idnits 2.17.1 

draft-hoyer-keyprov-pskc-algorithm-profiles-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 358 has weird spacing: '...inition  http:...'

  == Line 502 has weird spacing: '...inition  http:...'

  == Line 606 has weird spacing: '...inition  http:...'

  == Line 710 has weird spacing: '...inition  http:...'

  == Line 813 has weird spacing: '...inition  http:...'

  -- The document date (December 24, 2008) is 5599 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	keyprov                                                         P. Hoyer
3	Internet-Draft                                             ActivIdentity
4	Intended status: Informational                                    M. Pei
5	Expires: June 27, 2009                                          VeriSign
6	                                                              S. Machani
7	                                                              Diversinet
8	                                                              A. Doherty
9	                                       RSA, The Security Division of EMC
10	                                                       December 24, 2008

12	 Additional Portable Symmetric Key Container (PSKC) Algorithm Profiles
13	           draft-hoyer-keyprov-pskc-algorithm-profiles-00.txt

15	Status of this Memo

17	   This Internet-Draft is submitted to IETF in full conformance with the
18	   provisions of BCP 78 and BCP 79.

20	   Internet-Drafts are working documents of the Internet Engineering
21	   Task Force (IETF), its areas, and its working groups.  Note that
22	   other groups may also distribute working documents as Internet-
23	   Drafts.

25	   Internet-Drafts are draft documents valid for a maximum of six months
26	   and may be updated, replaced, or obsoleted by other documents at any
27	   time.  It is inappropriate to use Internet-Drafts as reference
28	   material or to cite them other than as "work in progress."

30	   The list of current Internet-Drafts can be accessed at
31	   http://www.ietf.org/ietf/1id-abstracts.txt.

33	   The list of Internet-Draft Shadow Directories can be accessed at
34	   http://www.ietf.org/shadow.html.

36	   This Internet-Draft will expire on June 27, 2009.

38	Copyright Notice

40	   Copyright (c) 2008 IETF Trust and the persons identified as the
41	   document authors.  All rights reserved.

43	   This document is subject to BCP 78 and the IETF Trust's Legal
44	   Provisions Relating to IETF Documents
45	   (http://trustee.ietf.org/license-info) in effect on the date of
46	   publication of this document.  Please review these documents
47	   carefully, as they describe your rights and restrictions with respect
48	   to this document.

50	Abstract

52	   The Portable Symmetric Key Container (PSKC) contains a number of XML
53	   elements and XML attributes carrying keys and related information.
54	   Not all algorithms, however, are able to use all elements and for
55	   other algorithm certain information is mandatory.  This lead to the
56	   introduction of PSKC algorithm profiles that provide further
57	   description about the mandatory and optional information elements and
58	   their semantic, including extensions that may be needed.  The main
59	   PSKC specification defines two PSKC algorithm profiles, namely "HOTP"
60	   and "PIN".  This document extends the initial set and specifies nine
61	   further algorithm profiles for PKSC.

63	Table of Contents

65	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
66	   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
67	   3.  OCRA (OATH Challenge Response Algorithm) . . . . . . . . . . .  5
68	   4.  TOTP (OATH Time based OTP) . . . . . . . . . . . . . . . . . .  7
69	   5.  SecurID-AES  . . . . . . . . . . . . . . . . . . . . . . . . .  9
70	   6.  SecurID-AES-Counter  . . . . . . . . . . . . . . . . . . . . . 11
71	   7.  SecurID-ALGOR  . . . . . . . . . . . . . . . . . . . . . . . . 13
72	   8.  ActivIdentity-3DES . . . . . . . . . . . . . . . . . . . . . . 15
73	   9.  ActivIdentity-AES  . . . . . . . . . . . . . . . . . . . . . . 18
74	   10. ActivIdentity-DES  . . . . . . . . . . . . . . . . . . . . . . 21
75	   11. ActivIdentity-EVENT  . . . . . . . . . . . . . . . . . . . . . 24
76	   12. Security Considerations  . . . . . . . . . . . . . . . . . . . 26
77	   13. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 27
78	   14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
79	   15. Normative References . . . . . . . . . . . . . . . . . . . . . 29
80	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30

