idnits 2.17.1 

draft-ietf-keyprov-pskc-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Sep 2009 rather than the newer Notice from 28 Dec 2009.  (See
     https://trustee.ietf.org/license-info/)


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).
     
     Found 'SHOULD not' in this paragraph:
     
     Deprecated:  TRUE if based on expert approval this entry has been
     deprecated and SHOULD not be used in any new implementations. Otherwise
     FALSE.

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).
     
     Found 'SHOULD not' in this paragraph:
     
     Deprecated:  TRUE if based on expert approval this entry has been
     deprecated and SHOULD not be used in any new implementations. Otherwise
     FALSE.

  -- The document date (June 28, 2010) is 5049 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-04) exists of
     draft-housley-aes-key-wrap-with-pad-02

  ** Downref: Normative reference to an Informational draft:
     draft-housley-aes-key-wrap-with-pad (ref. 'AESKWPAD')

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS197'

  ** Downref: Normative reference to an Informational RFC: RFC 4226 (ref.
     'HOTP')

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IANAPENREG'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISOIEC7812'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'OATHMAN'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'PKCS5'

  ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303)

  ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838)

  ** Obsolete normative reference: RFC 4646 (Obsoleted by RFC 5646)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SP800-67'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLDSIG'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC11'

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

  -- Obsolete informational reference (is this intentional?): RFC 5246 (ref.
     'TLS') (Obsoleted by RFC 8446)


     Summary: 6 errors (**), 0 flaws (~~), 4 warnings (==), 12 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	keyprov                                                         P. Hoyer
3	Internet-Draft                                             ActivIdentity
4	Intended status: Standards Track                                  M. Pei
5	Expires: December 30, 2010                                      VeriSign
6	                                                              S. Machani
7	                                                              Diversinet
8	                                                           June 28, 2010

10	                Portable Symmetric Key Container (PSKC)
11	                       draft-ietf-keyprov-pskc-07

13	Abstract

15	   This document specifies a symmetric key format for transport and
16	   provisioning of symmetric keys to different types of crypto modules.
17	   For example, One Time Password (OTP) shared secrets or symmetric
18	   cryptographic keys to strong authentication devices.  A standard key
19	   transport format enables enterprises to deploy best-of-breed
20	   solutions combining components from different vendors into the same
21	   infrastructure.

23	Status of this Memo

25	   This Internet-Draft is submitted to IETF in full conformance with the
26	   provisions of BCP 78 and BCP 79.

28	   Internet-Drafts are working documents of the Internet Engineering
29	   Task Force (IETF), its areas, and its working groups.  Note that
30	   other groups may also distribute working documents as Internet-
31	   Drafts.

33	   Internet-Drafts are draft documents valid for a maximum of six months
34	   and may be updated, replaced, or obsoleted by other documents at any
35	   time.  It is inappropriate to use Internet-Drafts as reference
36	   material or to cite them other than as "work in progress."

38	   The list of current Internet-Drafts can be accessed at
39	   http://www.ietf.org/ietf/1id-abstracts.txt.

41	   The list of Internet-Draft Shadow Directories can be accessed at
42	   http://www.ietf.org/shadow.html.

44	   This Internet-Draft will expire on December 30, 2010.

46	Copyright Notice

48	   Copyright (c) 2010 IETF Trust and the persons identified as the
49	   document authors.  All rights reserved.

51	   This document is subject to BCP 78 and the IETF Trust's Legal
52	   Provisions Relating to IETF Documents
53	   (http://trustee.ietf.org/license-info) in effect on the date of
54	   publication of this document.  Please review these documents
55	   carefully, as they describe your rights and restrictions with respect
56	   to this document.  Code Components extracted from this document must
57	   include Simplified BSD License text as described in Section 4.e of
58	   the Trust Legal Provisions and are provided without warranty as
59	   described in the BSD License.

61	Table of Contents

63	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
64	     1.1.  Key Words  . . . . . . . . . . . . . . . . . . . . . . . .  4
65	     1.2.  Version Support  . . . . . . . . . . . . . . . . . . . . .  4
66	     1.3.  Namespace Identifiers  . . . . . . . . . . . . . . . . . .  5
67	       1.3.1.  Defined Identifiers  . . . . . . . . . . . . . . . . .  5
68	       1.3.2.  Referenced Identifiers . . . . . . . . . . . . . . . .  5
69	   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  7
70	   3.  Portable Key Container Entities Overview and Relationships . .  8
71	   4.  <KeyContainer> Element: The Basics . . . . . . . . . . . . . . 10
72	     4.1.  <Key>: Embedding Keying Material and Key Related
73	           Information  . . . . . . . . . . . . . . . . . . . . . . . 10
74	     4.2.  Key Value Encoding . . . . . . . . . . . . . . . . . . . . 12
75	       4.2.1.  AES Key Value Encoding . . . . . . . . . . . . . . . . 13
76	       4.2.2.  Triple DES Key Value Encoding  . . . . . . . . . . . . 13
77	     4.3.  Transmission of supplementary Information  . . . . . . . . 14
78	       4.3.1.  <DeviceInfo> Element: Unique Device Identification . . 15
79	       4.3.2.  <CryptoModuleInfo> Element: CryptoModule
80	               Identification . . . . . . . . . . . . . . . . . . . . 16
81	       4.3.3.  <UserId> Element: User Identification  . . . . . . . . 17
82	       4.3.4.  <AlgorithmParameters> Element: Supplementary
83	               Information for OTP and CR Algorithms  . . . . . . . . 17
84	     4.4.  Transmission of Key Derivation Values  . . . . . . . . . . 19
85	   5.  Key Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 21
86	     5.1.  PIN Algorithm definition . . . . . . . . . . . . . . . . . 25
87	   6.  Key Protection Methods . . . . . . . . . . . . . . . . . . . . 26
88	     6.1.  Encryption based on Pre-Shared Keys  . . . . . . . . . . . 26
89	       6.1.1.  MAC Method . . . . . . . . . . . . . . . . . . . . . . 28
90	     6.2.  Encryption based on Passphrase-based Keys  . . . . . . . . 29
91	     6.3.  Encryption based on Asymmetric Keys  . . . . . . . . . . . 32
92	     6.4.  Padding of Encrypted Values for Non-Padded Encryption
93	           Algorithms . . . . . . . . . . . . . . . . . . . . . . . . 33
94	   7.  Digital Signature  . . . . . . . . . . . . . . . . . . . . . . 34
95	   8.  Bulk Provisioning  . . . . . . . . . . . . . . . . . . . . . . 36
96	   9.  Extensibility  . . . . . . . . . . . . . . . . . . . . . . . . 39
97	   10. PSKC Algorithm Profile . . . . . . . . . . . . . . . . . . . . 40
98	     10.1. HOTP . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
99	     10.2. PIN  . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
100	   11. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . . . 42
101	   12. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 49
102	     12.1. Content-type registration for 'application/pskc+xml' . . . 49
103	     12.2. XML Schema Registration  . . . . . . . . . . . . . . . . . 50
104	     12.3. URN Sub-Namespace Registration . . . . . . . . . . . . . . 50
105	     12.4. PSKC Algorithm Profile Registry  . . . . . . . . . . . . . 51
106	     12.5. PSKC Version Registry  . . . . . . . . . . . . . . . . . . 52
107	     12.6. Key Usage Registry . . . . . . . . . . . . . . . . . . . . 52
108	   13. Security Considerations  . . . . . . . . . . . . . . . . . . . 54
109	     13.1. PSKC Confidentiality . . . . . . . . . . . . . . . . . . . 54
110	     13.2. PSKC Integrity . . . . . . . . . . . . . . . . . . . . . . 55
111	     13.3. PSKC Authenticity  . . . . . . . . . . . . . . . . . . . . 55
112	   14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 56
113	   15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 57
114	   16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58
115	     16.1. Normative References . . . . . . . . . . . . . . . . . . . 58
116	     16.2. Informative References . . . . . . . . . . . . . . . . . . 59
117	   Appendix A.  Use Cases . . . . . . . . . . . . . . . . . . . . . . 61
118	     A.1.  Online Use Cases . . . . . . . . . . . . . . . . . . . . . 61
119	       A.1.1.  Transport of keys from Server to Cryptographic
120	               Module . . . . . . . . . . . . . . . . . . . . . . . . 61
121	       A.1.2.  Transport of keys from Cryptographic Module to
122	               Cryptographic Module . . . . . . . . . . . . . . . . . 61
123	       A.1.3.  Transport of keys from Cryptographic Module to
124	               Server . . . . . . . . . . . . . . . . . . . . . . . . 62
125	       A.1.4.  Server to server Bulk import/export of keys  . . . . . 62
126	     A.2.  Offline Use Cases  . . . . . . . . . . . . . . . . . . . . 62
127	       A.2.1.  Server to server Bulk import/export of keys  . . . . . 62
128	   Appendix B.  Requirements  . . . . . . . . . . . . . . . . . . . . 64
129	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 66

131	1.  Introduction

133	   With increasing use of symmetric key based systems, such as
134	   encryption of data at rest, or systems used for strong
135	   authentication, such as those based on one-time-password (OTP) and
136	   challenge response (CR) mechanisms, there is a need for vendor
137	   interoperability and a standard format for importing and exporting
138	   (provisioning) symmetric keys.  For instance, traditionally, vendors
139	   of authentication servers and service providers have used proprietary
140	   formats for importing and exporting these keys into their systems,
141	   thus making it hard to use tokens from two different vendors.

143	   This document defines a standardized XML-based key container, called
144	   Portable Symmetric Key Container (PSKC), for transporting symmetric
145	   keys and key related meta data.  The document also specifies the
146	   information elements that are required when the symmetric key is
147	   utilized for specific purposes, such as the initial counter in the
148	   HMAC-Based One Time Password (HOTP) [HOTP] algorithm.  It also
149	   requests the creation of an IANA registry for algorithm profiles
150	   where algorithms, their meta-data and PSKC transmission profile can
151	   be recorded for centralised standardised reference.

153	1.1.  Key Words

155	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
156	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
157	   document are to be interpreted as described in [RFC2119].

159	1.2.  Version Support

161	   There is a provision made in the syntax for an explicit version
162	   number.  Only version "1.0" is currently specified.

164	   The numbering scheme for PSKC versions is "<major>.<minor>".  The
165	   major and minor numbers MUST be treated as separate integers and each
166	   number MAY be incremented higher than a single digit.  Thus, "PSKC
167	   2.4" would be a lower version than "PSKC 2.13", which in turn would
168	   be lower than "PSKC 12.3".  Leading zeros (e.g., "PSKC 6.01") MUST be
169	   ignored by recipients and MUST NOT be sent.

171	   The major version number should be incremented only if the message
172	   format (E.g.  Element structure) has changed so dramatically that an
173	   older version implementation would not be able to interoperate with a
174	   newer version.  The minor version number indicates new capabilities,
175	   and MUST be ignored by an entity with a smaller minor version number,
176	   but used for informational purposes by the entity with the larger
177	   minor version number.

179	1.3.  Namespace Identifiers

181	   This document uses Uniform Resource Identifiers [RFC3986] to identify
182	   resources, algorithms, and semantics.

184	1.3.1.  Defined Identifiers

186	   The XML namespace [XMLNS] URI for Version 1.0 of PSKC is:

188	   "urn:ietf:params:xml:ns:keyprov:pskc"

190	   References to qualified elements in the PSKC schema defined in this
191	   specification and used in the example use the prefix "pskc" (defined
192	   as xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc") .  It is
193	   RECOMMENDED to use this namespace in implementations.

195	1.3.2.  Referenced Identifiers

197	   The PSKC syntax presented in this document relies on algorithm
198	   identifiers and elements defined in the XML Signature [XMLDSIG]
199	   namespace:

201	   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

203	   References to the XML Signature namespace are represented by the
204	   prefix "ds".

206	   PSKC also relies on algorithm identifiers and elements defined in the
207	   XML Encryption [XMLENC] namespace:

209	   xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"

211	   References to the XML Encryption namespace are represented by the
212	   prefix "xenc".

214	   When protecting keys in transport with passphrase-based keys, PSKC
215	   also relies on the derived key element defined in the XML Encryption
216	   Version 1.1 [XMLENC11] namespace:

218	   xmlns:xenc11="http://www.w3.org/2009/xmlenc11#""

220	   References to the XML Encryption Version 1.1 namespace are
221	   represented by the prefix "xenc11".

223	   When protecting keys in transport with passphrase-based keys, PSKC
224	   also relies on algorithm identifiers and elements defined in the
225	   PKCS#5 [PKCS5] namespace:

227	   xmlns:pkcs5=
228	   "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"

230	   References to the PKCS#5 namespace are represented by the prefix
231	   "pkcs5".

233	2.  Terminology

235	   NOTE: In subsequent sections of the document we highlight
236	   **mandatory** XML elements and attributes.  Optional elements and
237	   attributes are not explicitly indicated, i.e., if it does not say
238	   mandatory it is optional.

240	3.  Portable Key Container Entities Overview and Relationships

242	   The portable key container is based on an XML schema definition and
243	   contains the following main conceptual entities:

245	   1.  KeyContainer entity - representing the container that carries a
246	       number of KeyPackages.  A valid container MUST carry at least 1
247	       KeyPackage.

249	   2.  KeyPackage entity - representing the package of at most one key
250	       and its related provisioning endpoint or current usage endpoint,
251	       such as a physical or virtual device and a specific CryptoModule

253	   3.  DeviceInfo entity - representing the information about the device
254	       and criteria to uniquely identify the device

256	   4.  CryptoModuleInfo entity - representing the information about the
257	       CryptoModule where the keys reside or are provisioned to

259	   5.  Key entity - representing the key transported or provisioned

261	   6.  Data entity - representing a list of meta-data related to the
262	       key, where the element name is the name of the meta-data and its
263	       associated value is either in encrypted form (for example for
264	       Data element <Secret>) or plaintext (for example the Data element
265	       <Counter>)

267	   Figure 1 shows the high-level structure of the PSKC data elements.

269	      -----------------
270	      | KeyContainer  |
271	      |---------------|
272	      | EncryptionKey |
273	      | Signature     |
274	      | ...           |
275	      -----------------
276	              |
277	              |
278	             /|\ 1..n
279	      ----------------        ----------------
280	      | KeyPackage   |    0..1| DeviceInfo   |
281	      |--------------|--------|--------------|
282	      |              |--      | SerialNumber |
283	      ----------------  |     | Manufacturer |
284	              |         |     | ....         |
285	              |         |     ----------------
286	             /|\ 0..1   |
287	      ----------------  |     --------------------
288	      | Key          |  | 0..1| CryptoModuleInfo |
289	      |--------------|   -----|------------------|
290	      | Id           |        | Id               |
291	      | Algorithm    |        |....              |
292	      | UserId       |        --------------------
293	      | Policy       |
294	      | ....         |
295	      ----------------
296	              |
297	              |
298	             /|\ 0..n
299	          --------------------------------------- -  -
300	          |                     |              |
301	      ------------------  ----------------  -------- - -
302	      | Data:Secret    |  | Data:Counter |  | Data:other
303	      |----------------|  |--------------|  |-- - -
304	      | EncryptedValue |  | PlainValue   |
305	      | ValueMAC       |  ----------------
306	      ------------------

308	             Figure 1: PSKC data elements relationship diagram

310	   The following sections describe in detail all the entities and
311	   related XML schema elements and attributes.

313	4.  <KeyContainer> Element: The Basics

315	   In its most basic form, a PSKC document uses the top-level element
316	   <KeyContainer> and a single <KeyPackage> element to carry key
317	   information.

