< draft-hoyer-keyprov-pskc-algorithm-profiles-00.txt   draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt >
keyprov P. Hoyer keyprov P. Hoyer
Internet-Draft ActivIdentity Internet-Draft ActivIdentity
Intended status: Informational M. Pei Intended status: Informational M. Pei
Expires: June 27, 2009 VeriSign Expires: November 3, 2010 VeriSign
S. Machani S. Machani
Diversinet Diversinet
A. Doherty A. Doherty
RSA, The Security Division of EMC RSA, The Security Division of EMC
December 24, 2008 May 2, 2010
Additional Portable Symmetric Key Container (PSKC) Algorithm Profiles Additional Portable Symmetric Key Container (PSKC) Algorithm Profiles
draft-hoyer-keyprov-pskc-algorithm-profiles-00.txt draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt
Abstract
The Portable Symmetric Key Container (PSKC) contains a number of XML
elements and XML attributes carrying keys and related information.
Not all algorithms, however, are able to use all elements and for
other algorithm certain information is mandatory. This lead to the
introduction of PSKC algorithm profiles that provide further
description about the mandatory and optional information elements and
their semantic, including extensions that may be needed. The main
PSKC specification defines two PSKC algorithm profiles, namely "HOTP"
and "PIN". This document extends the initial set and specifies nine
further algorithm profiles for PKSC.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF). Note that other groups may also distribute
other groups may also distribute working documents as Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This Internet-Draft will expire on November 3, 2010.
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 27, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2008 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Abstract the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
The Portable Symmetric Key Container (PSKC) contains a number of XML
elements and XML attributes carrying keys and related information.
Not all algorithms, however, are able to use all elements and for
other algorithm certain information is mandatory. This lead to the
introduction of PSKC algorithm profiles that provide further
description about the mandatory and optional information elements and
their semantic, including extensions that may be needed. The main
PSKC specification defines two PSKC algorithm profiles, namely "HOTP"
and "PIN". This document extends the initial set and specifies nine
further algorithm profiles for PKSC.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. OCRA (OATH Challenge Response Algorithm) . . . . . . . . . . . 5 3. OCRA (OATH Challenge Response Algorithm) . . . . . . . . . . . 5
4. TOTP (OATH Time based OTP) . . . . . . . . . . . . . . . . . . 7 4. TOTP (OATH Time based OTP) . . . . . . . . . . . . . . . . . . 7
5. SecurID-AES . . . . . . . . . . . . . . . . . . . . . . . . . 9 5. SecurID-AES . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. SecurID-AES-Counter . . . . . . . . . . . . . . . . . . . . . 11 6. SecurID-AES-Counter . . . . . . . . . . . . . . . . . . . . . 11
7. SecurID-ALGOR . . . . . . . . . . . . . . . . . . . . . . . . 13 7. SecurID-ALGOR . . . . . . . . . . . . . . . . . . . . . . . . 13
8. ActivIdentity-3DES . . . . . . . . . . . . . . . . . . . . . . 15 8. ActivIdentity-3DES . . . . . . . . . . . . . . . . . . . . . . 15
9. ActivIdentity-AES . . . . . . . . . . . . . . . . . . . . . . 18 9. ActivIdentity-AES . . . . . . . . . . . . . . . . . . . . . . 18
10. ActivIdentity-DES . . . . . . . . . . . . . . . . . . . . . . 21 10. ActivIdentity-DES . . . . . . . . . . . . . . . . . . . . . . 21
11. ActivIdentity-EVENT . . . . . . . . . . . . . . . . . . . . . 24 11. ActivIdentity-EVENT . . . . . . . . . . . . . . . . . . . . . 24
12. Security Considerations . . . . . . . . . . . . . . . . . . . 26 12. Security Considerations . . . . . . . . . . . . . . . . . . . 26
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
15. Normative References . . . . . . . . . . . . . . . . . . . . . 29 15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
15.1. Normative References . . . . . . . . . . . . . . . . . . 29
15.2. Informative References . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
This document specifies a set of algorithm profiles for PKSC, namely This document specifies a set of algorithm profiles for PKSC, namely
OCRA (OATH Challenge Response Algorithm) OCRA (OATH Challenge Response Algorithm)
TOTP (OATH Time based OTP) TOTP (OATH Time based OTP)
skipping to change at page 5, line 11 skipping to change at page 5, line 11
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. OCRA (OATH Challenge Response Algorithm) 3. OCRA (OATH Challenge Response Algorithm)
Common Name: OCRA Common Name: OCRA
Class: OTP Class: OTP
URI: http://www.ietf.org/keyprov/pskc#OCRA-1:(ocra_suite_parameters) URI:
urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:(ocra_suite_parameters)
- e.g. - e.g.