82	1.  Introduction

84	   This document specifies a set of algorithm profiles for PKSC, namely

86	      OCRA (OATH Challenge Response Algorithm)

88	      TOTP (OATH Time based OTP)

90	      SecurID-AES

92	      SecurID-AES-Counter

94	      SecurID-ALGOR

96	      ActivIdentity-3DES

98	      ActivIdentity-AES

100	      ActivIdentity-DES

102	      ActivIdentity-EVENT

104	   [Editor's Note: The content of this document was created by moving a
105	   number of PSKC algorithm profiles from
106	   draft-ietf-keyprov-portable-symmetric-key-container-06.txt into this
107	   document.  Since
108	   draft-ietf-keyprov-portable-symmetric-key-container-07.txt had
109	   experienced a number of changes the description and the examples in
110	   this document are likely to be out-of-sync.  Re-alignment will be
111	   provided in a future version.]

113	2.  Terminology

115	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
116	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
117	   document are to be interpreted as described in [RFC2119].

119	3.  OCRA (OATH Challenge Response Algorithm)

121	   Common Name:  OCRA

123	   Class:  OTP

125	   URI:  http://www.ietf.org/keyprov/pskc#OCRA-1:(ocra_suite_parameters)
126	      - e.g.
127	      http://www.ietf.org/keyprov/pskc#OCRA-1:HOTP-SHA512-8:C-QN08

129	   Algorithm Definition:  http://www.ietf.org/internet-drafts/
130	      draft-mraihi-mutual-oath-hotp-variants-07.txt

132	   Identifier Definition  (this RFC)

134	   Registrant Contact:  IESG

136	   Profile of XML attributes and subelements of the <Key> entity:

138	      For a <Key> of this algorithm, the <Usage> subelements MUST be
139	      present.  The "CR" attribute of the <Usage> MUST be set "true" and
140	      it MUST be the only attribute set.  The element <ChallengeFormat>
141	      and <ResponseFormat> of the <Usage> MUST be present.

143	      For the <Data> elements of a <Key> of this algorithm, the
144	      following subelements MUST be present in either the <Key> element
145	      itself or an commonly shared <KeyProperties> element.

147	      *  Counter

149	      *  Time

151	      If the element <Time> is present, the following elements MUST be
152	      also present.

154	      *  TimeInterval

156	      The following additional constraints apply:

158	         - The value of the <Secret> element MUST contain key material
159	         with a lengthy of at least 16 octets (128 bits) if it is
160	         present.

162	         - The <ResponseFormat> element MUST have the 'Format' attribute
163	         set to "DECIMAL", and the 'Length' attribute MUST be between 6
164	         and 9.

166	         - The <PINPolicy> element MAY be present but the <Format> child
167	         element of the <PINPolicy> element cannot be set to
168	         "Algorithmic".

170	      An example of a <Key> of this algorithm is as follows.

172	  <?xml version="1.0" encoding="UTF-8"?>
173	  <KeyContainer Version="1.0"
174	  xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
175	      <Device>
176	          <DeviceInfo>
177	              <Manufacturer>TokenVendorAcme</Manufacturer>
178	              <SerialNo>987654322</SerialNo>
179	          </DeviceInfo>
180	          <Key KeyId="12345678"
181	          KeyAlgorithm="http://www.ietf.org/keyprov/
182	          pskc#OCRA-1:HOTP-SHA512-8:C-QN08">
183	              <Issuer>Issuer</Issuer>
184	              <Usage CR="true">
185	                <ChallengeFormat Min="8" Max="8" Format="DECIMAL"/>
186	                <ResponseFormat Length="8" Format="DECIMAL"/>
187	              </Usage>
188	              <Data>
189	                <Secret>
190	                   <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
191	                </Secret>
192	                <Counter>
193	                  <PlainValue>0</PlainValue>
194	                </Counter>
195	              </Data>
196	          </Key>
197	      </Device>
198	  </KeyContainer>

200	4.  TOTP (OATH Time based OTP)

202	   Common Name:  TOTP

204	   Class:  OTP

206	   URI:  http://www.ietf.org/keyprov/pskc#totp

208	   Algorithm Definition:  http://www.ietf.org/internet-drafts/
209	      draft-mraihi-totp-timebased-00.txt

211	   Identifier Definition  (this RFC)

213	   Registrant Contact:  IESG

215	   Profile of XML attributes and subelements of the <Key> entity:

217	      For a <Key> of this algorithm, the <Usage> subelements MUST be
218	      present.  The "OTP" attribute of the <Usage> MUST be set "true"
219	      and it MUST be the only attribute set.  The element
220	      <ResponseFormat> of the <Usage> MUST be used to indicate the OTP
221	      length and the value format.

