idnits 2.17.1 draft-ietf-keyprov-portable-symmetric-key-container-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 3808. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 3819. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 3826. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 3832. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Too long document name: The document name (without revision number), 'draft-ietf-keyprov-portable-symmetric-key-container', is 51 characters long, but may be at most 50 characters Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == Line 2604 has weird spacing: '...inition http:...' == Line 2749 has weird spacing: '...inition http:...' == Line 2854 has weird spacing: '...inition http:...' == Line 2959 has weird spacing: '...inition http:...' == Line 3062 has weird spacing: '...inition http:...' == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the start date of the key, it MUST not be possible to use this key before this date. MUST be expressed in UTC form, with no time zone component. Implementations SHOULD NOT rely on time resolution finer than milliseconds and MUST NOT generate time instants that specify leap seconds. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the expiry date of the key, it MUST not be possible to use this key after this date. MUST be expressed in UTC form, with no time zone component. Implementations SHOULD NOT rely on time resolution finer than milliseconds and MUST NOT generate time instants that specify leap seconds. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the maximum number of times the PIN can be entered wrongly before it MUST not be possible to use the key anymore. If PinUsageMode is 'Local' the device MUST enforce this value, otherwise it MUST be enforced by the validation server. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the minimum lenght of a PIN that can be set to protect this key. It MUST not be possible to set a PIN shorter than this value. If the Format element is 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of digits/characters. If the Format attribute is 'BASE64' or 'BINARY', this value indicates the number of bytes of the unencoded value. If PinUsageMode is 'Local' the device MUST enforce this value, otherwise it MUST be enforced by the validation server. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the maximum lenght of a PIN that can be set to protect this key. It MUST not be possible to set a PIN longer than this value. If the Format element is 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of digits/characters. If the Format attribute is 'BASE64' or 'BINARY', this value indicates the number of bytes of the unencoded value. If PinUsageMode is 'Local' the device MUST enforce this value, otherwise it MUST be enforced by the validation server. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 03, 2008) is 5652 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'PKCS1' is defined on line 3680, but no explicit reference was found in the text == Unused Reference: 'AlgorithmURIs' is defined on line 3721, but no explicit reference was found in the text == Unused Reference: 'OATH' is defined on line 3745, but no explicit reference was found in the text == Unused Reference: 'OCRA' is defined on line 3748, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'LUHN' ** Obsolete normative reference: RFC 2437 (ref. 'PKCS1') (Obsoleted by RFC 3447) -- Possible downref: Non-RFC (?) normative reference: ref. 'PKCS5' ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303) ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838) ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLDSIG' -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC' -- Obsolete informational reference (is this intentional?): RFC 4051 (ref. 'AlgorithmURIs') (Obsoleted by RFC 6931) == Outdated reference: A later version (-14) exists of draft-mraihi-mutual-oath-hotp-variants-06 Summary: 6 errors (**), 0 flaws (~~), 16 warnings (==), 12 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 keyprov P. Hoyer 3 Internet-Draft ActivIdentity 4 Intended status: Standards Track M. Pei 5 Expires: May 7, 2009 VeriSign 6 S. Machani 7 Diversinet 8 November 03, 2008 10 Portable Symmetric Key Container 11 draft-ietf-keyprov-portable-symmetric-key-container-06.txt 13 Status of this Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on May 7, 2009. 38 Abstract 40 This document specifies a symmetric key format for transport and 41 provisioning of symmetric keys (for example One Time Password (OTP) 42 shared secrets or symmetric cryptographic keys) to different types of 43 crypto modules such as a strong authentication device. The standard 44 key transport format enables enterprises to deploy best-of-breed 45 solutions combining components from different vendors into the same 46 infrastructure. 48 This work is based on earlier work by the members of OATH (Initiative 49 for Open AuTHentication) to specify a format that can be freely 50 distributed to the technical community. The authors believe that a 51 common and shared specification will facilitate adoption of two- 52 factor authentication on the Internet by enabling interoperability 53 between commercial and open-source implementations. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 2.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . 6 60 2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 6 61 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 8 62 3.1. Online Use Cases . . . . . . . . . . . . . . . . . . . . . 8 63 3.1.1. Transport of keys from Server to Cryptographic 64 Module . . . . . . . . . . . . . . . . . . . . . . . . 8 65 3.1.2. Transport of keys from Cryptographic Module to 66 Cryptographic Module . . . . . . . . . . . . . . . . . 8 67 3.1.3. Transport of keys from Cryptographic Module to 68 Server . . . . . . . . . . . . . . . . . . . . . . . . 9 69 3.1.4. Server to server Bulk import/export of keys . . . . . 9 70 3.2. Offline Use Cases . . . . . . . . . . . . . . . . . . . . 9 71 3.2.1. Server to server Bulk import/export of keys . . . . . 9 72 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 5. Portable Key container definition . . . . . . . . . . . . . . 13 74 5.1. KeyContainer . . . . . . . . . . . . . . . . . . . . . . . 14 75 5.2. KeyProperties . . . . . . . . . . . . . . . . . . . . . . 15 76 5.3. Device . . . . . . . . . . . . . . . . . . . . . . . . . . 17 77 5.3.1. DeviceInfo . . . . . . . . . . . . . . . . . . . . . . 18 78 5.4. Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 79 5.4.1. KeyData . . . . . . . . . . . . . . . . . . . . . . . 23 80 5.4.2. Usage . . . . . . . . . . . . . . . . . . . . . . . . 25 81 5.4.3. ValueFormat . . . . . . . . . . . . . . . . . . . . . 29 82 5.4.4. PINPolicy . . . . . . . . . . . . . . . . . . . . . . 29 83 6. Usage and profile of algorithms for the portable symmetric 84 key container . . . . . . . . . . . . . . . . . . . . . . . . 33 85 6.1. Usage of EncryptionKey to protect keys in transit . . . . 33 86 6.1.1. Protecting keys using a pre-shared key via 87 symmetric algorithms . . . . . . . . . . . . . . . . . 33 88 6.1.2. Protecting keys using passphrase based key 89 encryption keys . . . . . . . . . . . . . . . . . . . 35 90 6.2. Protecting keys using asymmetric algorithms . . . . . . . 38 91 6.3. Profile of Key Algorithm . . . . . . . . . . . . . . . . . 39 92 6.3.1. OTP Key Algorithm Identifiers . . . . . . . . . . . . 40 93 6.3.2. PIN key value compare algorithm identifier . . . . . . 40 94 7. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 41 95 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 96 8.1. Content-type registration for 'application/pskc+xml' . . . 48 97 8.2. XML Schema Registration . . . . . . . . . . . . . . . . . 49 98 8.3. URN Sub-Namespace Registration for 99 urn:ietf:params:xml:ns:keyprov:pskc:1.0 . . . . . . . . . 49 100 8.4. Symmetric Key Algorithm Identifier Registry . . . . . . . 50 101 8.4.1. Applicability . . . . . . . . . . . . . . . . . . . . 50 102 8.4.2. Registerable Algorithms . . . . . . . . . . . . . . . 51 103 8.4.3. Registration Procedures . . . . . . . . . . . . . . . 52 104 8.4.4. Initial Values . . . . . . . . . . . . . . . . . . . . 54 105 9. Security Considerations . . . . . . . . . . . . . . . . . . . 76 106 9.1. Payload confidentiality . . . . . . . . . . . . . . . . . 76 107 9.2. Payload integrity . . . . . . . . . . . . . . . . . . . . 77 108 9.3. Payload authenticity . . . . . . . . . . . . . . . . . . . 77 109 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 78 110 11. Appendix A - Example Symmetric Key Containers . . . . . . . . 79 111 11.1. Symmetric Key Container with a single Non-Encrypted 112 HOTP Secret Key . . . . . . . . . . . . . . . . . . . . . 79 113 11.2. Symmetric Key Container with a single PIN protected 114 Non-Encrypted HOTP Secret Key . . . . . . . . . . . . . . 80 115 11.3. Symmetric Key Container with a single AES-128-CBC 116 Encrypted HOTP Secret Key and non-encrypted counter 117 value . . . . . . . . . . . . . . . . . . . . . . . . . . 82 118 11.4. Symmetric Key Container with signature and a single 119 Password-based Encrypted HOTP Secret Key . . . . . . . . . 83 120 11.5. Symmetric Key Container with a single RSA 1.5 121 Encrypted HOTP Secret Key . . . . . . . . . . . . . . . . 85 122 11.6. Symmetric Key Container with a single AES-128-CBC 123 Encrypted OCRA Secret Key and non-encrypted counter 124 value . . . . . . . . . . . . . . . . . . . . . . . . . . 86 125 11.7. Symmetric Key Container with a single AES-256-CBC 126 Encrypted TOTP Secret Key and non-encrypted time values . 88 127 11.8. Symmetric Key Container with two devices containing a 128 Non-Encrypted HOTP Secret Key each sharing common 129 KeyProperties . . . . . . . . . . . . . . . . . . . . . . 90 130 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 92 131 12.1. Normative References . . . . . . . . . . . . . . . . . . . 92 132 12.2. Informative References . . . . . . . . . . . . . . . . . . 93 133 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 94 134 Intellectual Property and Copyright Statements . . . . . . . . . . 95 136 1. Introduction 138 With increasing use of symmetric key based authentication systems 139 such as systems based one time password (OTP) and challenge response 140 mechanisms, there is a need for vendor interoperability and a 141 standard format for importing, exporting or provisioning symmetric 142 keys from one system to another. Traditionally authentication server 143 vendors and service providers have used proprietary formats for 144 importing, exporting and provisioning these keys into their systems 145 making it hard to use tokens from vendor A with a server from vendor 146 B. 148 This document describes a standard format for serializing symmetric 149 keys such as OTP shared secrets for system import, export or network/ 150 protocol transport. The goal is that the format will facilitate 151 dynamic provisioning and transfer of symmetric keys such as OTP 152 shared secrets or encryption keys of different types. In the case of 153 OTP shared secrets, the format will facilitate dynamic provisioning 154 using an online provisioning protocol to different flavors of 155 embedded tokens or allow customers to import new or existing tokens 156 in batch or single instances into a compliant system. 158 This draft also specifies the key attributes required for computation 159 such as the initial event counter used in the HOTP algorithm [HOTP]. 160 It is also applicable for other time-based or proprietary algorithms. 162 To provide an analogy, in public key environments the PKCS#12 format 163 [PKCS12] is commonly used for importing and exporting private keys 164 and certificates between systems. In the environments outlined in 165 this document where OTP keys may be transported directly down to 166 smartcards or devices with limited computing capabilities and 167 explicit shared secret, configuration attribute information is 168 desirable. With PKCS#12, one would have to use opaque data to carry 169 shared secret attributes used for OTP calculations, whereas a more 170 explicit attribute schema definition is better for interoperability 171 and efficiency. 173 2. Terminology 175 2.1. Key Words 177 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 178 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 179 document are to be interpreted as described in [RFC2119]. 181 2.2. Definitions 183 This section defines terms used in this document. The same terms may 184 be defined differently in other documents. 186 Authentication Token: A physical device that an authorized user of 187 computer services is given to aid in authentication. The term may 188 also refer to software tokens. 