The drawings contained in this Recommendation have been done in AUTOCAD ANNEX A (to Recommendation X.509) Security requirements This Annex does not form an integral part of this Recommendation. [Additional material relevant to this topic can be found in OSI 7498 - Information Processing Systems - OSI Reference Model - Part 2, Security Architecture.] Many OSI applications, CCITT-defined services and non-CCITT-defined services will have requirements for security. Such requirements derive from the need to protect the transfer of information from a range of potential threats. A.1 Threats Some commonly known threats are: a) identity interception: the identity of one or more of the users involved in a communication is observed for misuse; b) masquerade: the pretense by a user to be a different user in order to gain access to information or to acquire additional privileges; c) replay: the recording and subsequent replay of a communication at some later date; d) data interception: the observation of user data during a communication by an unauthorized user; e) manipulation: the replacement, insertion, deletion or misordering of user data during a communication by an unauthorized user; f) repudiation: the denial by a user of having participated in part or all of a communication; g) denial of service: the prevention or interruption of a communication or the delay of time-critical operations; Note - This security threat is a more general one and depends on the individual application or on the intention of the unauthorized disruption and is therefore not explicitly within the scope of the authentication framework. h) mis-routing: the mis-routing of a communication path intended for one user to another; Note - Mis-routing will naturally occur in OSI layers 1 - 3. Therefore mis-routing is outside of the scope of the authentication framework. However, it may be possible to avoid the consequences of mis-routing by using appropriate security services as provided within the authentication framework. i) traffic analysis: the observation of information about a communication between users (e.g. absence/presence, frequency, direction, sequence, type, amount, etc.). Note - Traffic analysis threats are naturally not restricted to a certain OSI layer. Therefore traffic analysis is generally outside the scope of the authentication framework. However, traffic analysis can be partially protected against by generating additional unintelligible traffic (traffic padding), using enciphered or random data. A.2 Security services In order to protect against perceived threats, various security services need to be provided. Security services as provided by the authentication framework are performed by means of the security mechanisms described in A.3 of this Annex. a) peer entity authentication: this service provides corroboration that a user in a certain instance of communication is the one claimed. Two different peer entity authentication services may be requested: - single entity authentication (either data origin entity authentication or data recipient entity authentication); - mutual authentication, where both users communicating authenticate each other. When requesting a peer entity authentication service, the two users agree whether their identities will be protected or not. The peer entity authentication service is supported by the authentication framework. It can be used to protect against masquerade and replay, concerning the user's identities; b) access control: this service can be used to protect against the unauthorized use of resources. The access control service is provided Fascicle VIII.8 - Rec. X.511 PAGE21 by the Directory or another application and is therefore not a concern of the authentication framework; c) data confidentiality: this service can be used to provide for protection of data from unauthorized disclosure. The data confidentiality service is supported by the authentication framework. It can be used to protect against data interception; d) data integrity: this service provides proof of the integrity of data in a communication. The data integrity service is supported by the authentication framework. It can be used to detect and protect against manipulation; e) non-repudiation: this service provides proof of the integrity and origin of data - both in an unforgeable relationship - which can be verified by any third party at any time. A.3 Security mechanisms The security mechanisms outlined here perform the security services described in A.2. a) autbhentication exchange: there are two grades of authentication framework: - simple authentication: relies on the originator supplying its name and password, which are checked by the recipient; - strong authentication: relies on the use of cryptographic techniques to protect the exchange of validating information. In the authentication framework, strong authentication is based upon an asymmetric