223	      For the <Data> elements of a <Key> of this algorithm, the
224	      following subelements MUST be present in either the <Key> element
225	      itself or an commonly shared <KeyProperties> element.

227	      *  Time

229	      *  TimeInterval

231	      The following additional constraints apply:

233	         - The value of the <Secret> element MUST contain key material
234	         with a lengthy of at least 16 octets (128 bits) if it is
235	         present.

237	         - The <ResponseFormat> element MUST have the 'Format' attribute
238	         set to "DECIMAL", and the 'Length' attribute MUST be between 6
239	         and 9.

241	         - The <PINPolicy> element MAY be present but the <Format> child
242	         element of the <PINPolicy> element cannot be set to
243	         "Algorithmic".

245	      An example of a <Key> of this algorithm is as follows.

247	   <?xml version="1.0" encoding="UTF-8"?>
248	   <KeyContainer Version="1.0"
249	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
250	       <Device>
251	           <DeviceInfo>
252	               <Manufacturer>TokenVendorAcme</Manufacturer>
253	               <SerialNo>987654323</SerialNo>
254	           </DeviceInfo>
255	           <Key KeyAlgorithm="http://www.ietf.org/keyprov/pskc#totp"
256	           KeyId="987654323">
257	               <Issuer>Issuer</Issuer>
258	               <Usage OTP="true">
259	                   <ResponseFormat Length="6" Format="DECIMAL"/>
260	               </Usage>
261	               <Data>
262	                   <Secret>
263	                       <PlainValue>
264	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
265	                       </PlainValue>
266	                   </Secret>
267	                   <Time>
268	                       <PlainValue>0</PlainValue>
269	                   </Time>
270	                   <TimeInterval>
271	                       <PlainValue>30</PlainValue>
272	                   </TimeInterval>
273	                   <TimeDrift>
274	                       <PlainValue>4</PlainValue>
275	                   </TimeDrift>
276	               </Data>
277	           </Key>
278	       </Device>
279	   </KeyContainer>

281	5.  SecurID-AES

283	   Common Name:  SecurID-AES

285	   Class:  OTP

287	   URI:  http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/
288	      otps-wst#SecurID-AES

290	   Algorithm Definition:  http://www.rsa.com/rsalabs/node.asp?id=2821

292	   Identifier Definition:  http://www.rsa.com/rsalabs/node.asp?id=2821

294	   Registrant Contact:  Andrea Doherty, RSA the Security Division of
295	      EMC, <andrea.doherty@rsa.com>

297	   Profile of XML attributes and subelements of the <Key> entity:

299	      For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
300	      <Usage> sub-elements MUST be present.  The "OTP" attribute of
301	      <Usage> MUST be set to "true" and it MUST be the only attribute
302	      set.  The <ResponseFormat> sub-element of <Usage> MUST be used to
303	      indicate the OTP length and the value format.

305	      The following additional constraints apply:

307	         - The value of the <Secret> element MUST contain key material
308	         with a lengthy of at least 16 octets (128 bits) if it is
309	         present.

311	         - The <ResponseFormat> element MUST have the 'Format' attribute
312	         set to "DECIMAL", and the 'Length' attribute MUST be set to a
313	         minimum value of 6.

315	         - The <StartDate> and <ExpiryDate> elements MUST be of type
316	         <xs:dateTime>.

318	         - The <PINPolicy> element MAY be present but the <Format> child
319	         element of the <PINPolicy> element cannot be set to
320	         "Algorithmic".

322	      An example of a <Key> of this algorithm is as follows.

324	 <?xml version="1.0" encoding="UTF-8"?>
325	 <KeyContainer Version="1.0"
326	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
327	   <Device>
328	     <DeviceInfo>
329	       <Manufacturer>RSA, The Security Division of EMC</Manufacturer>
330	       <SerialNo>123456798</SerialNo>
331	     </DeviceInfo>
332	     <Key
333	       KeyAlgorithm=http://www.rsasecurity.com/rsalabs/otps/schemas/2005
334	       /09/otps-wst#SecurID-AES
335	       KeyId="23456789">
336	       <Issuer>Issuer</Issuer>
337	       <Usage OTP="true>
338	         <ResponseFormat Length="6" Format="DECIMAL"/>
339	       </Usage>
340	       <StartDate>2006-04-14T00:00:00Z</StartDate>
341	       <ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
342	     </Key>
343	   </Device>
344	 </KeyContainer>

