a matter for users of an application to define their own security policy which may be constrained by the services
provided by a standard.

It is a matter for standards defining applications which use the authentication framework to specify the protocol
exchanges which need to be performed in order to achieve authentication based upon the authentication information
obtained from the Directory. The protocol used by applications to obtain credentials from the Directory is the Directory
Access Protocol (DAP), specified in ITU-T Recommendation X.519 ISO/IEC 9594-5.

The strong authentication method specified in this Recommendation International Standard is based upon public-key
cryptosystems. It is a major advantage of such systems that user certificates may be held within the Directory as
attributes, and may be freely communicated within the Directory System and obtained by users of the Directory in the
same manner as other Directory information. The user certificates are assumed to be formed by “off-line” means, and
placed in the Directory by their creator. The generation of user certificates is performed by some off-line Certification
Authority which is completely separate from the DSAs in the Directory. In particular, no special requirements are placed
upon Directory providers to store or communicate user certificates in a secure manner.

A brief introduction to public-key cryptography can be found in Annex C.

In general, the authentication framework is not dependent on the use of a particular cryptographic algorithm, provided
it has the properties described in 7.1. Potentially a number of different algorithms may be used. However, two users
wishing to authenticate shall support the same cryptographic algorithm for authentication to be performed correctly.
Thus, within the context of a set of related applications, the choice of a single algorithm will serve to maximize the
community of users able to authenticate and communicate securely. One example of a public key cryptographic
algorithm can be found in Annex D.

Similarly, two users wishing to authenticate shall support the same hash function [see 3.3 f)] (used in forming credentials
and authentication tokens). Again, in principle, a number of alternative hash functions could be used, at the cost of
narrowing the communities of users able to authenticate. A brief introduction to hash functions can be found in Annex E.

COPYRIGHT
 This is a free preview. Purchase the entire publication at the link below:

AS/NZS 4019.8:1996, Information technology -

Open Systems Interconnection - The Directory
Authentication framework
This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.

Looking for additional Standards? Visit SAI Global Infostore

Subscribe to our Free Newsletters about Australian Standards® in Legislation; ISO, IEC, BSI and more
Do you need to Manage Standards Collections Online?
Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation
Do you want to know when a Standard has changed?
Want to become an SAI Global Standards Sales Affiliate?

Learn about other SAI Global Services:

LOGICOM Military Parts and Supplier Database

Metals Infobase Database of Metal Grades, Standards and Manufacturers
Materials Infobase Database of Materials, Standards and Suppliers
Database of European Law, CELEX and Court Decisions

Need to speak with a Customer Service Representative - Contact Us