190 Bulk Provisioning: Transferring multiple keys linked to multiple 191 devices in a single execution step within one single PSKC 192 KeyContainer 194 Cryptographic Module: A component of an application, which enables 195 symmetric key cryptographic functionality 197 Cryptographic Key: A parameter used in conjunction with a 198 cryptographic algorithm that determines its operation in such a 199 way that an entity with knowledge of the key can reproduce or 200 reverse the operation, while an entity without knowledge of the 201 key cannot (see [NIST-SP800-57]) 203 Cryptographic Token: See Authentication Token 205 Device: A physical piece of hardware, or a software framework, that 206 hosts symmetric keys 208 DeviceInfo: A set of elements whose values combined uniquely 209 identify a device e.g. Manufacturer 'TokenVendorAcme' and 210 Serialnumber '12345678' 212 Dynamic Provisioning: Usage of a protocol, such as DSKPP, to make a 213 key container available to a recipient 215 Key Encryption Key: A key used to encrypt key 217 Key: See Cryptographic Key 218 Hardware Token: See Authentication Token 220 Key Algorithm: A well-defined computational procedure that takes 221 variable inputs including a cryptographic key and produces an 222 output. 224 Key Container: An object that encapsulates symmetric keys and their 225 attributes for set of devices 227 Key ID (KeyID): A unique identifier for the symmetric key 229 Key Issuer: An organization that issues symmetric keys to end-users 231 Key Type: The type of symmetric key cryptographic methods for which 232 the key will be used (e.g., OATH HOTP or RSA SecurID 233 authentication, AES encryption, etc.) 235 Secret Key: The symmetric key data 237 Software Token: A type of authentication token that is stored on a 238 general-purpose electronic device such as a desktop computer, 239 laptop, PDA, or mobile phone 241 Token: See Authentication Token 243 User: The person or client to whom devices are issued 245 User ID: A unique identifier for the user or client 247 3. Use Cases 249 This section describes a comprehensive list of use cases that 250 inspired the development of this specification. These requirements 251 were used to derive the primary requirement that drove the design. 252 These requirements are covered in the next section. 254 These use cases also help in understanding the applicability of this 255 specification to real world situations. 257 3.1. Online Use Cases 259 This section describes the use cases related to provisioning the keys 260 using an online provisioning protocol such as [DSKPP] 262 3.1.1. Transport of keys from Server to Cryptographic Module 264 For example, a mobile device user wants to obtain a symmetric key for 265 use with a Cryptographic Module on the device. The Cryptographic 266 Module from vendor A initiates the provisioning process against a 267 provisioning system from vendor B using a standards-based 268 provisioning protocol such as [DSKPP]. The provisioning entity 269 delivers one or more keys in a standard format that can be processed 270 by the mobile device. 272 For example, in a variation of the above, instead of the user's 273 mobile phone, a key is provisioned in the user's soft token 274 application on a laptop using a network-based online protocol. As 275 before, the provisioning system delivers a key in a standard format 276 that can be processed by the soft token on the PC. 278 For example, the end-user or the key issuer wants to update or 279 configure an existing key in the Cryptographic Module and requests a 280 replacement key container. The container may or may not include a 281 new key and may include new or updated key attributes such as a new 282 counter value in HOTP key case, a modified response format or length, 283 a new friendly name, etc. 285 3.1.2. Transport of keys from Cryptographic Module to Cryptographic 286 Module 288 For example, a user wants to transport a key from one Cryptographic 289 Module to another. There may be two cryptographic modules, one on a 290 computer one on a mobile phone, and the user wants to transport a key 291 from the computer to the mobile phone. The user can export the key 292 and related data in a standard format for input into the other 293 Cryptographic Module. 295 3.1.3. Transport of keys from Cryptographic Module to Server 297 For example, a user wants to activate and use a new key and related 298 data against a validation system that is not aware of this key. This 299 key may be embedded in the Cryptographic Module (e.g. SD card, USB 300 drive) that the user has purchased at the local electronics retailer. 301 Along with the Cryptographic Module, the user may get the key on a CD 302 or a floppy in a standard format. The user can now upload via a 303 secure online channel or import this key and related data into the 304 new validation system and start using the key. 306 3.1.4. Server to server Bulk import/export of keys 308 From time to time, a key management system may be required to import 309 or export keys in bulk from one entity to another. 311 For example, instead of importing keys from a manufacturer using a 312 file, a validation server may download the keys using an online 313 protocol. The keys can be downloaded in a standard format that can 314 be processed by a validation system. 316 For example, in a variation of the above, an Over-The-Aire (OTA) key 317 provisioning gateway that provisions keys to mobile phones may obtain 318 key material from a key issuer using an online protocol. The keys 319 are delivered in a standard format that can be processed by the key 320 provisioning gateway and subsequently sent to the end-user's mobile 321 phone. 323 3.2. Offline Use Cases 325 This section describes the use cases relating to offline transport of 326 keys from one system to another, using some form of export and import 327 model. 329 3.2.1. Server to server Bulk import/export of keys 331 For example, Cryptographic Modules such as OTP authentication tokens, 332 may have their symmetric keys initialized during the manufacturing 333 process in bulk, requiring copies of the keys and algorithm data to 334 be loaded into the authentication system through a file on portable 335 media. The manufacturer provides the keys and related data in the 336 form of a file containing records in standard format, typically on a 337 CD. Note that the token manufacturer and the vendor for the 338 validation system may be the same or different. Some crypto modules 339 will allow local PIN management (the device will have a PIN pad) 340 hence random initial PINs set at manufacturing should be transmitted 341 together with the respective keys they protect. 343 For example, an enterprise wants to port keys and related data from 344 an existing validation system A into a different validation system B. 345 The existing validation system provides the enterprise with a 346 functionality that enables export of keys and related data (e.g. for 347 OTP authentication tokens) in a standard format. Since the OTP 348 tokens are in the standard format, the enterprise can import the 349 token records into the new validation system B and start using the 350 existing tokens. Note that the vendors for the two validation 351 systems may be the same or different. 353 4. Requirements 355 This section outlines the most relevant requirements that are the 356 basis of this work. Several of the requirements were derived from 357 use cases described above. 359 R1: The format MUST support transport of multiple types of 360 symmetric keys and related attributes for algorithms including 361 HOTP, other OTP, challenge-response, etc. 363 R2: The format MUST handle the symmetric key itself as well of 364 attributes that are typically associated with symmetric keys. 365 Some of these attributes may be 367 * Unique Key Identifier 369 * Issuer information 371 * Algorithm ID 373 * Algorithm mode 375 * Issuer Name 377 * Key friendly name 379 * Event counter value (moving factor for OTP algorithms) 381 * Time value 383 R3: The format SHOULD support both offline and online scenarios. 384 That is it should be serializable to a file as well as it 385 should be possible to use this format in online provisioning 386 protocols such as [DSKPP] 388 R4: The format SHOULD allow bulk representation of symmetric keys 390 R5: The format SHOULD allow bulk representation of PINs related to 391 specific keys 393 R6: The format SHOULD be portable to various platforms. 394 Furthermore, it SHOULD be computationally efficient to process. 396 R7: The format MUST provide appropriate level of security in terms 397 of data encryption and data integrity. 399 R8: For online scenarios the format SHOULD NOT rely on transport 400 level security (e.g., SSL/TLS) for core security requirements. 402 R9: The format SHOULD be extensible. It SHOULD enable extension 403 points allowing vendors to specify additional attributes in the 404 future. 406 R10: The format SHOULD allow for distribution of key derivation data 407 without the actual symmetric key itself. This is to support 408 symmetric key management schemes that rely on key derivation 409 algorithms based on a pre-placed master key. The key 410 derivation data typically consists of a reference to the key, 411 rather than the key value itself. 413 R11: The format SHOULD allow for additional lifecycle management 414 operations such as counter resynchronization. Such processes 415 require confidentiality between client and server, thus could 416 use a common secure container format, without the transfer of 417 key material. 419 R12: The format MUST support the use of pre-shared symmetric keys to 420 ensure confidentiality of sensitive data elements. 422 R13: The format MUST support a password-based encryption (PBE) 423 [PKCS5] scheme to ensure security of sensitive data elements. 424 This is a widely used method for various provisioning 425 scenarios. 427 R14: The format SHOULD support asymmetric encryption algorithms such 428 as RSA to ensure end-to-end security of sensitive data 429 elements. This is to support scenarios where a pre-set shared 430 key encryption key is difficult to use. 432 5. Portable Key container definition 434 The portable key container is based on an XML schema definition and 435 contains the following main entities: 437 1. KeyContainer entity as defined in Section 5.1 439 2. KeyProperties entity as defined in Section 5.2 441 3. Device entity as defined in Section 5.3 443 4. Key entity as defined in Section 5.4 445 Additionally other XML schema types have been defined and are 446 detailed in the relevant subsections of this document 448 A KeyContainer MAY contain one or more Device entities. A Device MAY 449 contain one or more Key entities 451 The figure below indicates a possible relationship diagram of a 452 container. 454 -------------------------------------------- 455 | KeyContainer | 456 | | 457 | -------------------- | 458 | | Keyproperties 1 | | 459 | | | | 460 | -------------------- | 461 | ------------------ ----------------- | 462 | | Device 1 | | Device n | | 463 | | | | | | 464 | | ------------ | | ------------ | | 465 | | | Key 1 | | | | Key n | | | 466 | | ------------ | | ------------ | | 467 | | | | | | 468 | | | | | | 469 | | ------------ | | ------------ | | 470 | | | Key m | | | | Key p | | | 471 | | ------------ | | ------------ | | 472 | ------------------ ----------------- | 473 | | 474 -------------------------------------------- 476 The following sections describe in detail all the entities and 477 related XML schema elements and attributes: 479 5.1. KeyContainer 481 The KeyContainer represents the key container entity. A Container 482 MAY contain more than one Device entity; each Device entity MAY 483 contain more than one Key entity. 485 The KeyContainer is defined as follows: 487 488 489 491 493 496 499 501 504 505 507 508 510 The attributes of the KeyContainer have the following meanings: 512 o Version (MANDATORY), the version number for the portable key 513 container format (the XML schema defined in this document). 515 o ID (OPTIONAL), the unique ID for this container in case an XML 516 document contains more than one container and wants to refer to 517 them uniquely. 519 The elements of the KeyContainer have the following meanings: 521 o (OPTIONAL), Identifies the key encryption key, 522 algorithm and possible parameters used to protect the Secret Key 523 data in the container. Please see Section 6.1 for detailed 524 description of how to protect key data in transit and the usage of 525 this element. 527 o (OPTIONAL), Identifies the algorithm used to 528 generate a Message Authentication Code (MAC) of the Secret Key 529 data values when protection algorithms are used that do not have 530 integrity checks. The digest guarantees the integrity and the 531 authenticity of the key data. for profile and usage please see 532 Section 6.1.1 534 o (OPTIONAL), key property entities containing key 535 related properties that are common for keys within this container. 536 Please see Section 5.2 for detailed description of this 537 element.The KeyContainer MAY contain multiple KeyProperties 538 elements each containing a set of properties related to one or 539 more keys transported within the container. 541 o (MANDATORY), the host Device for one or more Keys as 542 defined in Section 5.3 The KeyContainer MAY contain multiple 543 Device data elements, allowing for bulk provisioning of multiple 544 devices each containing multiple keys. 546 o (OPTIONAL), the signature value of the Container. 547 When the signature is applied to the entire container, it MUST use 548 XML Signature methods as defined in [XMLDSIG]. It MAY be omitted 549 when application layer provisioning or transport layer 550 provisioning protocols provide the integrity and authenticity of 551 the payload between the sender and the recipient of the container. 