idnits 2.17.00 (12 Aug 2021) /tmp/idnits31453/draft-ietf-keyprov-portable-symmetric-key-container-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 3001. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 3012. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 3019. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 3025. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Too long document name: The document name (without revision number), 'draft-ietf-keyprov-portable-symmetric-key-container', is 51 characters long, but may be at most 50 characters Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == Line 2254 has weird spacing: '...inition http:...' == Line 2270 has weird spacing: '...inition http:...' == Line 2287 has weird spacing: '...inition http:...' == Line 2304 has weird spacing: '...inition http:...' == Line 2322 has weird spacing: '...inition http:...' == (2 more instances...) == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the start date of the key, it MUST not be possible to use this key before this date. MUST be expressed in UTC form, with no time zone component. Implementations SHOULD NOT rely on time resolution finer than milliseconds and MUST NOT generate time instants that specify leap seconds. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the expiry date of the key, it MUST not be possible to use this key after this date. MUST be expressed in UTC form, with no time zone component. Implementations SHOULD NOT rely on time resolution finer than milliseconds and MUST NOT generate time instants that specify leap seconds. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the maximum number of times the PIN can be entered wrongly before it MUST not be possible to use the key anymore == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the minimum lenght of a PIN that can be set to protect this key. It MUST not be possible to set a PIN shorter than this value. If the Format element is 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of digits/characters. If the Format attribute is 'BASE64' or 'BINARY', this value indicates the number of bytes of the unencoded value. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o (OPTIONAL), the maximum lenght of a PIN that can be set to protect this key. It MUST not be possible to set a PIN longer than this value. If the Format element is 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of digits/characters. If the Format attribute is 'BASE64' or 'BINARY', this value indicates the number of bytes of the unencoded value. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 14, 2008) is 5058 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'PKCS1' is defined on line 2875, but no explicit reference was found in the text == Unused Reference: 'OATH' is defined on line 2938, but no explicit reference was found in the text == Unused Reference: 'OCRA' is defined on line 2941, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2437 (ref. 'PKCS1') (Obsoleted by RFC 3447) -- Possible downref: Non-RFC (?) normative reference: ref. 'PKCS5' ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226) ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303) ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838) -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLDSIG' -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC' == Outdated reference: draft-mraihi-mutual-oath-hotp-variants has been published as RFC 6287 Summary: 6 errors (**), 0 flaws (~~), 16 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 keyprov P. Hoyer 3 Internet-Draft ActivIdentity 4 Intended status: Standards Track M. Pei 5 Expires: January 15, 2009 VeriSign 6 S. Machani 7 Diversinet 8 July 14, 2008 10 Portable Symmetric Key Container 11 draft-ietf-keyprov-portable-symmetric-key-container-05.txt 13 Status of this Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on January 15, 2009. 38 Copyright Notice 40 Copyright (C) The IETF Trust (2008). 42 Abstract 44 This document specifies a symmetric key format for transport and 45 provisioning of symmetric keys (for example One Time Password (OTP) 46 shared secrets or symmetric cryptographic keys) to different types of 47 crypto modules such as a strong authentication device. The standard 48 key transport format enables enterprises to deploy best-of-breed 49 solutions combining components from different vendors into the same 50 infrastructure. 52 This work is a joint effort by the members of OATH (Initiative for 53 Open AuTHentication) to specify a format that can be freely 54 distributed to the technical community. The authors believe that a 55 common and shared specification will facilitate adoption of two- 56 factor authentication on the Internet by enabling interoperability 57 between commercial and open-source implementations. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 62 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 63 2.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . 6 64 2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 6 65 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 8 66 3.1. Online Use Cases . . . . . . . . . . . . . . . . . . . . . 8 67 3.1.1. Transport of keys from Server to Cryptomodule . . . . 8 68 3.1.2. Transport of keys from Cryptomodule to Cryptomodule . 8 69 3.1.3. Transport of keys from Cryptomodule to Server . . . . 9 70 3.1.4. Server to server Bulk import/export of keys . . . . . 9 71 3.2. Offline Use Cases . . . . . . . . . . . . . . . . . . . . 9 72 3.2.1. Server to server Bulk import/export of keys . . . . . 9 73 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 11 74 5. Portable Key container definition . . . . . . . . . . . . . . 13 75 5.1. KeyContainer . . . . . . . . . . . . . . . . . . . . . . . 14 76 5.2. KeyProperties . . . . . . . . . . . . . . . . . . . . . . 16 77 5.3. Device . . . . . . . . . . . . . . . . . . . . . . . . . . 17 78 5.3.1. DeviceInfo . . . . . . . . . . . . . . . . . . . . . . 18 79 5.4. Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 80 5.4.1. KeyData . . . . . . . . . . . . . . . . . . . . . . . 23 81 5.4.2. Usage . . . . . . . . . . . . . . . . . . . . . . . . 25 82 5.4.3. ValueFormat . . . . . . . . . . . . . . . . . . . . . 29 83 5.4.4. PINPolicy . . . . . . . . . . . . . . . . . . . . . . 29 84 6. Usage and profile of algorithms for the portable symmetric 85 key container . . . . . . . . . . . . . . . . . . . . . . . . 33 86 6.1. Usage of EncryptionKey to protect keys in transit . . . . 33 87 6.1.1. Protecting keys using a pre-shared key via 88 symmetric algorithms . . . . . . . . . . . . . . . . . 33 89 6.1.2. Protecting keys using passphrase based encryption 90 keys . . . . . . . . . . . . . . . . . . . . . . . . . 34 91 6.2. Protecting keys using asymmetric algorithms . . . . . . . 36 92 6.3. Profile of Key Algorithm . . . . . . . . . . . . . . . . . 37 93 6.3.1. OTP Key Algorithm Identifiers . . . . . . . . . . . . 38 94 6.3.2. PIN key value compare algorithm identifier . . . . . . 38 95 7. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 39 96 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 97 8.1. Content-type registration for 'application/pskc+xml' . . . 46 98 8.2. XML Schema Registration . . . . . . . . . . . . . . . . . 47 99 8.3. URN Sub-Namespace Registration for 100 urn:ietf:params:xml:ns:keyprov:pskc:1.0 . . . . . . . . . 47 101 8.4. Symmetric Key Algorithm Identifier Registry . . . . . . . 48 102 8.4.1. Applicability . . . . . . . . . . . . . . . . . . . . 48 103 8.4.2. Registerable Algorithms . . . . . . . . . . . . . . . 49 104 8.4.3. Registration Procedures . . . . . . . . . . . . . . . 50 105 8.4.4. Initial Values . . . . . . . . . . . . . . . . . . . . 52 106 9. Security Considerations . . . . . . . . . . . . . . . . . . . 57 107 9.1. Payload confidentiality . . . . . . . . . . . . . . . . . 57 108 9.2. Payload integrity . . . . . . . . . . . . . . . . . . . . 58 109 9.3. Payload authenticity . . . . . . . . . . . . . . . . . . . 58 110 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 59 111 11. Appendix A - Example Symmetric Key Containers . . . . . . . . 60 112 11.1. Symmetric Key Container with a single Non-Encrypted 113 HOTP Secret Key . . . . . . . . . . . . . . . . . . . . . 60 114 11.2. Symmetric Key Container with a single PIN protected 115 Non-Encrypted HOTP Secret Key . . . . . . . . . . . . . . 