GB/T 16264.8-1996
Information technology--Open systems interconnection--The directory. Part 8: Authentication framework (English Version)

Standard No.
GB/T 16264.8-1996
Language
Chinese, Available in English version
Release Date
1996
Published By
General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China
Status
Superseded (2005-12)
Replaced By
GB/T 16264.8-2005
Latest
GB/T 16264.8-2005
Scope
This standard: specifies the form of the authentication information held by the Directory; describes how authentication information may be obtained from the Directory; states the assumptions made about how authentication information is formed and placed in the Directory; defines three ways in which applications may use this authentication information to perform authentication; and describes how other security services may be supported by authentication. This standard describes two levels of authentication: simple authentication, which uses a password as a verification of claimed identity, and strong authentication, which uses credentials formed by cryptographic techniques. Simple authentication offers only limited protection against unauthorized access; only strong authentication should be used as the basis for providing secure services. This standard is not intended to establish a general framework for authentication, but it may be of general use for applications that consider these techniques adequate. Authentication (and other security services) can only be provided within the context of a defined security policy; it is up to the users of an application to define their own security policy, which may be constrained by the services provided by this standard. It is the responsibility of the standards that define applications using this authentication framework to specify the protocol exchanges that must be performed in order to achieve authentication based on the authentication information obtained from the Directory. The protocol by which applications obtain credentials from the Directory is the Directory Access Protocol (DAP), specified in GB/T 16264.5. The strong authentication method specified in this standard is based on public-key cryptosystems. The main advantage of such a system is that user certificates may be held in the Directory as attributes, may be freely communicated within the Directory system, and may be obtained by users of the Directory in the same manner as other Directory information.
User certificates are assumed to be formed by 'off-line' means and placed in the Directory by their creator. The generation of user certificates is performed by a 'certification authority' that is completely separate from the Directory System Agents (DSAs) of the Directory. In particular, no special requirements are placed on Directory providers to store or communicate user certificates in a secure manner. Appendix B gives a brief overview of public-key cryptography. In general, the authentication framework is independent of the cryptographic algorithm used, as described in 6.1; that is, a variety of algorithms may be used. However, two users wishing to authenticate each other must support the same cryptographic algorithm for authentication to be performed correctly. Within a set of related applications, therefore, the choice of a single algorithm maximizes the community of users able to authenticate and communicate securely. Appendix C gives an example of a public-key cryptographic algorithm. Similarly, two users wishing to authenticate each other must support the same hash function, which is used in forming credentials and authentication tokens. Again, in principle, a number of alternative hash functions could be used, but at the cost of reducing the community of users able to authenticate each other. Appendix D gives a brief overview of hash functions and an example.
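As an added worked example (not part of GB/T 16264.8 or of this catalog entry), the following Python sketch shows the pattern the scope describes: a certification authority forms a user certificate off-line, the certificate is held in the Directory as an ordinary attribute with no special protection, and a relying party validates the certificate against the CA key before using the certified key to check a signed authentication token. Textbook RSA over two fixed Mersenne-prime products stands in for the standard's algorithm-independent public-key cryptosystem, a sorted key=value string stands in for ASN.1 encoding, and the names cn=CA, cn=A and cn=B, the record fields and the token layout are all constructed for the illustration; none of them is the token format defined by the standard. The key sizes and unpadded signatures are not secure and are used only so the example runs offline without a cryptography library.

```python
from __future__ import annotations

import hashlib
import os

# Constructed illustration of the strong-authentication pattern described in
# the scope: a certification authority signs user certificates off-line, the
# certificates are published as plain Directory attributes, and a relying
# party validates a signed authentication token. Textbook RSA over fixed
# Mersenne primes stands in for the standard's algorithm-independent public
# key cryptosystem; it is NOT a secure signature scheme (no padding, toy key
# sizes) and exists only to show the structure of the exchange.
_E = 65537


def make_keypair(p: int, q: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)) for textbook RSA over the given primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (n, _E), (n, pow(_E, -1, phi))


def _digest_int(data: bytes, hash_name: str, n: int) -> int:
    """Hash with the agreed hash function and reduce into Z_n (toy encoding)."""
    return int.from_bytes(hashlib.new(hash_name, data).digest(), "big") % n


def sign(priv: tuple[int, int], data: bytes, hash_name: str = "sha256") -> int:
    n, d = priv
    return pow(_digest_int(data, hash_name, n), d, n)


def verify(pub: tuple[int, int], data: bytes, sig: int, hash_name: str = "sha256") -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, hash_name, n)


def encode(fields: dict) -> bytes:
    """Canonical byte encoding of a record; a stand-in for ASN.1 DER."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def issue_certificate(ca_priv, issuer: str, subject: str, subject_pub, hash_name: str = "sha256") -> dict:
    """CA binds a subject name to a public key; done off-line, outside the Directory."""
    body = {"issuer": issuer, "subject": subject, "n": subject_pub[0], "e": subject_pub[1], "hash": hash_name}
    return {**body, "signature": sign(ca_priv, encode(body), hash_name)}


def validate_certificate(cert: dict, ca_pub) -> tuple[int, int] | None:
    """Return the certified public key if the CA signature checks out, else None."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    if verify(ca_pub, encode(body), cert["signature"], cert["hash"]):
        return cert["n"], cert["e"]
    return None


def make_token(priv, sender: str, recipient: str, now: int, hash_name: str = "sha256") -> dict:
    """Sender's authentication token: timestamp and nonce bound to the intended recipient."""
    body = {"from": sender, "to": recipient, "time": now, "nonce": os.urandom(8).hex()}
    return {**body, "signature": sign(priv, encode(body), hash_name)}


def check_token(token: dict, sender_pub, me: str, now: int, hash_name: str = "sha256", max_age: int = 300) -> bool:
    """Recipient's checks: addressed to me, fresh, and signed under the certified key."""
    body = {k: v for k, v in token.items() if k != "signature"}
    if body["to"] != me or abs(now - body["time"]) > max_age:
        return False
    return verify(sender_pub, encode(body), token["signature"], hash_name)


def demo() -> dict:
    """Run the exchange end to end and report the outcome of each check."""
    ca_pub, ca_priv = make_keypair(2**61 - 1, 2**89 - 1)    # CA key pair (toy primes)
    a_pub, a_priv = make_keypair(2**107 - 1, 2**127 - 1)    # user A's key pair (toy primes)

    # The Directory holds A's certificate as an ordinary attribute; the
    # Directory itself is not trusted for integrity, the CA signature is.
    directory = {"cn=A": {"userCertificate": issue_certificate(ca_priv, "cn=CA", "cn=A", a_pub)}}
    fetched = directory["cn=A"]["userCertificate"]
    a_pub_from_dir = validate_certificate(fetched, ca_pub)

    # A certificate altered in storage or transit (different modulus) fails validation.
    tampered = dict(fetched, n=fetched["n"] + 2)

    now = 1_700_000_000                                     # fixed clock for reproducibility
    token = make_token(a_priv, "cn=A", "cn=B", now)
    return {
        "certificate_valid": a_pub_from_dir == a_pub,
        "tampered_certificate_rejected": validate_certificate(tampered, ca_pub) is None,
        "token_accepted": check_token(token, a_pub_from_dir, "cn=B", now),
        "wrong_recipient_rejected": not check_token(token, a_pub_from_dir, "cn=C", now),
        "stale_token_rejected": not check_token(token, a_pub_from_dir, "cn=B", now + 3600),
        # Both parties must use the same hash function, as the scope notes.
        "hash_mismatch_rejected": not check_token(token, a_pub_from_dir, "cn=B", now, hash_name="sha1"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it directly to print the outcome of each check. The rejected cases are the points the scope makes: the Directory need not store certificates securely because any alteration breaks the CA signature, the token is bound to its recipient and to a time window, and the two parties must agree on the hash function because the verifier recomputes the digest with its own choice.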

GB/T 16264.8-1996 history

  • 2005 GB/T 16264.8-2005 Information technology. Open Systems Interconnection. The Directory. Part 8: Public-key and attribute certificate frameworks
  • 1996 GB/T 16264.8-1996 Information technology--Open systems interconnection--The directory. Part 8: Authentication framework

Copyright ©2024 All Rights Reserved