346	6.  SecurID-AES-Counter

348	   Common Name:  SecurID-AES-Counter

350	   Class:  OTP

352	   URI:  http://www.rsa.com/names/2008/04/algorithms/SecurID/
353	      SecurID-AES128-Counter

355	   Algorithm Definition:  http://www.rsa.com/names/2008/04/algorithms/
356	      SecurID/SecurID-AES128-Counter

358	   Identifier Definition  http://www.rsa.com/names/2008/04/algorithms/
359	      SecurID/SecurID-AES128-Counter

361	   Registrant Contact:  Andrea Doherty, RSA the Security Division of
362	      EMC, <andrea.doherty@rsa.com>

364	   Profile of XML attributes and subelements of the <Key> entity:

366	      For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
367	      <Usage> sub-elements MUST be present.  The "OTP" attribute of
368	      <Usage> MUST be set to "true" and it MUST be the only attribute
369	      set.  The <ResponseFormat> sub-element of <Usage> MUST be used to
370	      indicate the OTP length and the value format.

372	      For the Data elements of a <Key> of this algorithm, the following
373	      subelements MUST be present in either the <Key> element itself or
374	      an commonly shared <KeyProperties> element.

376	      *  Counter

378	      The following additional constraints apply:

380	         - The value of the <Secret> element MUST contain key material
381	         with a lengthy of at least 16 octets (128 bits) if it is
382	         present.

384	         - The <ResponseFormat> element MUST have the 'Format' attribute
385	         set to "DECIMAL", and the 'Length' attribute MUST be set to a
386	         minimum value of 6.

388	         - The <StartDate> and <ExpiryDate> elements MUST be of type
389	         <xs:dateTime>.

391	         - The <PINPolicy> element MAY be present but the <Format> child
392	         element of the <PINPolicy> element cannot be set to
393	         "Algorithmic".

395	      An example of a <Key> of this algorithm is as follows.

397	<?xml version="1.0" encoding="UTF-8"?>
398	<KeyContainer Version="1.0"
399	  xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
400	    <Device>
401	       <DeviceInfo>
402	          <Manufacturer>RSA, The Security Division of EMC</Manufacturer>
403	          <SerialNo>123456798</SerialNo>
404	       </DeviceInfo>
405	       <Key
406	          KeyAlgorithm=http://www.rsa.com/names/2008/04/algorithms/
407	          SecurID/SecurID-AES128-Counter
408	          KeyId="23456789">
409	          <Issuer>Issuer</Issuer>
410	          <Usage OTP="true>
411	            <ResponseFormat Length="6" Format="DECIMAL"/>
412	          </Usage>
413	          <StartDate>2006-04-14T00:00:00Z</StartDate>
414	          <ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
415	          <Data>
416	            <Secret>
417	              <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
418	              </PlainValue>
419	            </Secret>
420	            <Counter>
421	              <PlainValue>0</PlainValue>
422	            </Counter>
423	          </Data>
424	        </Key>
425	    </Device>
426	</KeyContainer>
427	7.  SecurID-ALGOR

429	   Common Name:  SecurID-ALGOR

431	   Class:  OTP

433	   URI:  http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/
434	      otps-wst#SecurID-ALGOR

436	   Algorithm Definition:  http://www.rsa.com/rsalabs/node.asp?id=2821

438	   Identifier Definition:  http://www.rsa.com/rsalabs/node.asp?id=2821

440	   Registrant Contact:  Andrea Doherty, RSA the Security Division of
441	      EMC, <andrea.doherty@rsa.com>

443	   Profile of XML attributes and subelements of the <Key> entity:

445	      For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
446	      <Usage> sub-elements MUST be present.  The "OTP" attribute of
447	      <Usage> MUST be set to "true" and it MUST be the only attribute
448	      set.  The <ResponseFormat> sub-element of <Usage> MUST be used to
449	      indicate the OTP length and the value format.

451	      The following additional constraints apply:

453	         - The value of the <Secret> element MUST contain key material
454	         with a lengthy of at least 8 octets (64 bits) if it is present.

456	         - The <ResponseFormat> element MUST have the 'Format' attribute
457	         set to "DECIMAL", and the 'Length' attribute MUST be set to a
458	         value of 6 through 8.