scheme. The authentication exchange mechanism is used to support the peer entity authentication service; b) encipherment: the authentication framework envisages the encipherment of data during transfer. Either asymmetric or symmetric schemes may be used. The necessary key exchange for either case is performed either within a preceding authentication exchange or off-line any time before the intended communication. The latter case is outside the scope of the authentication framework. The encipherment mechanism supports the data confidentiality service; c) data integrity: this mechanism involves the encipherment of a compressed string of the relevant data to be transferred. Together with the plain data, this message is sent to the recipient. The recipient repeats the compressing and subsequent encipherment of the plain data and compares the results with that created by the originator to prove integrity. The data integrity mechanism can be provided by encipherment of the compressed plain data by either an asymmetric scheme or a symmetric scheme. (With the symmetric scheme, compression and encipherment of data might be processed simultaneously.) The mechanism is not explicitely provided by the authentication framework. However it is fully provided as a part of the digital signature mechanism (see below) using an asymmetric scheme. The data integrity mechanism supports the data integrity service. It also partially supports the non-repudiation service (that service also needs the digital signature mechanism for its requirement to be fully met); d) digital signature: this mechanism involves the encipherment, by the originator's secret key, of a compressed string of the relevant data to be transferred. The digital signature together with the plain data is sent to the recipient. Similarly to the case of the data integrity mechanism, this message is processed by the recipient to prove integrity. The digital signature mechanism also proves the authenticity of the originator and the unambiguous relationship between the originator and the data that was transferred. The authentication framework supports the digital signature mechanism using an asymmetric scheme. The digital signature mechanism supports the data integrity service and also supports the non-repudiation service. A.4 Threats protected against by the security services The table at the end of this Annex indicates the security threats which each security service can protect against. The presence of an asterisk (*) PAGE21 Fascicle VIII.8 - Rec. X.511 indicates that a certain security service affords protection against a certain threat. A.5 Negotiation of security services and mechanisms The provision of security features during an instance of communication requires the negotiation of the context in which security services are required. This entails agreement on the type of security mechanisms and security parameters that are necessary to provide such security services. The procedures required for negotiating mechanisms and parameters can either be carried out as an integral part of the normal connection establishment procedure or as a separate process. The precise details of these procedures for negotiation are not specified in this Annex. SERVICES THREATS Entity Data Data Non- Authentication Confidentiali Integrit Repudiation ty y Identity * (if Interception req'd) Data interception * Masquerade * Replay * * (data) * (identity) Fascicle VIII.8 - Rec. X.511 PAGE21 Manipulation * * Repudiation * ANNEX B (to Recommendation X.509) An introduction to public key cryptography This Annex does not form an integral part of this Recommendation. In conventional cryptographic systems, the key used to encipher information by the originator of a secret message is the same as that used to decipher the message by the legitimate recipient. In public key cryptosystems (PKCS), however, keys come in pairs, one key of which is used for enciphering and the other for deciphering. Each key pair is associated with a particular user X. One of the keys, known as the public key (Xp) is publicly known, and can be used by any user to encipher data. Only X, who possesses the complementary secret key (Xs) may decipher the data. (This is represented notationally by D = Xs[Xp[D]].) It is computationally infeasible to derive the secret key from knowledge of the public key. Any user can thus communicate a piece of information which only X can find out, by enciphering it under Xp. By extension, two users can communicate in secret, by using each other's public key to encipher the data, as shown in Figure B-1/X.509. FIGURE B-1/X.509 - T0704470-88 User A has public key Ap and secret key As, and user B has another set of keys, Bp and Bs. A and B both know the public keys of each other, but are unaware of the secret key of the other party. A and B may therefore exchange secret information with one another using the following steps (illustrated in Figu e B- 1/X.509): 1) A wishes to send some secret information x to B. A therefore enciphers x under B's enciphering key and sends the enciphered information e to B. This is represented by: e = Bp[x]. 