552 When required, this specification recommends using a symmetric key 553 based signature with the same key used in the encryption of the 554 secret key data. The signature is enveloped. 556 o (OPTIONAL), is the extension point for this entity. 557 All extensions are grouped under this element and will be of type 558 pskc:ExtensionType, which contains an optional attribute 559 'definition' that can have a URI pointing at the defintion of the 560 extension. In this way groups of extension can be bundled under a 561 subelement. For example: 563 564 blah 565 blahblah 566 567 569 5.2. KeyProperties 571 The KeyProperties represents common properties shared by more than 572 one key held in the container. If a value is set in the properties 573 the Key element can refer to it via ID attribute. Values that are 574 present in the Key element itself MUST take precedence over values 575 set in KeyProperties. The KeyProperties is defined as follows: 577 578 579 581 583 585 587 589 591 593 595 598 599 600 602 604 The attributes of the KeyProperties entity have the following 605 meanings: 607 o ID (MANDATORY), a unique and global identifier of set of 608 KeyProperties. The identifier is defined as a string of 609 alphanumeric characters. 611 o KeyAlgorithm (MANDATORY), the unique URI of the type of algorithm 612 to use with a secret key for the profiles described in Section 6.3 614 Since KeyProperties are a method to group element values that are 615 common to multiple keys transported, please refer to Section 5.4 for 616 detailed description of all elements. 618 5.3. Device 620 The Device represents an extensible Device entity in the Container. 621 A Device MAY be bound to a user and MAY contain more than one key. A 622 key SHOULD be bound to only one Device. 624 The Device is defined as follows: 626 627 628 630 632 633 636 637 639 The elements of the Device have the following meanings: 641 o (OPTIONAL), a set of elements containing information 642 about the device, whose values uniquely identify the device, 643 defined in Section 5.3.1 645 o (MANDATORY), represents the key entity as defined in 646 Section 5.4 648 o (OPTIONAL), identifies the owner or the user of the Device, 649 a string representation of a Distinguished Name as defined in 650 [RFC4514]. For example UID=jsmith,DC=example,DC=net. In systems 651 where unique user Ids are used the string representation 652 'UID=[uniqueId]' SHOULD be used. 654 o (OPTIONAL), is the extension point for this entity. 655 All extensions are grouped under this element and will be of type 656 pskc:ExtensionType, which contains an optional attribute 657 'defintion' that can have a URI pointing at the defintion of the 658 extension. In this way groups of extension can be bundled under a 659 subelement. For example: 661 662 blah 663 blahblah 664 665 667 5.3.1. DeviceInfo 669 The DeviceInfo represents an extensible set of elements that form the 670 identifying criteria to uniquely identify the device that contains 671 the associated keys. Since devices can come in different form 672 factors such as hardware tokens, smart-cards, soft tokens in a mobile 673 phone or PC etc this element allows different criteria to be used. 674 Combined though the criteria MUST uniquely identify the device. For 675 example for hardware tokens the combination of SerialNo and 676 Manufacturer will uniquely identify a device but not SerialNo alone 677 since two different token manufacturers might issue devices with the 678 same serial number (similar to the IssuerDN and serial number of a 679 certificate). Symmetric Keys used in the payment industry are 680 usually stored on Integrated Circuit Smart Cards. These cards are 681 uniquely identified via the Primary Account Number (PAN, the long 682 number printed on the front of the card) and an expiry date of the 683 card. DeviceInfo is an extensible type that allows all these 684 different ways to uniquely identify a specific key containing device. 686 The DeviceInfo is defined as follows: 688 689 690 691 692 693 694 695 696 697 700 701 703 The elements of DeviceInfo have the following meanings: 705 o (MANDATORY), the manufacturer of the device. 707 o (MANDATORY), the serial number of the device or the PAN 708 (primary account number) in case of payment smart cards. 710 o (OPTIONAL), the model of the device (e.g. one-button-HOTP- 711 token-V1) 713 o (OPTIONAL), the issue number in case of smart cards with 714 the same PAN, equivalent to a PSN (PAN Sequence Number). 716 o (OPTIONAL), the identifier that can be used to 717 bind keys to the device or class of device. When loading keys 718 into a device, this identifier can be checked against information 719 obtained from the device to ensure that the correct device or 720 class of device is being used. 722 o (OPTIONAL), the start date of a device (such as the 723 one on a payment card, used when issue numbers are not printed on 724 cards). MUST be expressed in UTC form, with no time zone 725 component. Implementations SHOULD NOT rely on time resolution 726 finer than milliseconds and MUST NOT generate time instants that 727 specify leap seconds. 729 o (OPTIONAL), the expiry date of a device (such as the 730 one on a payment card, used when issue numbers are not printed on 731 cards). MUST be expressed in UTC form, with no time zone 732 component. Implementations SHOULD NOT rely on time resolution 733 finer than milliseconds and MUST NOT generate time instants that 734 specify leap seconds. 736 o (OPTIONAL), is the extension point for this entity. 737 All extensions are grouped under this element and will be of type 738 pskc:ExtensionType, which contains an optional attribute 739 'defintion' that can have a URI pointing at the defintion of the 740 extension. In this way groups of extension can be bundled under a 741 subelement. For example: 743 744 blah 745 blahblah 746 747 749 5.4. Key 751 The Key represents the key entity in the KeyContainer. The Key is 752 defined as follows: 754 755 756 758 760 762 764 766 768 770 772 774 776 779 780 782 784 786 788 The attributes of the Key entity have the following meanings: 790 o KeyId (MANDATORY), a unique and global identifier of the symmetric 791 key. The identifier is defined as a string of alphanumeric 792 characters. This identifier SHOULD be valid globally and outside 793 of the instance document of the container. 795 o KeyAlgorithm (MANDATORY), the unique URI of the type of algorithm 796 to use with the secret key, for profiles are described in 797 Section 6.3 799 o KeyProperties (OPTIONAL), the references to the unique id of the 800 KeyProperties whose value the instance of this key inherits. If 801 this value is set implementation MUST lookup the Keyproperties 802 element referred to by this unique Id and this instance of key 803 will inherit all values from the KeyProperties. Values held in 804 the key instance MUST take precedence over values inherited from 805 KeyProperties."/> 807 The elements of the Key entity have the following meanings: 809 o (OPTIONAL), The key issuer name, this is normally the 810 name of the organization that issues the key to the end user of 811 the key. For example MyBank issuing hardware tokens to their 812 retail banking users 'MyBank' would be the issuer. The Issuer is 813 defined as a String. 815 o (OPTIONAL), defines the intended usage of the key and 816 related metadata as defined in Section 5.4.2 818 o (OPTIONAL), A unique identifier used between the 819 sending and receiving party of the container to establish a set of 820 key attribute values, common to one or more keys, that are not 821 transmitted witin the container but agreed between sending and 822 receiving party of the container out of band. This Id will then 823 represent the unique reference to a a set of attribute values. 824 For example a smart card application personalisation profile id 825 related to attributes present on a smart card application that 826 have influence when computing a response. An example would be 827 that a sending and receiving party agree on a set of values 828 related to the EMV MasterCard CAP [CAP] algorithm that application 829 on a card personalised with data for a specific batch of cards 830 such as: 832 IAF Internet authentication flag 834 CVN Cryptogram version number, for example (MCHIP2, MCHIP4, 835 VISA 13, VISA14) 837 AIP (Application Interchange Profile), 2 bytes 839 CVR The card verification result 841 IIPB 843 So sending and reciving party would agree thet KeyProfileId '1' 844 would represent a cetain set of values (e.g. IAF="80"). When 845 sending keys these values would not be transmitted as key 846 attributes but only referred to via the KeyProfileId element set 847 to the specific agreed profile (in this case '1'). WHen the 848 receiving party receives the keys it can then associate all 849 relevant key attributes contained in the out of band agreed 850 profile with the imported keys. Often this methodology is used 851 between between the manufacturing and the validation service to 852 avoid transmission of mainly the same set of values. The 853 KeyProfileId is defined as a String. 855 o (OPTIONAL), The unique reference to an external 856 master key when key derivation schemes are used and no specific 857 key is transported but only the reference to the master key used 858 to derive a specific key and some derivation data (e.g. the 859 PKCS#11 key label in an HSM). 861 o (OPTIONAL), The user friendly name that is assigned 862 to the secret key for easy reference. The FriendlyName is defined 863 as a String. 865 o (OPTIONAL), the element carrying the data related to the 866 key as defined in Section 5.4.1 868 o (OPTIONAL), the policy of the PIN relating to the 869 usage of this key as defined in Section 5.4.4 871 o (OPTIONAL), the start date of the key, it MUST not be 872 possible to use this key before this date. MUST be expressed in 873 UTC form, with no time zone component. Implementations SHOULD NOT 874 rely on time resolution finer than milliseconds and MUST NOT 875 generate time instants that specify leap seconds. 877 o (OPTIONAL), the expiry date of the key, it MUST not 878 be possible to use this key after this date. MUST be expressed in 879 UTC form, with no time zone component. Implementations SHOULD NOT 880 rely on time resolution finer than milliseconds and MUST NOT 881 generate time instants that specify leap seconds. 883 o (OPTIONAL), identifies the user account (e.g. username or 884 user id) to which the key is assigned. The value MUST be a string 885 representation of a Distinguished Name as defined in [RFC4514]. 886 For example "UID=jsmith,DC=example,DC=net". In systems where 887 unique user Ids are used the string representation 888 'UID=[uniqueId]' SHOULD be used. 890 o (OPTIONAL), is the extension point for this entity. 891 All extensions are grouped under this element and will be of type 892 pskc:ExtensionType, which contains an optional attribute 893 'defintion' that can have a URI pointing at the defintion of the 894 extension. In this way groups of extension can be bundled under a 895 subelement. For example: 897 898 blah 899 blahblah 900 901 903 5.4.1. KeyData 905 Defines an extensible set of data elements relating to a key 906 including the key value itself (secret). After considerable 907 discussions in forums and at IETF the authors needed a mean to convey 908 data related to a key in an extensible form. A name-value pair 909 approach would be extensible for future new data fields but it lacks 910 support of typing. Hence the current apporach is to have within 911 KeyData a set of elements that have both typing and can be encrypted. 913 Regarding to the encryption, the requirements were that the data 914 elements could be simply encrypted. The XML encryption is adopted in 915 consideration of open standards and broad existing implementations. 916 In this document, a simplified profile of XML encryption is used that 917 only encrypts data value rather than XML elements. xenc: 918 EncryptedDataType is leveraged to carry encrypted data. This 919 simplified usage doesn't need to involve any XML canonicalization 920 among others. 922 All elements within hence obey a simple structure in that they 923 MUST have: 925 a choice between: 927 A element that is typed to the specific type (e.g. 928 xs:integer) 930 An element that is of type xenc:EncryptedDataType 931 where the value of the specific element is placed in case it is 932 encrypted 934 an optional element that is populated with a MAC generated 935 from the unencrypted value in case the encryption algorithm does not 936 support integrity checks 938 For example the pskc:intDataType is defined as follows: 940 941 942 943 945 947 948 950 951 953 The following typed base types have been defined within the current 954 schema of the PSKC spec with the naming convention DataType 955 (e.g. intDataType) to be able to cater transmission of key data 956 elements: 958 pskc:intDataType - to carry data elements of type integer, 959 PlainValue sub element is of type xs:integer. When encrypted the 960 binary value MUST be 4 bytes unsigned integer in big endian (i.e. 961 network byte order) form 963 pskc:longDataType - to carry data elements of type long, 964 PlainValue sub element is of type xs:long. When encrypted the 965 binary value MUST be 8 bytes unsigned integer in big endian (i.e. 966 network byte order) form 968 pskc:binaryDataType - to carry data elements of type binary, 969 PlainValue sub element is of type xs:Base64Binary 971 pskc:stringDataType - to carry data elements of type string, 972 PlainValue sub element is of type xs:string. When encrypted the 973 binary value MUST UTF-8 encoded string in binary form 975 Therefore the KeyData element is defined as follows and contains sub 976 elements to convey the values required by algorithms considered 977 during the definition of this specification: 979 980 981 983 985 987 989 991 993 994 996 The elements of the Data element have the following meanings: 998 o (OPTIONAL), the value of the key itself in binary. 