319	   The following example shows such a simple PSKC document.  We will use
320	   it to describe the structure of the <KeyContainer> element and its
321	   child elements.

323	   <?xml version="1.0" encoding="UTF-8"?>
324	   <KeyContainer Version="1.0"
325	       Id="exampleID1"
326	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
327	       <KeyPackage>
328	           <Key Id="12345678"
329	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
330	               <Issuer>Issuer-A</Issuer>
331	               <Data>
332	                   <Secret>
333	                       <PlainValue>MTIzNA==
334	                       </PlainValue>
335	                   </Secret>
336	               </Data>
337	           </Key>
338	       </KeyPackage>
339	   </KeyContainer>

341	                Figure 2: Basic PSKC Key Container Example

343	   The attributes of the <KeyContainer> element have the following
344	   semantics:

346	   'Version:'  The 'Version' attribute is used to identify the version
347	      of the PSKC schema version.  This specification defines the
348	      initial version ("1.0") of the PSKC schema.  This attribute MUST
349	      be included.

351	   'Id:'  The 'Id' attribute carries a unique identifier for the
352	      container.  As such, it helps to identify a specific key container
353	      in cases when multiple containers are embedded in larger xml
354	      documents.

356	4.1.  <Key>: Embedding Keying Material and Key Related Information

358	   The following attributes of the <Key> element MUST be included at a
359	   minimum:

361	   'Id':  This attribute carries a unique identifier for the symmetric
362	      key in the context of key provisioning exchanges between two
363	      parties.  This means that if PSKC is used in multiple interactions
364	      between a sending and receiving party, using different containers
365	      referencing the same keys, the KeyId MUST use the same KeyId
366	      values (e.g. after initial provisioning, if a system wants to
367	      update key meta data values in the other system the KeyId value of
368	      the key where the meta data is to be updates MUST be the same of
369	      the original KeyId value provisioned).  The identifier is defined
370	      as a string of alphanumeric characters.

372	   'Algorithm':  This attribute contains a unique identifier for the
373	      PSKC algorithm profile.  This profile associates specific
374	      semantics to the elements and attributes contained in the <Key>
375	      element.  This document describes profiles for open standards
376	      algorithms in Section 10.  Additional profiles are defined in the
377	      following information draft [PSKC-ALGORITHM-PROFILES].

379	   The <Key> element has a number of optional child elements.  An
380	   initial set is described below:

382	   <Issuer>:  This element represents the name of the party that issued
383	      the key.  For example, a bank "Foobar Bank Inc." issuing hardware
384	      tokens to their retail banking users may set this element to
385	      "Foobar Bank Inc.".

387	   <FriendlyName>:  A human readable name for the secret key for easier
388	      reference.  This element serves informational purposes only.  This
389	      element is a language dependent string hence it SHOULD have an
390	      attribute xml:lang="xx" where xx is the language identifier as
391	      specified in [RFC4646].  If no xml:lang attribute is present
392	      implementations MUST assume the language to be English as defined
393	      by setting the attribute value to "en" (e.g. xml:lang="en").

395	   <AlgorithmParameters>:  This element carries parameters that
396	      influence the result of the algorithmic computation, for example
397	      response truncation and format in OTP and CR algorithms.  A more
398	      detailed discussion of the element can be found in Section 4.3.4.

400	   <Data>:  This element carries data about and related to the key.  The
401	      following child elements are defined for the <Data> element:

403	      <Secret>:  This element carries the value of the key itself in a
404	         binary representation, please see Section 4.2 for more details
405	         on Key Value Encoding.

407	      <Counter>:  This element contains the event counter for event
408	         based OTP algorithms.

410	      <Time>:  This element contains the time for time based OTP
411	         algorithms.  (If time interval is used, this element carries
412	         the number of time intervals passed from a specific start
413	         point, normally algorithm dependent).

415	      <TimeInterval>:  This element carries the time interval value for
416	         time based OTP algorithms in seconds (typical value for this
417	         would be 30 indicating a time interval of 30 seconds).

419	      <TimeDrift>:  This element contains the device clock drift value
420	         for time-based OTP algorithms.  The integer value (positive or
421	         negative drift) that indicates the number of time intervals
422	         that a validation server has established the device clock
423	         drifted after the last succssful authentication.  So for
424	         example if the last successful authentication established a
425	         device time value of 8 intervals from a specific start date but
426	         the validation server determines the time value at 9 intervals,
427	         the server SHOULD record the drift as -1.

429	      All the elements listed above (and those defined in the future)
430	      obey a simple structure in that they MUST support child elements
431	      to convey the data value in either plaintext or encrypted format:

433	      Plaintext:  The <PlainValue> element carries plaintext value that
434	         is typed, for example to xs:integer.

436	      Encrypted:  The <EncryptedValue> element carries encrypted value.

438	      ValueMAC:  The <ValueMAC> element is populated with a MAC
439	         generated from the encrypted value in case the encryption
440	         algorithm does not support integrity checks.  The example shown
441	         at Figure 2 illustrates the usage of the <Data> element with
442	         two child elements, namely <Secret> and <Counter>.  Both
443	         elements carry plaintext value within the <PlainValue> child
444	         element.

446	4.2.  Key Value Encoding

448	   Two parties receiving the same key value OCTET STRING, resulting in
449	   decoding the xs:base64Binary, inside the <PlainValue> or
450	   <EncryptedValue> elements, must make use of the key in exactly the
451	   same way in order to interoperate.  To ensure that, it is necessary
452	   to define a correspondence between the OCTET STRING and the notation
453	   in the standard algorithm description that defines how the key is
454	   used.  The next sections establish that correspondence for the
455	   algorithms AES [FIPS197] and TDEA [SP800-67].  Unless otherwise
456	   specified for a specific algorithm the OCTET STRING encoding MUST
457	   follow the AES Key Value Encoding.

459	4.2.1.  AES Key Value Encoding

461	   [FIPS197] section 5.2, titled Key Expansion, uses the input key as an
462	   array of bytes indexed starting at 0.  The first octet of OCTET
463	   STRING SHALL become the key byte in AES labeled index 0 in [FIPS197];
464	   the succeeding octets of OCTET STRING SHALL become key bytes in AES
465	   in increasing index order.

467	   Proper parsing and key load of the contents of OCTET STRING for AES
468	   SHALL be determined by using the following value for the <PlainValue>
469	   element (binaryBase64 encoded) to generate and match the key
470	   expansion test vectors in [FIPS197] Appendix A for AES

472	   Cipher Key: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

474	   ...
475	    <PlainValue>K34VFiiu0qar9xWICc9PPA==</PlainValue>
476	   ...

478	4.2.2.  Triple DES Key Value Encoding

480	   A Triple-DES key consists of three keys for the cryptographic engine
481	   (Key1, Key2, and Key3) that are each 64 bits (56 key bits and 8
482	   parity bits); the three keys are also collectively referred to as a
483	   key bundle [SP800-67].  A key bundle may employ either two or three
484	   independent keys.  When only two independent keys are employed
485	   (called two-key Triple DES), then the same value is used for Key1 and
486	   Key3.

488	   Each key in a Triple-DES key bundle is expanded into a key schedule
489	   according to a procedure defined in [SP800-67] Appendix A.  That
490	   procedure numbers the bits in the key from 1 to 64, with number 1
491	   being the left-most, or most significant bit (MSB).  The first octet
492	   of OCTET STRING SHALL be bits 1 through 8 of Key1 with bit 1 being
493	   the MSB.  The second octet of OCTET STRING SHALL be bits 9 through 16
494	   of Key1, and so forth, so that the trailing octet of OCTET STRING
495	   SHALL be bits 57 through 64 of Key3 (or Key2 for two-key Triple DES).

497	   Proper parsing and key load of the contents of OCTET STRING for
498	   Triple-DES SHALL be determined by using the following <PlainValue>
499	   element (binaryBase64 encoded) to generate and match the key
500	   expansion test vectors in [SP800-67] appendix B for the key bundle:

502	   Key1 = 0123456789ABCDEF

504	   Key2 = 23456789ABCDEF01

506	   Key3 = 456789ABCDEF0123

508	   ...
509	    <PlainValue>ASNFZ4mrze8jRWeJq83vAUVniavN7wEj</PlainValue>
510	   ...

512	4.3.  Transmission of supplementary Information

514	   A PSKC document can contain a number of additional information
515	   regarding device identification, cryptomodule identification, user
516	   identification and parameters for usage with OTP and CR algorithms.
517	   The following example, see Figure 3, is used as a reference for the
518	   subsequent sub-sections.

520	   <?xml version="1.0" encoding="UTF-8"?>
521	   <KeyContainer Version="1.0"
522	       Id="exampleID1"
523	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
524	       <KeyPackage>
525	           <DeviceInfo>
526	               <Manufacturer>Manufacturer</Manufacturer>
527	               <SerialNo>987654321</SerialNo>
528	               <UserId>DC=example-bank,DC=net</UserId>
529	           </DeviceInfo>
530	           <CryptoModuleInfo>
531	               <Id>CM_ID_001</Id>
532	           </CryptoModuleInfo>
533	           <Key Id="12345678"
534	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
535	               <Issuer>Issuer</Issuer>
536	               <AlgorithmParameters>
537	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
538	               </AlgorithmParameters>
539	               <Data>
540	                   <Secret>
541	                       <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
542	                       </PlainValue>
543	                   </Secret>
544	                   <Counter>
545	                       <PlainValue>0</PlainValue>
546	                   </Counter>
547	               </Data>
548	               <UserId>UID=jsmith,DC=example-bank,DC=net</UserId>
549	           </Key>
550	       </KeyPackage>
551	   </KeyContainer>

553	       Figure 3: PSKC Key Container Example with Supplementary Data

555	4.3.1.  <DeviceInfo> Element: Unique Device Identification

557	   The <DeviceInfo> element uniquely identifies the device the
558	   <KeyPackage> is provisioned to.  Since devices can come in different
559	   form factors, such as hardware tokens, smart-cards, soft tokens in a
560	   mobile phone or as a PC, this element allows different child element
561	   combinations to be used.  When combined, the values of the child
562	   elements MUST uniquely identify the device.  For example, for
563	   hardware tokens the combination of <SerialNo> and <Manufacturer>
564	   elements uniquely identifies a device but the <SerialNo> element
565	   alone is insufficient since two different token manufacturers might
566	   issue devices with the same serial number (similar to the Issuer
567	   Distinguished Name and serial number of a certificate).

569	   The <DeviceInfo> element has the following child elements:

571	   <Manufacturer>:  This element indicates the manufacturer of the
572	      device.  Values for Manufacturer SHOULD be taken from either
573	      [OATHMAN] prefixes (i.e., the left column) or they SHOULD be taken
574	      from IANA Private Enterprise Number Registry [IANAPENREG], using
575	      the Organisation value.

577	   <SerialNo>:  This element contains the serial number of the device.

579	   <Model>:  This element describes the model of the device (e.g., one-
580	      button-HOTP-token-V1).

582	   <IssueNo>:  This element contains the issue number in case devices
583	      with the same serial number that are distinguished by different
584	      issue numbers.

586	   <DeviceBinding>:  This element allows a provisioning server to ensure
587	      that the key is going to be loaded into the device for which the
588	      key provisioning request was approved.  The device is bound to the
589	      request using a device identifier, e.g., an International Mobile
590	      Equipment Identity (IMEI) for the phone, or an identifier for a
591	      class of identifiers, e.g., those for which the keys are protected
592	      by a Trusted Platform Module (TPM).

594	   <StartDate>: and <ExpiryDate>:  These two elements indicate the start
595	      and end date of a device (such as the one on a payment card, used
596	      when issue numbers are not printed on cards).  The date MUST be
597	      expressed in UTC form with no timezone component.  Implementations
598	      SHOULD NOT rely on time resolution finer than milliseconds and
599	      MUST NOT generate time instants that specify leap seconds.  Keys
600	      that reside on the device SHOULD only be used when the current
601	      date is after the <StartDate> and before the <ExpiryDate>.  Note
602	      that usage enforcement of the keys with respective to the dates
603	      MAY only happen on the validation server as some devices such as
604	      smart cards do not have an internal clock.  Systems thus SHOULD
605	      NOT rely upon the device to enforce key usage date restrictions.

607	   Depending on the device type certain child elements of the
608	   <DeviceInfo> element MUST be included in order to uniquely identify a
609	   device.  This document does not enumerate the different device types
610	   and therefore does not list the elements that are mandatory for each
611	   type of device.

613	4.3.2.  <CryptoModuleInfo> Element: CryptoModule Identification

615	   The <CryptoModuleInfo> element identifies the cryptographic module to
616	   which the symmetric keys are or have been provisioned to.  This
617	   allows the identification of the specific cases where a device MAY
618	   contain more than one crypto module (e.g. a PC hosting a TPM and a
619	   connected token).

621	   The <CryptoModuleInfo> element has a single child element that MUST
622	   be included:

624	   <Id>:  This element carries a unique identifier for the CryptoModule
625	      and is implementation specific.  As such, it helps to identify a
626	      specific CryptoModule to which the key is being or was
627	      proivisioned.

629	4.3.3.  <UserId> Element: User Identification

631	   The <UserId> element identifies the user using a distinguished name,
632	   as defined in [RFC4514].  For example: UID=jsmith,DC=example,DC=net.

