Mingliang Pei and I have made progress toward drafting a merged protocol specification. Working from the convergence plan we presented in Prague, he and I have developed components of a merged KEYPROV XML Schema that is based on CT-KIP, including four-pass, two-pass, and one-pass variants, while adding DSKPP capabilities, such as support for Portable Symmetric Key Container (PSKC), User Authentication, and Device Authentication. Before we get much further, attached please find the merged schema, which is very much a work-in-progress. Also attached please find XML instances for each of the KEYPROV messages, currently named ClientHello, ServerHello, ClientNonce, and ServerNonce. Comments are very welcome and hopefully sooner rather than later as we hope to incorporate feedback before submitting I-D for IETF-69. Andrea <<SampleServerHelloFourPass.xml>> <<KEYPROV Draft 05-23-2007.xsd>> <<SampleClientHelloTwoPass.xml>> <<SampleClientNonceFourPass.xml>> <<SampleServerFinishedHOTP.xml>> <<SampleServerFinishedSecurID.xml>>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample ServerHelloPDU (only valid for Four-Pass variant of protocol). -->
<KEYPROVns:ServerHello
Status="Success" Version="1.0"
xmlns:KEYPROVns="urn:ietf:params:xml:ns:keyprov:protocol"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:container"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="urn:ietf:params:xml:schema:keyprov:protocol
C:\Projects\STSCG\IETF\KEYPROV\MERGED~1\KEYPRO~1.XSD"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<KeyType>http://www.somewhere.com/schemas/2007/05/otp-alg#SecurID-AES</KeyType>
<EncryptionAlgorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5</EncryptionAlgorithm>
<MacAlgorithm>http://www.somewhere.com/schemas/2005/12/ct-kip#ct-kip-prf-aes</MacAlgorithm>
<EncryptionKey>
<ds:KeyName>KEY-1</ds:KeyName>
</EncryptionKey>
<SecretContainerFormat>urn:ietf:params:xml:schema:keyprov:container</SecretContainerFormat>
<Payload>
<Nonce>qw2ewasde312asder394jw==</Nonce>
</Payload>
</KEYPROVns:ServerHello>
Attachment:
KEYPROV Draft 05-23-2007.xsd
Description: KEYPROV Draft 05-23-2007.xsd
<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample ClientHelloPDU showing support for Two-Pass version of protocol. -->
<KEYPROVns:ClientHello Version="1.0"
xmlns:KEYPROVns="urn:ietf:params:xml:ns:keyprov:protocol"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:container"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="urn:ietf:params:xml:schema:keyprov:protocol
C:\Projects\STSCG\IETF\KEYPROV\MERGED~1\KEYPRO~1.XSD"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<DeviceData>
<DeviceId xmlns="urn:ietf:params:xml:ns:keyprov:container">
<Manufacturer>ManufacturerABC</Manufacturer>
<SerialNo>XL0000000001234</SerialNo>
<Model>U2</Model>
</DeviceId>
</DeviceData>
<SupportedKeyTypes>
<Algorithm>http://www.somewhere.com/schemas/2007/05/otp-alg#SecurID-AES</Algorithm>
<Algorithm>http://www.somewhereelse.com/schemas/2007/05/otp-alg#HOTP-AES</Algorithm>
</SupportedKeyTypes>
<SupportedEncryptionAlgorithms>
<Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5</Algorithm>
<Algorithm>http://www.somewhere.com/schemas/2005/12/ct-kip#ct-kip-prf-aes</Algorithm>
</SupportedEncryptionAlgorithms>
<SupportedMACAlgorithms>
<Algorithm>http://www.somewhere.com/schemas/2005/12/ct-kip#ct-kip-prf-aes</Algorithm>
</SupportedMACAlgorithms>
<SupportedProtocolVariants>
<Variant>
<TwoPass>
<SupportedKeyInitializationMethod>
http://www.somewhere.com/ct-kip#wrap
</SupportedKeyInitializationMethod>
<Payload xsi:type="ds:KeyInfoType">
<ds:KeyName>Key-001></ds:KeyName>
</Payload>
<SupportedKeyInitializationMethod>