2) B may now decipher this encipherment e to obtain the information x by using the secret decipherment key Bs. Note that B is the only possessor of Bs, and because this key may never be disclosed or sent, it is impossible for any other party to obtain the information x. The possession of Bs determines the identity of B. The decipherment operation is represented by: x = Bs[e], or x = Bs[Bp[x]]. 3) B may now similarly send some secret information, xw', to A, under A's enciphering key, Ap: ew' = Ap[xw']. 4) A obtains xw' by deciphering ew': xw' = As[ew'], or xw' = As[Ap[xw']]. By this means, A and B have exchanged secret information x and xw'. This information may not be obtained by anyone other than A and B, providing that their secret keys are not revealed. Such an exchange can, as well as transferring secret information between the parties, serve to verify their identities. Specifically, A and B are identified by their possession of the secret deciphering keys, As and Bs respectively. A may determine if B is in possession of the secret deciphering key, Bs, by having returned part of his information x in B's message xw'. This indicates to A that communication is taking place with the possessor of Bs. B may similarly test the identity of A. It is a property of some PKCS that the steps of decipherment and encipherment can be reversed, as in D = Xp[Xs[D]]. This allows a piece of information which could only have been originated by X, to be readable by any user (who has possession of Xp). This can therefore be used in the certifying of the source of information, and is the basis for digital signatures. Only PKCS which have this (permutability) property are suitable for use in this authentication framework. One such algorithm is described in Annex C. For further information, see: DIFFIE, W. and HELLMAN, M. E. (November 1976) - New Directions in Cryptography, IEEE Transactions on Information Theory, IT-22, No. 6. ANNEX C (to Recommendation X.509) The RSA public key cryptosystem PAGE21 Fascicle VIII.8 - Rec. X.511 This Annex does not form an integral part of this Recommendation. Note - The cryptosystem specified in this Annex, which was invented by R. L. Rivest, A. Shamir and L. Adleman, is widely known as "RSA". C.1 Scope and field of application It is beyond the scope of this paper to discuss RSA fully. However, a brief description is given on the method, which relies on the use of modular exponentiation. C.2 References For further information, see: 1) General RIVEST, R. L., SHAMIR, A. and ADLEMAN, L. (February 1978) - A Method for Obtaining Digital Signatures and Public-key Cryptosystems, Communications of the ACM, 21, 2, 120-126. Fascicle VIII.8 - Rec. X.511 PAGE21 2) Key Generation Reference GORDON, J. - Strong RSA Keys, Electronics Letters, 20, 5, 514-516. 3) Decipherment Reference QUISQUATER, J. J. and COUVREUR, C. (October 14, 1982) - Fast Decipherment Algorithm for RSA Public-key Cryptosystems, Electronics Letters, 18, 21, 905-907. C.3 Definitions a) public key: the pair of parameters consisting of the Public Exponent and the Arithmetic Modulus; Note - The ASN.1 data element subjectPublicKey defined as BIT STRING (see Annex G), should be interpreted in the case of RSA as being of type: SEQUENCE {INTEGER,INTEGER} where the first integer is the Arithmetic Modulus and the second is the Public Exponent. The sequence is represented by means of the ASN.1 Basic Encoding Rules. b) secret key: the pair of parameters consisting of the Secret Exponent and the Arithmetic Modulus. C.4 Symbols and abbreviations X,Ydata blocks which are arithmetically less than the modulus n the Arithmetic Modulus e the Public Exponent d the Secret Exponent p,qthe prime numbers whose product forms the Arithmetic Modulus (n). Note - While the prime numbers are preferably two in number, the use of a Modulus with three- or more prime factors is not precluded. mod n arithmetic modulo n. C.5 Description This asymmetric algorithm uses the power function for transformation of data blocks such that: Y = Xemod n with 0 < X < n X = Ydmod n 0 < Y < n which may be satisfied, for example, by ed mod lcm(p-1,q-1=1, ed mod (p-1)(q-1)=1 To effect this process, a data block must be interpreted as an integer. This is accomplished by considering the entire data block to be an ordered sequence of bits (of length l, say). The integer is then formed as the sum of the bits after giving a weight of 2l-1 to the first bit and dividing the weight by 2 for each subsequent bit (the last bit has a weight of 1). The data block length should be the largest number of octets containing fewer bits than the modulus. Incomplete blocks should be padded in any