634	   Although the syntax of the user identifier is defined, there are no
635	   semantics associated with this element, i.e., there are no checks
636	   enforcing that only a specific user can use this key.  As such, this
637	   element is for informational purposes only.

639	   This element may appear in two places, namely as a child element of
640	   the <Key> element where it indicates the user with whom the key is
641	   associated with and as a child element of the <DeviceInfo> element
642	   where it indicates the user the device is associated with.

644	4.3.4.  <AlgorithmParameters> Element: Supplementary Information for OTP
645	        and CR Algorithms

647	   The <AlgorithmParameters> element is a child element of the <Key>
648	   element and this document defines three child elements: <Suite>,
649	   <ChallengeFormat> and <ResponseFormat>

651	   <Suite>:

653	      The optional <Suite> element defines additional characteristics of
654	      the algorithm used, which are algorithm specific.  For example in
655	      HMAC based OTP algorithm it could designate the strength of the
656	      hash algorithm used (SHA1, SHA256, etc).  Please refer to
657	      algorithm profile specification Section 10 for the exact semantic
658	      of the value for each algorithm profile.

660	   <ChallengeFormat>:

662	      The <ChallengeFormat> element defines the characteristics of the
663	      challenge in a CR usage scenario whereby the following attributes
664	      are defined:

666	      'Encoding':  This attribute, which MUST be included, defines the
667	         encoding of the challenge accepted by the device and MUST be
668	         one of the following values:

670	         DECIMAL  Only numerical digits

672	         HEXADECIMAL  Hexadecimal response

674	         ALPHANUMERIC  All letters and numbers (case sensitive)

676	         BASE64  Base 64 encoded as defined in Section 4 of [RFC4648].

678	         BINARY  Binary data

680	      'CheckDigit':  This attribute indicates whether a device needs to
681	         check the appended Luhn check digit, as defined in
682	         [ISOIEC7812], contained in a challenge.  This is only valid if
683	         the 'Encoding' attribute is 'DECIMAL'.  A value of TRUE
684	         indicates that the device will check the appended Luhn check
685	         digit in a provided challenge.  A value of FALSE indicates that
686	         the device will not check the appended Luhn check digit in the
687	         challenge.

689	      'Min':  This attribute defines the minimum size of the challenge
690	         accepted by the device for CR mode and MUST be included.  If
691	         the 'Encoding' attribute is 'DECIMAL', 'HEXADECIMAL' or
692	         'ALPHANUMERIC' this value indicates the minimum number of
693	         digits/characters.  If the 'Encoding' attribute is 'BASE64' or
694	         'BINARY', this value indicates the minimum number of bytes of
695	         the unencoded value.

697	      'Max':  This attribute defines the maximum size of the challenge
698	         accepted by the device for CR mode and MUST be included.  If
699	         the 'Encoding' attribute is 'DECIMAL', 'HEXADECIMAL' or
700	         'ALPHANUMERIC' this value indicates the maximum number of
701	         digits/characters.  If the 'Encoding' attribute is 'BASE64' or
702	         'BINARY', this value indicates the maximum number of bytes of
703	         the unencoded value.

705	   <ResponseFormat>:

707	      The <ResponseFormat> element defines the characteristics of the
708	      result of a computation and defines the format of the OTP or the
709	      response to a challenge.  For cases where the key is a PIN value,
710	      this element contains the format of the PIN itself (e.g., DECIMAL,
711	      length 4 for a 4 digit PIN).  The following attributes are
712	      defined:

714	      'Encoding':  This attribute defines the encoding of the response
715	         generated by the device, it MUST be included and MUST be one of
716	         the following values: DECIMAL, HEXADECIMAL, ALPHANUMERIC,
717	         BASE64, or BINARY.

719	      'CheckDigit':  This attribute indicates whether the device needs
720	         to append a Luhn check digit, as defined in [ISOIEC7812], to
721	         the response.  This is only valid if the 'Encoding' attribute
722	         is 'DECIMAL'.  If the value is TRUE then the device will append
723	         a Luhn check digit to the response.  If the value is FALSE,
724	         then the device will not append a Luhn check digit to the
725	         response.

727	      'Length':  This attribute defines the length of the response
728	         generated by the device and MUST be included.  If the
729	         'Encoding' attribute is 'DECIMAL', 'HEXADECIMAL' or
730	         'ALPHANUMERIC' this value indicates the number of digits/
731	         characters.  If the 'Encoding' attribute is 'BASE64' or
732	         'BINARY', this value indicates the number of bytes of the
733	         unencoded value.

735	4.4.  Transmission of Key Derivation Values

737	   <KeyProfileId> element, which is a child element of the <Key>
738	   element, carries a unique identifier used between the sending and
739	   receiving parties to establish a set of key attribute values that are
740	   not transmitted within the container but agreed between the two
741	   parties out of band.  This element will then represent the unique
742	   reference to a set of key attribute values.  (For example, a smart
743	   card application personalisation profile id related to specific
744	   attribute values present on a smart card application, that have
745	   influence when computing a response.).

747	   For example, in the case of MasterCard's Chip Authentication Program
748	   [CAP], the sending and the receiving party would agree that
749	   KeyProfileId='1' represents a certain set of values (e.g., Internet
750	   Authentication Flag IAF set to a specific value).  During
751	   transmission of the KeyContainer, these values would not be
752	   transmitted as key attributes but only referred to via the
753	   <KeyProfileId> element set to the specific agreed profile (in this
754	   case '1').  The receiving party can then associate all relevant key
755	   attributes contained in the out of band agreed profile with the
756	   imported keys.  Often this methodology is used between a
757	   manufacturing service, run by company A and the validation service
758	   run by company B, to avoid repeated transmission of the same set of
759	   key attribute values.

761	   The <KeyReference> element contains a reference to an external key to
762	   be used with a key derivation scheme and no specific key value
763	   (secret) is transported but only the reference to the external master
764	   key is used (e.g., the PKCS#11 key label).

766	   <?xml version="1.0" encoding="UTF-8"?>
767	   <KeyContainer Version="1.0" Id="exampleID1"
768	        xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
769	       <KeyPackage>
770	           <DeviceInfo>
771	               <Manufacturer>Manufacturer</Manufacturer>
772	               <SerialNo>987654321</SerialNo>
773	           </DeviceInfo>
774	           <CryptoModuleInfo>
775	               <Id>CM_ID_001</Id>
776	           </CryptoModuleInfo>
777	           <Key Id="12345678"
778	            Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
779	               <Issuer>Issuer</Issuer>
780	               <AlgorithmParameters>
781	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
782	               </AlgorithmParameters>
783	               <KeyProfileId>keyProfile1</KeyProfileId>
784	               <KeyReference>MasterKeyLabel
785	               </KeyReference>
786	               <Data>
787	                   <Counter>
788	                       <PlainValue>0</PlainValue>
789	                   </Counter>
790	               </Data>
791	               <Policy>
792	                   <KeyUsage>OTP</KeyUsage>
793	               </Policy>
794	           </Key>
795	       </KeyPackage>
796	   </KeyContainer>

798	   Figure 4: Example of a PSKC Document transmitting a HOTP key via key
799	                             derivation values

801	   The key value will be derived using the value of the <SerialNo>
802	   element, values agreed between the sending and the receiving parties
803	   and identified by the KeyProfile 'keyProfile1' and an externally
804	   agreed key referenced by the label 'MasterKeyLabel'.

806	5.  Key Policy

808	   This section illustrates the functionality of the <Policy> element
809	   within PSKC that allows a key usage and key PIN protection policy to
810	   be attached to a specific key and its related meta data.  This
811	   element is a child element of the <Key> element.

813	   If the <Policy> element contains child elements or values within
814	   elements/attributes that are not understood by the recipient of the
815	   PSKC document then the recipient MUST assume that key usage is not
816	   permitted.  This statement ensures that the lack of understanding of
817	   certain extensions does not lead to unintended key usage.

819	   We will start our description with an example that expands the
820	   example shown in Figure 3.

822	   <?xml version="1.0" encoding="UTF-8"?>
823	   <KeyContainer
824	       Version="1.0" Id="exampleID1"
825	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
826	       <KeyPackage>
827	           <DeviceInfo>
828	               <Manufacturer>Manufacturer</Manufacturer>
829	               <SerialNo>987654321</SerialNo>
830	           </DeviceInfo>
831	           <CryptoModuleInfo>
832	               <Id>CM_ID_001</Id>
833	           </CryptoModuleInfo>
834	           <Key Id="12345678"
835	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
836	               <Issuer>Issuer</Issuer>
837	               <AlgorithmParameters>
838	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
839	               </AlgorithmParameters>
840	               <Data>
841	                   <Secret>
842	                       <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
843	                       </PlainValue>
844	                   </Secret>
845	                   <Counter>
846	                       <PlainValue>0</PlainValue>
847	                   </Counter>
848	               </Data>
849	               <Policy>
850	                   <PINPolicy MinLength="4" MaxLength="4"
851	                       PINKeyId="123456781" PINEncoding="DECIMAL"
852	                       PINUsageMode="Local"/>
853	                   <KeyUsage>OTP</KeyUsage>

855	               </Policy>
856	           </Key>
857	       </KeyPackage>
858	       <KeyPackage>
859	           <DeviceInfo>
860	               <Manufacturer>Manufacturer</Manufacturer>
861	               <SerialNo>987654321</SerialNo>
862	           </DeviceInfo>
863	           <CryptoModuleInfo>
864	               <Id>CM_ID_001</Id>
865	           </CryptoModuleInfo>
866	           <Key Id="123456781"
867	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:pin">
868	               <Issuer>Issuer</Issuer>
869	               <AlgorithmParameters>
870	                   <ResponseFormat Length="4" Encoding="DECIMAL"/>
871	               </AlgorithmParameters>
872	               <Data>
873	                   <Secret>
874	                       <PlainValue>MTIzNA==</PlainValue>
875	                   </Secret>
876	               </Data>
877	           </Key>
878	       </KeyPackage>
879	   </KeyContainer>

881	         Figure 5: Non-Encrypted HOTP Secret Key protected by PIN

883	   This document defines the following Policy child elements:

885	   <StartDate> and <ExpiryDate>:  These two elements denote the validity
886	      period of a key.  It MUST be ensured that the key is only used
887	      between the start and the end date (inclusive).  The value MUST be
888	      expressed in UTC form, with no time zone component.
889	      Implementations SHOULD NOT rely on time resolution finer than
890	      milliseconds and MUST NOT generate time instants that specify leap
891	      seconds.  When this element is absent the current time is assumed
892	      as the start time.

894	   <NumberOfTransactions>:  The value in this element indicates the
895	      maximum number of times a key carried within the PSKC document can
896	      be used by an application after having received it..  When this
897	      element is omitted then there is no restriction regarding the
898	      number of times a key can be used.

900	   <KeyUsage>:  The <KeyUsage> element puts constraints on the intended
901	      usage of the key.  The recipient of the PSKC document MUST enforce
902	      the key usage.  Currently, the following tokens are registered by
903	      this document:

905	      OTP:  The key MUST only be used for OTP generation.

907	      CR:  The key MUST only be used for Challenge/Response purposes.

909	      Encrypt:  The key MUST only be used for data encryption purposes.

911	      Integrity:  The key MUST only be used to generate a keyed message
912	         digest for data integrity or authentication purposes.

914	      Verify:  The key MUST only be used to verify a keyed message
915	         digest for data integrity or authentication purposes. (this is
916	         the vice versa of Integrity)

918	      Unlock:  The key MUST only be used for an inverse challenge
919	         response in the case where a user has locked the device by
920	         entering a wrong PIN too many times (for devices with PIN-input
921	         capability).

923	      Decrypt:  The key MUST only be used for data decryption purposes.

925	      KeyWrap:  The key MUST only be used for key wrap purposes.

927	      Unwrap:  The key MUST only be used for key unwrap purposes.

929	      Derive:  The key MUST only be used with a key derivation function
930	         to derive a new key (see also Section 8.2.4 of [NIST800-57]).

932	      Generate:  The key MUST only be used to generate a new key based
933	         on a random number and the previous value of the key (see also
934	         Section 8.1.5.2.1 of[NIST800-57]).

936	      The element MAY also be repeated to allow several key usages to be
937	      expressed.  When this element is absent then no key usage
938	      constraint is assumed, i.e., the key MAY be utilized for every
939	      usage.

941	   <PINPolicy>:  The <PINPolicy> element allows policy about the PIN
942	      usage to be associated with the key.  The following attributes are
943	      specified:

945	      'PINKeyId':  This attribute contains the unique key id of the key
946	         held within this container that contains the value of the PIN
947	         that protects the key.

949	      'PINUsageMode':  This mandatory attribute indicates the way the
950	         PIN is used during the usage of the key.  The following values
951	         are defined:

953	         Local:  This value indicates that the PIN is checked locally on
954	            the device before allowing the key to be used in executing
955	            the algorithm.

957	         Prepend:  This value indicates that the PIN is prepended to the
958	            algorithm response hence it MUST be checked by the party
959	            validating the response.

961	         Append:  This value indicates that the PIN is appended to the
962	            algorithm response hence it MUST be checked by the party
963	            validating the response.

965	         Algorithmic:  This value indicates that the PIN is used as part
966	            of the algorithm computation.

968	      'MaxFailedAttempts':  This attribute indicates the maximum number
969	         of times the PIN may be entered wrongly before it MUST NOT be
970	         possible to use the key anymore (typical reasonable values are
971	         in the positive integer range of at least 2 and no more than
972	         10).

974	      'MinLength':  This attribute indicates the minimum length of a PIN
975	         that can be set to protect the associated key.  It MUST NOT be
976	         possible to set a PIN shorter than this value.  If the
977	         'PINFormat' attribute is 'DECIMAL', 'HEXADECIMAL' or
978	         'ALPHANUMERIC' this value indicates the number of digits/
979	         characters.  If the 'PINFormat' attribute is 'BASE64' or
980	         'BINARY', this value indicates the number of bytes of the
981	         unencoded value.

983	      'MaxLength':  This attribute indicates the maximum length of a PIN
984	         that can be set to protect this key.  It MUST NOT be possible
985	         to set a PIN longer than this value.  If the 'PINFormat'
986	         attribute is 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this
987	         value indicates the number of digits/characters.  If the
988	         'PINFormat' attribute is 'BASE64' or 'BINARY', this value
989	         indicates the number of bytes of the unencoded value.

991	      'PINEncoding':  This attribute indicates the encoding of the PIN
992	         and MUST be one of the values: DECIMAL, HEXADECIMAL,
993	         ALPHANUMERIC, BASE64, or BINARY.