1000 o (OPTIONAL), the event counter for event based OTP 1001 algorithms. 1003 o (OPTIONAL), the time for time based OTP algorithms. (If 1004 time interval is used, this element carries the number of time 1005 intervals passed from a specific start point, normally algorithm 1006 dependent) 1008 o (OPTIONAL), the time interval value for time based 1009 OTP algorithms. 1011 o (OPTIONAL), the device clock drift value for time 1012 based OTP algorithms. The value indicates number of seconds that 1013 the device clock may drift each day. 1015 o the extension point for carrying future elements. 1016 Please note that all elements added MUST carry PlainValue and 1017 EncryptedValue sub eleemnts as described above. 1019 5.4.2. Usage 1021 The Usage element defines the usage attribute(s) of the key entity. 1022 Usage is defined as follows: 1024 1025 1026 1027 1028 1031 1033 1035 1037 1038 1039 1040 1041 1044 1046 1048 1049 1050 1053 1054 1056 1058 1060 1062 1064 1065 1067 The attributes of the Usage element define the intended usage of the 1068 key. This list of attributes is extensible for future needs. They 1069 are a combination of one or more of the following (set to true): 1071 o OTP, the key will be used for OTP generation 1073 o CR, the key will be used for Challenge/Response purposes 1075 o Encrypt, the key will be used for data encryption purposes 1077 o Integrity, the key will be used to generate a keyed message digest 1078 for data integrity or authentication purposes. 1080 o Unlock, the key will be used for an inverse challenge response in 1081 the case a user has locked the device by entering a wrong PIN too 1082 many times (for devices with PIN-input capability) 1084 The (OPTIONAL) element, is the extension point for the 1085 Usage entity. All extensions are grouped under this element and will 1086 be of type pskc:ExtensionType, which contains an optional attribute 1087 'defintion' that can have a URI pointing at the defintion of the 1088 extension. In this way groups of extension can be bundled under a 1089 subelement. For example: 1091 1092 blah 1093 blahblah 1094 1095 1097 5.4.2.1. OTP and CR specific Usage elements 1099 When the intended usage of a key usage is OTP and/or CR, the 1100 following additional elements MUST be provided within the Usage 1101 element to support the OTP and/or the response computation as 1102 required by the underlying algorithm. These elements also allow 1103 customizing or configuring the result of the computation (e.g. 1104 format, length). 1106 5.4.2.1.1. ChallengeFormat element (OPTIONAL) 1108 The ChallengeFormat element defines the characteristics of the 1109 challenge in a CR usage scenario. The Challenge element is defined 1110 by the following attributes: 1112 o Format (MANDATORY), defines the format of the challenge accepted 1113 by the device and MUST be one of the values defined in 1114 Section 5.4.3 1116 o CheckDigit (OPTIONAL), defines if the device needs to check the 1117 appended Luhn check digit, as defined in [LUHN], contained in a 1118 provided challenge. This is only valid if the Format attribute is 1119 'DECIMAL'. Value MUST be: 1121 TRUE device will check the appended Luhn check digit in a 1122 provided challenge 1124 FALSE device will not check appended Luhn check digit in 1125 challenge 1127 o Min (MANDATORY), defines the minimum size of the challenge 1128 accepted by the device for CR mode. If the Format attribute is 1129 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates 1130 the minimum number of digits/characters. If the Format attribute 1131 is 'BASE64' or 'BINARY', this value indicates the minimum number 1132 of bytes of the unencoded value. Value MUST be Unsigned integer. 1134 o Max (MANDATORY), defines the maximum size of the challenge 1135 accepted by the device for CR mode. If the Format attribute is 1136 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates 1137 the maximum number of digits/characters. If the Format attribute 1138 is 'BASE64' or 'BINARY', this value indicates the maximum number 1139 of bytes of the unencoded value. Value MUST be Unsigned integer. 1141 5.4.2.1.2. ResponseFormat element (MANDATORY) 1143 The ResponseFormat element defines the characteristics of the result 1144 of a computation. This defines the format of the OTP or of the 1145 response to a challenge. For cases where the key is a PIN value, 1146 this element contains the format of the PIN itself (e.g. DECIMAL, 1147 length 4 for a 4 digit PIN). The Response attribute is defined by 1148 the following attributes: 1150 o Format (MANDATORY), defines the format of the response generated 1151 by the device and MUST be one of the values defined in 1152 Section 5.4.3 1154 o CheckDigit (OPTIONAL), defines if the device needs to append a 1155 Luhn check digit,as defined in [LUHN], to the response. This is 1156 only valid if the Format attribute is 'DECIMAL'. Value MUST be: 1158 TRUE device will append a Luhn check digit to the response. 1160 FALSE device will not append a Luhn check digit to the 1161 response. 1163 o Length (MANDATORY), defines the length of the response generated 1164 by the device. If the Format attribute is 'DECIMAL', 1165 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of 1166 digits/characters. If the Format attribute is 'BASE64' or 1167 'BINARY', this value indicates the number of bytes of the 1168 unencoded value. Value MUST be Unsigned integer. 1170 5.4.3. ValueFormat 1172 The ValueFormat element defines allowed formats for challenges or 1173 responses in OTP algorithms. 1175 ValueFormat is defined as follows: 1177 1178 1179 1180 1181 1182 1183 1184 1185 1187 DECIMAL, Only numerical digits 1189 HEXADECIMAL, Hexadecimal response 1191 ALPHANUMERIC, All letters and numbers (case sensitive) 1193 BASE64, Base 64 encoded 1195 BINARY, Binary data, this is mainly used in case of connected 1196 devices 1198 5.4.4. PINPolicy 1200 The PINPolicy element provides an extensible mean to define how the 1201 usage of a specific key is protected by a PIN. The PIN itself can be 1202 transmitted as a key using the container. 1204 If the PINPolicy element is present in the Key element then the key 1205 is protected with a PIN as defined within the PINPolicy element. The 1206 PINPolicy element also has an extension point defined as xs:any to 1207 allow future extensibility 1209 PINPolicy is defined as follows: 1211 1212 1213 1214 1216 1218 1220 1222 1225 1226 1227 1229 The attributes of PINPolicy have the following meaning 1231 o PINKeyId (OPTIONAL), the unique key Id of the key held within this 1232 container that contains the value of the PIN that protects the key 1234 The elements of PINPolicy have the following meaning 1236 o (MANDATORY) , the way the PIN is used during the 1237 usage of the key as defined in Section 5.4.4.1 1239 o (OPTIONAL), the maximum number of times the 1240 PIN can be entered wrongly before it MUST not be possible to use 1241 the key anymore. If PinUsageMode is 'Local' the device MUST 1242 enforce this value, otherwise it MUST be enforced by the 1243 validation server. 1245 o (OPTIONAL), the minimum lenght of a PIN that can be 1246 set to protect this key. It MUST not be possible to set a PIN 1247 shorter than this value. If the Format element is 'DECIMAL', 1248 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of 1249 digits/characters. If the Format attribute is 'BASE64' or 1250 'BINARY', this value indicates the number of bytes of the 1251 unencoded value. If PinUsageMode is 'Local' the device MUST 1252 enforce this value, otherwise it MUST be enforced by the 1253 validation server. 1255 o (OPTIONAL), the maximum lenght of a PIN that can be 1256 set to protect this key. It MUST not be possible to set a PIN 1257 longer than this value. If the Format element is 'DECIMAL', 1258 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of 1259 digits/characters. If the Format attribute is 'BASE64' or 1260 'BINARY', this value indicates the number of bytes of the 1261 unencoded value. If PinUsageMode is 'Local' the device MUST 1262 enforce this value, otherwise it MUST be enforced by the 1263 validation server. 1265 o (OPTIONAL), defines the format of the PIN and MUST be one 1266 of the values defined in Section 5.4.3. If PinUsageMode is 1267 'Local' the device MUST enforce that the entered value is of this 1268 format, otherwise it MUST be enforced by the validation server. 1270 o (OPTIONAL) element, is the extension point for the 1271 entity. All extensions are grouped under this element and will be 1272 of type pskc:ExtensionType, which contains an optional attribute 1273 'defintion' that can have a URI pointing at the defintion of the 1274 extension. In this way groups of extension can be bundled under a 1275 subelement. For example: 1277 1278 blah 1279 blahblah 1280 1281 1283 5.4.4.1. PINUsageMode 1285 The PINUsageMode element defines how the PIN is used with a specific 1286 key. The PINUsageMode element also has an extension point defined as 1287 xs:any to allow future extensibility 1289 PINUsageMode is defined as follows: 1291 1292 1293 1294 1295 1296 1297 1299 1300 1302 The elements of PINPolicy have the following meaning 1303 o , the PIN is checked locally on the device before allowing 1304 the key to be used in executing the algorithm 1306 o , the PIN is prepended to the OTP or response hence it 1307 MUST be checked by the validation server 1309 o , the PIN is appended to the OTP or response hence it MUST 1310 be checked by the validation server 1312 o , the PIN is used as part of the algorithm 1313 computation 1315 6. Usage and profile of algorithms for the portable symmetric key 1316 container 1318 This section details the use of the XML encryption and XML signature 1319 elements to protect the keys transported in the container. It also 1320 profiles the number of algorithms supported by XML encryption and XML 1321 signature to a mandatory subset for interoperability. 1323 When no algorithm is provided the values within the container are 1324 unencrypted, implementations SHALL ensure the privacy of the key data 1325 through other standard mechanisms e.g. transport level encryption. 1327 6.1. Usage of EncryptionKey to protect keys in transit 1329 The EncryptionKey element in the KeyContainer defines the key, 1330 algorithm and parameters used to encrypt the Secret Key data 1331 attributes in the Container. The standard schema [XMLENC] is adopted 1332 in carry such information and an encrypted value. The encryption is 1333 applied on each individual Secret Key data in the Container. The 1334 encryption method MUST be the same for all Secret Key data in the 1335 container. 1337 The following sections define specifically the different supported 1338 means to protect the keys: 1340 6.1.1. Protecting keys using a pre-shared key via symmetric algorithms 1342 When protecting the payload with pre-shared keys implementations 1343 SHOULD set the name of the specific pre-shared key in the KeyName 1344 element of the EncryptionKey of the KeyContainer. For example: 1346 1350 1351 PRE_SHARED_KEY 1352 1353 .... 1355 The following is the list of symmetric key encryption algorithm and 1356 possible parameters used to protect the Secret Key data in the 1357 container. Systems implementing PSKC MUST support the MANDATORY 1358 algorithms detailed below. 1360 The encryption algorithm URI can be one of the following. This isn't 1361 an exhausted list. The other future OPTIONAL encryption algorithms 1362 MAY be used. 1364 o http://www.w3.org/2001/04/xmlenc#aes128-cbc - MANDATORY 1366 o http://www.w3.org/2001/04/xmlenc#aes192-cbc - OPTIONAL 1368 o http://www.w3.org/2001/04/xmlenc#aes256-cbc - OPTIONAL 1370 o http://www.w3.org/2001/04/xmlenc#tripledes-cbc - OPTIONAL 1372 o http://www.w3.org/2001/04/xmldsig-more#camellia128 - OPTIONAL 1374 o http://www.w3.org/2001/04/xmldsig-more#camellia192 - OPTIONAL 1376 o http://www.w3.org/2001/04/xmldsig-more#camellia256 - OPTIONAL 1378 o http://www.w3.org/2001/04/xmlenc#kw-aes128 - OPTIONAL 1380 o http://www.w3.org/2001/04/xmlenc#kw-aes192 - OPTIONAL 1382 o http://www.w3.org/2001/04/xmlenc#kw-aes256 - OPTIONAL 1384 o http://www.w3.org/2001/04/xmlenc#kw-tripledes - OPTIONAL 1386 o http://www.w3.org/2001/04/xmldsig-more#kw-camellia128 - OPTIONAL 1388 o http://www.w3.org/2001/04/xmldsig-more#kw-camellia192 - OPTIONAL 1390 o http://www.w3.org/2001/04/xmldsig-more#kw-camellia256 - OPTIONAL 1392 When algorithms without integrity checks are used (e.g. 1393 http://www.w3.org/2001/04/xmlenc#aes128-cbc) a keyed MAC value using 1394 the same key as the key encryption key SHOULD be placed in the 1395 ValueMAC element of the Data element. In this case the MAC algorithm 1396 type MUST be set in the MACAlgorithm element in the key container 1397 entity as defined in Section 5.1. Implementations of PSKC MUST 1398 support the MANDATORY MAC algorithms detailed below. The 1399 MACAlgorithm URI can be one of the following: 1401 o http://www.w3.org/2000/09/xmldsig#hmac-sha1 - MANDATORY 1403 o http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 - OPTIONAL 1405 o http://www.w3.org/2001/04/xmldsig-more#hmac-sha384 - OPTIONAL 1407 o http://www.w3.org/2001/04/xmldsig-more#hmac-sha512 - OPTIONAL 1409 For example: 1411 1415 1416 PRE_SHARED_KEY 1417 1418 http://www.w3.org/2000/09/xmldsig#hmac-sha1 1419 1420 ..... 