way desired. Any number of blocks of additional padding may be added. C.6 Security requirements C.6.1 Key lengths It is recognized that the acceptable key length is likely to change with time, subject to the cost and availability of hardware, the time taken, advances in techniques and the level of security required. It is recommended that a value for the length of n of 512 bits be adopted initially, but subject to further study. C.6.2 Key generation The security of RSA relies on the difficulty of factorizing n. There are many algorithms for performing this operation, and in order to thwart the use of any currently known technique, the values p and q must be chosen carefully, according to the following rules [e.g. see Reference 2), Section C.2]: a) they should be chosen randomly; b) they should be large; c) they should be prime; d) |p-q| should be large; e) (p+1) must possess a large prime factor; f) (q+1) must possess a large prime factor; g) (p-1) must possess a large prime factor, say r; h) (q-1) must possess a large prime factor, say s; i) (r-1) must possess a large prime factor; j) (s-1) must possess a large prime factor. PAGE21 Fascicle VIII.8 - Rec. X.511 After generating the public and secret keys, e.g. "Xp" and "Xs" as defined in 3.3 and 4.1 of this Recommendation which consist of d, e and n, the values p and q together with all other data produced such as the product (p-1) (q-1) and the large prime factors should preferably be destroyed. However, keeping p and q locally can improve throughput in decryption by two to four times. The decision to keep p and q is considered to be a local matter [Reference 3)]. It must be ensured that e > log2(n) in order to prevent attack by taking the e'th root mod n to disclose the plaintext. C.7 Public exponent The Public Exponent (e) could be common to the whole environment, in order to minimize the length of that part of the public key that actually has to be distributed, in order to reduce transmission capacity and complexity of transformation (see Note 1). Exponent e should be large enough but such that exponentiation can be performed efficiently with regard to processing time and storage capacity. If a fixed public exponent e is desired, there are notable merits for the use of the Fermat Number F4 (see Note 2). eq F4 = 22\s\up6(4) + 1 = 65537 decimal, and = 1 0000 0000 0000 0001 binary. Note 1 - Although both Modulus n and Exponent e are public, the Modulus should not be the part which is common to a group of users. Knowledge of Modulus "n", Public Exponent "e" and Secret Exponent "d" is sufficient to determine the factorization of "n". Therefore if the modulus was common, everyone could deduce its factors, thereby finding everyone else's secret exponent. Note 2 - The fixed exponent should be large and prime but it should also provide efficient processing. Fermat Number F4 meets these requirements, e.g. authentication takes only 17 multiplications and is on the average 30 times faster than decipherment. C.8 Conformance Whilst this Annex specifies an algorithm for the public and secret functions, it does not define the method whereby the calculations are carried out; therefore there may be different products which comply with this Annex and are mutually compatible. Fascicle VIII.8 - Rec. X.511 PAGE21 ANNEX D (to Recommendation X.509) Hash functions This Annex does not form an integral part of this Recommendation. D.1 Requirements for hash functions To use a hash function as a secure one-way function, it must not be possible to obtain easily the same hash result from different combinations of the input message. A strong hash function will meet the following requirements: a) the hash function must be one-way, i.e. given any possible hash result it must be computationally infeasible to construct an input message which hashes to this result; b) the hash function must be collision-free, i.e. it must be computationally infeasible to construct two distinct input messages which hash to the same result. D.2 Description of a hash function The following hash function ("square-mod n") performs the compression of the data on a block by block basis. Hashing is done in three major steps: 1) The string of data to be hashed is divided into blocks B of equal length. This length is determined by the characteristics of the asymmetric cryptosystem used for signing. With the RSA cryptosystem, this length (in octets) is the largest integer, l, such that, with modulus n, 16 l < log2 n. 2) For non-invertibility reasons each octet of the block is split in half. Each of the halves is headed ("padded") by binary ones. By this zoning, stiffness r redundancy is introduced that increases the non- invertibility property of the hash function considerably. Each block generated in step 1 is spread to the length of the modulus n. 3) Each block resulting from step 2 is added to the previous block modulo 2, squared, and