995	      If the 'PinUsageMode' attribute is set to "Local" then the device
996	      MUST enforce the restriction indicated in the 'MaxFailedAttempts',
997	      'MinLength', 'MaxLength' and 'PINEncoding' attribute, otherwise it
998	      MUST be enforced on the server side.

1000	5.1.  PIN Algorithm definition

1002	   The PIN algorithm is defined as:

1004	   boolean = comparePIN(K,P)

1006	   Where:

1008	   'K':  Is the stored symmetric credential (PIN) in binary format.

1010	   'P':  Is the proposed PIN to be compared in binary format.

1012	   The function comparePIN is a straight octet comparison of K and P.
1013	   Such comparison MUST yield TRUE (credentials matched) when the the
1014	   octet length of K is the same as the octet length of P and all octets
1015	   comprising K are the same as the octets comprising P.

1017	6.  Key Protection Methods

1019	   With the functionality described in the previous sections,
1020	   information related to keys had to be transmitted in clear text.
1021	   With the help of the <EncryptionKey> element, which is a child
1022	   element of the <KeyContainer> element, it is possible to encrypt keys
1023	   and associated information.  The level of encryption is applied to
1024	   the value of individual elements and the applied encryption algorithm
1025	   MUST be the same for all encrypted elements.  Keys are protected
1026	   using the following methods: pre-shared keys, passphrase-based keys,
1027	   and asymmetric keys.  When encryption algorithms are used that make
1028	   use of Initialisation Vectors (IV), for example AES128-CBC, then a
1029	   random IV value MUST be generated for each value to be encrypted and
1030	   it MUST be prepended to the resulting encrypted value as specified in
1031	   [XMLENC].

1033	6.1.  Encryption based on Pre-Shared Keys

1035	   Figure 6 shows an example that illustrates the encryption of the
1036	   content of the <Secret> element using AES128-CBC and PKCS5 Padding.
1037	   The plaintext value of <Secret> is
1038	   '3132333435363738393031323334353637383930'.  The name of the pre-
1039	   shared secret is "Pre-shared-key", as set in the <KeyName> element
1040	   (which is a child element of the <EncryptionKey> element).  The value
1041	   of the encryption key used is '12345678901234567890123456789012'.

1043	   The IV for the MAC key is '11223344556677889900112233445566' and the
1044	   IV for the HOTP key is '000102030405060708090a0b0c0d0e0f'.

1046	   As AES128-CBC does not provide integrity checks a keyed MAC is
1047	   applied to the encrypted value using a MAC key and a MAC algorithm as
1048	   declared in the <MACMethod> element (in our example
1049	   "http://www.w3.org/2000/09/xmldsig#hmac-sha1" is used as the
1050	   algorithm and the value of the MAC key is randomly generated, in our
1051	   case '1122334455667788990011223344556677889900', and encrypted with
1052	   the above encryption key).  The result of the keyed MAC computation
1053	   is placed in the <ValueMAC> child element of <Secret>.

1055	 <?xml version="1.0" encoding="UTF-8"?>
1056	 <KeyContainer Version="1.0"
1057	     xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
1058	     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
1059	     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
1060	     <EncryptionKey>
1061	         <ds:KeyName>Pre-shared-key</ds:KeyName>
1062	     </EncryptionKey>
1063	     <MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
1064	         <MACKey>
1065	             <xenc:EncryptionMethod
1066	             Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
1067	             <xenc:CipherData>
1068	                 <xenc:CipherValue>
1069	     ESIzRFVmd4iZABEiM0RVZgKn6WjLaTC1sbeBMSvIhRejN9vJa2BOlSaMrR7I5wSX
1070	                 </xenc:CipherValue>
1071	             </xenc:CipherData>
1072	         </MACKey>
1073	     </MACMethod>
1074	     <KeyPackage>
1075	         <DeviceInfo>
1076	             <Manufacturer>Manufacturer</Manufacturer>
1077	             <SerialNo>987654321</SerialNo>
1078	         </DeviceInfo>
1079	         <CryptoModuleInfo>
1080	             <Id>CM_ID_001</Id>
1081	         </CryptoModuleInfo>
1082	         <Key Id="12345678"
1083	             Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
1084	             <Issuer>Issuer</Issuer>
1085	             <AlgorithmParameters>
1086	                 <ResponseFormat Length="8" Encoding="DECIMAL"/>
1087	             </AlgorithmParameters>
1088	             <Data>
1089	                 <Secret>
1090	                     <EncryptedValue>
1091	                         <xenc:EncryptionMethod
1092	             Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
1093	                         <xenc:CipherData>
1094	                             <xenc:CipherValue>
1095	     AAECAwQFBgcICQoLDA0OD+cIHItlB3Wra1DUpxVvOx2lef1VmNPCMl8jwZqIUqGv
1096	                             </xenc:CipherValue>
1097	                         </xenc:CipherData>
1098	                     </EncryptedValue>
1099	                     <ValueMAC>Su+NvtQfmvfJzF6bmQiJqoLRExc=
1100	                     </ValueMAC>
1101	                 </Secret>
1102	                 <Counter>
1103	                     <PlainValue>0</PlainValue>
1104	                 </Counter>
1105	             </Data>
1106	         </Key>
1107	     </KeyPackage>
1108	 </KeyContainer>

1110	   Figure 6: AES-128-CBC Encrypted Pre-Shared Secret Key with HMAC-SHA1
1111	   When protecting the payload with pre-shared keys implementations MUST
1112	   set the name of the specific pre-shared key in the <KeyName> element
1113	   inside the <EncryptionKey> element.  When the encryption method uses
1114	   a CBC mode that requires an explicit initialization vector (IV), the
1115	   IV MUST be passed by prepending it to the encrypted value.

1117	   For systems implementing PSKC it is RECOMMENDED to support AES-128-
1118	   CBC (with the URI of http://www.w3.org/2001/04/xmlenc#aes128-cbc) and
1119	   KW-AES128 (with the URI of
1120	   http://www.w3.org/2001/04/xmlenc#kw-aes128).  Please note that KW-
1121	   AES128 requires that the key to be protected must be a multiple of 8
1122	   bytes in length.  Hence, if keys of a different length have to be
1123	   protected then the usage of the key wrap algorithm with padding, as
1124	   described in [AESKWPAD] is RECOMMENDED.  Some of the encryption
1125	   algorithms that can optionally be implemented are:

1127	 Algorithm      | Uniform Resource Locator (URL)
1128	 ---------------+-------------------------------------------------------
1129	 AES192-CBC     | http://www.w3.org/2001/04/xmlenc#aes192-cbc
1130	 AES256-CBC     | http://www.w3.org/2001/04/xmlenc#aes256-cbc
1131	 TripleDES-CBC  | http://www.w3.org/2001/04/xmlenc#tripledes-cbc
1132	 Camellia128    | http://www.w3.org/2001/04/xmldsig-more#camellia128
1133	 Camellia192    | http://www.w3.org/2001/04/xmldsig-more#camellia192
1134	 Camellia256    | http://www.w3.org/2001/04/xmldsig-more#camellia256
1135	 KW-AES128      | http://www.w3.org/2001/04/xmlenc#kw-aes128
1136	 KW-AES192      | http://www.w3.org/2001/04/xmlenc#kw-aes192
1137	 KW-AES256      | http://www.w3.org/2001/04/xmlenc#kw-aes256
1138	 KW-TripleDES   | http://www.w3.org/2001/04/xmlenc#kw-tripledes
1139	 KW-Camellia128 | http://www.w3.org/2001/04/xmldsig-more#kw-camellia128
1140	 KW-Camellia192 | http://www.w3.org/2001/04/xmldsig-more#kw-camellia192
1141	 KW-Camellia256 | http://www.w3.org/2001/04/xmldsig-more#kw-camellia256

1143	6.1.1.  MAC Method

1145	   When algorithms without integrity checks are used, such as AES-128-
1146	   CBC, a keyed MAC value MUST be placed in the <ValueMAC> element of
1147	   the <Data> element.  In this case the MAC algorithm type MUST be set
1148	   in the <MACMethod> element of the <KeyContainer> element.  The MAC
1149	   key MUST be a randomly generated key by the sender, be pre-agreed
1150	   between the receiver and the sender, or be set by the application
1151	   protocol that carries the PSKC document.  It is RECOMMENDED that the
1152	   sender generates a random MAC key.  When the sender generates such a
1153	   random MAC key, the MAC key material MUST be encrypted with the same
1154	   encryption key specified in <EncryptionKey> element of the key
1155	   container.  The encryption method and encrypted value MUST be set
1156	   respectively in the <EncryptionMethod> element and the <CipherData>
1157	   element of the <MACKey> element in the <MACMethod> element.  The
1158	   <MACKeyReference> element of the <MACMethod> element MAY be used to
1159	   indicate a pre-shared MAC key or a provisioning protocol derived MAC
1160	   key.  For systems implementing PSKC it is RECOMMENDED to implement
1161	   the HMAC-SHA1 (with the URI of
1162	   'http://www.w3.org/2000/09/xmldsig#hmac-sha1').  Some of the MAC
1163	   algorithms that can optionally be implemented are:

1165	   Algorithm      | Uniform Resource Locator (URL)
1166	   ---------------+-----------------------------------------------------
1167	   HMAC-SHA224    | http://www.w3.org/2001/04/xmldsig-more#hmac-sha224
1168	   HMAC-SHA256    | http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
1169	   HMAC-SHA384    | http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
1170	   HMAC-SHA512    | http://www.w3.org/2001/04/xmldsig-more#hmac-sha512

1172	6.2.  Encryption based on Passphrase-based Keys

1174	   Figure 7 shows an example that illustrates the encryption of the
1175	   content of the <Secret> element using passphrase based key derivation
1176	   (PBKDF2) to derive the encryption key as defined in [PKCS5].  When
1177	   using passphrase based key derivation, the <DerivedKey> element
1178	   defined in XML Encryption v1.1 [XMLENC11] MUST be used to specify the
1179	   passphrased-based key.  A <DerivedKey> element is set as the child
1180	   element of <EncryptionKey> element of the key container.

1182	   The <DerivedKey> element is used to specify the key derivation
1183	   function and related parameters.  The encryption algorithm, in this
1184	   example AES-128-CBC ( URI
1185	   'http://www.w3.org/2001/04/xmlenc#aes128-cbc'), MUST be set in the
1186	   'Algorithm' attribute of <EncryptionMethod> element used inside the
1187	   encrypted data elements.

1189	   When PBKDF2 is used, the 'Algorithm' attribute of the <xenc11:
1190	   KeyDerivationMethod> element MUST be set to the URI
1191	   'http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2'.  The
1192	   <xenc11:KeyDerivationMethod> element MUST include the <PBKDF2-params>
1193	   child element to indicate the PBKDF2 parameters, such as salt and
1194	   iteration count.

1196	   When the encryption method uses a CBC mode that uses an explicit
1197	   initialization vector (IV) other than a derived one, the IV MUST be
1198	   passed by prepending it to the encrypted value.

1200	   In the example below, the following data is used.

1202	   Password:   qwerty

1204	   Salt:   0x123eff3c4a72129c

1206	   Iteration Count:  1000

1208	   MAC Key:   0xbdaab8d648e850d25a3289364f7d7eaaf53ce581

1210	   OTP Secret:   12345678901234567890

1212	   The derived encryption key is "0x651e63cd57008476af1ff6422cd02e41".
1213	   The initialization vector (IV) is
1214	   "0xa13be8f92db69ec992d99fd1b5ca05f0".  This key is also used to
1215	   encrypt the randomly chosen MAC key.  A different IV can be used,
1216	   say, "0xd864d39cbc0cdc8e1ee483b9164b9fa0" in the example.  The
1217	   encryption with algorithm "AES-128-CBC" follows the specification
1218	   defined in [XMLENC].

1220	  <?xml version="1.0" encoding="UTF-8"?>
1221	  <pskc:KeyContainer
1222	    xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
1223	    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
1224	    xmlns:pkcs5=
1225	    "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"
1226	    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Version="1.0">
1227	      <pskc:EncryptionKey>
1228	          <xenc11:DerivedKey>
1229	              <xenc11:KeyDerivationMethod
1230	                Algorithm=
1231	   "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2">
1232	                  <pkcs5:PBKDF2-params>
1233	                      <Salt>
1234	                          <Specified>Ej7/PEpyEpw=</Specified>
1235	                      </Salt>
1236	                      <IterationCount>1000</IterationCount>
1237	                      <KeyLength>16</KeyLength>
1238	                      <PRF/>
1239	                  </pkcs5:PBKDF2-params>
1240	              </xenc11:KeyDerivationMethod>
1241	              <xenc:ReferenceList>
1242	                  <xenc:DataReference URI="#ED"/>
1243	              </xenc:ReferenceList>
1244	              <xenc11:MasterKeyName>My Password 1</xenc11:MasterKeyName>
1245	          </xenc11:DerivedKey>
1246	      </pskc:EncryptionKey>
1247	      <pskc:MACMethod
1248	          Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
1249	          <pskc:MACKey>
1250	              <xenc:EncryptionMethod
1251	              Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
1252	              <xenc:CipherData>
1253	                  <xenc:CipherValue>
1254	  2GTTnLwM3I4e5IO5FkufoOEiOhNj91fhKRQBtBJYluUDsPOLTfUvoU2dStyOwYZx
1255	                  </xenc:CipherValue>
1256	              </xenc:CipherData>
1257	          </pskc:MACKey>
1258	      </pskc:MACMethod>
1259	      <pskc:KeyPackage>
1260	          <pskc:DeviceInfo>
1261	              <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
1262	              <pskc:SerialNo>987654321</pskc:SerialNo>
1263	          </pskc:DeviceInfo>
1264	          <pskc:CryptoModuleInfo>
1265	              <pskc:Id>CM_ID_001</pskc:Id>
1266	          </pskc:CryptoModuleInfo>
1267	          <pskc:Key Algorithm=
1268	          "urn:ietf:params:xml:ns:keyprov:pskc:hotp" Id="123456">
1269	              <pskc:Issuer>Example-Issuer</pskc:Issuer>
1270	              <pskc:AlgorithmParameters>
1271	                  <pskc:ResponseFormat Length="8" Encoding="DECIMAL"/>
1272	              </pskc:AlgorithmParameters>
1273	              <pskc:Data>
1274	                  <pskc:Secret>
1275	                  <pskc:EncryptedValue Id="ED">
1276	                      <xenc:EncryptionMethod
1277	                          Algorithm=
1278	  "http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
1279	                          <xenc:CipherData>
1280	                              <xenc:CipherValue>
1281	        oTvo+S22nsmS2Z/RtcoF8Hfh+jzMe0RkiafpoDpnoZTjPYZu6V+A4aEn032yCr4f
1282	                          </xenc:CipherValue>
1283	                      </xenc:CipherData>
1284	                      </pskc:EncryptedValue>
1285	                      <pskc:ValueMAC>LP6xMvjtypbfT9PdkJhBZ+D6O4w=
1286	                      </pskc:ValueMAC>
1287	                  </pskc:Secret>
1288	              </pskc:Data>
1289	          </pskc:Key>
1290	      </pskc:KeyPackage>
1291	  </pskc:KeyContainer>

1293	      Figure 7: Example of a PSKC Document using Encryption based on
1294	                           Passphrase-based Keys

1296	6.3.  Encryption based on Asymmetric Keys

1298	   When using asymmetric keys to encrypt child elements of the <Data>
1299	   element, information about the certificate being used MUST be stated
1300	   in the <X509Data> element, which is a child element of the
1301	   <EncryptionKey> element.  The encryption algorithm MUST be indicated
1302	   in the 'Algorithm' attribute of the <EncryptionMethod> element.  In
1303	   the example shown in Figure 8 the algorithm is set to
1304	   "http://www.w3.org/2001/04/xmlenc#rsa_1_5".