60 116 11.3. Symmetric Key Container with a single AES-256-CBC 117 Encrypted HOTP Secret Key and non-encrypted counter 118 value . . . . . . . . . . . . . . . . . . . . . . . . . . 62 119 11.4. Symmetric Key Container with signature and a single 120 Password-based Encrypted HOTP Secret Key . . . . . . . . . 63 121 11.5. Symmetric Key Container with a single RSA 1.5 122 Encrypted HOTP Secret Key . . . . . . . . . . . . . . . . 65 123 11.6. Symmetric Key Container with a single AES-256-CBC 124 Encrypted OCRA Secret Key and non-encrypted counter 125 value . . . . . . . . . . . . . . . . . . . . . . . . . . 66 126 11.7. Symmetric Key Container with a single AES-256-CBC 127 Encrypted TOTP Secret Key and non-encrypted time values . 68 128 11.8. Symmetric Key Container with two devices containing a 129 Non-Encrypted HOTP Secret Key each sharing common 130 KeyProperties . . . . . . . . . . . . . . . . . . . . . . 69 131 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 71 132 12.1. Normative References . . . . . . . . . . . . . . . . . . . 71 133 12.2. Informative References . . . . . . . . . . . . . . . . . . 71 134 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 73 135 Intellectual Property and Copyright Statements . . . . . . . . . . 74 137 1. Introduction 139 With increasing use of symmetric key based authentication systems 140 such as systems based one time password (OTP) and challenge response 141 mechanisms, there is a need for vendor interoperability and a 142 standard format for importing, exporting or provisioning symmetric 143 keys from one system to another. Traditionally authentication server 144 vendors and service providers have used proprietary formats for 145 importing, exporting and provisioning these keys into their systems 146 making it hard to use tokens from vendor A with a server from vendor 147 B. 149 This Internet draft describes a standard format for serializing 150 symmetric keys such as OTP shared secrets for system import, export 151 or network/protocol transport. The goal is that the format will 152 facilitate dynamic provisioning and transfer of symmetric keys such 153 as OTP shared secrets or encryption keys of different types. In the 154 case of OTP shared secrets, the format will facilitate dynamic 155 provisioning using an online provisioning protocol to different 156 flavors of embedded tokens or allow customers to import new or 157 existing tokens in batch or single instances into a compliant system. 159 This draft also specifies the key attributes required for computation 160 such as the initial event counter used in the HOTP algorithm [HOTP]. 161 It is also applicable for other time-based or proprietary algorithms. 163 To provide an analogy, in public key environments the PKCS#12 format 164 [PKCS12] is commonly used for importing and exporting private keys 165 and certificates between systems. In the environments outlined in 166 this document where OTP keys may be transported directly down to 167 smartcards or devices with limited computing capabilities, a format 168 with small (size in bytes) and explicit shared secret configuration 169 attribute information is desirable, avoiding complexity of PKCS#12. 170 For example, one would have to use opaque data within PKCS#12 to 171 carry shared secret attributes used for OTP calculations, whereas a 172 more explicit attribute schema definition is better for 173 interoperability and efficiency. 175 2. Terminology 177 2.1. Key Words 179 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 180 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 181 document are to be interpreted as described in [RFC2119]. 183 2.2. Definitions 185 This section defines terms used in this document. The same terms may 186 be defined differently in other documents. 188 Authentication Token: A physical device that an authorized user of 189 computer services is given to aid in authentication. The term may 190 also refer to software tokens. 192 Bulk Provisioning: Transferring multiple keys linked to multiple 193 devices in a single execution step within one single PSKC 194 KeyContainer 196 Cryptographic Module: A component of an application, which enables 197 symmetric key cryptographic functionality 199 Cryptographic Key: A parameter used in conjunction with a 200 cryptographic algorithm that determines its operation in such a 201 way that an entity with knowledge of the key can reproduce or 202 reverse the operation, while an entity without knowledge of the 203 key cannot (see [NIST-SP800-57]) 205 Cryptographic Token: See Authentication Token 207 Device: A physical piece of hardware, or a software framework, that 208 hosts symmetric keys 210 DeviceInfo: A set of elements whose values combined uniquely 211 identify a device e.g. Manufacture 'Manufacturer and Serialnumber 212 '12345678' 214 Dynamic Provisioning: Usage of a protocol, such as DSKPP, to make a 215 key container available to a recipient 217 Encryption Key: A key used to encrypt key 219 Key: See Cryptographic Key 220 Hardware Token: See Authentication Token 222 Key Algorithm: A well-defined computational procedure that takes 223 variable inputs including a cryptographic key and produces an 224 output. 226 Key Container: An object that encapsulates symmetric keys and their 227 attributes for set of devices 229 Key ID (KeyID): A unique identifier for the symmetric key 231 Key Issuer: An organization that issues symmetric keys to end-users 233 Key Type: The type of symmetric key cryptographic methods for which 234 the key will be used (e.g., OATH HOTP or RSA SecurID 235 authentication, AES encryption, etc.) 237 Secret Key: The symmetric key data 239 Software Token: A type of authentication token that is stored on a 240 general-purpose electronic device such as a desktop computer, 241 laptop, PDA, or mobile phone 243 Token: See Authentication Token 245 User: The person or client to whom devices are issued 247 User ID: A unique identifier for the user or client 249 3. Use Cases 251 This section describes a comprehensive list of use cases that 252 inspired the development of this specification. These requirements 253 were used to derive the primary requirement that drove the design. 254 These requirements are covered in the next section. 256 These use cases also help in understanding the applicability of this 257 specification to real world situations. 259 3.1. Online Use Cases 261 This section describes the use cases related to provisioning the keys 262 using an online provisioning protocol such as [DSKPP] 264 3.1.1. Transport of keys from Server to Cryptomodule 266 For example, a mobile device user wants to obtain a symmetric key for 267 use with a cryptomodule on the device. The cryptomodule client from 268 vendor A initiates the provisioning process against a provisioning 269 system from vendor B using a standards-based provisioning protocol 270 such as [DSKPP]. The provisioning entity delivers one or more keys 271 in a standard format that can be processed by the mobile device. 273 For example, in a variation of the above, instead of the user's 274 mobile phone, a key is provisioned in the user's soft token 275 application on a laptop using a network-based online protocol. As 276 before, the provisioning system delivers a key in a standard format 277 that can be processed by the soft token on the PC. 279 For example, the end-user or the key issuer wants to update or 280 configure an existing key in the cryptomodule and requests a 281 replacement key container. The container may or may not include a 282 new key and may include new or updated key attributes such as a new 283 counter value in HOTP key case, a modified response format or length, 284 a new friendly name, etc. 286 3.1.2. Transport of keys from Cryptomodule to Cryptomodule 288 For example, a user wants to transport a key from one cryptomodule to 289 another. There may be two cryptographic modules, one on a computer 290 one on a mobile phone, and the user wants to transport a key from the 291 computer to the mobile phone. The user can export the key and 292 related data in a standard format for input into the other 293 cryptomodule. 