http://www.ietf.org/keyprov/pskc#OCRA-1:HOTP-SHA512-8:C-QN08 urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:HOTP-SHA512-8:C-QN08
Algorithm Definition: http://www.ietf.org/internet-drafts/ Algorithm Definition: http://tools.ietf.org/id/
draft-mraihi-mutual-oath-hotp-variants-07.txt draft-mraihi-mutual-oath-hotp-variants-11.txt
Identifier Definition (this RFC) Identifier Definition (this RFC)
Registrant Contact: IESG Registrant Contact: IESG
Profile of XML attributes and subelements of the <Key> entity: Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <Usage> subelements MUST be For a <Key> of this algorithm, the <Usage> subelements MUST be
present. The "CR" attribute of the <Usage> MUST be set "true" and present. The "CR" attribute of the <Usage> MUST be set "true" and
it MUST be the only attribute set. The element <ChallengeFormat> it MUST be the only attribute set. The element <ChallengeFormat>
skipping to change at page 6, line 20 skipping to change at page 6, line 20
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" <KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"> xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device> <Device>
<DeviceInfo> <DeviceInfo>
<Manufacturer>TokenVendorAcme</Manufacturer> <Manufacturer>TokenVendorAcme</Manufacturer>
<SerialNo>987654322</SerialNo> <SerialNo>987654322</SerialNo>
</DeviceInfo> </DeviceInfo>
<Key KeyId="12345678" <Key KeyId="12345678"
KeyAlgorithm="http://www.ietf.org/keyprov/ KeyAlgorithm=
pskc#OCRA-1:HOTP-SHA512-8:C-QN08"> "urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:HOTP-SHA512-8:C-QN08">
<Issuer>Issuer</Issuer> <Issuer>Issuer</Issuer>
<Usage CR="true"> <Usage CR="true">
<ChallengeFormat Min="8" Max="8" Format="DECIMAL"/> <ChallengeFormat Min="8" Max="8" Format="DECIMAL"/>
<ResponseFormat Length="8" Format="DECIMAL"/> <ResponseFormat Length="8" Format="DECIMAL"/>
</Usage> </Usage>
<Data> <Data>
<Secret> <Secret>
<PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue> <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
</Secret> </Secret>
<Counter> <Counter>
skipping to change at page 7, line 11 skipping to change at page 7, line 11
</Key> </Key>
</Device> </Device>
</KeyContainer> </KeyContainer>
4. TOTP (OATH Time based OTP) 4. TOTP (OATH Time based OTP)
Common Name: TOTP Common Name: TOTP
Class: OTP Class: OTP
URI: http://www.ietf.org/keyprov/pskc#totp URI: urn:ietf:params:xml:ns:keyprov:pskc#totp
Algorithm Definition: http://www.ietf.org/internet-drafts/ Algorithm Definition:
draft-mraihi-totp-timebased-00.txt http://tools.ietf.org/id/draft-mraihi-totp-timebased-05.txt
Identifier Definition (this RFC) Identifier Definition (this RFC)
Registrant Contact: IESG Registrant Contact: IESG
Profile of XML attributes and subelements of the <Key> entity: Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <Usage> subelements MUST be For a <Key> of this algorithm, the <Usage> subelements MUST be
present. The "OTP" attribute of the <Usage> MUST be set "true" present. The "OTP" attribute of the <Usage> MUST be set "true"
and it MUST be the only attribute set. The element and it MUST be the only attribute set. The element
skipping to change at page 8, line 13 skipping to change at page 8, line 13
An example of a <Key> of this algorithm is as follows. An example of a <Key> of this algorithm is as follows.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" <KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"> xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device> <Device>
<DeviceInfo> <DeviceInfo>
<Manufacturer>TokenVendorAcme</Manufacturer> <Manufacturer>TokenVendorAcme</Manufacturer>
<SerialNo>987654323</SerialNo> <SerialNo>987654323</SerialNo>
</DeviceInfo> </DeviceInfo>
<Key KeyAlgorithm="http://www.ietf.org/keyprov/pskc#totp" <Key KeyAlgorithm="urn:ietf:params:xml:ns:keyprov:pskc#totp"
KeyId="987654323"> KeyId="987654323">
<Issuer>Issuer</Issuer> <Issuer>Issuer</Issuer>
<Usage OTP="true"> <Usage OTP="true">
<ResponseFormat Length="6" Format="DECIMAL"/> <ResponseFormat Length="6" Format="DECIMAL"/>
</Usage> </Usage>
<Data> <Data>
<Secret> <Secret>
<PlainValue> <PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue> </PlainValue>
skipping to change at page 29, line 5 skipping to change at page 29, line 5
13. IANA Considerations 13. IANA Considerations
[Editor's Note: The registration of the algorithm profiles goes in [Editor's Note: The registration of the algorithm profiles goes in
here.] here.]
14. Acknowledgements 14. Acknowledgements
Add your name here. Add your name here.
15. Normative References 15. References
15.1. Normative References
[RFC2119] "Key words for use in RFCs to Indicate Requirement [RFC2119] "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
15.2. Informative References
[PSKC] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
Key Container", Internet Draft Informational,
URL: http://tools.ietf.org/html/
draft-ietf-keyprov-pskc-05, January 2010.
Authors' Addresses Authors' Addresses
Philip Hoyer Philip Hoyer
ActivIdentity, Inc. ActivIdentity, Inc.
117 Waterloo Road 117 Waterloo Road
London, SE1 8UL London, SE1 8UL
UK UK
Phone: +44 (0) 20 7744 6455 Phone: +44 (0) 20 7744 6455
Email: Philip.Hoyer@actividentity.com Email: Philip.Hoyer@actividentity.com
 End of changes. 18 change blocks. 
41 lines changed or deleted 50 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/