460	         - The <StartDate> and <ExpiryDate> elements MUST be of type
461	         <xs:dateTime>.

463	         - The <PINPolicy> element MAY be present but the <Format> child
464	         element of the <PINPolicy> element cannot be set to
465	         "Algorithmic".

467	      An example of a <Key> of this algorithm is as follows.

469	   <?xml version="1.0" encoding="UTF-8"?>
470	   <KeyContainer Version="1.0"
471	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
472	     <Device>
473	       <DeviceInfo>
474	         <Manufacturer>RSA, The Security Division of EMC</Manufacturer>
475	         <SerialNo>123456798</SerialNo>
476	       </DeviceInfo>
477	       <Key
478	           KeyAlgorithm=http://www.rsasecurity.com/rsalabs/otps/schemas/
479	           2005/09/otps-wst#SecurID-ALGOR KeyId="23456789">
480	         <Issuer>Issuer</Issuer>
481	         <Usage OTP="true>
482	            <ResponseFormat Length="6" Format="DECIMAL"/>
483	         </Usage>
484	         <StartDate>2006-04-14T00:00:00Z</StartDate>
485	         <ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
486	       </Key>
487	     </Device>
488	   </KeyContainer>

490	8.  ActivIdentity-3DES

492	   Common Name:  ActivIdentity-3DES

494	   Class:  OTP

496	   URI:  http://www.actividentity.com/2008/04/algorithms/
497	      algorithms#ActivIdentity-3DES

499	   Algorithm Definition:  http://www.actividentity.com/2008/04/
500	      algorithms/algorithms#ActivIdentity-3DES

502	   Identifier Definition  http://www.actividentity.com/2008/04/
503	      algorithms/algorithms#ActivIdentity-3DES

505	   Registrant Contact:  Philip Hoyer, ActivIdentity Inc,
506	      <philip.hoyer@actividentity.com>

508	   Profile of XML attributes and subelements of the <Key> entity:

510	      For a <Key> of this algorithm, the <Usage> subelements MUST be
511	      present.  This algorithm can be used for otp, challenge response,
512	      parameter based MACing (integrity) and to generate a device unlock
513	      code (n case of devices where there is local PIN management and
514	      the devce has been locked after a specific amount of wrong PIN
515	      entry attempts).  Hence the "OTP", "CR","Integrity" and "Unlock"
516	      attribute of the <Usage> can be set to "true", but at least one of
517	      the above MUST be set to true.  The element <ResponseFormat> of
518	      the <Usage> MUST be used to indicate the OTP length, the value
519	      format and optionally if a check digit is being used.  If the use
520	      is challenge-response then the <ChallengeFormat> of the <Usage>
521	      MUST be used to indicate the challenge minimum and maximum length,
522	      its format and optionally if a check digit is being used.

524	      For the <Data> elements of a <Key> of this algorithm, the
525	      following subelements MUST be present in either the <Key> element
526	      itself or an commonly shared <KeyProperties> element.

528	      *  Secret

530	      *  Counter

532	      *  Time

534	      *  TimeInterval
535	      The following additional constraints apply:

537	         - The value of the <Secret> element MUST contain key material
538	         with a length of at least 16 octets (Double DES keys 128 bits
539	         including parity) if it is present.

541	         - The <ResponseFormat> element MUST have the 'Format' attribute
542	         set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
543	         MUST be between 6 and 16.

545	         - The <ChallengeFormat> element MUST have the 'Format'
546	         attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
547	         be between 4 and 16 (The Min attribute MUST be equal or less
548	         than the Max).

550	         - The <PINPolicy> element MAY be present but the <Format> child
551	         element of the <PINPolicy> element cannot be set to
552	         "Algorithmic".