reduced modulo n, until all m blocks are processed. The result is thus the value Hm, where H0 = 0 Hi = (Hi-1 + Bi)2 mod n, for 1 < i < m If the last block of the data to be hashed is incomplete, it is padded with "l"s. ANNEX E (to Recommendation X.509) Threats protected against by the strong authentication method This Annex does not form an integral part of this Recommendation. The strong authentication method described in this Recommendation offers protection against the threats as described in Annex A for strong authentication. In addition, there is a range of potential threats that are specific to the strong authentication method itself. These are: Compromise of the user's secret key - one of the basic principles of strong authentication is that the user's secret key remain secure. A number of practical methods are available for the user to hold his secret key in a manner that provides adequate security. The consequences of the compromise are limited to subversion of communication involving that user. Compromise of the CA's secret key - that the secret key of a CA remain secure is also a basic principle of strong authentication. Physical security and "need to know" methods apply. The consequences of the compromise are limited to subversion of communication involving any user certified by that CA. Misleading CA into producing an invalid certificate - the fact that CAs are off-line affords some protection. The onus is on the CA to check that purported strong credentials are valid before creating a certificate. The consequences of the compromise are limited to subversion of communication involving the user for whom the certificate was created, and anyone impacted by the invalid certificate. Collusion between a rogue CA and user - such a collusive attack will defeat the method. This would constitute a betrayal of the trust placed in the CA. The consequences of a rogue CA are limited to subversion of communication involving any user certified by that CA. Forging of a certificate - the strong authentication method protects against the forging of a certificate by having the CA sign it. The method depends PAGE21 Fascicle VIII.8 - Rec. X.511 on maintaining the secrecy of the CA's secret key. Forging of a token - the strong authentication method protects against the forging of a token by having the sender sign it. The method depends on maintaining the secrecy of the sender's secret key. Replay of a token - the one- and two-way authentication methods protect against the replay of a token by the inclusion of a timestamp in the token. The three-way method does so by checking the random numbers. Attack on the cryptographic system - the likelihood of effective cryptanalysis of the system, based on advances in computational number theory and leading to the need for a greater key length are reasonably predictable. ANNEX F (to Recommendation X.509) Data confidentiality This Annex does not form an integral part of this Recommendation. F.1 Introduction The process of data confidentiality can be initiated after the necessary keys for encipherment have been exchanged. This might be provided by a preceding authentication exchange as described in 9 or by some other key exchange process, the latter being outside the scope of this document. Data confidentiality can be provided either by the application of an asymmetric or symmetric enciphering scheme. F.2 Data confidentiality by asymmetric encipherment In this case Data Confidentiality is performed by means of an originator enciphering the data to be sent using the intended recipient's public key: the recipient will then decipher it using its secret key. F.3 Data confidentiality by symmetric encipherment In this case Data Confidentiality is achieved by the use of a symmetric enciphering algorithm. Its choice is outside the scope of the authentication framework. Where an authentication exchange according to 9 has been carried out by the two parties involved, then a key for the usage of a symmetric algorithm can be derived. Choosing secret keys depends on the transformation to be used. The parties must be sure that they are strong keys. This Recommendation does not specify how this choice is made, although clearly this would need to be agreed by the parties concerned, or specified in other standards. Fascicle VIII.8 - Rec. X.511 PAGE21 ANNEX G (to Recommendation X.509) Authentication framework in ASN.1 This Annex is part of the Recommendation. This Annex includes all of the ASN.1 type, macro and value definitions contained in this Recommendation in the form of the ASN.1 module, "AuthenticationFramework". AuthenticationFramework {joint-iso-ccitt ds(5) modules(1) authenticationFramework(7)} DEFINITIONS ::= BEGIN EXPORTS AlgorithmIdentifier, AuthorityRevocationList, CACertificate, Certificate, Certificates, CertificationPath, CertificateRevocationList, UserCertificate, CrossCertificatePair, UserPassword, ALGORITHM, ENCRYPTED, PROTECTED, SIGNATURE, SIGNED; IMPORTS