295 3.1.3. Transport of keys from Cryptomodule to Server 297 For example, a user wants to activate and use a new key and related 298 data against a validation system that is not aware of this key. This 299 key may be embedded in the cryptomodule (e.g. SD card, USB drive) 300 that the user has purchased at the local electronics retailer. Along 301 with the cryptomodule, the user may get the key on a CD or a floppy 302 in a standard format. The user can now upload via a secure online 303 channel or import this key and related data into the new validation 304 system and start using the key. 306 3.1.4. Server to server Bulk import/export of keys 308 From time to time, a key management system may be required to import 309 or export keys in bulk from one entity to another. 311 For example, instead of importing keys from a manufacturer using a 312 file, a validation server may download the keys using an online 313 protocol. The keys can be downloaded in a standard format that can 314 be processed by a validation system. 316 For example, in a variation of the above, an OTA key provisioning 317 gateway that provisions keys to mobile phones may obtain key material 318 from a key issuer using an online protocol. The keys are delivered 319 in a standard format that can be processed by the key provisioning 320 gateway and subsequently sent to the end-user's mobile phone. 322 3.2. Offline Use Cases 324 This section describes the use cases relating to offline transport of 325 keys from one system to another, using some form of export and import 326 model. 328 3.2.1. Server to server Bulk import/export of keys 330 For example, cryptomodules such as OTP authentication tokens, may 331 have their symmetric keys initialized during the manufacturing 332 process in bulk, requiring copies of the keys and algorithm data to 333 be loaded into the authentication system through a file on portable 334 media. The manufacturer provides the keys and related data in the 335 form of a file containing records in standard format, typically on a 336 CD. Note that the token manufacturer and the vendor for the 337 validation system may be the same or different. Some crypto modules 338 will allow local PIN management (the device will have a PIN pad) 339 hence random initial PINs set at manufacturing should be transmitted 340 together with the respective keys they protect. 342 For example, an enterprise wants to port keys and related data from 343 an existing validation system A into a different validation system B. 344 The existing validation system provides the enterprise with a 345 functionality that enables export of keys and related data (e.g. for 346 OTP authentication tokens) in a standard format. Since the OTP 347 tokens are in the standard format, the enterprise can import the 348 token records into the new validation system B and start using the 349 existing tokens. Note that the vendors for the two validation 350 systems may be the same or different. 352 4. Requirements 354 This section outlines the most relevant requirements that are the 355 basis of this work. Several of the requirements were derived from 356 use cases described above. 358 R1: The format MUST support transport of multiple types of 359 symmetric keys and related attributes for algorithms including 360 HOTP, other OTP, challenge-response, etc. 362 R2: The format MUST handle the symmetric key itself as well of 363 attributes that are typically associated with symmetric keys. 364 Some of these attributes may be 366 * Unique Key Identifier 368 * Issuer information 370 * Algorithm ID 372 * Algorithm mode 374 * Issuer Name 376 * Key friendly name 378 * Event counter value (moving factor for OTP algorithms) 380 * Time value 382 R3: The format SHOULD support both offline and online scenarios. 383 That is it should be serializable to a file as well as it 384 should be possible to use this format in online provisioning 385 protocols such as [DSKPP] 387 R4: The format SHOULD allow bulk representation of symmetric keys 389 R5: The format SHOULD allow bulk representation of PINs related to 390 specific keys 392 R6: The format SHOULD be portable to various platforms. 393 Furthermore, it SHOULD be computationally efficient to process. 395 R7: The format MUST provide appropriate level of security in terms 396 of data encryption and data integrity. 398 R8: For online scenarios the format SHOULD NOT rely on transport 399 level security (e.g., SSL/TLS) for core security requirements. 401 R9: The format SHOULD be extensible. It SHOULD enable extension 402 points allowing vendors to specify additional attributes in the 403 future. 405 R10: The format SHOULD allow for distribution of key derivation data 406 without the actual symmetric key itself. This is to support 407 symmetric key management schemes that rely on key derivation 408 algorithms based on a pre-placed master key. The key 409 derivation data typically consists of a reference to the key, 410 rather than the key value itself. 412 R11: The format SHOULD allow for additional lifecycle management 413 operations such as counter resynchronization. Such processes 414 require confidentiality between client and server, thus could 415 use a common secure container format, without the transfer of 416 key material. 418 R12: The format MUST support the use of pre-shared symmetric keys to 419 ensure confidentiality of sensitive data elements. 421 R13: The format MUST support a password-based encryption (PBE) 422 [PKCS5] scheme to ensure security of sensitive data elements. 423 This is a widely used method for various provisioning 424 scenarios. 426 R14: The format SHOULD support asymmetric encryption algorithms such 427 as RSA to ensure end-to-end security of sensitive data 428 elements. This is to support scenarios where a pre-set shared 429 encryption key is difficult to use. 431 5. Portable Key container definition 433 The portable key container is based on an XML schema definition and 434 contains the following main entities: 436 1. KeyContainer entity as defined in Section 5.1 438 2. KeyProperties entity as defined in Section 5.2 440 3. Device entity as defined in Section 5.3 442 4. Key entity as defined in Section 5.4 444 Additionally other XML schema types have been defined and are 445 detailed in the relevant subsections of this document 447 A KeyContainer MAY contain one or more Device entities. A Device MAY 448 contain one or more Key entities 450 The figure below indicates a possible relationship diagram of a 451 container. 453 -------------------------------------------- 454 | KeyContainer | 455 | | 456 | -------------------- | 457 | | Keyproperties 1 | | 458 | | | | 459 | -------------------- | 460 | ------------------ ----------------- | 461 | | Device 1 | | Device n | | 462 | | | | | | 463 | | ------------ | | ------------ | | 464 | | | Key 1 | | | | Key n | | | 465 | | ------------ | | ------------ | | 466 | | | | | | 467 | | | | | | 468 | | ------------ | | ------------ | | 469 | | | Key m | | | | Key p | | | 470 | | ------------ | | ------------ | | 471 | ------------------ ----------------- | 472 | | 473 -------------------------------------------- 475 The following sections describe in detail all the entities and 476 related XML schema elements and attributes: 478 5.1. KeyContainer 480 The KeyContainer represents the key container entity. A Container 481 MAY contain more than one Device entity; each Device entity MAY 482 contain more than one Key entity. 484 The KeyContainer is defined as follows: 486 487 488 490 492 495 498 500 503 504 506 508 510 The attributes of the KeyContainer have the following meanings: 512 o Version (MANDATORY), the version number for the portable key 513 container format (the XML schema defined in this document). 515 o ID (OPTIONAL), the unique ID for this container in case an XML 516 document contains more than one container and wants to refer to 517 them uniquely. 519 The elements of the KeyContainer have the following meanings: 521 o (OPTIONAL), Identifies the encryption key, 522 algorithm and possible parameters used to protect the Secret Key 523 data in the container. Please see Section 6.1 for detailed 524 description of how to protect key data in transit and the usage of 525 this element. 527 o (OPTIONAL), Identifies the algorithm used to 528 generate a keyed digest of the Secret Key data values when 529 protection algorithms are used that do not have integrity checks. 530 The digest guarantees the integrity and the authenticity of the 531 key data. for profile and usage please see Section 6.1.1 533 o (OPTIONAL), key property entities containing key 534 related properties that are common for keys within this container. 