554	      An example of a Key of this algorithm is as follows.

556	   <?xml version="1.0" encoding="UTF-8"?>
557	   <KeyContainer Version="1.0"
558	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
559	       <Device>
560	           <DeviceInfo>
561	               <Manufacturer>ActivIdentity</Manufacturer>
562	               <SerialNo>34567890</SerialNo>
563	           </DeviceInfo>
564	           <Key KeyAlgorithm="http://www.actividentity.com/
565	           2008/04/algorithms/algorithms#ActivIdentity-3DES"
566	           KeyId="12345677">
567	               <Issuer>Issuer</Issuer>
568	               <Usage OTP="true">
569	                   <ResponseFormat Length="8" Format="DECIMAL"/>
570	               </Usage>
571	               <Data>
572	                   <Secret>
573	                       <PlainValue>
574	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
575	                       </PlainValue>
576	                   </Secret>
577	                   <Counter>
578	                       <PlainValue>0</PlainValue>
579	                   </Counter>
580	                   <Time>
581	                       <PlainValue>0</PlainValue>
582	                   </Time>
583	                   <TimeInterval>
584	                       <PlainValue>32</PlainValue>
585	                   </TimeInterval>
586	                   <TimeDrift>
587	                       <PlainValue>0</PlainValue>
588	                   </TimeDrift>
589	               </Data>
590	           </Key>
591	       </Device>
592	   </KeyContainer>

594	9.  ActivIdentity-AES

596	   Common Name:  ActivIdentity-AES

598	   Class:  OTP

600	   URI:  http://www.actividentity.com/2008/04/algorithms/
601	      algorithms#ActivIdentity-AES

603	   Algorithm Definition:  http://www.actividentity.com/2008/04/
604	      algorithms/algorithms#ActivIdentity-AES

606	   Identifier Definition  http://www.actividentity.com/2008/04/
607	      algorithms/algorithms#ActivIdentity-AES

609	   Registrant Contact:  Philip Hoyer, ActivIdentity Inc,
610	      <philip.hoyer@actividentity.com>

612	   Profile of XML attributes and subelements of the <Key> entity:

614	      For a <Key> of this algorithm, the <Usage> subelements MUST be
615	      present.  This algorithm can be used for otp, challenge response,
616	      parameter based MACing (integrity) and to generate a device unlock
617	      code (n case of devices where there is local PIN management and
618	      the devce has been locked after a specific amount of wrong PIN
619	      entry attempts).  Hence the "OTP", "CR","Integrity" and "Unlock"
620	      attribute of the <Usage> can be set to "true", but at least one of
621	      the above MUST be set to true.  The element <ResponseFormat> of
622	      the <Usage> MUST be used to indicate the OTP length, the value
623	      format and optionally if a check digit is being used.  If the use
624	      is challenge-response then the <ChallengeFormat> of the <Usage>
625	      MUST be used to indicate the challenge minimum and maximum length,
626	      its format and optionally if a check digit is being used.

628	      For the <Data> elements of a key of this algorithm, the following
629	      subelements MUST be present in either the <Key> element itself or
630	      an commonly shared <KeyProperties> element.

632	      *  Secret

634	      *  Counter

636	      *  Time

638	      *  TimeInterval
639	      The following additional constraints apply:

641	         - The value of the <Secret> element MUST contain key material
642	         with a length of at least 16 octets (128 bits) if it is
643	         present.

645	         - The <ResponseFormat> element MUST have the 'Format' attribute
646	         set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
647	         MUST be between 6 and 16.

649	         - The <ChallengeFormat> element MUST have the 'Format'
650	         attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
651	         be between 4 and 16 (The Min attribute MUST be equal or less
652	         than the Max).

654	         - The <PINPolicy> element MAY be present but the <Format> child
655	         element of the <PINPolicy> element cannot be set to
656	         "Algorithmic".

658	      An example of a <Key> of this algorithm is as follows.

660	   <?xml version="1.0" encoding="UTF-8"?>
661	   <KeyContainer Version="1.0"
662	     xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
663	       <Device>
664	           <DeviceInfo>
665	               <Manufacturer>ActivIdentity</Manufacturer>
666	               <SerialNo>34567890</SerialNo>
667	           </DeviceInfo>
668	           <Key KeyAlgorithm="http://www.actividentity.com/
669	           2008/04/algorithms/algorithms#ActivIdentity-AES"
670	           KeyId="12345677">
671	               <Issuer>Issuer</Issuer>
672	               <Usage OTP="true">
673	                   <ResponseFormat Length="8" Format="DECIMAL"/>
674	               </Usage>
675	               <Data>
676	                   <Secret>
677	                       <PlainValue>
678	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
679	                       </PlainValue>
680	                   </Secret>
681	                   <Counter>
682	                       <PlainValue>0</PlainValue>
683	                   </Counter>
684	                   <Time>
685	                       <PlainValue>0</PlainValue>
686	                   </Time>
687	                   <TimeInterval>
688	                       <PlainValue>32</PlainValue>
689	                   </TimeInterval>
690	                   <TimeDrift>
691	                       <PlainValue>0</PlainValue>
692	                   </TimeDrift>
693	               </Data>
694	           </Key>
695	       </Device>
696	   </KeyContainer>