1422 6.1.2. Protecting keys using passphrase based key encryption keys 1424 To be able to support passphrase based key encryption keys as defined 1425 in PKCS#5 the following XML representation of the PBE relates 1426 parameters have been introduced in the schema. Although the approach 1427 is extensible implementations of PSKC MUST support the PKCS#5 1428 recommended PBKDF2 and PBES2. Differing from the PKCS#5 XML schema 1429 definition, the PBKDF2 and PBES2 are specified in two separate 1430 elements in a . Considering that the same key 1431 encryption key is used to encrypt all data in a container, the 1432 PBKDF2 is specified in a newly defined subelement of the 1433 . The PBES2 is specified by the algorithm attribute 1434 of EncryptionMethod in the encrypted data elements with the URI 1435 http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2. 1437 In the following, we introduce a newly defined type . 1438 It is used to carry passphrase based key derivation information. An 1439 instance of the type MUST be included in the EncryptionKey to 1440 indicate the passphrase identifier and key derivation. This type is 1441 defined as follows. 1443 1444 1445 1447 1449 1450 1451 1452 1453 1455 1456 1457 1458 1459 1461 1463 1465 The attributes of the DerivedKey have the following meanings: 1467 o xml:id (OPTIONAL), the unique ID for this key 1469 o Type (OPTIONAL), This attribute was included for conformance with 1470 xml encryption, it is an optional attribute identifying type 1471 information about the plaintext form of the encrypted content. 1472 Please see [XMLENC] section 3.1 Type for more details. 1474 The elements of the DerivedKey have the following meanings: 1476 o (OPTIONAL): friendly name of the key 1478 o : define how key encryption key is derived. 1479 Its algorithm attribute is used to indicate the key derivation 1480 method. When PBKDF2 is used, the URI 1481 http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2 MUST 1482 be used. The extensible content of the element can 1483 include any other informations associated with the given 1484 algorithm. When PBKDF2 is used, it MUST include a subelement 1485 to indicate the PBKDF2 parameters such as 1486 salt and iteration count values.. 1488 o (OPTIONAL): a list of IDs of the elements that 1489 have been encrypted by this key 1491 When PBES2 is used for encryption, its URL 1492 http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2 MUST be 1493 specified as the algorithm attribute of , and 1494 its related parameters such as underlying encryption scheme and 1495 associated parameters such as initialization vector MUST be included 1496 set in a subelement included in . The EncryptionScheme is defined as follows. 1499 1501 When PKCS#5 password based encryption is used, the EncryptionKey and 1502 EncryptionMethod MUST be used in exactly the form as shown below. 1504 1505 1513 1514 1515 Passphrase1 1516 1519 1520 1521 Df3dRAhjGh8= 1522 1523 2000 1524 16 1525 1526 1527 1528 1529 1530 1531 1532 1533 .... 1534 1535 ... 1536 1538 1539 1542 1544 1545 1546 1547 rf4dx3rvEPO0vKtKL14NbeVu8nk= 1548 1549 1550 1551 1552 1553 1555 6.2. Protecting keys using asymmetric algorithms 1557 The following is the list of asymmetric key encryption algorithm and 1558 possible parameters used to protect the Secret Key data in the 1559 container. Systems implementing PSKC MUST support the MANDATORY 1560 algorithms detailed below. The encryption algorithm URI can be one 1561 of the following. 1563 o http://www.w3.org/2001/04/xmlenc#rsa-1_5 - MANDATORY 1565 o http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p - OPTIONAL 1567 For example: 1569 1571 1575 1576 1577 miib 1578 1579 1580 1581 1582 Manufacturer 1583 0755225266 1584 1585 1588 AnIssuer 1589 1590 1592 1593 1594 1595 1596 1598 1599 rf4dx3rvEPO0vKtKL14NbeVu8nk= 1600 1601 1602 1603 1604 1605 0 1606 1607 1608 1609 1610 1612 6.3. Profile of Key Algorithm 1614 This section profiles the type(s) of algorithm of that can be used by 1615 the key(s) transported in the container. The following algorithm 1616 URIs are among the default support list. 1618 o http://www.w3.org/2001/04/xmlenc#tripledes-cbc 1620 o http://www.w3.org/2001/04/xmlenc#aes128-cbc 1622 o http://www.w3.org/2001/04/xmlenc#aes192-cbc 1624 o http://www.w3.org/2001/04/xmlenc#aes256-cbc 1626 o http://www.ietf.org/keyprov/pskc#hotp 1628 o http://www.ietf.org/keyprov/pskc#pin 1630 6.3.1. OTP Key Algorithm Identifiers 1632 OTP key algorithm URIs have not been defined in a commonly available 1633 standard specification. This document requests from IANA the 1634 creation of a registry (see Section 8.4) and defines URIs for the 1635 standard OTP algorithms in Section 8.4.4. 1637 6.3.2. PIN key value compare algorithm identifier 1639 PIN key algorithm URIs have not been defined in a commonly available 1640 standard specification. This document defines the following URIs for 1641 a straight value comparison of the transported secret key data as 1642 when required to compare a PIN. 1644 Identifier: http://www.ietf.org/keyprov/pskc#pin 1646 Note that the actual URL will be finalized once a URL for this 1647 document is determined. 1649 7. Formal Syntax 1651 The following syntax specification uses the widely adopted XML schema 1652 format as defined by a W3C recommendation 1653 (http://www.w3.org/TR/xmlschema-0/). It is a complete syntax 1654 definition in the XML Schema Definition format (XSD) 1656 All implementations of this standard must comply with the schema 1657 below. 1659 1660 1667 1671 1674 1676 1677 1678 1680 1682 1685 1687 1689 1692 1693 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1706 1708 1710 1712 1714 1716 1718 1720 1723 1724 1725 1728 1729 1730 1731 1733 1735 1737 1739 1741 1743 1745 1747 1749 1751 1754 1755 1757 1760 1762 1763 1764 1765 1768 1771 1774 1777 1780 1782 1783 1784 1785 1786 1787 1789 1791 1792 1794 1795 1796 1797 1798 1799 1801 1803 1804 1806 1807 1808 1809 1810 1811 1813 1815 1816 1818 1819 1820 1821 1822 1823 1825 1827 1828 1830 1831 1832 1833 1834 1836 1837 1839 1840 1841 1842 1843 1844 1845 1847 1848 1850 1851 1852 1853 1855 1857 1859 1861 1863 1866 1867 1869 1870 1871 1872 1873 1874 1875 1876 1879 1880 1881 1882 1883 1884 1885 1887 1889 1891 1893 1895 1898 1899 1900 1901 1902 1904 1906 1908 1911 1912 1913 1914 1915 1916 1917 1919 1921 1923 1925 1926 1927 1928 1929 1931 1933 1935 1937 1938 1941 1942 1943 1944 1946 1948 1950 1951 1952 1953 1954 1956 1957 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1973 1974 1976 1977 1978 8. IANA Considerations 1980 8.1. Content-type registration for 'application/pskc+xml' 1982 This specification requests the registration of a new MIME type 1983 according to the procedures of RFC 4288 [RFC4288] and guidelines in 1984 RFC 3023 [RFC3023]. 1986 MIME media type name: application 1988 MIME subtype name: pskc+xml 1990 Mandatory parameters: none 1992 Optional parameters: charset 1994 Indicates the character encoding of enclosed XML. 1996 Encoding considerations: Uses XML, which can employ 8-bit 1997 characters, depending on the character encoding used. See RFC 1998 3023 [RFC3023], Section 3.2. 2000 Security considerations: This content type is designed to carry PSKC 2001 protocol payloads. 2003 Interoperability considerations: None 2005 Published specification: RFCXXXX [NOTE TO IANA/RFC-EDITOR: Please 2006 replace XXXX with the RFC number of this specification.] 2008 Applications which use this media type: This MIME type is being used 2009 as a symmetric key container format for transport and provisioning 2010 of symmetric keys (One Time Password (OTP) shared secrets or 2011 symmetric cryptographic keys) to different types of strong 2012 authentication devices. As such, it is used for key provisioning 2013 systems. 2015 Additional information: 2017 Magic Number: None 2019 File Extension: .pskcxml 2021 Macintosh file type code: 'TEXT' 2023 Personal and email address for further information: Philip Hoyer, 2024 Philip.Hoyer@actividentity.com 2026 Intended usage: LIMITED USE 2028 Author: This specification is a work item of the IETF KEYPROV 2029 working group, with mailing list address . 2031 Change controller: The IESG 2033 8.2. XML Schema Registration 2035 This section registers an XML schema as per the guidelines in 2036 [RFC3688]. 2038 URI: urn:ietf:params:xml:ns:keyprov:pskc:1.0 2040 Registrant Contact: IETF KEYPROV Working Group, Philip Hoyer 2041 (Philip.Hoyer@actividentity.com). 2043 XML Schema: The XML schema to be registered is contained in 2044 Section 7. Its first line is 2046 2048 and its last line is 2050 2052 8.3. URN Sub-Namespace Registration for 2053 urn:ietf:params:xml:ns:keyprov:pskc:1.0 2055 This section registers a new XML namespace, 2056 "urn:ietf:params:xml:ns:keyprov:pskc:1.0", per the guidelines in 2057 [RFC3688]. 2059 URI: urn:ietf:params:xml:ns:keyprov:pskc:1.0 2061 Registrant Contact: IETF KEYPROV Working Group, Philip Hoyer 2062 (Philip.Hoyer@actividentity.com). 2064 XML: 2066 BEGIN 2067 2068 2070 2071 2072 2074 PSKC Namespace 2075 2076 2077

Namespace for PSKC

2078

urn:ietf:params:xml:ns:keyprov:pskc:1.0

2079

See RFCXXXX 2080 [NOTE TO IANA/RFC-EDITOR: 2081 Please replace XXXX with the RFC number of this 2082 specification.].

2083 2084 2085 END 2087 8.4. Symmetric Key Algorithm Identifier Registry 2089 This specification requests the creation of a new IANA registry for 2090 symmetric key cryptographic algorithm identifiers in accordance with 2091 the principles set out in RFC 5226 [RFC5226]as follows: 2093 8.4.1. Applicability 2095 The use of URIs as algorithm identifiers provides an effectively 2096 unlimited namespace. While this eliminates the possibility of 2097 namespace exhaustion it creates a new concern, that divergent 2098 identifiers will be employed for the same purpose in different 2099 contexts. 2101 The key algorithm registry is intended to provide a means of 2102 specifying the canonical identifier to be used for a given algorithm. 2103 If an algorithm has an identifier specified in the registry an 2104 application that is conformant to a protocol specification that 2105 specifies use of that registry to define identifiers SHOULD always 2106 use that particular form of the identifier when originating data. A 2107 conformant application MAY accept other identifiers in data that is 2108 received. 2110 For the sake of expediency, the initial registry only defines 2111 algorithm classes for symmetric algorithms plus cryptographic message 2112 digest functions (one-way hash). While the same principles may be 2113 extended to asymmetric algorithms, doing so would require much 2114 greater consideration of issues such as key length and treatment of 2115 parameters, particularly where elliptic curve cryptography algorithms 2116 are concerned. 2118 As part of this registry the IANA will maintain the following 2119 information: 2121 Common Name The name by which the algorithm is generally referred. 2123 Class The type of algorithm, encryption, Message Authentication Code 2124 (MAC), One Time Password (OTP), Digest, etc. 2126 Canonical URI The canonical URI to be used to identify the 2127 algorithm. 2129 Algorithm Definition A reference to the document in which the 2130 algorithm described by the identifier is defined. 2132 Identifier Definition A reference to the document in which the use 2133 of the identifier to refer to the algorithm is described. This 2134 would ideally be the document in which the algorithm is defined. 2136 In the case where the registrant does not request a particular 2137 URI, the IANA will assign it a Uniform Resource Name (URN) that 2138 follows RFC 3553 [RFC3553]. 2140 Note that where a single algorithm has different forms distinguished 2141 by parameters such as key length, the algorithm class and each 2142 combination of algorithm parameters may be considered a distinct 2143 algorithm for the purpose of assigning identifiers. 2145 8.4.2. Registerable Algorithms 2147 8.4.2.1. Assigned URIs 2149 If the registrant wishes to have a URI assigned, then a URN of the 2150 form 2152 urn:ietf:params:xml:: 2154 will be assigned where is the type of the algorithm being 2155 identified (see below). is a unique id specified by the party 2156 making the request and will normally be either the common name of the 2157 algorithm or an abbreviation thereof. 