1306	   <?xml version="1.0" encoding="UTF-8" ?>
1307	   <KeyContainer
1308	       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
1309	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
1310	       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
1311	       id="KC0001"
1312	       Version="1.0">
1313	       <EncryptionKey>
1314	           <ds:X509Data>
1315	   <ds:X509Certificate>MIIB5zCCAVCgAwIBAgIESZp/vDANBgkqhkiG9w0BAQUFADA4M
1316	   Q0wCwYDVQQKEwRJRVRGMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIF
1317	   Rlc3QwHhcNMDkwMjE3MDkxMzMyWhcNMTEwMjE3MDkxMzMyWjA4MQ0wCwYDVQQKEwRJRVR
1318	   GMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIFRlc3QwgZ8wDQYJKoZI
1319	   hvcNAQEBBQADgY0AMIGJAoGBALCWLDa2ItYJ6su80hd1gL4cggQYdyyKK17btt/aS6Q/e
1320	   DsKjsPyFIODsxeKVV/uA3wLT4jQJM5euKJXkDajzGGOy92+ypfzTX4zDJMkh61SZwlHNJ
1321	   xBKilAM5aW7C+BQ0RvCxvdYtzx2LTdB+X/KMEBA7uIYxLfXH2Mnub3WIh1AgMBAAEwDQY
1322	   JKoZIhvcNAQEFBQADgYEAe875m84sYUJ8qPeZ+NG7REgTvlHTmoCdoByU0LBBLotUKuqf
1323	   rnRuXJRMeZXaaEGmzY1kLonVjQGzjAkU4dJ+RPmiDlYuHLZS41Pg6VMwY+03lhk6I5A/w
1324	   4rnqdkmwZX/NgXg06alnc2pBsXWhL4O7nk0S2ZrLMsQZ6HcsXgdmHo=
1325	   </ds:X509Certificate>
1326	           </ds:X509Data>
1327	       </EncryptionKey>
1328	       <KeyPackage>
1329	           <DeviceInfo>
1330	               <Manufacturer>TokenVendorAcme</Manufacturer>
1331	               <SerialNo>987654321</SerialNo>
1332	           </DeviceInfo>
1333	           <Key
1334	               Id="MBK000000001"
1335	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
1336	               <Issuer>Example-Issuer</Issuer>
1337	               <AlgorithmParameters>
1338	                   <ResponseFormat Length="6" Encoding="DECIMAL"/>
1339	               </AlgorithmParameters>
1340	               <Data>
1341	                   <Secret>
1342	                       <EncryptedValue>
1343	                           <xenc:EncryptionMethod
1344	                Algorithm="http://www.w3.org/2001/04/xmlenc#rsa_1_5"/>
1345	                           <xenc:CipherData>
1346	   <xenc:CipherValue>hJ+fvpoMPMO9BYpK2rdyQYGIxiATYHTHC7e/sPLKYo5/r1v+4
1347	   xTYG3gJolCWuVMydJ7Ta0GaiBPHcWa8ctCVYmHKfSz5fdeV5nqbZApe6dofTqhRwZK6
1348	   Yx4ufevi91cjN2vBpSxYafvN3c3+xIgk0EnTV4iVPRCR0rBwyfFrPc4=
1349	   </xenc:CipherValue>
1350	                           </xenc:CipherData>
1351	                       </EncryptedValue>
1352	                   </Secret>
1353	                   <Counter>
1354	                       <PlainValue>0</PlainValue>
1355	                   </Counter>
1356	               </Data>
1357	           </Key>
1358	       </KeyPackage>
1359	   </KeyContainer>

1361	      Figure 8: Example of a PSKC Document using Encryption based on
1362	                              Asymmetric Keys

1364	   For systems implementing PSKC it is RECOMMENDED to implement the
1365	   RSA-1.5 algorithm, identified by the URI
1366	   'http://www.w3.org/2001/04/xmlenc#rsa-1_5'.

1368	   Some of the asymmetric encryption algorithms that can optionally be
1369	   implemented are:

1371	   Algorithm         | Uniform Resource Locator (URL)
1372	   ------------------+-------------------------------------------------
1373	   RSA-OAEP-MGF1P    | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p

1375	6.4.  Padding of Encrypted Values for Non-Padded Encryption Algorithms

1377	   Padding of encrypted values (for example the key secret value) is
1378	   required when key protection algorithms are used that do not support
1379	   embedded padding and the value to be encrypted is not a multiple of
1380	   the encryption algorithm cypher block length.

1382	   For example, when transmitting a HOTP key (20 bytes long) protected
1383	   with the AES algorithm in CBC mode (8 byte block cypher), padding is
1384	   required since 20 bytes are not a multiple of the 8 byte block
1385	   length.

1387	   In these cases, for systems implementing PSKC it is RECOMMENDED to
1388	   pad the value before encryption using PKCS5 padding as described in
1389	   [PKCS5].

1391	7.  Digital Signature

1393	   PSKC allows a digital signature to be added to the XML document, as a
1394	   child element of the <KeyContainer> element.  The description of the
1395	   XML digital signature can be found in [XMLDSIG].

1397	   <?xml version="1.0" encoding="UTF-8"?>
1398	   <KeyContainer
1399	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
1400	       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
1401	       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
1402	       Version="1.0">
1403	       <KeyPackage>
1404	           <DeviceInfo>
1405	               <Manufacturer>TokenVendorAcme</Manufacturer>
1406	               <SerialNo>0755225266</SerialNo>
1407	           </DeviceInfo>
1408	           <Key Id="123"
1409	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
1410	               <Issuer>Example-Issuer</Issuer>
1411	               <AlgorithmParameters>
1412	                   <ResponseFormat Length="6" Encoding="DECIMAL"/>
1413	               </AlgorithmParameters>
1414	               <Data>
1415	                   <Secret>
1416	                       <PlainValue>
1417	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1418	                       </PlainValue>
1419	                   </Secret>
1420	                   <Counter>
1421	                       <PlainValue>0</PlainValue>
1422	                   </Counter>
1423	               </Data>
1424	           </Key>
1425	       </KeyPackage>
1426	       <Signature>
1427	           <ds:SignedInfo>
1428	               <ds:CanonicalizationMethod
1429	                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
1430	               <ds:SignatureMethod
1431	                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
1432	               <ds:Reference URI="#Device">
1433	                   <ds:DigestMethod
1434	                Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
1435	                   <ds:DigestValue>
1436	                       j6lwx3rvEPO0vKtMup4NbeVu8nk=
1437	                   </ds:DigestValue>

1439	               </ds:Reference>
1440	           </ds:SignedInfo>
1441	           <ds:SignatureValue>
1442	               j6lwx3rvEPO0vKtMup4NbeVu8nk=
1443	           </ds:SignatureValue>
1444	           <ds:KeyInfo>
1445	               <ds:X509Data>
1446	                   <ds:X509IssuerSerial>
1447	                       <ds:X509IssuerName>
1448	                           CN=Example.com,C=US
1449	                       </ds:X509IssuerName>
1450	                       <ds:X509SerialNumber>
1451	                           12345678
1452	                       </ds:X509SerialNumber>
1453	                   </ds:X509IssuerSerial>
1454	               </ds:X509Data>
1455	           </ds:KeyInfo>
1456	       </Signature>
1457	   </KeyContainer>

1459	                    Figure 9: Digital Signature Example

1461	8.  Bulk Provisioning

1463	   The functionality of bulk provisioning can be accomplished by
1464	   repeating the <KeyPackage> element multiple times within the
1465	   <KeyContainer> element indicating that multiple keys are provided to
1466	   different devices or cryptomodules.  The <EncryptionKey> element then
1467	   applies to all <KeyPackage> elements.  When provisioning multiple
1468	   keys to the same device the <KeyPackage> element is repeated but the
1469	   enclosed <DeviceInfo> element will contain the same sub-elements that
1470	   uniquely identify the single device (for example the keys for the
1471	   device identified by SerialNo='9999999' in the example below).

1473	   Figure 10 shows an example utilizing these capabilities.

1475	   <?xml version="1.0" encoding="UTF-8"?>
1476	   <KeyContainer Version="1.0"
1477	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
1478	       <KeyPackage>
1479	           <DeviceInfo>
1480	               <Manufacturer>TokenVendorAcme</Manufacturer>
1481	               <SerialNo>654321</SerialNo>
1482	           </DeviceInfo>
1483	           <Key Id="1"
1484	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
1485	               <Issuer>Issuer</Issuer>
1486	               <AlgorithmParameters>
1487	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
1488	               </AlgorithmParameters>
1489	               <Data>
1490	                   <Secret>
1491	                       <PlainValue>
1492	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1493	                       </PlainValue>
1494	                   </Secret>
1495	                   <Counter>
1496	                       <PlainValue>0</PlainValue>
1497	                   </Counter>
1498	               </Data>
1499	               <Policy>
1500	                   <StartDate>2006-05-01T00:00:00Z</StartDate>
1501	                   <ExpiryDate>2006-05-31T00:00:00Z</ExpiryDate>
1502	               </Policy>
1503	           </Key>
1504	       </KeyPackage>
1505	       <KeyPackage>
1506	           <DeviceInfo>
1507	               <Manufacturer>TokenVendorAcme</Manufacturer>
1508	               <SerialNo>123456</SerialNo>
1509	           </DeviceInfo>
1510	           <Key Id="2"
1511	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
1512	               <Issuer>Issuer</Issuer>
1513	               <AlgorithmParameters>
1514	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
1515	               </AlgorithmParameters>
1516	               <Data>
1517	                   <Secret>
1518	                       <PlainValue>
1519	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1520	                       </PlainValue>
1521	                   </Secret>
1522	                   <Counter>
1523	                       <PlainValue>0</PlainValue>
1524	                   </Counter>
1525	               </Data>
1526	               <Policy>
1527	                   <StartDate>2006-05-01T00:00:00Z</StartDate>
1528	                   <ExpiryDate>2006-05-31T00:00:00Z</ExpiryDate>
1529	               </Policy>
1530	           </Key>
1531	       </KeyPackage>
1532	       <KeyPackage>
1533	           <DeviceInfo>
1534	               <Manufacturer>TokenVendorAcme</Manufacturer>
1535	               <SerialNo>9999999</SerialNo>
1536	           </DeviceInfo>
1537	           <Key Id="3"
1538	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
1539	               <Issuer>Issuer</Issuer>
1540	               <AlgorithmParameters>
1541	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
1542	               </AlgorithmParameters>
1543	               <Data>
1544	                   <Secret>
1545	                       <PlainValue>
1546	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1547	                       </PlainValue>
1548	                   </Secret>
1549	                   <Counter>
1550	                       <PlainValue>0</PlainValue>
1551	                   </Counter>
1552	               </Data>
1553	               <Policy>
1554	                   <StartDate>2006-03-01T00:00:00Z</StartDate>
1555	                   <ExpiryDate>2006-03-31T00:00:00Z</ExpiryDate>

1557	               </Policy>
1558	           </Key>
1559	       </KeyPackage>
1560	       <KeyPackage>
1561	           <DeviceInfo>
1562	               <Manufacturer>TokenVendorAcme</Manufacturer>
1563	               <SerialNo>9999999</SerialNo>
1564	           </DeviceInfo>
1565	           <Key Id="4"
1566	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
1567	               <Issuer>Issuer</Issuer>
1568	               <AlgorithmParameters>
1569	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
1570	               </AlgorithmParameters>
1571	               <Data>
1572	                   <Secret>
1573	                       <PlainValue>
1574	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1575	                       </PlainValue>
1576	                   </Secret>
1577	                   <Counter>
1578	                       <PlainValue>0</PlainValue>
1579	                   </Counter>
1580	               </Data>
1581	               <Policy>
1582	                   <StartDate>2006-04-01T00:00:00Z</StartDate>
1583	                   <ExpiryDate>2006-04-30T00:00:00Z</ExpiryDate>
1584	               </Policy>
1585	           </Key>
1586	       </KeyPackage>
1587	   </KeyContainer>

1589	                   Figure 10: Bulk Provisioning Example

1591	9.  Extensibility

1593	   This section lists a few common extension points provided by PSKC:

1595	   New PSKC Version:  Whenever it is necessary to define a new version
1596	      of this document then a new version number has to be allocated to
1597	      refer to the new specification version.  The version number is
1598	      carried inside the 'Version' attribute, as described in Section 4,
1599	      the numbering scheme MUST follow Section 1.2, and rules for
1600	      extensibililty are defined in Section 12.

1602	   New XML Elements:  The usage of the XML schema and the available
1603	      extension points allows new XML elements to be added.  Depending
1604	      of type of XML elements different ways for extensibility are
1605	      offered.  In some places the <Extensions> element can be used and
1606	      elsewhere the "<xs:any namespace="##other" processContents="lax"
1607	      minOccurs="0" maxOccurs="unbounded"/>" XML extension point is
1608	      utilized.

1610	   New XML Attributes:  The XML schema allows new XML attributes to be
1611	      added where XML extension points have been defined (see "<xs:
1612	      anyAttribute namespace="##other"/>" in Section 11).