http://www.somewhere.com/ct-kip#transport
</SupportedKeyInitializationMethod>
<Payload xsi:type="ds:KeyInfoType">
<ds:X509Data>
<ds:X509Certificate>miib</ds:X509Certificate>
</ds:X509Data>
</Payload>
</TwoPass>
</Variant>
</SupportedProtocolVariants>
<SupportedSecretContainers>
<SecretContainerFormat>urn:ietf:params:xml:schema:keyprov:container</SecretContainerFormat>
</SupportedSecretContainers>
<AuthenticationData>
<AuthenticationCode>1erd354657689102abcd</AuthenticationCode>
</AuthenticationData>
</KEYPROVns:ClientHello>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample ClientNoncePDU (only valid for Four-Pass variant of protocol). -->
<KEYPROVns:ClientNonce SessionID="4114" Version="1.0" xmlns:KEYPROVns="urn:ietf:params:xml:ns:keyprov:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="urn:ietf:params:xml:schema:keyprov:protocol C:\Projects\STSCG\IETF\KEYPROV\MERGED~1\KEYPRO~1.XSD">
<EncryptedNonce>VXENc+Um/9/NvmYKiHDLaErK0gk=</EncryptedNonce>
<AuthenticationData>
<ClientID>12345678</ClientID>
<AuthenticationCodeMac>
<Data>1erd354657689102abcd</Data>
</AuthenticationCodeMac>
</AuthenticationData>
</KEYPROVns:ClientNonce>
<?xml version="1.0" encoding="UTF-8"?>
<ServerFinished
xmlns="urn:ietf:params:xml:ns:keyprov:protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
Version="1.0" SessionID="4114" Status="Success">
<SecretContainer version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:container">
<EncryptionMethod algorithm="PBE-3DES168-CBC">
<PBESalt>y6TzckeLRQw=</PBESalt>
<PBEIterationCount>999</PBEIterationCount>
</EncryptionMethod>
<DigestMethod algorithm="HMAC-SHA1"/>
<Device>
<Secret SecretAlgorithm="HOTP" SecretId="SDU312345678">
<Issuer>CredentialIssuer</Issuer>
<Usage otp="true">
<ResponseFormat format="DECIMAL" length="6"/>
</Usage>
<FriendlyName>MyFirstToken</FriendlyName>
<Data Name="SECRET">
<Value>7JHUyp3azOkqJENSsh6b2vxXzwGBYypzJxEr+ikQAa229KV/BgZhGA==</Value>
<ValueDigest>WldjTHZwRm9YTkhBRytseDMrUnc=</ValueDigest>
</Data>
<Data Name="COUNTER">
<Value>1</Value>
</Data>
<Expiry>10/30/2009</Expiry>
</Secret>
</Device>
</SecretContainer>
<Mac>miidfasde312asder394jw==</Mac>
</ServerFinished>
<?xml version="1.0" encoding="UTF-8"?>
<ServerFinished
xmlns="urn:ietf:params:xml:ns:keyprov:protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
Version="1.0" SessionID="4114" Status="Success">
<SecretContainer version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:container">
<EncryptionMethod algorithm="PBE-3DES168-CBC">
<PBESalt>y6TzckeLRQw=</PBESalt>
<PBEIterationCount>999</PBEIterationCount>
</EncryptionMethod>
<DigestMethod algorithm="HMAC-SHA1"/>
<Device>
<Secret SecretAlgorithm="other" SecretAlgorithm-ext="SecurID" SecretId="SEID12345678">
<Issuer>CredentialIssuer</Issuer>
<FriendlyName>MyFirstToken</FriendlyName>
<Data Name="SECRET">
<Value>7JHUyp3azOkqJENSsh6b2vxXzwGBYypzJxEr+ikQAa229KV/BgZhGA==</Value>
<ValueDigest>WldjTHZwRm9YTkhBRytseDMrUnc=</ValueDigest>
</Data>
<!-- SecurID specific OTP configuration data -->
<Data Name="OTPFormat">
<Value>Decimal</Value>
</Data>
<Data Name="OTPLength">
<Value>6</Value>
</Data>
<Data Name="OTPMode">
<Value>Time</Value>
</Data>
<!--
Alternative approach in PSKC to allow any configuration extension type as follows.
<ConfigurationData xsi:type="SecurIDOTPKeyConfigurationDataType">
<OTPFormat>Decimal</OTPFormat>
<OTPLength>6</OTPLength>
<OTPMode><Time/></OTPMode>
</ConfigurationData>
<-->
<Expiry>10/30/2009</Expiry>
</Secret>
</Device>
</SecretContainer>
<Mac>miidfasde312asder394jw==</Mac>
</ServerFinished>
_______________________________________________ KEYPROV mailing list KEYPROV at ietf.org https://www1.ietf.org/mailman/listinfo/keyprov