2159 NOTE: in order for a URN of this type to be assigned, the item being 2160 registered MUST have been through the IETF consensus process. 2161 Basically, this means that it must be documented in a RFC. 2163 NOTE: Expert Review is sufficient in cases where the request does not 2164 require a URN assignment in the IETF namespace. IETF consensus is 2165 not required. 2167 8.4.2.2. Assigned Classes 2169 Each algorithm MUST belong to an assigned algorithm class. In the 2170 case that additional classes are required these are to be specified 2171 by IETF Consensus action. 2173 The initial assigned classes are: 2175 Digest A cryptographic Digest algorithm. 2177 MAC A Message Authentication Code algorithm. 2179 Symmetric A symmetric encryption algorithm. 2181 OTP A one time password (OTP) algorithm. 2183 8.4.3. Registration Procedures 2185 8.4.3.1. Review 2187 Algorithm identifier registrations are to be subject to Expert Review 2188 as per RFC 5226 [RFC5226]. 2190 The need for supporting documentation for the registration depends on 2191 the nature of the request. In the case of a cryptographic algorithm 2192 that is being described for publication as an RFC, the request for a 2193 URI allocation would normally appear within the RFC itself. In the 2194 case of a cryptographic algorithm that is fully and comprehensively 2195 defined in another form, it would not be necessary to duplicate the 2196 information for the sake of issuing the information in the RFC 2197 series. In other cases an RFC may be required in order to ensure 2198 that certain algorithm parameters are sufficiently and unambiguously 2199 defined. 2201 The scope of such expert review is to be strictly limited to 2202 identifying possible ambiguity and/or duplication of existing 2203 identifiers. The expert review MUST NOT consider the cryptographic 2204 properties, intellectual property considerations or any other factor 2205 not related to the use of the identifier. 2207 In reviewing a request, the expert should consider whether other URI 2208 identifiers are already defined for a given algorithm. In such cases 2209 it is the duty of the expert to bring the potential duplication to 2210 the notice of the proposers of the registration and the Security Area 2211 Directors. If the proposers are not willing to accept registration 2212 of the existing identifier the IETF Consensus policy is to apply. 2214 In reviewing a request, the expert should consider whether the 2215 algorithm is sufficiently defined to allow successful interoperation. 2216 In particular the expert should consider whether issues such as key 2217 sizes and byte order are sufficiently defined to allow for 2218 interoperation. 2220 While the definition requirement MAY be satisfed by a comprehensive 2221 specification of the algorithm, disclosure of the algorithm is not 2222 mandatory. 2224 8.4.3.2. Canonical URI 2226 Until the IANA requests or implements an automated process for the 2227 registration of these elements, any specifications must make that 2228 request part of the IANA considerations section of their respective 2229 documents. That request must be in the form of the following 2230 template: 2232 Common Name The name by which the algorithm is generally referred. 2234 Class The type of algorithm, encryption, Message Authentication Code 2235 (MAC), One Time Password (OTP), Digest, etc. As specified by a 2236 defined algorithm class. 2238 URI The canonical URI to be used to identify the algorithm. 2240 Algorithm Definition A reference to the document in which the 2241 algorithm described by the identifier is defined. 2243 Identifier Definition A reference to the document in which the use 2244 of the identifier to refer to the algorithm is described. This 2245 would ideally be the document in which the algorithm is defined. 2247 Registrant Contact A reference to the document in which the use of 2248 the identifier to refer to the algorithm is described. This would 2249 ideally be the document in which the algorithm is defined. 2251 8.4.3.3. Alias URI 2253 In the case that multiple identifiers have been assigned to the same 2254 identifiers, additional identifiers MAY be registered as aliases. An 2255 entry for an alias contains all the entries for a canonical URI with 2256 the addition of a reference to the canonical URI to be used: 2258 Alias for URI The canonical URI that identifies the algorithm. The 2259 URI referenced MUST be a canonical URI. 2261 In the case of dispute as to which URI is to be considered canonical 2262 the matter is to be settled by IESG action. 2264 8.4.4. Initial Values 2266 The following initial values are defined. Note that these values are 2267 limited to identifiers that are required by KEYPROV but not specified 2268 elsewhere: 2270 8.4.4.1. HOTP 2272 Common Name: HOTP 2274 Class: OTP 2276 URI: http://www.ietf.org/keyprov/pskc#hotp 2278 Algorithm Definition: http://www.ietf.org/rfc/rfc4226.txt 2280 Identifier Definition: (this RFC) 2282 Registrant Contact: IESG 2284 Profile of XML attributes and subelements of the entity: 2286 For a of this algorithm, the subelements MUST be 2287 present. The "OTP" attribute of the MUST be set "true" 2288 and it MUST be the only attribute set. The element 2289 of the MUST be used to indicate the OTP 2290 length and the value format. 2292 For the elements of a of this algorithm, the 2293 following subelements MUST be present in either the element 2294 itself or an commonly shared element. 2296 * Counter 2298 The following additional constraints apply: 2300 - The value of the element MUST contain key material 2301 with a lengthy of at least 16 octets (128 bits) if it is 2302 present. 2304 - The element MUST have the 'Format' attribute 2305 set to "DECIMAL", and the 'Length' attribute MUST be between 6 2306 and 9. 2308 - The element MAY be present but the child 2309 element of the element cannot be set to 2310 "Algorithmic". 2312 An example of a of this algorithm is as follows. 2314 2315 2317 2318 2319 TokenVendorAcme 2320 987654321 2321 2322 2324 Issuer 2325 2326 2327 2328 2329 2330 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2331 2332 2333 0 2334 2335 2336 2337 2338 2340 8.4.4.2. OCRA (OATH Chellenge Response Algorithm) 2342 Common Name: OCRA 2344 Class: OTP 2346 URI: http://www.ietf.org/keyprov/pskc#OCRA-1:(ocra_suite_parameters) 2347 - e.g. 2348 http://www.ietf.org/keyprov/pskc#OCRA-1:HOTP-SHA512-8:C-QN08 2350 Algorithm Definition: http://www.ietf.org/internet-drafts/ 2351 draft-mraihi-mutual-oath-hotp-variants-07.txt 2353 Identifier Definition (this RFC) 2355 Registrant Contact: IESG 2357 Profile of XML attributes and subelements of the entity: 2359 For a of this algorithm, the subelements MUST be 2360 present. The "CR" attribute of the MUST be set "true" and 2361 it MUST be the only attribute set. The element 2362 and of the MUST be present. 2364 For the elements of a of this algorithm, the 2365 following subelements MUST be present in either the element 2366 itself or an commonly shared element. 2368 * Counter 2370 * Time 2372 If the element is present, the following elements MUST be 2373 also present. 2375 * TimeInterval 2377 The following additional constraints apply: 2379 - The value of the element MUST contain key material 2380 with a lengthy of at least 16 octets (128 bits) if it is 2381 present. 2383 - The element MUST have the 'Format' attribute 2384 set to "DECIMAL", and the 'Length' attribute MUST be between 6 2385 and 9. 2387 - The element MAY be present but the child 2388 element of the element cannot be set to 2389 "Algorithmic". 2391 An example of a of this algorithm is as follows. 2393 2394 2396 2397 2398 TokenVendorAcme 2399 987654322 2400 2401 2404 Issuer 2405 2406 2407 2408 2409 2410 2411 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2412 2413 2414 0 2415 2416 2417 2418 2419 2421 8.4.4.3. TOTP (OATH Time based OTP) 2423 Common Name: TOTP 2425 Class: OTP 2427 URI: http://www.ietf.org/keyprov/pskc#totp 2429 Algorithm Definition: http://www.ietf.org/internet-drafts/ 2430 draft-mraihi-totp-timebased-00.txt 2432 Identifier Definition (this RFC) 2434 Registrant Contact: IESG 2436 Profile of XML attributes and subelements of the entity: 2438 For a of this algorithm, the subelements MUST be 2439 present. The "OTP" attribute of the MUST be set "true" 2440 and it MUST be the only attribute set. The element 2441 of the MUST be used to indicate the OTP 2442 length and the value format. 2444 For the elements of a of this algorithm, the 2445 following subelements MUST be present in either the element 2446 itself or an commonly shared element. 2448 * Time 2450 * TimeInterval 2452 The following additional constraints apply: 2454 - The value of the element MUST contain key material 2455 with a lengthy of at least 16 octets (128 bits) if it is 2456 present. 2458 - The element MUST have the 'Format' attribute 2459 set to "DECIMAL", and the 'Length' attribute MUST be between 6 2460 and 9. 2462 - The element MAY be present but the child 2463 element of the element cannot be set to 2464 "Algorithmic". 2466 An example of a of this algorithm is as follows. 2468 2469 2471 2472 2473 TokenVendorAcme 2474 987654323 2475 2476 2478 Issuer 2479 2480 2481 2482 2483 2484 2485 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2486 2487 2488 2489 0 2490 2491 2492 30 2493 2494 2495 4 2496 2497 2498 2499 2500 2502 8.4.4.4. KEYPROV-PIN 2504 Common Name: KEYPROV-PIN 2506 Class: Symmetric static credential comparison 2508 URI: http://www.ietf.org/keyprov/pskc#pin 2510 Algorithm Definition: (this document) 2512 Identifier Definition (this document) 2513 Registrant Contact: IESG 2515 Profile of XML attributes and subelements of the entity: 2517 For a of this algorithm, the subelements MAY be 2518 present. No attribute of the is required. The element 2519 MAY be used to indicate the PIN value format. 2521 The elements of a of this algorithm MUST include 2522 . A key of this type is usually paired with another key 2523 where the PIN may be used together, for example, a HOTP key. 2525 See the example in section Section 11.2 2527 8.4.4.5. SecurID-AES 2529 Common Name: SecurID-AES 2531 Class: OTP 2533 URI: http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/ 2534 otps-wst#SecurID-AES 2536 Algorithm Definition: http://www.rsa.com/rsalabs/node.asp?id=2821 2538 Identifier Definition: http://www.rsa.com/rsalabs/node.asp?id=2821 2540 Registrant Contact: Andrea Doherty, RSA the Security Division of 2541 EMC, 2543 Profile of XML attributes and subelements of the entity: 2545 For a of this algorithm, the , , and 2546 sub-elements MUST be present. The "OTP" attribute of 2547 MUST be set to "true" and it MUST be the only attribute 2548 set. The sub-element of MUST be used to 2549 indicate the OTP length and the value format. 2551 The following additional constraints apply: 2553 - The value of the element MUST contain key material 2554 with a lengthy of at least 16 octets (128 bits) if it is 2555 present. 2557 - The element MUST have the 'Format' attribute 2558 set to "DECIMAL", and the 'Length' attribute MUST be set to a 2559 minimum value of 6. 2561 - The and elements MUST be of type 2562 . 2564 - The element MAY be present but the child 2565 element of the element cannot be set to 2566 "Algorithmic". 2568 An example of a of this algorithm is as follows. 2570 2571 2574 2575 RSA, The Security Division of EMC 2576 123456798 2577 2578 2582 Issuer 2583 2585 2586 2006-04-14T00:00:00Z 2587 2010-09-30T00:00:00Z 2588 2589 2590 2592 8.4.4.6. SecurID-AES-Counter 2594 Common Name: SecurID-AES-Counter 2596 Class: OTP 2598 URI: http://www.rsa.com/names/2008/04/algorithms/SecurID/ 2599 SecurID-AES128-Counter 2601 Algorithm Definition: http://www.rsa.com/names/2008/04/algorithms/ 2602 SecurID/SecurID-AES128-Counter 2604 Identifier Definition http://www.rsa.com/names/2008/04/algorithms/ 2605 SecurID/SecurID-AES128-Counter 2607 Registrant Contact: Andrea Doherty, RSA the Security Division of 2608 EMC, 2610 Profile of XML attributes and subelements of the entity: 2612 For a of this algorithm, the , , and 2613 sub-elements MUST be present. The "OTP" attribute of 2614 MUST be set to "true" and it MUST be the only attribute 2615 set. The sub-element of MUST be used to 2616 indicate the OTP length and the value format. 2618 For the Data elements of a of this algorithm, the following 2619 subelements MUST be present in either the element itself or 2620 an commonly shared element. 2622 * Counter 2624 The following additional constraints apply: 2626 - The value of the element MUST contain key material 2627 with a lengthy of at least 16 octets (128 bits) if it is 2628 present. 2630 - The element MUST have the 'Format' attribute 2631 set to "DECIMAL", and the 'Length' attribute MUST be set to a 2632 minimum value of 6. 2634 - The and elements MUST be of type 2635 . 2637 - The element MAY be present but the child 2638 element of the element cannot be set to 2639 "Algorithmic". 2641 An example of a of this algorithm is as follows. 