1614	   New PSKC Algorithm Profiles:  This document defines two PSKC
1615	      algorithm profiles, see Section 10.  The following informational
1616	      document describes additional profiles [PSKC-ALGORITHM-PROFILES].
1617	      Further PSKC algorithm profiles can be registered as described in
1618	      Section 12.4.

1620	   Algorithm URIs:  Section 6 defines how keys and related data can be
1621	      protected.  A number of algorithms can be used.  The use of new
1622	      algorithms can be used by pointing to a new algorithm URI.

1624	   Policy:  Section 5 defines policies that can be attached to a key and
1625	      keying related data.  The <Policy> element is one such item that
1626	      allows to restrict the use of the key to certain functions, such
1627	      as "OTP usage only".  Further values may be registered as
1628	      described in Section 12.

1630	10.  PSKC Algorithm Profile

1632	10.1.  HOTP

1634	   Common Name:  HOTP

1636	   Class:  OTP

1638	   URI:  urn:ietf:params:xml:ns:keyprov:pskc:hotp

1640	   Algorithm Definition:  [HOTP]

1642	   Identifier Definition:  (this RFC)

1644	   Registrant Contact:  IESG

1646	   Deprectaed:  FALSE

1648	   Profiling:

1650	         The <KeyPackage> element MUST be present and the
1651	         <ResponseFormat> element, which is a child element of the
1652	         <AlgorithmParameters> element, MUST be used to indicate the OTP
1653	         length and the value format.

1655	         The <Counter> element (see Section 4.1) MUST be provided as
1656	         meta-data for the key.

1658	         The following additional constraints apply:

1660	         +  The value of the <Secret> element MUST contain key material
1661	            with a length of at least 16 octets (128 bits), if it is
1662	            present.

1664	         +  The <ResponseFormat> element MUST have the 'Format'
1665	            attribute set to "DECIMAL", and the 'Length' attribute MUST
1666	            indicate a length value between 6 and 9 (inclusive).

1668	         +  The <PINPolicy> element MAY be present but the
1669	            'PINUsageMode' attribute cannot be set to "Algorithmic".

1671	         An example can be found in Figure 3.

1673	10.2.  PIN
1674	   Common Name:  PIN

1676	   Class:  Symmetric static credential comparison

1678	   URI:  urn:ietf:params:xml:ns:keyprov:pskc:pin

1680	   Algorithm Definition:  (this RFC) Section 5.1

1682	   Identifier Definition  (this RFC)

1684	   Registrant Contact:  IESG

1686	   Deprectaed:  FALSE

1688	   Profiling:

1690	         The <Usage> element MAY be present but no attribute of the
1691	         <Usage> element is required.  The <ResponseFormat> element MAY
1692	         be used to indicate the PIN value format.

1694	         The <Secret> element (see Section 4.1) MUST be provided.

1696	         See the example in Figure 5

1698	11.  XML Schema

1700	   This section defines the XML schema for PSKC.

1702	<?xml version="1.0" encoding="UTF-8"?>
1703	<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
1704	     xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
1705	     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
1706	     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
1707	     targetNamespace="urn:ietf:params:xml:ns:keyprov:pskc"
1708	     elementFormDefault="qualified"
1709	     attributeFormDefault="unqualified">
1710	     <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
1711	          schemaLocation=
1712	"http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
1713	          xmldsig-core-schema.xsd"/>
1714	     <xs:import namespace="http://www.w3.org/2001/04/xmlenc#"
1715	          schemaLocation=
1716	"http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
1717	     <xs:import namespace="http://www.w3.org/XML/1998/namespace"/>
1718	     <xs:complexType name="KeyContainerType">
1719	          <xs:sequence>
1720	               <xs:element name="EncryptionKey"
1721	                    type="ds:KeyInfoType" minOccurs="0"/>
1722	               <xs:element name="MACMethod"
1723	                    type="pskc:MACMethodType" minOccurs="0"/>
1724	               <xs:element name="KeyPackage"
1725	                    type="pskc:KeyPackageType" maxOccurs="unbounded"/>
1726	               <xs:element name="Signature"
1727	                    type="ds:SignatureType" minOccurs="0"/>
1728	               <xs:element name="Extensions"
1729	                    type="pskc:ExtensionsType"
1730	                    minOccurs="0" maxOccurs="unbounded"/>
1731	          </xs:sequence>
1732	          <xs:attribute name="Version"
1733	               type="pskc:VersionType" use="required"/>
1734	          <xs:attribute name="Id"
1735	               type="xs:ID" use="optional"/>
1736	     </xs:complexType>
1737	     <xs:simpleType name="VersionType" final="restriction">
1738	          <xs:restriction base="xs:string">
1739	               <xs:pattern value="\d{1,2}\.\d{1,3}"/>
1740	          </xs:restriction>
1741	     </xs:simpleType>
1742	     <xs:complexType name="KeyType">
1743	          <xs:sequence>
1744	               <xs:element name="Issuer"
1745	                    type="xs:string" minOccurs="0"/>
1746	               <xs:element name="AlgorithmParameters"
1747	                    type="pskc:AlgorithmParametersType"
1748	                    minOccurs="0"/>
1749	               <xs:element name="KeyProfileId"
1750	                    type="xs:string" minOccurs="0"/>
1751	               <xs:element name="KeyReference"
1752	                    type="xs:string" minOccurs="0"/>
1753	               <xs:element name="FriendlyName"
1754	                    type="xs:string" minOccurs="0"/>
1755	               <xs:element name="Data"
1756	                    type="pskc:KeyDataType" minOccurs="0"/>
1757	               <xs:element name="UserId"
1758	                    type="xs:string" minOccurs="0"/>
1759	               <xs:element name="Policy"
1760	                    type="pskc:PolicyType" minOccurs="0"/>
1761	               <xs:element name="Extensions"
1762	                    type="pskc:ExtensionsType" minOccurs="0"
1763	                    maxOccurs="unbounded"/>
1764	          </xs:sequence>
1765	          <xs:attribute name="Id"
1766	               type="xs:string" use="required"/>
1767	          <xs:attribute name="Algorithm"
1768	               type="pskc:KeyAlgorithmType" use="optional"/>
1769	     </xs:complexType>
1770	     <xs:complexType name="PolicyType">
1771	          <xs:sequence>
1772	               <xs:element name="StartDate"
1773	                    type="xs:dateTime" minOccurs="0"/>
1774	               <xs:element name="ExpiryDate"
1775	                    type="xs:dateTime" minOccurs="0"/>
1776	               <xs:element name="PINPolicy"
1777	                    type="pskc:PINPolicyType" minOccurs="0"/>
1778	               <xs:element name="KeyUsage"
1779	                    type="pskc:KeyUsageType"
1780	                    minOccurs="0" maxOccurs="unbounded"/>
1781	               <xs:element name="NumberOfTransactions"
1782	                    type="xs:nonNegativeInteger" minOccurs="0"/>
1783	               <xs:any namespace="##other"
1784	                    minOccurs="0" maxOccurs="unbounded"/>
1785	          </xs:sequence>
1786	     </xs:complexType>
1787	     <xs:complexType name="KeyDataType">
1788	          <xs:sequence>
1789	               <xs:element name="Secret"
1790	                    type="pskc:binaryDataType" minOccurs="0"/>
1791	               <xs:element name="Counter"
1792	                    type="pskc:longDataType" minOccurs="0"/>

1794	               <xs:element name="Time"
1795	                    type="pskc:intDataType" minOccurs="0"/>
1796	               <xs:element name="TimeInterval"
1797	                    type="pskc:intDataType" minOccurs="0"/>
1798	               <xs:element name="TimeDrift"
1799	                    type="pskc:intDataType" minOccurs="0"/>
1800	               <xs:any namespace="##other"
1801	                    processContents="lax"
1802	                    minOccurs="0" maxOccurs="unbounded"/>
1803	          </xs:sequence>
1804	     </xs:complexType>
1805	     <xs:complexType name="binaryDataType">
1806	          <xs:sequence>
1807	               <xs:choice>
1808	                    <xs:element name="PlainValue"
1809	                         type="xs:base64Binary"/>
1810	                    <xs:element name="EncryptedValue"
1811	                         type="xenc:EncryptedDataType"/>
1812	               </xs:choice>
1813	               <xs:element name="ValueMAC"
1814	                    type="xs:base64Binary" minOccurs="0"/>
1815	          </xs:sequence>
1816	     </xs:complexType>
1817	     <xs:complexType name="intDataType">
1818	          <xs:sequence>
1819	               <xs:choice>
1820	                    <xs:element name="PlainValue" type="xs:int"/>
1821	                    <xs:element name="EncryptedValue"
1822	                         type="xenc:EncryptedDataType"/>
1823	               </xs:choice>
1824	               <xs:element name="ValueMAC"
1825	                    type="xs:base64Binary" minOccurs="0"/>
1826	          </xs:sequence>
1827	     </xs:complexType>
1828	     <xs:complexType name="stringDataType">
1829	          <xs:sequence>
1830	               <xs:choice>
1831	                    <xs:element name="PlainValue" type="xs:string"/>
1832	                    <xs:element name="EncryptedValue"
1833	                         type="xenc:EncryptedDataType"/>
1834	               </xs:choice>
1835	               <xs:element name="ValueMAC"
1836	                    type="xs:base64Binary" minOccurs="0"/>
1837	          </xs:sequence>
1838	     </xs:complexType>
1839	     <xs:complexType name="longDataType">
1840	          <xs:sequence>
1841	               <xs:choice>
1842	                    <xs:element name="PlainValue" type="xs:long"/>
1843	                    <xs:element name="EncryptedValue"
1844	                         type="xenc:EncryptedDataType"/>
1845	               </xs:choice>
1846	               <xs:element name="ValueMAC"
1847	                    type="xs:base64Binary" minOccurs="0"/>
1848	          </xs:sequence>
1849	     </xs:complexType>
1850	     <xs:complexType name="PINPolicyType">
1851	          <xs:attribute name="PINKeyId"
1852	               type="xs:string" use="optional"/>
1853	          <xs:attribute name="PINUsageMode"
1854	               type="pskc:PINUsageModeType"/>
1855	          <xs:attribute name="MaxFailedAttempts"
1856	               type="xs:unsignedInt" use="optional"/>
1857	          <xs:attribute name="MinLength"
1858	               type="xs:unsignedInt" use="optional"/>
1859	          <xs:attribute name="MaxLength"
1860	               type="xs:unsignedInt" use="optional"/>
1861	          <xs:attribute name="PINEncoding"
1862	               type="pskc:ValueFormatType" use="optional"/>
1863	          <xs:anyAttribute namespace="##other"/>
1864	     </xs:complexType>
1865	     <xs:simpleType name="PINUsageModeType">
1866	          <xs:restriction base="xs:string">
1867	               <xs:enumeration value="Local"/>
1868	               <xs:enumeration value="Prepend"/>
1869	               <xs:enumeration value="Append"/>
1870	               <xs:enumeration value="Algorithmic"/>
1871	          </xs:restriction>
1872	     </xs:simpleType>
1873	     <xs:simpleType name="KeyUsageType">
1874	          <xs:restriction base="xs:string">
1875	               <xs:enumeration value="OTP"/>
1876	               <xs:enumeration value="CR"/>
1877	               <xs:enumeration value="Encrypt"/>
1878	               <xs:enumeration value="Integrity"/>
1879	               <xs:enumeration value="Verify"/>
1880	               <xs:enumeration value="Unlock"/>
1881	               <xs:enumeration value="Decrypt"/>
1882	               <xs:enumeration value="KeyWrap"/>
1883	               <xs:enumeration value="Unwrap"/>
1884	               <xs:enumeration value="Derive"/>
1885	               <xs:enumeration value="Generate"/>
1886	          </xs:restriction>
1887	     </xs:simpleType>
1888	     <xs:complexType name="DeviceInfoType">
1889	          <xs:sequence>
1890	               <xs:element name="Manufacturer"
1891	                    type="xs:string" minOccurs="0"/>
1892	               <xs:element name="SerialNo"
1893	                    type="xs:string" minOccurs="0"/>
1894	               <xs:element name="Model"
1895	                    type="xs:string" minOccurs="0"/>
1896	               <xs:element name="IssueNo"
1897	                    type="xs:string" minOccurs="0"/>
1898	               <xs:element name="DeviceBinding"
1899	                    type="xs:string" minOccurs="0"/>
1900	               <xs:element name="StartDate"
1901	                    type="xs:dateTime" minOccurs="0"/>
1902	               <xs:element name="ExpiryDate"
1903	                    type="xs:dateTime" minOccurs="0"/>
1904	               <xs:element name="UserId"
1905	                    type="xs:string" minOccurs="0"/>
1906	               <xs:element name="Extensions"
1907	                    type="pskc:ExtensionsType" minOccurs="0"
1908	                    maxOccurs="unbounded"/>
1909	          </xs:sequence>
1910	     </xs:complexType>
1911	     <xs:complexType name="CryptoModuleInfoType">
1912	          <xs:sequence>
1913	               <xs:element name="Id" type="xs:string"/>
1914	               <xs:element name="Extensions"
1915	                    type="pskc:ExtensionsType" minOccurs="0"
1916	                    maxOccurs="unbounded"/>
1917	          </xs:sequence>
1918	     </xs:complexType>
1919	     <xs:complexType name="KeyPackageType">
1920	          <xs:sequence>
1921	               <xs:element name="DeviceInfo"
1922	                    type="pskc:DeviceInfoType" minOccurs="0"/>
1923	               <xs:element name="CryptoModuleInfo"
1924	                    type="pskc:CryptoModuleInfoType" minOccurs="0"/>
1925	               <xs:element name="Key"
1926	                    type="pskc:KeyType" minOccurs="0"/>
1927	               <xs:element name="Extensions"
1928	                    type="pskc:ExtensionsType" minOccurs="0"
1929	                    maxOccurs="unbounded"/>
1930	          </xs:sequence>
1931	     </xs:complexType>
1932	     <xs:complexType name="AlgorithmParametersType">
1933	          <xs:choice>
1934	               <xs:element name="Suite" type="xs:string" minOccurs="0"/>
1935	               <xs:element name="ChallengeFormat" minOccurs="0">
1936	                    <xs:complexType>
1937	                         <xs:attribute name="Encoding"
1938	                              type="pskc:ValueFormatType"
1939	                                                      use="required"/>
1940	                         <xs:attribute name="Min"
1941	                              type="xs:unsignedInt" use="required"/>
1942	                         <xs:attribute name="Max"
1943	                              type="xs:unsignedInt" use="required"/>
1944	                         <xs:attribute name="CheckDigits"
1945	                              type="xs:boolean" default="false"/>
1946	                    </xs:complexType>
1947	               </xs:element>
1948	               <xs:element name="ResponseFormat" minOccurs="0">
1949	                    <xs:complexType>
1950	                         <xs:attribute name="Encoding"
1951	                              type="pskc:ValueFormatType"
1952	                                                      use="required"/>
1953	                         <xs:attribute name="Length"
1954	                              type="xs:unsignedInt" use="required"/>
1955	                         <xs:attribute name="CheckDigits"
1956	                              type="xs:boolean" default="false"/>
1957	                    </xs:complexType>
1958	               </xs:element>
1959	               <xs:element name="Extensions"
1960	                    type="pskc:ExtensionsType" minOccurs="0"
1961	                    maxOccurs="unbounded"/>
1962	          </xs:choice>
1963	     </xs:complexType>
1964	     <xs:complexType name="ExtensionsType">
1965	          <xs:sequence>
1966	               <xs:any namespace="##other"
1967	                    processContents="lax" maxOccurs="unbounded"/>
1968	          </xs:sequence>
1969	          <xs:attribute name="definition"
1970	               type="xs:anyURI" use="optional"/>
1971	     </xs:complexType>
1972	     <xs:simpleType name="KeyAlgorithmType">
1973	          <xs:restriction base="xs:anyURI"/>
1974	     </xs:simpleType>
1975	     <xs:simpleType name="ValueFormatType">
1976	          <xs:restriction base="xs:string">
1977	               <xs:enumeration value="DECIMAL"/>
1978	               <xs:enumeration value="HEXADECIMAL"/>
1979	               <xs:enumeration value="ALPHANUMERIC"/>
1980	               <xs:enumeration value="BASE64"/>
1981	               <xs:enumeration value="BINARY"/>
1982	          </xs:restriction>
1983	     </xs:simpleType>
1984	     <xs:complexType name="MACMethodType">
1985	           <xs:sequence>
1986	                  <xs:choice>
1987	                        <xs:element name="MACKey"
1988	              type="xenc:EncryptedDataType" minOccurs="0"/>
1989	                        <xs:element name="MACKeyReference"
1990	                                type="xs:string" minOccurs="0"/>
1991	                        </xs:choice>
1992	                        <xs:any namespace="##other"
1993	           processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
1994	       </xs:sequence>
1995	       <xs:attribute name="Algorithm" type="xs:anyURI" use="required"/>
1996	        </xs:complexType>
1997	     <xs:element name="KeyContainer"
1998	          type="pskc:KeyContainerType"/>
1999	</xs:schema>
2000	12.  IANA Considerations