535 Please see Section 5.2 for detailed description of this 536 element.The KeyContainer MAY contain multiple KeyProperties 537 elements each containing a set of properties related to one or 538 more keys transported within the container. 540 o (MANDATORY), the host Device for one or more Keys as 541 defined in Section 5.3 The KeyContainer MAY contain multiple 542 Device data elements, allowing for bulk provisioning of multiple 543 devices each containing multiple keys. 545 o (OPTIONAL), the signature value of the Container. 546 When the signature is applied to the entire container, it MUST use 547 XML Signature methods as defined in [XMLDSIG]. It MAY be omitted 548 when application layer provisioning or transport layer 549 provisioning protocols provide the integrity and authenticity of 550 the payload between the sender and the recipient of the container. 551 When required, this specification recommends using a symmetric key 552 based signature with the same key used in the encryption of the 553 secret key data. The signature is enveloped. 555 o (OPTIONAL), is the extension point for this entity. 556 All extensions are grouped under this element and will be of type 557 pskc:ExtensionType, which contains an optional attribute 558 'defintion' that can have a URI pointing at the defintion of the 559 extension. In this way groups of extension can be bundled under a 560 subelement. For example: 562 563 blah 565 blahblah 566 568 5.2. KeyProperties 570 The KeyProperties represents common properties shared by more than 571 one key held in the container. If a value is set in the properties 572 the Key element can refer to it via ID attribute. Values that are 573 present in the Key element itself MUST take precedence over values 574 set in KeyProperties. The KeyProperties is defined as follows: 576 577 578 580 582 584 586 588 590 592 594 597 598 600 602 604 The attributes of the KeyProperties entity have the following 605 meanings: 607 o ID (MANDATORY), a unique and global identifier of set of 608 KeyProperties. The identifier is defined as a string of 609 alphanumeric characters. 611 o KeyAlgorithm (OPTIONAL), the unique URI of the type of algorithm 612 to use with a secret key for the profiles described in Section 6.3 614 Since KeyProperties are a method to group element values that are 615 common to multiple keys transported, please refer to Section 5.4 for 616 detailed description of all elements. 618 5.3. Device 620 The Device represents an extensible Device entity in the Container. 621 A Device MAY be bound to a user and MAY contain more than one key. A 622 key SHOULD be bound to only one Device. 624 The Device is defined as follows: 626 627 628 630 632 633 636 637 639 The elements of the Device have the following meanings: 641 o (OPTIONAL), a set of elements containing information 642 about the device, whose values uniquely identify the device, 643 defined in Section 5.3.1 645 o (MANDATORY), represents the key entity as defined in 646 Section 5.4 648 o (OPTIONAL), identifies the owner or the user of the Device, 649 a string representation of a Distinguished Name as defined in 650 [RFC4514]. For example UID=jsmith,DC=example,DC=net. In systems 651 where unique user Ids are used the string representation 652 'UID=[uniqueId]' SHOULD be used. 654 o (OPTIONAL), is the extension point for this entity. 655 All extensions are grouped under this element and will be of type 656 pskc:ExtensionType, which contains an optional attribute 657 'defintion' that can have a URI pointing at the defintion of the 658 extension. In this way groups of extension can be bundled under a 659 subelement. For example: 661 662 blah 664 blahblah 665 667 5.3.1. DeviceInfo 669 The DeviceInfo represents an extensible set of elements that form the 670 identifying criteria to uniquely identify the device that contains 671 the associated keys. Since devices can come in different form 672 factors such as hardware tokens, smart-cards, soft tokens in a mobile 673 phone or PC etc this element allows different criteria to be used. 674 Combined though the criteria MUST uniquely identify the device. For 675 example for hardware tokens the combination of SerialNo and 676 Manufacturer will uniquely identify a device but not SerialNo alone 677 since two different token manufacturers might issue devices with the 678 same serial number (similar to the IssuerDN and serial number of a 679 certificate). Symmetric Keys used in the payment industry are 680 usually stored on Integrated Circuit Smart Cards. These cards are 681 uniquely identified via the Primary Account Number (PAN, the long 682 number printed on the front of the card) and an expiry date of the 683 card. DeviceInfo is an extensible type that allows all these 684 different ways to uniquely identify a specific key containing device. 686 The DeviceInfo is defined as follows: 688 689 690 691 692 693 694 695 696 697 700 701 703 The elements of DeviceInfo have the following meanings: 705 o (MANDATORY), the manufacturer of the device. 707 o (MANDATORY), the serial number of the device or the PAN 708 (primary account number) in case of payment smart cards. 710 o (OPTIONAL), the model of the device (e.g. one-button-HOTP- 711 token-V1) 713 o (OPTIONAL), the issue number in case of smart cards with 714 the same PAN, equivalent to a PSN (PAN Sequence Number). 716 o (OPTIONAL), the identifier that can be used to 717 bind keys to the device or class of device. When loading keys 718 into a device, this identifier can be checked against information 719 obtained from the device to ensure that the correct device or 720 class of device is being used. 722 o (OPTIONAL), the start date of a device (such as the 723 one on a payment card, used when issue numbers are not printed on 724 cards). MUST be expressed in UTC form, with no time zone 725 component. Implementations SHOULD NOT rely on time resolution 726 finer than milliseconds and MUST NOT generate time instants that 727 specify leap seconds. 729 o (OPTIONAL), the expiry date of a device (such as the 730 one on a payment card, used when issue numbers are not printed on 731 cards). MUST be expressed in UTC form, with no time zone 732 component. Implementations SHOULD NOT rely on time resolution 733 finer than milliseconds and MUST NOT generate time instants that 734 specify leap seconds. 736 o (OPTIONAL), is the extension point for this entity. 737 All extensions are grouped under this element and will be of type 738 pskc:ExtensionType, which contains an optional attribute 739 'defintion' that can have a URI pointing at the defintion of the 740 extension. In this way groups of extension can be bundled under a 741 subelement. For example: 743 744 blah 746 blahblah 747 749 5.4. Key 751 The Key represents the key entity in the KeyContainer. The Key is 752 defined as follows: 754 755 756 758 760 762 764 766 768 770 772 774 776 779 780 782 784 786 788 The attributes of the Key entity have the following meanings: 790 o KeyId (MANDATORY), a unique and global identifier of the symmetric 791 key. The identifier is defined as a string of alphanumeric 792 characters. This identifier SHOULD be valid globally and outside 793 of the instance document of the container. 795 o KeyAlgorithm (OPTIONAL), the unique URI of the type of algorithm 796 to use with the secret key, for profiles are described in 797 Section 6.3 799 o KeyProperties (OPTIONAL), the references to the unique id of the 800 KeyProperties whose value the instance of this key inherits. If 801 this value is set implementation MUST lookup the Keyproperties 802 element referred to by this unique Id and this instance of key 803 will inherit all values from the KeyProperties. Values held in 804 the key instance MUST take precedence over values inherited from 805 KeyProperties."/> 807 The elements of the Key entity have the following meanings: 809 o (OPTIONAL), The key issuer name, this is normally the 810 name of the organization that issues the key to the end user of 811 the key. For example MyBank issuing hardware tokens to their 812 retail banking users 'MyBank' would be the issuer. The Issuer is 813 defined as a String. 