2643 2644 2647 2648 RSA, The Security Division of EMC 2649 123456798 2650 2651 2655 Issuer 2656 2658 2659 2006-04-14T00:00:00Z 2660 2010-09-30T00:00:00Z 2661 2662 2663 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2664 2665 2666 2667 0 2668 2669 2670 2671 2672 2674 8.4.4.7. SecurID-ALGOR 2676 Common Name: SecurID-ALGOR 2678 Class: OTP 2680 URI: http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/ 2681 otps-wst#SecurID-ALGOR 2683 Algorithm Definition: http://www.rsa.com/rsalabs/node.asp?id=2821 2685 Identifier Definition: http://www.rsa.com/rsalabs/node.asp?id=2821 2687 Registrant Contact: Andrea Doherty, RSA the Security Division of 2688 EMC, 2690 Profile of XML attributes and subelements of the entity: 2692 For a of this algorithm, the , , and 2693 sub-elements MUST be present. The "OTP" attribute of 2694 MUST be set to "true" and it MUST be the only attribute 2695 set. The sub-element of MUST be used to 2696 indicate the OTP length and the value format. 2698 The following additional constraints apply: 2700 - The value of the element MUST contain key material 2701 with a lengthy of at least 8 octets (64 bits) if it is present. 2703 - The element MUST have the 'Format' attribute 2704 set to "DECIMAL", and the 'Length' attribute MUST be set to a 2705 value of 6 through 8. 2707 - The and elements MUST be of type 2708 . 2710 - The element MAY be present but the child 2711 element of the element cannot be set to 2712 "Algorithmic". 2714 An example of a of this algorithm is as follows. 2716 2717 2720 2721 RSA, The Security Division of EMC 2722 123456798 2723 2724 2727 Issuer 2728 2730 2731 2006-04-14T00:00:00Z 2732 2010-09-30T00:00:00Z 2733 2734 2735 2737 8.4.4.8. ActivIdentity-3DES 2739 Common Name: ActivIdentity-3DES 2741 Class: OTP 2743 URI: http://www.actividentity.com/2008/04/algorithms/ 2744 algorithms#ActivIdentity-3DES 2746 Algorithm Definition: http://www.actividentity.com/2008/04/ 2747 algorithms/algorithms#ActivIdentity-3DES 2749 Identifier Definition http://www.actividentity.com/2008/04/ 2750 algorithms/algorithms#ActivIdentity-3DES 2752 Registrant Contact: Philip Hoyer, ActivIdentity Inc, 2753 2755 Profile of XML attributes and subelements of the entity: 2757 For a of this algorithm, the subelements MUST be 2758 present. This algorithm can be used for otp, challenge response, 2759 parameter based MACing (integrity) and to generate a device unlock 2760 code (n case of devices where there is local PIN management and 2761 the devce has been locked after a specific amount of wrong PIN 2762 entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock" 2763 attribute of the can be set to "true", but at least one of 2764 the above MUST be set to true. The element of 2765 the MUST be used to indicate the OTP length, the value 2766 format and optionally if a check digit is being used. If the use 2767 is challenge-response then the of the 2768 MUST be used to indicate the challenge minimum and maximum length, 2769 its format and optionally if a check digit is being used. 2771 For the elements of a of this algorithm, the 2772 following subelements MUST be present in either the element 2773 itself or an commonly shared element. 2775 * Secret 2777 * Counter 2779 * Time 2781 * TimeInterval 2783 The following additional constraints apply: 2785 - The value of the element MUST contain key material 2786 with a length of at least 16 octets (Double DES keys 128 bits 2787 including parity) if it is present. 2789 - The element MUST have the 'Format' attribute 2790 set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute 2791 MUST be between 6 and 16. 2793 - The element MUST have the 'Format' 2794 attribute set to "DECIMAL", and the 'Min' and 'Max' attributes 2795 be between 4 and 16 (The Min attribute MUST be equal or less 2796 than the Max). 2798 - The element MAY be present but the child 2799 element of the element cannot be set to 2800 "Algorithmic". 2802 An example of a Key of this algorithm is as follows. 2804 2805 2807 2808 2809 ActivIdentity 2810 34567890 2811 2812 2815 Issuer 2816 2817 2818 2819 2820 2821 2822 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2823 2824 2825 2826 0 2827 2828 2829 0 2830 2831 2832 32 2833 2834 2835 0 2836 2837 2838 2839 2840 2842 8.4.4.9. ActivIdentity-AES 2844 Common Name: ActivIdentity-AES 2846 Class: OTP 2848 URI: http://www.actividentity.com/2008/04/algorithms/ 2849 algorithms#ActivIdentity-AES 2851 Algorithm Definition: http://www.actividentity.com/2008/04/ 2852 algorithms/algorithms#ActivIdentity-AES 2854 Identifier Definition http://www.actividentity.com/2008/04/ 2855 algorithms/algorithms#ActivIdentity-AES 2857 Registrant Contact: Philip Hoyer, ActivIdentity Inc, 2858 2860 Profile of XML attributes and subelements of the entity: 2862 For a of this algorithm, the subelements MUST be 2863 present. This algorithm can be used for otp, challenge response, 2864 parameter based MACing (integrity) and to generate a device unlock 2865 code (n case of devices where there is local PIN management and 2866 the devce has been locked after a specific amount of wrong PIN 2867 entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock" 2868 attribute of the can be set to "true", but at least one of 2869 the above MUST be set to true. The element of 2870 the MUST be used to indicate the OTP length, the value 2871 format and optionally if a check digit is being used. If the use 2872 is challenge-response then the of the 2873 MUST be used to indicate the challenge minimum and maximum length, 2874 its format and optionally if a check digit is being used. 2876 For the elements of a key of this algorithm, the following 2877 subelements MUST be present in either the element itself or 2878 an commonly shared element. 2880 * Secret 2882 * Counter 2884 * Time 2886 * TimeInterval 2888 The following additional constraints apply: 2890 - The value of the element MUST contain key material 2891 with a length of at least 16 octets (128 bits) if it is 2892 present. 2894 - The element MUST have the 'Format' attribute 2895 set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute 2896 MUST be between 6 and 16. 2898 - The element MUST have the 'Format' 2899 attribute set to "DECIMAL", and the 'Min' and 'Max' attributes 2900 be between 4 and 16 (The Min attribute MUST be equal or less 2901 than the Max). 2903 - The element MAY be present but the child 2904 element of the element cannot be set to 2905 "Algorithmic". 2907 An example of a of this algorithm is as follows. 2909 2910 2912 2913 2914 ActivIdentity 2915 34567890 2916 2917 2920 Issuer 2921 2922 2923 2924 2925 2926 2927 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2928 2929 2930 2931 0 2932 2933 2934 0 2935 2936 2937 32 2938 2939 2940 0 2941 2942 2943 2944 2945 2947 8.4.4.10. ActivIdentity-DES 2949 Common Name: ActivIdentity-DES 2951 Class: OTP 2953 URI: http://www.actividentity.com/2008/04/algorithms/ 2954 algorithms#ActivIdentity-DES 2956 Algorithm Definition: http://www.actividentity.com/2008/04/ 2957 algorithms/algorithms#ActivIdentity-DES 2959 Identifier Definition http://www.actividentity.com/2008/04/ 2960 algorithms/algorithms#ActivIdentity-DES 2962 Registrant Contact: Philip Hoyer, ActivIdentity Inc, 2963 2965 Profile of XML attributes and subelements of the entity: 2967 For a of this algorithm, the subelements MUST be 2968 present. This algorithm can be used for otp, challenge response, 2969 parameter based MACing (integrity) and to generate a device unlock 2970 code (n case of devices where there is local PIN management and 2971 the devce has been locked after a specific amount of wrong PIN 2972 entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock" 2973 attribute of the can be set to "true", but at least one of 2974 the above MUST be set to true. The element of 2975 the MUST be used to indicate the OTP length, the value 2976 format and optionally if a check digit is being used. If the use 2977 is challenge-response then the of the 2978 MUST be used to indicate the challenge minimum and maximum length, 2979 its format and optionally if a check digit is being used. 2981 For the elements of a key of this algorithm, the following 2982 subelements MUST be present in either the element itself or 2983 an commonly shared element. 2985 * Counter 2987 * Time 2989 * TimeInterval 2991 The following additional constraints apply: 2993 - The value of the element MUST contain key material 2994 with a length of at least 8 octets (56 bits + parity) if it is 2995 present. 2997 - The element MUST have the 'Format' attribute 2998 set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute 2999 MUST be between 6 and 16. 3001 - The element MUST have the 'Format' 3002 attribute set to "DECIMAL", and the 'Min' and 'Max' attributes 3003 be between 4 and 16 (The Min attribute MUST be equal or less 3004 than the Max). 3006 - The element MAY be present but the child 3007 element of the element cannot be set to 3008 "Algorithmic". 3010 An example of a of this algorithm is as follows. 3012 3013 3015 3016 3017 ActivIdentity 3018 34567890 3019 3020 3023 Issuer 3024 3025 3026 3027 3028 3029 3030 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 3031 3032 3033 3034 0 3035 3036 3037 0 3038 3039 3040 32 3041 3042 3043 0 3044 3045 3046 3047 3048 3050 8.4.4.11. ActivIdentity-EVENT 3052 Common Name: ActivIdentity-EVENT 3054 Class: OTP 3056 URI: http://www.actividentity.com/2008/04/algorithms/ 3057 algorithms#ActivIdentity-EVENT 3059 Algorithm Definition: http://www.actividentity.com/2008/04/ 3060 algorithms/algorithms#ActivIdentity-EVENT 3062 Identifier Definition http://www.actividentity.com/2008/04/ 3063 algorithms/algorithms#ActivIdentity-EVENT 3065 Registrant Contact: Philip Hoyer, ActivIdentity Inc, 3066 3068 Profile of XML attributes and subelements of the entity: 3070 For a of this algorithm, the subelements MUST be 3071 present. This algorithm can be used for otp, challenge response, 3072 parameter based MACing (integrity) and to generate a device unlock 3073 code (n case of devices where there is local PIN management and 3074 the device has been locked after a specific amount of wrong PIN 3075 entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock" 3076 attribute of the can be set to "true", but at least one of 3077 the above MUST be set to true. The element of 3078 the MUST be used to indicate the OTP length, the value 3079 format and optionally if a check digit is being used. If the use 3080 is challenge-response then the of the 3081 MUST be used to indicate the challenge minimum and maximum length, 3082 its format and optionally if a check digit is being used. 3084 For the elements of a key of this algorithm, the following 3085 subelements MUST be present in either the element itself or 3086 an commonly shared element. 3088 * Counter 3090 The following additional constraints apply: 3092 - The value of the element MUST contain key material 3093 with a length of at least 8 octets (56 bits + parity) if it is 3094 present. 3096 - The element MUST have the 'Format' attribute 3097 set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute 3098 MUST be between 6 and 16. 3100 - The element MAY be present but the child 3101 element of the element cannot be set to 3102 "Algorithmic". 3104 An example of a of this algorithm is as follows. 3106 3107 3109 3110 3111 ActivIdentity 3112 34567890 3113 3114 3117 Issuer 3118 3119 3120 3121 3122 3123 3124 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 3125 3126 3127 3128 0 3129 3130 3131 3132 3133 3135 9. Security Considerations 3137 The portable key container carries sensitive information (e.g., 3138 cryptographic keys) and may be transported across the boundaries of 3139 one secure perimeter to another. For example, a container residing 3140 within the secure perimeter of a back-end provisioning server in a 3141 secure room may be transported across the internet to an end-user 3142 device attached to a personal computer. This means that special care 3143 must be taken to ensure the confidentiality, integrity, and 3144 authenticity of the information contained within. 3146 9.1. Payload confidentiality 3148 By design, the container allows two main approaches to guaranteeing 3149 the confidentiality of the information it contains while transported. 3151 First, the container key data payload may be encrypted. 3153 In this case no transport layer security is required. However, 3154 standard security best practices apply when selecting the strength of 3155 the cryptographic algorithm for payload encryption. Symmetric 3156 cryptographic cipher should be used - the longer the cryptographic 3157 key, the stronger the protection. At the time of this writing both 3158 3DES and AES are mandatory algorithms but 3DES may be dropped in the 3159 relatively near future. Applications concerned with algorithm 3160 longevity are advised to use AES-256-CBC. In cases where the 3161 exchange of key encryption keys between the sender and the receiver 3162 is not possible, asymmetric encryption of the secret key payload may 3163 be employed. Similarly to symmetric key cryptography, the stronger 3164 the asymmetric key, the more secure the protection is. 3166 If the payload is encrypted with a method that uses one of the 3167 password-based encryption methods provided above, the payload may be 3168 subjected to password dictionary attacks to break the encryption 3169 password and recover the information. Standard security best 3170 practices for selection of strong encryption passwords apply 3171 [Schneier]. 