2002	12.1.  Content-type registration for 'application/pskc+xml'

2004	   This specification requests the registration of a new MIME type
2005	   according to the procedures of RFC 4288 [RFC4288] and guidelines in
2006	   RFC 3023 [RFC3023].

2008	   MIME media type name:  application

2010	   MIME subtype name:  pskc+xml

2012	   Required parameters:  There is no required parameter.

2014	   Optional parameters:  charset

2016	      Indicates the character encoding of enclosed XML.

2018	   Encoding considerations:  Uses XML, which can employ 8-bit
2019	      characters, depending on the character encoding used.  See RFC
2020	      3023 [RFC3023], Section 3.2.

2022	   Security considerations:  Please refer to Section 13 of RFCXXXX [NOTE
2023	      TO IANA/RFC-EDITOR: Please replace XXXX with the RFC number of
2024	      this specification.]

2026	   Interoperability considerations:  None

2028	   Published specification:  RFCXXXX [NOTE TO IANA/RFC-EDITOR: Please
2029	      replace XXXX with the RFC number of this specification.]

2031	   Applications which use this media type:  This MIME type is being used
2032	      as a symmetric key container format for transport and provisioning
2033	      of symmetric keys (One Time Password (OTP) shared secrets or
2034	      symmetric cryptographic keys) to different types of strong
2035	      authentication devices.  As such, it is used for key provisioning
2036	      systems.

2038	   Additional information:

2040	      Magic Number:  None

2042	      File Extension:  .pskcxml

2044	      Macintosh file type code:  'TEXT'

2046	   Personal and email address to contact for further information:
2047	      Philip Hoyer, Philip.Hoyer@actividentity.com

2049	   Intended usage:  LIMITED USE

2051	   Restrictions on usage:  None

2053	   Author:  This specification is a work item of the IETF KEYPROV
2054	      working group, with mailing list address <keyprov@ietf.org>.

2056	   Change controller:  The IESG <iesg@ietf.org>

2058	12.2.  XML Schema Registration

2060	   This section registers an XML schema as per the guidelines in
2061	   [RFC3688].

2063	   URI:  urn:ietf:params:xml:schema:keyprov:pskc

2065	   Registrant Contact:  IETF KEYPROV Working Group, Philip Hoyer
2066	      (Philip.Hoyer@actividentity.com).

2068	   XML Schema:  The XML schema to be registered is contained in
2069	      Section 11.  Its first line is

2071	   <?xml version="1.0" encoding="UTF-8"?>

2073	      and its last line is

2075	   </xs:schema>

2077	12.3.  URN Sub-Namespace Registration

2079	   This section registers a new XML namespace,
2080	   "urn:ietf:params:xml:ns:keyprov:pskc", per the guidelines in
2081	   [RFC3688].

2083	   URI:  urn:ietf:params:xml:ns:keyprov:pskc

2085	   Registrant Contact:  IETF KEYPROV Working Group, Philip Hoyer
2086	      (Philip.Hoyer@actividentity.com).

2088	   XML:

2090	   BEGIN
2091	   <?xml version="1.0"?>
2092	   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
2093	     "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
2094	   <html xmlns="http://www.w3.org/1999/xhtml">
2095	   <head>
2096	     <meta http-equiv="content-type"
2097	           content="text/html;charset=iso-8859-1"/>
2098	     <title>PSKC Namespace</title>
2099	   </head>
2100	   <body>
2101	     <h1>Namespace for PSKC</h1>
2102	     <h2>urn:ietf:params:xml:ns:keyprov:pskc</h2>
2103	   <p>See <a href="[URL of published RFC]">RFCXXXX
2104	       [NOTE TO IANA/RFC-EDITOR:
2105	        Please replace XXXX with the RFC number of this
2106	       specification.]</a>.</p>
2107	   </body>
2108	   </html>
2109	   END

2111	12.4.  PSKC Algorithm Profile Registry

2113	   This specification requests the creation of a new IANA registry for
2114	   PSKC algorithm profiles in accordance with the principles set out in
2115	   RFC 5226 [RFC5226].

2117	   As part of this registry IANA will maintain the following
2118	   information:

2120	   Common Name:  The name by which the PSKC algorithm profile is
2121	      generally referred.

2123	   Class:  The type of PSKC algorithm profile registry entry being
2124	      created, such as encryption, Message Authentication Code (MAC),
2125	      One Time Password (OTP), Digest.

2127	   URI:  The URI to be used to identify the profile.

2129	   Identifier Definition:  IANA will be asked to add a pointer to the
2130	      specification containing information about the PSKC algorithm
2131	      profile registration.

2133	   Algorithm Definition:  A reference to the stable document in which
2134	      the algorithm being used with the PSKC is defined.

2136	   Registrant Contact:  Contact information about the party submitting
2137	      the registration request.

2139	   Deprecated:  TRUE if based on expert approval this entry has been
2140	      deprecated and SHOULD not be used in any new implementations.
2141	      Otherwise FALSE.

2143	   PSKC Profiling:  Information about PSKC XML elements and attributes
2144	      being used (or not used) with this specific profile of PSKC.

2146	   PSKC algorithm profile identifier registrations are to be subject to
2147	   Specification Required as per RFC 5226 [RFC5226].  Updates can be
2148	   provided based on expert approval only.  Based on expert approval, it
2149	   is possible to mark entries as "deprecated".  A designated expert
2150	   will be appointed by the IESG.

2152	   IANA is asked to add two initial values to the registry based on the
2153	   algorithm profiles described in Section 10.

2155	12.5.  PSKC Version Registry

2157	   IANA is requested to create a registry for PSKC version numbers.  The
2158	   registry has the following structure:

2160	     PSKC Version              | Specification
2161	   +---------------------------+----------------
2162	   | 1.0                       | [This document]

2164	   Standards action is required to define new versions of PSKC.  It is
2165	   not envisioned to deprecate, delete, or modify existing PSKC
2166	   versions.

2168	12.6.  Key Usage Registry

2170	   IANA is requested to create a registry for key usage.  A description
2171	   of the 'KeyUsage' element can be found in Section 5.

2173	   As part of this registry IANA will maintain the following
2174	   information:

2176	    Key Usage:  The identifier of the Key Usage.

2178	   Specification:  IANA will be asked to add a pointer to the
2179	      specification containing information about the semantics of a new
2180	      Key Usage registration.

2182	   Deprecated:  TRUE if based on expert approval this entry has been
2183	      deprecated and SHOULD not be used in any new implementations.
2184	      Otherwise FALSE.

2186	   ANA is asked to add an initial value to the registry:

2188	     Key Usage     | Specification                | Deprecated
2189	   +---------------+------------------------------+-----------
2190	   | OTP           | [Section 5 of this document] | FALSE
2191	   | CR            | [Section 5 of this document] | FALSE
2192	   | Encrypt       | [Section 5 of this document] | FALSE
2193	   | Integrity     | [Section 5 of this document] | FALSE
2194	   | Verify        | [Section 5 of this document] | FALSE
2195	   | Unlock        | [Section 5 of this document] | FALSE
2196	   | Decrypt       | [Section 5 of this document] | FALSE
2197	   | KeyWrap       | [Section 5 of this document] | FALSE
2198	   | Unwrap        | [Section 5 of this document] | FALSE
2199	   | Derive        | [Section 5 of this document] | FALSE
2200	   | Generate      | [Section 5 of this document] | FALSE
2201	   +---------------+------------------------------+-----------

2203	   Key Usage Registry registrations are to be subject to Specification
2204	   Required as per RFC 5226 [RFC5226].  Expert Review is required to
2205	   define new Key Usage values.  Updates can be provided based on expert
2206	   approval only.  Based on expert approval, it is possible to mark
2207	   entries as "deprecated".  A designated expert will be appointed by
2208	   the IESG.

2210	13.  Security Considerations

2212	   The portable symmetric key container (PSKC) carries sensitive
2213	   information (e.g., cryptographic keys) and may be transported across
2214	   the boundaries of one secure perimeter to another.  For example, a
2215	   container residing within the secure perimeter of a back-end
2216	   provisioning server in a secure room may be transported across the
2217	   internet to an end-user device attached to a personal computer.  This
2218	   means that special care MUST be taken to ensure the confidentiality,
2219	   integrity, and authenticity of the information contained within.

2221	13.1.  PSKC Confidentiality

2223	   By design, the container allows two main approaches to guaranteeing
2224	   the confidentiality of the information it contains while transported.

2226	   First, the container key data payload may be encrypted.

2228	   In this case no transport layer security is required.  However,
2229	   standard security best practices apply when selecting the strength of
2230	   the cryptographic algorithm for key data payload encryption.
2231	   Symmetric cryptographic cipher SHOULD be used - the longer the
2232	   cryptographic key, the stronger the protection.  Please see
2233	   Section 6.1 for recommendations of key data payload protection using
2234	   symmetric cryptographic ciphers.  In cases where the exchange of key
2235	   encryption keys between the sender and the receiver is not possible,
2236	   asymmetric encryption of the key data payload may be employed, see
2237	   Section 6.3 .  Similarly to symmetric key cryptography, the stronger
2238	   the asymmetric key, the more secure the protection is.

2240	   If the key data payload is encrypted with a method that uses one of
2241	   the password-based encryption methods (PBE methods) detailed in
2242	   Section 6.2, the key data payload may be subjected to password
2243	   dictionary attacks to break the encryption password and recover the
2244	   information.  Standard security best practices for selection of
2245	   strong encryption passwords apply.

2247	   Additionally, it is strongly RECOMMENDED that practical
2248	   implementations use PBESalt and PBEIterationCount when PBE encryption
2249	   is used.  A different PBESalt value per PSKC SHOULD be used for best
2250	   protection.

2252	   The second approach to protecting the confidentiality of the key data
2253	   is based on using lower layer security mechanisms (e.g., [TLS],
2254	   [IPSec]).  The secure connection established between the source
2255	   secure perimeter (the provisioning server from the example above) and
2256	   the target perimeter (the device attached to the end-user computer)
2257	   utilizes encryption to protect the messages that travel across that
2258	   connection.  No key data payload encryption is required in this mode.
2259	   Secure connections that encrypt and digest each message provide an
2260	   extra measure of security.

2262	   Because of the fact that the plain text PSKC is protected only by the
2263	   transport layer security, practical implementation MUST ensure
2264	   protection against man-in-the-middle attacks.  Authenticating the
2265	   secure channel end-points is critically important for eliminating
2266	   intruders that may compromise the confidentiality of the PSKC.

2268	13.2.  PSKC Integrity

2270	   The PSKC provides a mean to guarantee the integrity of the
2271	   information it contains through digital signatures.  It is
2272	   RECOMMENDED that for best security practices, the digital signature
2273	   of the container encompasses the entire PSKC.This provides assurances
2274	   for the integrity of all attributes.  It also allows verification of
2275	   the integrity of a given PSKC even after the container is delivered
2276	   through the communication channel to the target perimeter and channel
2277	   message integrity check is no longer possible.

2279	13.3.  PSKC Authenticity

2281	   The digital signature of the PSKC is the primary way of showing its
2282	   authenticity.  The recipient of the container SHOULD use the public
2283	   key associated with the signature to assert the authenticity of the
2284	   sender by tracing it back to a preloaded public key or certificate.
2285	   Note that the digital signature of the PSKC can be checked even after
2286	   the container has been delivered through the secure channel of
2287	   communication.

2289	   Authenticity guarantee may be provided by [TLS] or [IPSec].  However,
2290	   no authenticity verification is possible once the container is
2291	   delivered at the recipient end.  Since the TLS endpoints could differ
2292	   from the key provisioning endpoints, this solution is weaker than the
2293	   previous solution that relies on a digital signature of the PSKC.