815 o (OPTIONAL), defines the intended usage of the key and 816 related metadata as defined in Section 5.4.2 818 o (OPTIONAL), A unique identifier used between the 819 sending and receiving party of the container to establish a set of 820 constant values related to a key that are not transmitted via the 821 container. For example a smart card application personalisation 822 profile id related to attributes present on a smart card 823 application that have influence when computing a response. An 824 example could be an EMV MasterCard CAP [CAP] application on a card 825 personalised with data for a specific batch of cards such as: 827 IAF Internet authentication flag 829 CVN Cryptogram version number, for example (MCHIP2, MCHIP4, 830 VISA 13, VISA14) 832 AIP (Application Interchange Profile), 2 bytes 834 TVR Terminal Verification Result, 5 bytes 836 CVR The card verification result 838 AmountOther 840 TransactionDate 842 TerminalCountryCode 844 TransactionCurrencyCode 845 AmountAuthorised 847 IIPB 849 These values are not contained within attributes in the container 850 but are shared between the manufacturing and the validation 851 service through this unique KeyProfileId. The KeyProfileId is 852 defined as a String. 854 o (OPTIONAL), The unique reference to an external 855 master key when key derivation schemes are used and no specific 856 key is transported but only the reference to the master key used 857 to derive a specific key and some derivation data (e.g. the 858 PKCS#11 key label in an HSM). 860 o (OPTIONAL), The user friendly name that is assigned 861 to the secret key for easy reference. The FriendlyName is defined 862 as a String. 864 o (OPTIONAL), the element carrying the data related to the 865 key as defined in Section 5.4.1 867 o (OPTIONAL), the policy of the PIN relating to the 868 usage of this key as defined in Section 5.4.4 870 o (OPTIONAL), the start date of the key, it MUST not be 871 possible to use this key before this date. MUST be expressed in 872 UTC form, with no time zone component. Implementations SHOULD NOT 873 rely on time resolution finer than milliseconds and MUST NOT 874 generate time instants that specify leap seconds. 876 o (OPTIONAL), the expiry date of the key, it MUST not 877 be possible to use this key after this date. MUST be expressed in 878 UTC form, with no time zone component. Implementations SHOULD NOT 879 rely on time resolution finer than milliseconds and MUST NOT 880 generate time instants that specify leap seconds. 882 o (OPTIONAL), identifies the user account (e.g. username or 883 user id) to which the key is assigned. The value MAY be a string 884 representation of a Distinguished Name as defined in [RFC4514]. 885 For example "UID=jsmith,DC=example,DC=net". In systems where 886 unique user Ids are used the string representation 887 'UID=[uniqueId]' SHOULD be used. 889 o (OPTIONAL), is the extension point for this entity. 890 All extensions are grouped under this element and will be of type 891 pskc:ExtensionType, which contains an optional attribute 892 'defintion' that can have a URI pointing at the defintion of the 893 extension. In this way groups of extension can be bundled under a 894 subelement. For example: 896 897 blah 899 blahblah 900 902 5.4.1. KeyData 904 Defines an extensible set of data elements relating to a key 905 including the key value itself (secret). After considerable 906 discussions in forums and at IETF the authors needed a mean to convey 907 data related to a key in an extensible form. The requirements were 908 that the data elements could be encrypted but not via XML encryption 909 which was deemed to complex because of canonicalization. Hence 910 earlier drafts made use of a list of name value pairs. This was not 911 considered to be very XML like and also lacked inbuilt support for 912 typing. Hence the current apporach is to have within KeyData a set 913 of elements that have both typing and can be encrypted. 915 All elements within Data hence obey a simple structure in that they 916 MUST have: 918 a choice between: 920 A element that is typed to the specific type (e.g. 921 xs:integer) 923 An element that is of type xenc:EncryptedDataType 924 where the value of the specific element is placed in case it is 925 encrypted 927 an optional element that is populated with a MAC in case 928 the encryption algorithm does not support integrity checks 930 For example the pskc:intDataType is defined as follows: 932 933 934 935 937 939 940 942 943 945 The following typed base types have been defined within the current 946 schema of the PSKC spec with the naming convention DataType 947 (e.g. intDataType) to be able to cater transmission of key data 948 elements: 950 pskc:intDataType - to carry data elements of type integer, 951 PlainValue sub element is of type xs:integer. When encrypted the 952 binary value MUST be 4 bytes unsigned integer in big endian (i.e. 953 network byte order) form 955 pskc:longDataType - to carry data elements of type long, 956 PlainValue sub element is of type xs:long. When encrypted the 957 binary value MUST be 8 bytes unsigned integer in big endian (i.e. 958 network byte order) form 960 pskc:binaryDataType - to carry data elements of type binary, 961 PlainValue sub element is of type xs:Base64Binary 963 pskc:stringDataType - to carry data elements of type string, 964 PlainValue sub element is of type xs:string. When encrypted the 965 binary value MUST UTF-8 encoded string in binary form 967 Therefore the KeyData element is defined as follows and contains sub 968 ements to convey the values required by algorithms considered during 969 the definition of this specification: 971 972 973 975 977 979 981 983 985 986 988 The elements of the Data element have the following meanings: 990 o (OPTIONAL), the value of the key itself in binary. 992 o (OPTIONAL), the event counter for event based OTP 993 algorithms. 995 o (OPTIONAL), the time for time based OTP algorithms. (If 996 time interval is used, this element carries the number of time 997 intervals passed from a specific start point, normally algorithm 998 dependent) 1000 o (OPTIONAL), the time interval value for time based 1001 OTP algorithms. 1003 o (OPTIONAL), the device clock drift value for time 1004 based OTP algorithms. The value indicates number of seconds that 1005 the device clock may drift each day. 1007 o the extension point for carrying future elements. 1008 Please note that all elements added MUST carry PlainValue and 1009 EncryptedValue sub eleemnts as described above. 1011 5.4.2. Usage 1013 The Usage element defines the usage attribute(s) of the key entity. 1014 Usage is defined as follows: 1016 1017 1018 1019 1020 1023 1025 1027 1029 1030 1031 1032 1033 1036 1038 1040 1041 1042 1045 1046 1048 1050 1052 1054 1056 1057 1059 The attributes of the Usage element define the intended usage of the 1060 key. This list of attributes is extensible for future needs. They 1061 are a combination of one or more of the following (set to true): 1063 o OTP, the key will be used for OTP generation 1065 o CR, the key will be used for Challenge/Response purposes 1067 o Encrypt, the key will be used for data encryption purposes 1069 o Integrity, the key will be used to generate a keyed message digest 1070 for data integrity or authentication purposes. 1072 o Unlock, the key will be used for an inverse challenge response in 1073 the case a user has locked the device by entering a wrong PIN too 1074 many times (for devices with PIN-input capability) 1076 The (OPTIONAL) element, is the extension point for the 1077 Usage entity. All extensions are grouped under this element and will 1078 be of type pskc:ExtensionType, which contains an optional attribute 1079 'defintion' that can have a URI pointing at the defintion of the 1080 extension. In this way groups of extension can be bundled under a 1081 subelement. For example: 1083 1084 blah 1086 blahblah 1087 1089 5.4.2.1. OTP and CR specific Usage elements 1091 When the intended usage of a key usage is OTP and/or CR, the 1092 following additional elements MUST be provided within the Usage 1093 element to support the OTP and/or the response computation as 1094 required by the underlying algorithm. These elements also allow 1095 customizing or configuring the result of the computation (e.g. 1096 format, length). 