3173 Practical implementations should use PBESalt and PBEIterationCount 3174 when PBE encryption is used. Different PBESalt value per key 3175 container should be used for best protection. 3177 The second approach to protecting the confidentiality of the payload 3178 is based on using transport layer security. The secure channel 3179 established between the source secure perimeter (the provisioning 3180 server from the example above) and the target perimeter (the device 3181 attached to the end-user computer) utilizes encryption to transport 3182 the messages that travel across. No payload encryption is required 3183 in this mode. Secure channels that encrypt and digest each message 3184 provide an extra measure of security, especially when the signature 3185 of the payload does not encompass the entire payload. 3187 Because of the fact that the plain text payload is protected only by 3188 the transport layer security, practical implementation must ensure 3189 protection against man-in-the-middle attacks [Schneier]. Validating 3190 the secure channel end-points is critically important for eliminating 3191 intruders that may compromise the confidentiality of the payload. 3193 9.2. Payload integrity 3195 The portable symmetric key container provides a mean to guarantee the 3196 integrity of the information it contains through digital signatures. 3197 For best security practices, the digital signature of the container 3198 should encompass the entire payload. This provides assurances for 3199 the integrity of all attributes. It also allows verification of the 3200 integrity of a given payload even after the container is delivered 3201 through the communication channel to the target perimeter and channel 3202 message integrity check is no longer possible. 3204 9.3. Payload authenticity 3206 The digital signature of the payload is the primary way of showing 3207 its authenticity. The recipient of the container may use the public 3208 key associated with the signature to assert the authenticity of the 3209 sender by tracing it back to a preloaded public key or certificate. 3210 Note that the digital signature of the payload can be checked even 3211 after the container has been delivered through the secure channel of 3212 communication. 3214 A weaker payload authenticity guarantee may be provided by the 3215 transport layer if it is configured to digest each message it 3216 transports. However, no authenticity verification is possible once 3217 the container is delivered at the recipient end. This approach may 3218 be useful in cases where the digital signature of the container does 3219 not encompass the entire payload. 3221 10. Acknowledgements 3223 The authors of this draft would like to thank the following people 3224 for their contributions and support to make this a better 3225 specification: Apostol Vassilev, Shuh Chang, Jon Martinson, Siddhart 3226 Bajaj, Stu Veath, Kevin Lewis, Philip Hallam-Baker, Hannes 3227 Tschofenig, Andrea Doherty, Magnus Nystrom, Tim Moses, Anders 3228 Rundgren, Sean Turner and especially Robert Philpott. 3230 11. Appendix A - Example Symmetric Key Containers 3232 All examples are syntactically correct and compatible with the XML 3233 schema in section 7. The examples will be revised as the test 3234 vectors for implementation interoperability verification. Two of the 3235 examples below carry some sample test inputs. 3237 11.1. Symmetric Key Container with a single Non-Encrypted HOTP Secret 3238 Key 3240 Assume the following test data: 3242 OTP Secret Key Hex Value (20 bytes): 3243 0x3132333435363738393031323334353637383930 3245 Sample KeyContainer: 3247 3248 3250 3251 3252 TokenVendorAcme 3253 987654321 3254 3255 3257 Issuer 3258 3259 3260 3261 2006-04-14T00:00:00Z 3262 2010-09-30T00:00:00Z 3263 3264 3265 3266 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 3267 3268 3269 3270 0 3271 3272 3273 3274 3275 3277 11.2. Symmetric Key Container with a single PIN protected Non-Encrypted 3278 HOTP Secret Key 3280 3281 3283 3284 3285 TokenVendorAcme 3286 0755225266 3287 3288 3290 AnIssuer 3291 3292 3293 3294 3295 3296 3297 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 3298 3299 3300 3301 0 3302 3303 3304 3305 3306 3307 3308 3309 3310 3312 3313 3314 3315 3316 3317 3318 MTIzNA== 3319 3320 3321 3322 3323 3324 3326 11.3. Symmetric Key Container with a single AES-128-CBC Encrypted HOTP 3327 Secret Key and non-encrypted counter value 3329 Assume the following test data: 3331 OTP Secret Key Hex Value (20 bytes): 3332 0x3132333435363738393031323334353637383930 3334 AES Key Hex Value (16 bytes): 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b 3336 The MAC key is the same as the AES encryption key. 3338 The sample KeyContainer: 3340 3341 3345 3346 PRE_SHARED_KEY 3347 3348 http://www.w3.org/2000/09/xmldsig#hmac-sha1 3349 3350 3351 3352 TokenVendorAcme 3353 0755225266 3354 3355 3357 AnIssuer 3358 3359 3360 3361 3362 3363 3364 3366 3367 xxxxxxxxxxxxxxxxxxxxxx 3368 3369 3370 3371 xxxxxxxxxxxxxxxxxxxxxx 3372 3373 3374 0 3375 3376 3377 3378 3379 3381 11.4. Symmetric Key Container with signature and a single Password- 3382 based Encrypted HOTP Secret Key 3384 3385 3392 3393 3394 Passphrase1 3395 3398 3399 3400 P1ciQdGbrI0= 3401 3402 2000 3403 16 3404 3405 3406 3407 3408 3409 3410 3411 3412 3413 3414 TokenVendorAcme 3415 0755225266 3416 3417 3419 AnIssuer 3420 3421 3422 3423 3424 3425 3426 3429 3431 3432 3433 3434 rf4dx3rvEPO0vKtKL14NbeVu8nk= 3435 3436 3437 3438 3439 3440 0 3441 3442 3443 3444 3445 3446 3447 3449 3451 3452 3454 j6lwx3rvEPO0vKtMup4NbeVu8nk= 3455 3456 3457 3458 j6lwx3rvEPO0vKtMup4NbeVu8nk= 3459 3460 3461 3462 3463 CN=KeyProvisioningUs.com,C=US 3464 3465 12345678 3466 3467 3468 3469 3470 3471 3473 11.5. Symmetric Key Container with a single RSA 1.5 Encrypted HOTP 3474 Secret Key 3476 3477 3481 3482 3483 miib 3484 3485 3486 3487 3488 TokenVendorAcme 3489 0755225266 3490 3491 3493 AnIssuer 3494 3495 3496 3497 3498 3499 3500 3502 3503 rf4dx3rvEPO0vKtKL14NbeVu8nk= 3504 3505 3506 3507 3508 3509 0 3510 3511 3512 3513 3514 3516 11.6. Symmetric Key Container with a single AES-128-CBC Encrypted OCRA 3517 Secret Key and non-encrypted counter value 3519 3520 3524 3525 Pre-shared-key 3526 3527 3528 http://www.w3.org/2000/09/xmldsig#hmac-sha1 3529 3530 3531 3532 TokenVendorAcme 3533 987654321 3534 3535 3538 Issuer 3539 3540 3542 3544 3545 3546 3547 3548 3550 3551 3552 gVc5jCsntSD1rhIgwWxmWNvEIkpTgn0E6+OH5mDPAok= 3553 3554 3555 3556 JIOeKMISfMTy7og7Saq0CZrLdfE= 3557 3558 3559 0 3560 3561 3562 3563 3564 3566 11.7. Symmetric Key Container with a single AES-256-CBC Encrypted TOTP 3567 Secret Key and non-encrypted time values 3569 3570 3574 3575 PRE_SHARED_KEY 3576 3577 http://www.w3.org/2000/09/xmldsig#hmac-sha1 3578 3579 3580 3581 TokenVendorAcme 3582 0755225266 3583 3584 3587 AnIssuer 3588 3589 3590 3591 3592 3593 3594 3596 3597 3598 gVc5jCsntSD1rhIgwWxmWNvEIkpTgn0E6+OH5mDPAok= 3599 3600 3601 3602 JIOeKMISfMTy7og7Saq0CZrLdfE= 3603 3604 3605 0 3606 3607 3608 30 3609 3610 3611 4 3612 3613 3614 3615 3616 3618 11.8. Symmetric Key Container with two devices containing a Non- 3619 Encrypted HOTP Secret Key each sharing common KeyProperties 3621 3622 3624 3626 Issuer 3627 3628 3630 3631 3632 3633 0 3634 3635 3636 3637 3638 3639 TokenVendorAcme 3640 987654321 3641 3642 3644 3645 3646 3647 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 3648 3649 3650 3651 3652 3653 3654 3655 TokenVendorAcme 3656 987654322 3657 3658 3660 3661 3662 3663 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 3664 3666 3667 3668 3669 3670 3672 12. References 3674 12.1. Normative References 3676 [LUHN] Luhn, H., "Luhn algorithm", US Patent 2950048, 3677 August 1960, . 3680 [PKCS1] Kaliski, B., "PKCS #1: RSA Cryptography Specifications 3681 Version 2.0.", RFC 2437, October 1998. 3683 [PKCS5] RSA Laboratories, "PKCS #5: Password-Based Cryptography 3684 Standard", Version 2.0, 3685 URL: http://www.rsasecurity.com/rsalabs/pkcs/, March 1999. 3687 [RFC2119] "Key words for use in RFCs to Indicate Requirement 3688 Levels", BCP 14, RFC 2119, March 1997. 3690 [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media 3691 Types", RFC 3023, January 2001. 3693 [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An 3694 IETF URN Sub-namespace for Registered Protocol 3695 Parameters", BCP 73, RFC 3553, June 2003. 3697 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 3698 January 2004. 3700 [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and 3701 Registration Procedures", BCP 13, RFC 4288, December 2005. 3703 [RFC4514] Zeilenga, K., "Lightweight Directory Access Protocol 3704 (LDAP): String Representation of Distinguished Names", 3705 RFC 4514, June 2006. 3707 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 3708 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 3709 May 2008. 3711 [XMLDSIG] Eastlake, D., "XML-Signature Syntax and Processing", 3712 URL: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/, 3713 W3C Recommendation, February 2002. 3715 [XMLENC] Eastlake, D., "XML Encryption Syntax and Processing.", 3716 URL: http://www.w3.org/TR/xmlenc-core/, 3717 W3C Recommendation, December 2002. 3719 12.2. Informative References 3721 [AlgorithmURIs] 3722 Eastlake, D., "Additional XML Security Uniform Resource 3723 Identifiers", RFC 4051, April 2005. 3725 [CAP] MasterCard International, "Chip Authentication Program 3726 Functional Architecture", September 2004. 3728 [DSKPP] Doherty, A., Pei, M., Machani, S., and M. Nystrom, 3729 "Dynamic Symmetric Key Provisioning Protocol", Internet 3730 Draft Informational, URL: http://www.ietf.org/ 3731 internet-drafts/draft-ietf-keyprov-dskpp-05.txt, 3732 February 2008. 3734 [HOTP] MRaihi, D., Bellare, M., Hoornaert, F., Naccache, D., and 3735 O. Ranen, "HOTP: An HMAC-Based One Time Password 3736 Algorithm", RFC 4226, December 2005. 3738 [NIST-SP800-57] 3739 National Institute of Standards and Technology, 3740 "Recommendation for Key Management - Part I: General 3741 (Revised)", NIST 800-57, URL: http://csrc.nist.gov/ 3742 publications/nistpubs/800-57/ 3743 sp800-57-Part1-revised2_Mar08-2007.pdf, March 2007. 3745 [OATH] "Initiative for Open AuTHentication", 3746 URL: http://www.openauthentication.org. 3748 [OCRA] MRaihi, D., Rydell, J., Naccache, D., Machani, S., and S. 3749 Bajaj, "OCRA: OATH Challenge Response Algorithm", Internet 3750 Draft Informational, URL: http://www.ietf.org/ 3751 internet-drafts/ 3752 draft-mraihi-mutual-oath-hotp-variants-06.txt, 3753 December 2007. 3755 [PKCS12] RSA Laboratories, "PKCS #12: Personal Information Exchange 3756 Syntax Standard", Version 1.0, 3757 URL: http://www.rsasecurity.com/rsalabs/pkcs/. 3759 [Schneier] 3760 Schneier, B., "Secrets and Lies: Digitial Security in a 3761 Networked World", Wiley Computer Publishing, ISBN 0-8493- 3762 8253-7, 2000. 3764 Authors' Addresses 3766 Philip Hoyer 3767 ActivIdentity, Inc. 3768 117 Waterloo Road 3769 London, SE1 8UL 3770 UK 3772 Phone: +44 (0) 20 7744 6455 3773 Email: Philip.Hoyer@actividentity.com 3775 Mingliang Pei 3776 VeriSign, Inc. 3777 487 E. Middlefield Road 3778 Mountain View, CA 94043 3779 USA 3781 Phone: +1 650 426 5173 3782 Email: mpei@verisign.com 3784 Salah Machani 3785 Diversinet, Inc. 3786 2225 Sheppard Avenue East 3787 Suite 1801 3788 Toronto, Ontario M2J 5C2 3789 Canada 3791 Phone: +1 416 756 2324 Ext. 321 3792 Email: smachani@diversinet.com 3794 Full Copyright Statement 3796 Copyright (C) The IETF Trust (2008). 3798 This document is subject to the rights, licenses and restrictions 3799 contained in BCP 78, and except as set forth therein, the authors 3800 retain all their rights. 3802 This document and the information contained herein are provided on an 3803 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 3804 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 3805 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 3806 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 3807 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 3808 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 3810 Intellectual Property 3812 The IETF takes no position regarding the validity or scope of any 3813 Intellectual Property Rights or other rights that might be claimed to 3814 pertain to the implementation or use of the technology described in 3815 this document or the extent to which any license under such rights 3816 might or might not be available; nor does it represent that it has 3817 made any independent effort to identify any such rights. Information 3818 on the procedures with respect to rights in RFC documents can be 3819 found in BCP 78 and BCP 79. 3821 Copies of IPR disclosures made to the IETF Secretariat and any 3822 assurances of licenses to be made available, or the result of an 3823 attempt made to obtain a general license or permission for the use of 3824 such proprietary rights by implementers or users of this 3825 specification can be obtained from the IETF on-line IPR repository at 3826 http://www.ietf.org/ipr. 3828 The IETF invites any interested party to bring to its attention any 3829 copyrights, patents or patent applications, or other proprietary 3830 rights that may cover technology that may be required to implement 3831 this standard. Please address the information to the IETF at 3832 ietf-ipr@ietf.org.