698	10.  ActivIdentity-DES

700	   Common Name:  ActivIdentity-DES

702	   Class:  OTP

704	   URI:  http://www.actividentity.com/2008/04/algorithms/
705	      algorithms#ActivIdentity-DES

707	   Algorithm Definition:  http://www.actividentity.com/2008/04/
708	      algorithms/algorithms#ActivIdentity-DES

710	   Identifier Definition  http://www.actividentity.com/2008/04/
711	      algorithms/algorithms#ActivIdentity-DES

713	   Registrant Contact:  Philip Hoyer, ActivIdentity Inc,
714	      <philip.hoyer@actividentity.com>

716	   Profile of XML attributes and subelements of the <Key> entity:

718	      For a <Key> of this algorithm, the <Usage> subelements MUST be
719	      present.  This algorithm can be used for otp, challenge response,
720	      parameter based MACing (integrity) and to generate a device unlock
721	      code (n case of devices where there is local PIN management and
722	      the devce has been locked after a specific amount of wrong PIN
723	      entry attempts).  Hence the "OTP", "CR","Integrity" and "Unlock"
724	      attribute of the <Usage> can be set to "true", but at least one of
725	      the above MUST be set to true.  The element <ResponseFormat> of
726	      the <Usage> MUST be used to indicate the OTP length, the value
727	      format and optionally if a check digit is being used.  If the use
728	      is challenge-response then the <ChallengeFormat> of the <Usage>
729	      MUST be used to indicate the challenge minimum and maximum length,
730	      its format and optionally if a check digit is being used.

732	      For the <Data> elements of a key of this algorithm, the following
733	      subelements MUST be present in either the <Key> element itself or
734	      an commonly shared <KeyProperties> element.

736	      *  Counter

738	      *  Time

740	      *  TimeInterval

742	      The following additional constraints apply:

744	         - The value of the <Secret> element MUST contain key material
745	         with a length of at least 8 octets (56 bits + parity) if it is
746	         present.

748	         - The <ResponseFormat> element MUST have the 'Format' attribute
749	         set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
750	         MUST be between 6 and 16.

752	         - The <ChallengeFormat> element MUST have the 'Format'
753	         attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
754	         be between 4 and 16 (The Min attribute MUST be equal or less
755	         than the Max).

757	         - The <PINPolicy> element MAY be present but the <Format> child
758	         element of the <PINPolicy> element cannot be set to
759	         "Algorithmic".

761	      An example of a <Key> of this algorithm is as follows.

763	   <?xml version="1.0" encoding="UTF-8"?>
764	   <KeyContainer Version="1.0"
765	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
766	       <Device>
767	           <DeviceInfo>
768	               <Manufacturer>ActivIdentity</Manufacturer>
769	               <SerialNo>34567890</SerialNo>
770	           </DeviceInfo>
771	           <Key KeyAlgorithm="http://www.actividentity.com/
772	           2008/04/algorithms/algorithms#ActivIdentity-DES"
773	           KeyId="12345677">
774	               <Issuer>Issuer</Issuer>
775	               <Usage OTP="true">
776	                   <ResponseFormat Length="8" Format="DECIMAL"/>
777	               </Usage>
778	               <Data>
779	                   <Secret>
780	                       <PlainValue>
781	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
782	                       </PlainValue>
783	                   </Secret>
784	                   <Counter>
785	                       <PlainValue>0</PlainValue>
786	                   </Counter>
787	                   <Time>
788	                       <PlainValue>0</PlainValue>
789	                   </Time>
790	                   <TimeInterval>
791	                       <PlainValue>32</PlainValue>
792	                   </TimeInterval>
793	                   <TimeDrift>
794	                       <PlainValue>0</PlainValue>
795	                   </TimeDrift>
796	               </Data>
797	           </Key>
798	       </Device>
799	   </KeyContainer>

