[KEYPROV] Extending the PSKC Algorithm Profiles
Hi all,
In a review of the PSKC document a question regarding the registration of
new PSKC algorithm profiles came up. The example here is the OCRA algorithm.
Note that there is a document (although a bit out-dated already) that
defines a new set of PSKC algorithm profiles, see
http://tools.ietf.org/id/draft-hoyer-keyprov-pskc-algorithm-profiles-00.txt
There are essentially two approaches for defining algorithm profiles. In the
first version below new XML elements are defined that do not exist in PSKC
to carry parameters of the OCRA algorithm, namely information about a hash
function and information about the truncation size.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
    xmlns:ocra="urn:ietf:params:xml:ns:keyprov:pskc#ocra">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Manufacturer</Manufacturer>
      <SerialNo>987654321</SerialNo>
      <UserId>DC=example-bank,DC=net</UserId>
    </DeviceInfo>
    <CryptoModuleInfo>
      <Id>CM_ID_001</Id>
    </CryptoModuleInfo>
    <Key Id="12345678"
         Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#ocra">
      <Issuer>Issuer</Issuer>
      <UserId>UID=jsmith,DC=example-bank,DC=net</UserId>
      <AlgorithmParameters>
        <ResponseFormat Length="8" Encoding="DECIMAL"/>
        <ocra:hashFunction>http://www.w3.org/2001/04/xmlenc#sha256</ocra:hashFunction>
        <ocra:TruncationSize>8</ocra:TruncationSize>
      </AlgorithmParameters>
      <Data>
        <Secret>
          <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
        </Secret>
        <Counter>
          <PlainValue>0</PlainValue>
        </Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
In the second example, the registered algorithm URN contains the parameter
encoding. This requires more URNs to be registered but does not require new
XML elements to be defined.
Regarding the URN registration I believe that the full set of URNs needs to
be registered and it would not be sufficient to just register
urn:ietf:params:xml:ns:keyprov:pskc#ocra and to just attach the other
parameters. Maybe someone knows more about this aspect.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Manufacturer</Manufacturer>
      <SerialNo>987654321</SerialNo>
      <UserId>DC=example-bank,DC=net</UserId>
    </DeviceInfo>
    <CryptoModuleInfo>
      <Id>CM_ID_001</Id>
    </CryptoModuleInfo>
    <Key Id="12345678"
         Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#ocra:sha256:8">
      <Issuer>Issuer</Issuer>
      <UserId>UID=jsmith,DC=example-bank,DC=net</UserId>
      <AlgorithmParameters>
        <ResponseFormat Length="8" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret>
          <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
        </Secret>
        <Counter>
          <PlainValue>0</PlainValue>
        </Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
Both options are possible; it might be a matter of taste which one to apply
and the extension style should be chosen in the
http://tools.ietf.org/id/draft-hoyer-keyprov-pskc-algorithm-profiles-00.txt
document.
Ciao
Hannes
PS: Note that some new algorithm profiles might not require any XML elements
to be defined nor multiple URNs to be registered. It very much depends on
the specific algorithm profile but I have chosen OCRA since the issue came
up there.
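As an added illustration (not part of Hannes's mail or of the PSKC drafts), a small Python reader that accepts an OCRA key in either extension style, namespace-qualified elements or a parameter-carrying URN, and checks the recovered parameters for consistency before handing them on. The restricted hash list, the truncation range and the constructed sample container are assumptions of this example.

```python
import xml.etree.ElementTree as ET

PSKC = "urn:ietf:params:xml:ns:keyprov:pskc"
OCRA = PSKC + "#ocra"              # profile URN shared by both styles
OCRA_NS = "{" + OCRA + "}"         # extension-element namespace (style 1)
# Hash URIs the profile may name; limiting to a known set is an assumption.
HASHES = {"http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
          "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
          "http://www.w3.org/2001/04/xmlenc#sha512": "sha512"}

def ocra_profiles(pskc_xml):
    """Return [(key id, hash name, truncation)] for every OCRA key, whichever
    style carries its parameters; raise on inconsistent or unknown values."""
    out = []
    for key in ET.fromstring(pskc_xml).iter("{%s}Key" % PSKC):
        alg, kid = key.get("Algorithm", ""), key.get("Id")
        params = key.find("{%s}AlgorithmParameters" % PSKC)
        if params is None or not alg.startswith(OCRA):
            continue                    # not an OCRA key: leave it alone
        if alg == OCRA:
            # Style 1: parameters are extension elements in the ocra namespace.
            h = params.findtext(OCRA_NS + "hashFunction", "").strip()
            trunc = params.findtext(OCRA_NS + "TruncationSize", "").strip()
        else:
            # Style 2: parameters are encoded in the registered URN itself.
            parts = alg[len(OCRA):].split(":")
            if len(parts) != 3 or parts[0] != "":
                raise ValueError("malformed OCRA URN in key %s: %s" % (kid, alg))
            h = next((u for u, n in HASHES.items() if n == parts[1]), "")
            trunc = parts[2]
        if h not in HASHES:
            raise ValueError("unsupported hash in key %s: %r" % (kid, h))
        # Assumption: OCRA truncation is 0 (none) or 4..10 digits (RFC 6287).
        if not trunc.isdigit() or int(trunc) not in (0, *range(4, 11)):
            raise ValueError("bad truncation size in key %s: %r" % (kid, trunc))
        fmt = params.find("{%s}ResponseFormat" % PSKC)
        if fmt is not None and fmt.get("Length") != trunc:
            raise ValueError("ResponseFormat Length disagrees in key %s" % kid)
        out.append((kid, HASHES[h], int(trunc)))
    return out

# Constructed KeyContainer with one key per style (not taken from the mail).
SAMPLE = """<KeyContainer Version="1.0" Id="c1" xmlns="%s" xmlns:ocra="%s">
<KeyPackage><Key Id="k1" Algorithm="%s"><AlgorithmParameters>
<ResponseFormat Length="8" Encoding="DECIMAL"/>
<ocra:hashFunction>http://www.w3.org/2001/04/xmlenc#sha256</ocra:hashFunction>
<ocra:TruncationSize>8</ocra:TruncationSize></AlgorithmParameters></Key>
</KeyPackage><KeyPackage><Key Id="k2" Algorithm="%s:sha512:6">
<AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/>
</AlgorithmParameters></Key></KeyPackage></KeyContainer>""" % (PSKC, OCRA, OCRA, OCRA)
```

Calling `ocra_profiles(SAMPLE)` yields the same (hash, truncation) tuple shape for both keys, so the rest of a provisioning pipeline need not care which extension style the issuer chose; a container whose ResponseFormat Length contradicts the profile parameters is rejected.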