1098 5.4.2.1.1. ChallengeFormat element (OPTIONAL) 1100 The ChallengeFormat element defines the characteristics of the 1101 challenge in a CR usage scenario. The Challenge element is defined 1102 by the following attributes: 1104 o Format (MANDATORY), defines the format of the challenge accepted 1105 by the device and MUST be one of the values defined in 1106 Section 5.4.3 1108 o CheckDigit (OPTIONAL), defines if the device needs to check the 1109 appended Luhn check digit contained in a provided challenge. This 1110 is only valid if the Format attribute is 'DECIMAL'. Value MUST 1111 be: 1113 TRUE device will check the appended Luhn check digit in a 1114 provided challenge 1116 FALSE device will not check appended Luhn check digit in 1117 challenge 1119 o Min (MANDATORY), defines the minimum size of the challenge 1120 accepted by the device for CR mode. If the Format attribute is 1121 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates 1122 the minimum number of digits/characters. If the Format attribute 1123 is 'BASE64' or 'BINARY', this value indicates the minimum number 1124 of bytes of the unencoded value. Value MUST be Unsigned integer. 1126 o Max (MANDATORY), defines the maximum size of the challenge 1127 accepted by the device for CR mode. If the Format attribute is 1128 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates 1129 the maximum number of digits/characters. If the Format attribute 1130 is 'BASE64' or 'BINARY', this value indicates the maximum number 1131 of bytes of the unencoded value. Value MUST be Unsigned integer. 1133 5.4.2.1.2. ResponseFormat element (MANDATORY) 1135 The ResponseFormat element defines the characteristics of the result 1136 of a computation. This defines the format of the OTP or of the 1137 response to a challenge. For cases where the key is a PIN value, 1138 this element contains the format of the PIN itself (e.g. DECIMAL, 1139 length 4 for a 4 digit PIN). The Response attribute is defined by 1140 the following attributes: 1142 o Format (MANDATORY), defines the format of the response generated 1143 by the device and MUST be one of the values defined in 1144 Section 5.4.3 1146 o CheckDigit (OPTIONAL), defines if the device needs to append a 1147 Luhn check digit to the response. This is only valid if the 1148 Format attribute is 'DECIMAL'. Value MUST be: 1150 TRUE device will append a Luhn check digit to the response. 1152 FALSE device will not append a Luhn check digit to the 1153 response. 1155 o Length (MANDATORY), defines the length of the response generated 1156 by the device. If the Format attribute is 'DECIMAL', 1157 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of 1158 digits/characters. If the Format attribute is 'BASE64' or 1159 'BINARY', this value indicates the number of bytes of the 1160 unencoded value. Value MUST be Unsigned integer. 1162 5.4.3. ValueFormat 1164 The ValueFormat element defines allowed formats for challenges or 1165 responses in OTP algorithms. 1167 ValueFormat is defined as follows: 1169 1170 1171 1172 1173 1174 1175 1176 1177 1179 DECIMAL, Only numerical digits 1181 HEXADECIMAL, Hexadecimal response 1183 ALPHANUMERIC, All letters and numbers (case sensitive) 1185 BASE64, Base 64 encoded 1187 BINARY, Binary data, this is mainly used in case of connected 1188 devices 1190 5.4.4. PINPolicy 1192 The PINPolicy element provides an extensible mean to define how the 1193 usage of a specific key is protected by a PIN. The PIN itself can be 1194 transmitted as a key using the container. 1196 If the PINPolicy element is present in the Key element then the key 1197 is protected with a PIN as defined within the PINPolicy element. The 1198 PINPolicy element also has an extension point defined as xs:any to 1199 allow future extensibility 1201 PINPolicy is defined as follows: 1203 1204 1205 1206 1208 1210 1212 1214 1217 1218 1219 1221 The attributes of PINPolicy have the following meaning 1223 o PINKeyId (OPTIONAL), the unique key Id of the key held within this 1224 container that contains the value of the PIN that protects the key 1226 The elements of PINPolicy have the following meaning 1228 o (MANDATORY) , the way the PIN is used during the 1229 usage of the key as defined in Section 5.4.4.1 1231 o (OPTIONAL), the maximum number of times the 1232 PIN can be entered wrongly before it MUST not be possible to use 1233 the key anymore 1235 o (OPTIONAL), the minimum lenght of a PIN that can be 1236 set to protect this key. It MUST not be possible to set a PIN 1237 shorter than this value. If the Format element is 'DECIMAL', 1238 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of 1239 digits/characters. If the Format attribute is 'BASE64' or 1240 'BINARY', this value indicates the number of bytes of the 1241 unencoded value. 1243 o (OPTIONAL), the maximum lenght of a PIN that can be 1244 set to protect this key. It MUST not be possible to set a PIN 1245 longer than this value. If the Format element is 'DECIMAL', 1246 'HEXADECIMAL' or 'ALPHANUMERIC' this value indicates the number of 1247 digits/characters. If the Format attribute is 'BASE64' or 1248 'BINARY', this value indicates the number of bytes of the 1249 unencoded value. 1251 o (OPTIONAL), defines the format of the PIN and MUST be one 1252 of the values defined in Section 5.4.3 1254 o (OPTIONAL) element, is the extension point for the 1255 entity. All extensions are grouped under this element and will be 1256 of type pskc:ExtensionType, which contains an optional attribute 1257 'defintion' that can have a URI pointing at the defintion of the 1258 extension. In this way groups of extension can be bundled under a 1259 subelement. For example: 1261 1262 blah 1264 blahblah 1265 1267 5.4.4.1. PINUsageMode 1269 The PINUsageMode element defines how the PIN is used with a specific 1270 key. The PINUsageMode element also has an extension point defined as 1271 xs:any to allow future extensibility 1273 PINUsageMode is defined as follows: 1275 1276 1277 1278 1279 1280 1281 1283 1284 1286 The elements of PINPolicy have the following meaning 1288 o , the PIN is checked locally on the device before allowing 1289 the key to be used in executing the algorithm 1291 o , the PIN is prepended to the OTP or response hence it 1292 MUST be checked by the validation server 1294 o , the PIN is appended to the OTP or response hence it MUST 1295 be checked by the validation server 1297 o , the PIN is used as part of the algorithm 1298 computation 1300 6. Usage and profile of algorithms for the portable symmetric key 1301 container 1303 This section details the use of the XML encryption and XML signature 1304 elements to protect the keys transported in the container. It also 1305 profiles the number of algorithms supported by XML encryption and XML 1306 signature to a mandatory subset for interoperability. 1308 When no algorithm is provided the values within the container are 1309 unencrypted, implementations SHALL ensure the privacy of the key data 1310 through other standard mechanisms e.g. transport level encryption. 1312 6.1. Usage of EncryptionKey to protect keys in transit 1314 The EncryptionKey element in the KeyContainer defines the key, 1315 algorithm and parameters used to encrypt the Secret Key data 1316 attributes in the Container. The standard schema [XMLENC] is adopted 1317 in carry such information and an encrypted value. The encryption is 1318 applied on each individual Secret Key data in the Container. The 1319 encryption method MUST be the same for all Secret Key data in the 1320 container. 1322 The following sections define specifically the different supported 1323 means to protect the keys: 1325 6.1.1. Protecting keys using a pre-shared key via symmetric algorithms 1327 When protecting the payload with pre-shared keys implementations 1328 SHOULD set the name of the specific pre-shared key in the KeyName 1329 element of the EncryptionKey of the KeyContainer. For example: 1331 1335 1336 PRE_SHARED_KEY 1337 1338 .... 1340 The following is the list of symmetric key encryption algorithm and 1341 possible parameters used to protect the Secret Key data in the 1342 container. Systems implementing PSKC MUST support the MANDATORY 1343 algorithms detailed below. 1345 The encryption algorithm URI can be one of the following. 