2295	14.  Contributors

2297	   We would like Hannes Tschofenig for his text contributions to this
2298	   document.

2300	15.  Acknowledgements

2302	   The authors of this draft would like to thank the following people
2303	   for their feedback: Apostol Vassilev, Shuh Chang, Jon Martinson,
2304	   Siddhart Bajaj, Stu Vaeth, Kevin Lewis, Philip Hallam-Baker, Andrea
2305	   Doherty, Magnus Nystrom, Tim Moses, Anders Rundgren, Sean Turner and
2306	   especially Robert Philpott.

2308	   We would like to thank Sean Turner for his draft review in January
2309	   2009.  We would also like to thank Anders Rundgren for triggering the
2310	   discussion regarding to the selection of encryption algorithms (KW-
2311	   AES-128 vs. AES-128-CBC) and his input on the keyed message digest
2312	   computation.

2314	   This work is based on earlier work by the members of OATH (Initiative
2315	   for Open AuTHentication), see [OATH], to specify a format that can be
2316	   freely distributed to the technical community.

2318	16.  References

2320	16.1.  Normative References

2322	   [AESKWPAD]
2323	              Housley, R. and M. Dworkin, "Advanced Encryption Standard
2324	              (AES) Key Wrap with Padding Algorithm", March 2009, <http:
2325	              //www.ietf.org/internet-drafts/
2326	              draft-housley-aes-key-wrap-with-pad-02.txt>.

2328	   [FIPS197]  National Institute of Standards, "FIPS Pub 197: Advanced
2329	              Encryption Standard (AES)", November 2001.

2331	   [HOTP]     MRaihi, D., Bellare, M., Hoornaert, F., Naccache, D., and
2332	              O. Ranen, "HOTP: An HMAC-Based One Time Password
2333	              Algorithm", RFC 4226, December 2005.

2335	   [IANAPENREG]
2336	              IANA, "IANA Private Enterprise Number Registry",
2337	              April 2009,
2338	              <http://www.iana.org/assignments/enterprise-numbers/>.

2340	   [ISOIEC7812]
2341	              ISO, "ISO/IEC 7812-1:2006 Identification cards --
2342	              Identification of issuers -- Part 1: Numbering system",
2343	              October 2006, <http://www.iso.org/iso/iso_catalogue/
2344	              catalogue_tc/catalogue_detail.htm?csnumber=39698>.

2346	   [OATHMAN]  OATH, "List of OATH Manufacturer Prefixes (omp)",
2347	              April 2009,
2348	              <http://www.openauthentication.org/oath-id/prefixes/>.

2350	   [PKCS5]    RSA Laboratories, "PKCS #5: Password-Based Cryptography
2351	              Standard", Version 2.0,
2352	              URL: http://www.rsasecurity.com/rsalabs/pkcs/, March 1999.

2354	   [RFC2119]  "Key words for use in RFCs to Indicate Requirement
2355	              Levels", BCP 14, RFC 2119, March 1997.

2357	   [RFC3023]  Murata, M., St. Laurent, S., and D. Kohn, "XML Media
2358	              Types", RFC 3023, January 2001.

2360	   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
2361	              January 2004.

2363	   [RFC4288]  Freed, N. and J. Klensin, "Media Type Specifications and
2364	              Registration Procedures", BCP 13, RFC 4288, December 2005.

2366	   [RFC4514]  Zeilenga, K., "Lightweight Directory Access Protocol
2367	              (LDAP): String Representation of Distinguished Names",
2368	              RFC 4514, June 2006.

2370	   [RFC4646]  Phillips, A. and M. Davis, "Tags for Identifying
2371	              Languages", RFC 4646, September 2006.

2373	   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
2374	              Encodings", RFC 4648, October 2006.

2376	   [SP800-67]
2377	              National Institute of Standards, "NIST Special Publication
2378	              800-67 Version 1.1: Recommendation for the Triple Data
2379	              Encryption Algorithm (TDEA) Block Cipher", NIST Special
2380	              Publication 800-67, May 2008.

2382	   [XMLDSIG]  Eastlake, D., "XML-Signature Syntax and Processing",
2383	              URL: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/,
2384	              W3C Recommendation, February 2002.

2386	   [XMLENC]   Eastlake, D., "XML Encryption Syntax and Processing.",
2387	              URL: http://www.w3.org/TR/xmlenc-core/,
2388	              W3C Recommendation, December 2002.

2390	   [XMLENC11]
2391	              Eastlake, D., "XML Encryption Syntax and Processing
2392	              Version 1.1.",
2393	              URL: http://www.w3.org/TR/2009/WD-xmlenc-core1-20090730,
2394	              W3C Recommendation, July 2009.

2396	16.2.  Informative References

2398	   [CAP]      MasterCard International, "Chip Authentication Program
2399	              Functional Architecture", September 2004.

2401	   [DSKPP]    Doherty, A., Pei, M., Machani, S., and M. Nystrom,
2402	              "Dynamic Symmetric Key Provisioning Protocol", Internet
2403	              Draft Informational, URL: http://www.ietf.org/
2404	              internet-drafts/draft-ietf-keyprov-dskpp-07.txt,
2405	              February 2009.

2407	   [IPSec]    Kent, S. and K. Seo, "Security Architecture for the
2408	              Internet Protocol", RFC 4301, December 2005.

2410	   [NIST800-57]
2411	              Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid,
2412	              "NIST Special Publication 800-57, Recommendation for Key
2413	              Management - Part 1: General (Revised)", NIST Special
2414	              Publication 800-57, March 2007.

2416	   [OATH]     "Initiative for Open AuTHentication",
2417	              URL: http://www.openauthentication.org.

2419	   [PSKC-ALGORITHM-PROFILES]
2420	              Hoyer, P., Pei, M., Machani, S., and A. Doherty,
2421	              "Additional Portable Symmetric Key Container (PSKC)
2422	              Algorithm Profiles", Internet Draft Informational, URL:
2423	               http://www.ietf.org/id/
2424	              draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt,
2425	              May 2010.

2427	   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
2428	              Resource Identifiers (URI): Generic Syntax", RFC 3986,
2429	              January 2005.

2431	   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
2432	              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
2433	              May 2008.

2435	   [TLS]      Dierks, T. and E. Rescorla, "The Transport Layer Security
2436	              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

2438	   [XMLNS]    "Namespaces in XML", W3C Recommendation ,
2439	              URL: http://www.w3.org/TR/1999/REC-xml-names-19990114,
2440	              January 1999.

2442	Appendix A.  Use Cases

2444	   This section describes a comprehensive list of use cases that
2445	   inspired the development of this specification.  These requirements
2446	   were used to derive the primary requirement that drove the design.
2447	   These requirements are covered in the next section.

2449	   These use cases also help in understanding the applicability of this
2450	   specification to real world situations.

2452	A.1.  Online Use Cases

2454	   This section describes the use cases related to provisioning the keys
2455	   using an online provisioning protocol such as [DSKPP].

2457	A.1.1.  Transport of keys from Server to Cryptographic Module

2459	   For example, a mobile device user wants to obtain a symmetric key for
2460	   use with a Cryptographic Module on the device.  The Cryptographic
2461	   Module from vendor A initiates the provisioning process against a
2462	   provisioning system from vendor B using a standards-based
2463	   provisioning protocol such as [DSKPP].  The provisioning entity
2464	   delivers one or more keys in a standard format that can be processed
2465	   by the mobile device.

2467	   For example, in a variation of the above, instead of the user's
2468	   mobile phone, a key is provisioned in the user's soft token
2469	   application on a laptop using a network-based online protocol.  As
2470	   before, the provisioning system delivers a key in a standard format
2471	   that can be processed by the soft token on the PC.

2473	   For example, the end-user or the key issuer wants to update or
2474	   configure an existing key in the Cryptographic Module and requests a
2475	   replacement key container.  The container may or may not include a
2476	   new key and may include new or updated key attributes such as a new
2477	   counter value in HOTP key case, a modified response format or length,
2478	   a new friendly name, etc.

2480	A.1.2.  Transport of keys from Cryptographic Module to Cryptographic
2481	        Module

2483	   For example, a user wants to transport a key from one Cryptographic
2484	   Module to another.  There may be two cryptographic modules, one on a
2485	   computer one on a mobile phone, and the user wants to transport a key
2486	   from the computer to the mobile phone.  The user can export the key
2487	   and related data in a standard format for input into the other
2488	   Cryptographic Module.

2490	A.1.3.  Transport of keys from Cryptographic Module to Server

2492	   For example, a user wants to activate and use a new key and related
2493	   data against a validation system that is not aware of this key.  This
2494	   key may be embedded in the Cryptographic Module (e.g.  SD card, USB
2495	   drive) that the user has purchased at the local electronics retailer.
2496	   Along with the Cryptographic Module, the user may get the key on a CD
2497	   or a floppy in a standard format.  The user can now upload via a
2498	   secure online channel or import this key and related data into the
2499	   new validation system and start using the key.

2501	A.1.4.  Server to server Bulk import/export of keys

2503	   From time to time, a key management system may be required to import
2504	   or export keys in bulk from one entity to another.

2506	   For example, instead of importing keys from a manufacturer using a
2507	   file, a validation server may download the keys using an online
2508	   protocol.  The keys can be downloaded in a standard format that can
2509	   be processed by a validation system.

2511	   For example, in a variation of the above, an Over-The-Air (OTA) key
2512	   provisioning gateway that provisions keys to mobile phones may obtain
2513	   key material from a key issuer using an online protocol.  The keys
2514	   are delivered in a standard format that can be processed by the key
2515	   provisioning gateway and subsequently sent to the end-user's mobile
2516	   phone.

2518	A.2.  Offline Use Cases

2520	   This section describes the use cases relating to offline transport of
2521	   keys from one system to another, using some form of export and import
2522	   model.

2524	A.2.1.  Server to server Bulk import/export of keys

2526	   For example, Cryptographic Modules such as OTP authentication tokens,
2527	   may have their symmetric keys initialized during the manufacturing
2528	   process in bulk, requiring copies of the keys and algorithm data to
2529	   be loaded into the authentication system through a file on portable
2530	   media.  The manufacturer provides the keys and related data in the
2531	   form of a file containing records in standard format, typically on a
2532	   CD.  Note that the token manufacturer and the vendor for the
2533	   validation system may be the same or different.  Some crypto modules
2534	   will allow local PIN management (the device will have a PIN pad)
2535	   hence random initial PINs set at manufacturing should be transmitted
2536	   together with the respective keys they protect.

2538	   For example, an enterprise wants to port keys and related data from
2539	   an existing validation system A into a different validation system B.
2540	   The existing validation system provides the enterprise with a
2541	   functionality that enables export of keys and related data (e.g. for
2542	   OTP authentication tokens) in a standard format.  Since the OTP
2543	   tokens are in the standard format, the enterprise can import the
2544	   token records into the new validation system B and start using the
2545	   existing tokens.  Note that the vendors for the two validation
2546	   systems may be the same or different.

2548	Appendix B.  Requirements

2550	   This section outlines the most relevant requirements that are the
2551	   basis of this work.  Several of the requirements were derived from
2552	   use cases described above.

2554	   R1:   The format MUST support transport of multiple types of
2555	         symmetric keys and related attributes for algorithms including
2556	         HOTP, other OTP, challenge-response, etc.

2558	   R2:   The format MUST handle the symmetric key itself as well of
2559	         attributes that are typically associated with symmetric keys.
2560	         Some of these attributes may be

2562	         *  Unique Key Identifier

2564	         *  Issuer information

2566	         *  Algorithm ID

2568	         *  Algorithm mode

2570	         *  Issuer Name

2572	         *  Key friendly name

2574	         *  Event counter value (moving factor for OTP algorithms)

2576	         *  Time value

2578	   R3:   The format SHOULD support both offline and online scenarios.
2579	         That is it should be serializable to a file as well as it
2580	         should be possible to use this format in online provisioning
2581	         protocols such as [DSKPP]

2583	   R4:   The format SHOULD allow bulk representation of symmetric keys

2585	   R5:   The format SHOULD allow bulk representation of PINs related to
2586	         specific keys

2588	   R6:   The format SHOULD be portable to various platforms.
2589	         Furthermore, it SHOULD be computationally efficient to process.

2591	   R7:   The format MUST provide appropriate level of security in terms
2592	         of data encryption and data integrity.

2594	   R8:   For online scenarios the format SHOULD NOT rely on transport
2595	         level security (e.g., SSL/TLS) for core security requirements.

2597	   R9:   The format SHOULD be extensible.  It SHOULD enable extension
2598	         points allowing vendors to specify additional attributes in the
2599	         future.

2601	   R10:  The format SHOULD allow for distribution of key derivation data
2602	         without the actual symmetric key itself.  This is to support
2603	         symmetric key management schemes that rely on key derivation
2604	         algorithms based on a pre-placed master key.  The key
2605	         derivation data typically consists of a reference to the key,
2606	         rather than the key value itself.

2608	   R11:  The format SHOULD allow for additional lifecycle management
2609	         operations such as counter resynchronization.  Such processes
2610	         require confidentiality between client and server, thus could
2611	         use a common secure container format, without the transfer of
2612	         key material.

2614	   R12:  The format MUST support the use of pre-shared symmetric keys to
2615	         ensure confidentiality of sensitive data elements.

2617	   R13:  The format MUST support a password-based encryption (PBE)
2618	         [PKCS5] scheme to ensure security of sensitive data elements.
2619	         This is a widely used method for various provisioning
2620	         scenarios.

2622	   R14:  The format SHOULD support asymmetric encryption algorithms such
2623	         as RSA to ensure end-to-end security of sensitive data
2624	         elements.  This is to support scenarios where a pre-set shared
2625	         key encryption key is difficult to use.

2627	Authors' Addresses

2629	   Philip Hoyer
2630	   ActivIdentity, Inc.
2631	   117 Waterloo Road
2632	   London, SE1  8UL
2633	   UK

2635	   Phone: +44 (0) 20 7960 0220
2636	   Email: phoyer@actividentity.com

2638	   Mingliang Pei
2639	   VeriSign, Inc.
2640	   487 E. Middlefield Road
2641	   Mountain View, CA  94043
2642	   USA

2644	   Phone: +1 650 426 5173
2645	   Email: mpei@verisign.com

2647	   Salah Machani
2648	   Diversinet, Inc.
2649	   2225 Sheppard Avenue East
2650	   Suite 1801
2651	   Toronto, Ontario  M2J 5C2
2652	   Canada

2654	   Phone: +1 416 756 2324 Ext. 321
2655	   Email: smachani@diversinet.com