801	11.  ActivIdentity-EVENT

803	   Common Name:  ActivIdentity-EVENT

805	   Class:  OTP

807	   URI:  http://www.actividentity.com/2008/04/algorithms/
808	      algorithms#ActivIdentity-EVENT

810	   Algorithm Definition:  http://www.actividentity.com/2008/04/
811	      algorithms/algorithms#ActivIdentity-EVENT

813	   Identifier Definition  http://www.actividentity.com/2008/04/
814	      algorithms/algorithms#ActivIdentity-EVENT

816	   Registrant Contact:  Philip Hoyer, ActivIdentity Inc,
817	      <philip.hoyer@actividentity.com>

819	   Profile of XML attributes and subelements of the <Key> entity:

821	      For a <Key> of this algorithm, the <Usage> subelements MUST be
822	      present.  This algorithm can be used for otp, challenge response,
823	      parameter based MACing (integrity) and to generate a device unlock
824	      code (n case of devices where there is local PIN management and
825	      the device has been locked after a specific amount of wrong PIN
826	      entry attempts).  Hence the "OTP", "CR","Integrity" and "Unlock"
827	      attribute of the <Usage> can be set to "true", but at least one of
828	      the above MUST be set to true.  The element <ResponseFormat> of
829	      the <Usage> MUST be used to indicate the OTP length, the value
830	      format and optionally if a check digit is being used.  If the use
831	      is challenge-response then the <ChallengeFormat> of the <Usage>
832	      MUST be used to indicate the challenge minimum and maximum length,
833	      its format and optionally if a check digit is being used.

835	      For the <Data> elements of a key of this algorithm, the following
836	      subelements MUST be present in either the <Key> element itself or
837	      an commonly shared <KeyProperties> element.

839	      *  Counter

841	      The following additional constraints apply:

843	         - The value of the <Secret> element MUST contain key material
844	         with a length of at least 8 octets (56 bits + parity) if it is
845	         present.

847	         - The <ResponseFormat> element MUST have the 'Format' attribute
848	         set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
849	         MUST be between 6 and 16.

851	         - The <PINPolicy> element MAY be present but the <Format> child
852	         element of the <PINPolicy> element cannot be set to
853	         "Algorithmic".

855	      An example of a <Key> of this algorithm is as follows.

857	   <?xml version="1.0" encoding="UTF-8"?>
858	   <KeyContainer Version="1.0"
859	     xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
860	       <Device>
861	           <DeviceInfo>
862	               <Manufacturer>ActivIdentity</Manufacturer>
863	               <SerialNo>34567890</SerialNo>
864	           </DeviceInfo>
865	           <Key KeyAlgorithm="http://www.actividentity.com/
866	           2008/04/algorithms/algorithms#ActivIdentity-EVENT"
867	           KeyId="12345677">
868	               <Issuer>Issuer</Issuer>
869	               <Usage OTP="true">
870	                   <ResponseFormat Length="8" Format="DECIMAL"/>
871	               </Usage>
872	               <Data>
873	                   <Secret>
874	                       <PlainValue>
875	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
876	                       </PlainValue>
877	                   </Secret>
878	                   <Counter>
879	                       <PlainValue>0</PlainValue>
880	                   </Counter>
881	               </Data>
882	           </Key>
883	       </Device>
884	   </KeyContainer>

886	12.  Security Considerations

888	   [Editor's Note: Security considerations regarding the algorithms go
889	   in here.]

891	13.  IANA Considerations

893	   [Editor's Note: The registration of the algorithm profiles goes in
894	   here.]

896	14.  Acknowledgements

898	   Add your name here.

900	15.  Normative References

902	   [RFC2119]  "Key words for use in RFCs to Indicate Requirement
903	              Levels", BCP 14, RFC 2119, March 1997.

905	Authors' Addresses

907	   Philip Hoyer
908	   ActivIdentity, Inc.
909	   117 Waterloo Road
910	   London, SE1  8UL
911	   UK

913	   Phone: +44 (0) 20 7744 6455
914	   Email: Philip.Hoyer@actividentity.com

916	   Mingliang Pei
917	   VeriSign, Inc.
918	   487 E. Middlefield Road
919	   Mountain View, CA  94043
920	   USA

922	   Phone: +1 650 426 5173
923	   Email: mpei@verisign.com

925	   Salah Machani
926	   Diversinet, Inc.
927	   2225 Sheppard Avenue East
928	   Suite 1801
929	   Toronto, Ontario  M2J 5C2
930	   Canada

932	   Phone: +1 416 756 2324 Ext. 321
933	   Email: smachani@diversinet.com

935	   Andrea Doherty
936	   RSA, The Security Division of EMC
937	   174 Middlesex Tpk.
938	   Bedford, MA  01730
939	   USA

941	   Email: adoherty@rsa.com