1347 o http://www.w3.org/2001/04/xmlenc#tripledes-cbc - MANDATORY 1349 o http://www.w3.org/2001/04/xmlenc#aes128-cbc - MANDATORY 1351 o http://www.w3.org/2001/04/xmlenc#aes192-cbc - OPTIONAL 1353 o http://www.w3.org/2001/04/xmlenc#aes256-cbc - MANDATORY 1355 o http://www.w3.org/2001/04/xmlenc#kw-tripledes - MANDATORY 1357 o http://www.w3.org/2001/04/xmlenc#kw-aes128 - MANDATORY 1359 o http://www.w3.org/2001/04/xmlenc#kw-aes256 - MANDATORY 1361 o http://www.w3.org/2001/04/xmlenc#kw-aes512 - OPTIONAL 1363 When algorithms without integrity checks are used (e.g. 1364 http://www.w3.org/2001/04/xmlenc#aes256-cbc) a keyed MAC value using 1365 the same key as the encryption key SHOULD be placed in the ValueMAC 1366 element of the Data element. In this case the MAC algorithm type 1367 MUST be set in the MACAlgorithm element in the key container entity 1368 as defined in Section 5.1. Implementations of PSKC MUST support the 1369 MANDATORY MAC algorithms detailed below. The MACAlgorithm URI can be 1370 one of the following: 1372 o http://www.w3.org/2000/09/xmldsig#hmac-sha1 - MANDATORY 1374 For example: 1376 1380 1381 PRE_SHARED_KEY 1382 1383 http://www.w3.org/2000/09/xmldsig#hmac-sha1 1384 1385 ..... 1387 6.1.2. Protecting keys using passphrase based encryption keys 1389 To be able to support passphrase based encryption keys as defined in 1390 PKCS#5 the following XML representation of the PBE relates parameters 1391 have been introduced in the schema. Although the approach is 1392 extensible implementations of PSKC MUST support the 1393 KeyDerivationMethod algorithm URI of 1394 http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2. 1396 1397 1398 1400 1401 1403 1404 1405 1406 1407 1408 1409 1411 1412 1414 1416 The attributes of the DerivedKey have the following meanings: 1418 o ID (OPTIONAL), the unique ID for this key 1420 o Type (OPTIONAL), This attribute was included for conformance with 1421 xml encryption, it is an optional attribute identifying type 1422 information about the plaintext form of the encrypted content. 1423 Please see [XMLENC] section 3.1 Type for more details. 1425 The elements of the DerivedKey have the following meanings: 1427 o : URI of the algorithms used to derive the 1428 key e.g. 1429 (http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2) 1431 o (OPTIONAL): a list of IDs of the elements that 1432 have been encrypted by this key 1434 o (OPTIONAL): friendly name of the key 1436 When using the PKCS5 PBE algorithm 1437 (URI=http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2) 1438 and related parameters, the DerivedKey element MUST be used within 1439 the EncryptionKey element of the KeyContainer in exactly the form as 1440 shown below: 1442 1443 1451 1452 1453 Passphrase1 1454 1457 1458 1459 Df3dRAhjGh8= 1460 1461 2000 1462 16 1463 1464 1465 1466 1467 1468 .... 1470 6.2. Protecting keys using asymmetric algorithms 1472 The following is the list of asymmetric key encryption algorithm and 1473 possible parameters used to protect the Secret Key data in the 1474 container. Systems implementing PSKC MUST support the MANDATORY 1475 algorithms detailed below. The encryption algorithm URI can be one 1476 of the following. 1478 o http://www.w3.org/2001/04/xmlenc#rsa-1_5 - MANDATORY 1480 o http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p - OPTIONAL 1482 For example: 1484 1486 1490 1491 1492 miib 1493 1494 1495 1496 1497 Manufacturer 1498 0755225266 1499 1500 1503 AnIssuer 1504 1505 1507 1508 1509 1510 1511 1513 1514 rf4dx3rvEPO0vKtKL14NbeVu8nk= 1515 1516 1517 1518 1519 1520 0 1521 1522 1523 1524 1525 1527 6.3. Profile of Key Algorithm 1529 This section profiles the type(s) of algorithm of that can be used by 1530 the key(s) transported in the container. The following algorithm 1531 URIs are among the default support list. 1533 o http://www.w3.org/2001/04/xmlenc#tripledes-cbc 1535 o http://www.w3.org/2001/04/xmlenc#aes128-cbc 1537 o http://www.w3.org/2001/04/xmlenc#aes192-cbc 1539 o http://www.w3.org/2001/04/xmlenc#aes256-cbc 1541 o http://www.ietf.org/keyprov/pskc#hotp 1543 o http://www.ietf.org/keyprov/pskc#pin 1545 6.3.1. OTP Key Algorithm Identifiers 1547 OTP key algorithm URIs have not been defined in a commonly available 1548 standard specification. This document requests from IANA the 1549 creation of a registry (see Section 8.4) and defines URIs for the 1550 standard OTP algorithms in Section 8.4.4. 1552 6.3.2. PIN key value compare algorithm identifier 1554 PIN key algorithm URIs have not been defined in a commonly available 1555 standard specification. This document defines the following URIs for 1556 a straight value comparison of the transported secret key data as 1557 when required to compare a PIN. 1559 Identifier: http://www.ietf.org/keyprov/pskc#pin 1561 Note that the actual URL will be finalized once a URL for this 1562 document is determined. 1564 7. Formal Syntax 1566 The following syntax specification uses the widely adopted XML schema 1567 format as defined by a W3C recommendation 1568 (http://www.w3.org/TR/xmlschema-0/). It is a complete syntax 1569 definition in the XML Schema Definition format (XSD) 1571 All implementations of this standard must comply with the schema 1572 below. 1574 1575 1582 1586 1590 1591 1592 1594 1596 1599 1601 1603 1606 1607 1609 1611 1612 1613 1614 1615 1616 1617 1618 1619 1621 1623 1625 1627 1629 1631 1633 1635 1638 1639 1641 1644 1645 1646 1647 1649 1651 1653 1655 1657 1659 1661 1663 1665 1667 1670 1671 1673 1676 1678 1679 1680 1681 1684 1687 1690 1693 1696 1698 1699 1700 1701 1702 1703 1705 1708 1709 1711 1712 1713 1714 1715 1716 1718 1720 1721 1723 1724 1725 1726 1727 1728 1730 1732 1733 1735 1736 1737 1738 1739 1740 1742 1744 1745 1747 1748 1749 1750 1751 1753 1754 1757 1758 1759 1760 1761 1762 1763 1765 1766 1768 1769 1770 1771 1773 1775 1777 1779 1781 1784 1785 1787 1788 1789 1790 1791 1792 1793 1794 1797 1798 1799 1800 1801 1802 1803 1805 1807 1809 1811 1813 1816 1817 1818 1819 1820 1822 1824 1826 1829 1830 1831 1832 1833 1834 1835 1837 1839 1841 1843 1844 1845 1846 1847 1849 1851 1854 1855 1856 1859 1860 1861 1862 1864 1866 1868 1869 1870 1871 1872 1874 1875 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 8. IANA Considerations 1894 8.1. Content-type registration for 'application/pskc+xml' 1896 This specification requests the registration of a new MIME type 1897 according to the procedures of RFC 4288 [RFC4288] and guidelines in 1898 RFC 3023 [RFC3023]. 1900 MIME media type name: application 1902 MIME subtype name: pskc+xml 1904 Mandatory parameters: none 1906 Optional parameters: charset 1908 Indicates the character encoding of enclosed XML. 1910 Encoding considerations: Uses XML, which can employ 8-bit 1911 characters, depending on the character encoding used. See RFC 1912 3023 [RFC3023], Section 3.2. 1914 Security considerations: This content type is designed to carry PSKC 1915 protocol payloads. 1917 Interoperability considerations: None 1919 Published specification: RFCXXXX [NOTE TO IANA/RFC-EDITOR: Please 1920 replace XXXX with the RFC number of this specification.] 1922 Applications which use this media type: This MIME type is being used 1923 as a symmetric key container format for transport and provisioning 1924 of symmetric keys (One Time Password (OTP) shared secrets or 1925 symmetric cryptographic keys) to different types of strong 1926 authentication devices. As such, it is used for key provisioning 1927 systems. 1929 Additional information: 1931 Magic Number: None 1933 File Extension: .pskcxml 1935 Macintosh file type code: 'TEXT' 1937 Personal and email address for further information: Philip Hoyer, 1938 Philip.Hoyer@actividentity.com 1940 Intended usage: LIMITED USE 1942 Author: This specification is a work item of the IETF KEYPROV 1943 working group, with mailing list address . 1945 Change controller: The IESG 1947 8.2. XML Schema Registration 1949 This section registers an XML schema as per the guidelines in 1950 [RFC3688]. 1952 URI: urn:ietf:params:xml:ns:keyprov:pskc:1.0 1954 Registrant Contact: IETF KEYPROV Working Group, Philip Hoyer 1955 (Philip.Hoyer@actividentity.com). 1957 XML Schema: The XML schema to be registered is contained in 1958 Section 7. Its first line is 1960 1962 and its last line is 1964 1966 8.3. URN Sub-Namespace Registration for 1967 urn:ietf:params:xml:ns:keyprov:pskc:1.0 1969 This section registers a new XML namespace, 1970 "urn:ietf:params:xml:ns:keyprov:pskc:1.0", per the guidelines in 1971 [RFC3688]. 1973 URI: urn:ietf:params:xml:ns:keyprov:pskc:1.0 1975 Registrant Contact: IETF KEYPROV Working Group, Philip Hoyer 1976 (Philip.Hoyer@actividentity.com). 1978 XML: 1980 BEGIN 1981 1982 1984 1985 1986 1988 PSKC Namespace 1989 1990 1991

Namespace for PSKC

1992

urn:ietf:params:xml:ns:keyprov:pskc:1.0

1993

See RFCXXXX 1994 [NOTE TO IANA/RFC-EDITOR: 1995 Please replace XXXX with the RFC number of this 1996 specification.].