informationFramework, selectedAttributeTypes, upperBounds FROM UsefulDefinitions {joint-iso-ccitt ds(5)modules(1) usefulDefinitions(0)} Name, ATTRIBUTE,ATTRIBUTE-SYNTAX FROM InformationFramework informationFramework ub-user-passwordFROM Upper Bounds upperBounds; -- types Certificate ::= SIGNED SEQUENCE{ version [0] Version DEFAULT 1988, serialNumber SerialNumber, signature AlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo} Version ::= INTEGER { 1988(0)} SerialNumber ::= INTEGER Validity ::= SEQUENCE{ notBefore UTCTime notAfter UTCTime} SubjectPublicKeyInfo ::= SEQUENCE{ algorithm AlgorithmIdentifier PAGE21 Fascicle VIII.8 - Rec. X.511 subjectPublicKey BIT STRING} AlgorithmIdentifier ::= SEQUENCE{ algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL} Certificates ::= SEQUENCE{ certificate Certificate, certificationPath ForwardCertificationPath OPTIONAL} ForwardCertificationPath ::= SEQUENCE OF CrossCertificates Fascicle VIII.8 - Rec. X.511 PAGE21 CertificationPath ::= SEQUENCE{ userCertificate Certificate, theCACertificates SEQUENCE OF CertificatePair OPTIONAL} CrossCertificates ::= SET OF Certificate CertificateList ::= SIGNED SEQUENCE{ signature AlgorithmIdentifier, issuer Name, lastUpdate UTCTime, revokedCertificates SIGNEDSEQUENCE OF SEQUENCE{ signature AlgorithmIdentifier, issuer Name, userCertificate SerialNumber, revocationDate UTCTime} OPTIONAL} CertificatePair ::= SEQUENCE{ forward [0] Certificate OPTIONAL, reverse [1] Certificate OPTIONAL - -at least one of the pair must be present --} --attribute types UserCertificate ::= ATTRIBUTE WITH ATTRIBUTE-SYNTAXCertificate CACertificate ::= ATTRIBUTE WITH ATTRIBUTE-SYNTAXCertificate CrossCertificatePair ::= ATTRIBUTE WITH ATTRIBUTE-SYNTAXCertificatePair CertificateRevocationList ::= ATTRIBUTE WITH ATTRIBUTE-SYNTAXCertificateList AuthorityRevocationList ::= ATTRIBUTE WITH ATTRIBUTE-SYNTAXCertificateList UserPassword ::= ATTRIBUTE WITH ATTRIBUTE-SYNTAX OCTETSTRING(SIZE(0...ub-user-password)) PAGE21 Fascicle VIII.8 - Rec. X.511 MATCHES FOR EQUALITY -- macros ALGORITHM MACRO ::= BEGIN TYPE NOTATION ::= "PARAMETER" type VALUE NOTATION ::= value(VALUE OBJECT IDENTIFIER) END -- of ALGORITHM ENCRYPTED MACRO ::= BEGIN TYPE NOTATION ::= type (ToBeEnciphered) VALUENOTATION ::= value (VALUE BIT STRING - -the value of the bit string is generated by - -taking the octets which form the complete - -encoding (using the ASN.1 Basic Encoding Rules) - -of the value of the ToBeEnciphered type and - -applying an encipherment procedure to those octets-- END Fascicle VIII.8 - Rec. X.511 PAGE21 SIGNED MACRO ::= BEGIN TYPE NOTATION ::= type (ToBeSigned) VALUE NOTATION ::= value(VALUE SEQUENCE{ ToBeSigned, AlgorithmIdentifier, -- of the algorithm used to generate the signature ENCRYPTED OCTET STRING - -where the octet string is the result - -of the hashing of the value of - -"ToBeSigned"- -} ) END -- of SIGNED SIGNATURE MACRO ::= BEGIN TYPE NOTATION ::= type (OfSignature) VALUE NOTATION ::= value(VALUE SEQUENCE{ AlgorithmIdentifier, - -of the algorithm used to compute the signature ENCRYPTED OCTET STRING - -where the octet string is a function (e.g. a compressed or hashed version) - -of the value "OfSignature", which may include the identifier of the --algorithm used to compute the signature- -} ) END -- of SIGNATURE PROTECTED MACRO ::= SIGNATURE END- -of Authentication Framework Definitions ANNEX H (to Recommendation X.509) Reference Definition of algorithm object identifiers This Annex is not an integral part of the Recommendation. This Annex defines object identifiers assigned to authentication and encryption algorithms, in the absence of a formal register. It is intended to make use of such a register as it becomes available. The definitions take the form of the ASN.1 module, AlgorithmObjectIdentifiers. AlgorithmObjectIdentifiers {joint-iso-ccitt ds(5) modules(1) algorithmObjectIdentifiers(8)} DEFINITIONS ::= PAGE21 Fascicle VIII.8 - Rec. X.511 BEGIN EXPORTS encryptionAlgorithm, hashAlgorithm, signatureAlgorithm, rsa,squareMod-n,sqMod-nWithRSA; IMPORTS algorithm,authenticationFramework FROM UsefulDefinitions {joint-iso-ccitt ds(5)modules(1) usefulDefinitions(0)} Fascicle VIII.8 - Rec. X.511 PAGE21 ALGORITHM FROM AuthenticationFramework authenticationFramework; -- categories of object identifier encryptionAlgorithm OBJECT IDENTIFIER ::= {algorithm 1} hashAlgorithm OBJECT IDENTIFIER ::= {algorithm 2} signatureAlgorithm OBJECT IDENTIFIER ::= {algorithm 3} -- algorithms rsa ALGORITHM PARAMETER KeySize ::= {encryptionAlgorithm 1} KeySize ::= INTEGER sqMod-n ALGORITHM PARAMETER BlockSize ::= {hashAlgorithm 1} BlockSize ::= INTEGER sqMod-nWithRSA ALGORITHM PARAMETER KeyAndBlockSize ::= {signatureAlgorithm 1} KeyAndBlockSize ::= INTEGER END -- of Algorithm Object Identifier Definitions PAGE21 Fascicle VIII.8 - Rec. X.511