1997 1998 1999 END 2001 8.4. Symmetric Key Algorithm Identifier Registry 2003 This specification requests the creation of a new IANA registry for 2004 symmetric key cryptographic algorithm identifiers in accordance with 2005 the principles set out in RFC 2434 [RFC2434]as follows: 2007 8.4.1. Applicability 2009 The use of URIs as algorithm identifiers provides an effectively 2010 unlimited namespace. While this eliminates the possibility of 2011 namespace exhaustion it creates a new concern, that divergent 2012 identifiers will be employed for the same purpose in different 2013 contexts. 2015 The key algorithm registry is intended to provide a means of 2016 specifying the canonical identifier to be used for a given algorithm. 2017 If an algorithm has an identifier specified in the registry an 2018 application that is conformant to a protocol specification that 2019 specifies use of that registry to define identifiers SHOULD always 2020 use that particular form of the identifier when originating data. A 2021 conformant application MAY accept other identifiers in data that is 2022 received. 2024 For the sake of expediency, the initial registry only defines 2025 algorithm classes for symmetric algorithms plus cryptographic message 2026 digest functions (one-way hash). While the same principles may be 2027 extended to asymmetric algorithms, doing so would require much 2028 greater consideration of issues such as key length and treatment of 2029 parameters, particularly where elliptic curve cryptography algorithms 2030 are concerned. 2032 As part of this registry the IANA will maintain the following 2033 information: 2035 Common Name The name by which the algorithm is generally referred. 2037 Class The type of algorithm, encryption, Message Authentication Code 2038 (MAC), One Time Password (OTP), Digest, etc. 2040 Canonical URI The canonical URI to be used to identify the 2041 algorithm. 2043 Algorithm Definition A reference to the document in which the 2044 algorithm described by the identifier is defined. 2046 Identifier Definition A reference to the document in which the use 2047 of the identifier to refer to the algorithm is described. This 2048 would ideally be the document in which the algorithm is defined. 2050 In the case where the registrant does not request a particular 2051 URI, the IANA will assign it a Uniform Resource Name (URN) that 2052 follows RFC 3553 [RFC3553]. 2054 Note that where a single algorithm has different forms distinguished 2055 by parameters such as key length, the algorithm class and each 2056 combination of algorithm parameters may be considered a distinct 2057 algorithm for the purpose of assigning identifiers. 2059 8.4.2. Registerable Algorithms 2061 8.4.2.1. Assigned URIs 2063 If the registrant wishes to have a URI assigned, then a URN of the 2064 form 2066 urn:ietf:params:xml:: 2068 will be assigned where is the type of the algorithm being 2069 identified (see below). is a unique id specified by the party 2070 making the request and will normally be either the common name of the 2071 algorithm or an abbreviation thereof. 2073 NOTE: in order for a URN of this type to be assigned, the item being 2074 registered MUST have been through the IETF consensus process. 2075 Basically, this means that it must be documented in a RFC. 2077 NOTE: Expert Review is sufficient in cases where the request does not 2078 require a URN assignment in the IETF namespace. IETF consensus is 2079 not required. 2081 8.4.2.2. Assigned Classes 2083 Each algorithm MUST belong to an assigned algorithm class. In the 2084 case that additional classes are required these are to be specified 2085 by IETF Consensus action. 2087 The initial assigned classes are: 2089 Digest A cryptographic Digest algorithm. 2091 MAC A Message Authentication Code algorithm. 2093 Symmetric A symmetric encryption algorithm. 2095 OTP A one time password (OTP) algorithm. 2097 8.4.3. Registration Procedures 2099 8.4.3.1. Review 2101 Algorithm identifier registrations are to be subject to Expert Review 2102 as per RFC 2434 [RFC2434]. 2104 The need for supporting documentation for the registration depends on 2105 the nature of the request. In the case of a cryptographic algorithm 2106 that is being described for publication as an RFC, the request for a 2107 URI allocation would normally appear within the RFC itself. In the 2108 case of a cryptographic algorithm that is fully and comprehensively 2109 defined in another form, it would not be necessary to duplicate the 2110 information for the sake of issuing the information in the RFC 2111 series. In other cases an RFC may be required in order to ensure 2112 that certain algorithm parameters are sufficiently and unambiguously 2113 defined. 2115 The scope of such expert review is to be strictly limited to 2116 identifying possible ambiguity and/or duplication of existing 2117 identifiers. The expert review MUST NOT consider the cryptographic 2118 properties, intellectual property considerations or any other factor 2119 not related to the use of the identifier. 2121 In reviewing a request, the expert should consider whether other URI 2122 identifiers are already defined for a given algorithm. In such cases 2123 it is the duty of the expert to bring the potential duplication to 2124 the notice of the proposers of the registration and the Security Area 2125 Directors. If the proposers are not willing to accept registration 2126 of the existing identifier the IETF Consensus policy is to apply. 2128 In reviewing a request, the expert should consider whether the 2129 algorithm is sufficiently defined to allow successful interoperation. 2130 In particular the expert should consider whether issues such as key 2131 sizes and byte order are sufficiently defined to allow for 2132 interoperation. 2134 While the definition requirement MAY be satisfed by a comprehensive 2135 specification of the algorithm, disclosure of the algorithm is not 2136 mandatory. 2138 8.4.3.2. Canonical URI 2140 Until the IANA requests or implements an automated process for the 2141 registration of these elements, any specifications must make that 2142 request part of the IANA considerations section of their respective 2143 documents. That request must be in the form of the following 2144 template: 2146 Common Name The name by which the algorithm is generally referred. 2148 Class The type of algorithm, encryption, Message Authentication Code 2149 (MAC), One Time Password (OTP), Digest, etc. As specified by a 2150 defined algorithm class. 2152 URI The canonical URI to be used to identify the algorithm. 2154 Algorithm Definition A reference to the document in which the 2155 algorithm described by the identifier is defined. 2157 Identifier Definition A reference to the document in which the use 2158 of the identifier to refer to the algorithm is described. This 2159 would ideally be the document in which the algorithm is defined. 2161 Registrant Contact A reference to the document in which the use of 2162 the identifier to refer to the algorithm is described. This would 2163 ideally be the document in which the algorithm is defined. 2165 8.4.3.3. Alias URI 2167 In the case that multiple identifiers have been assigned to the same 2168 identifiers, additional identifiers MAY be registered as aliases. An 2169 entry for an alias contains all the entries for a canonical URI with 2170 the addition of a reference to the canonical URI to be used: 2172 Alias for URI The canonical URI that identifies the algorithm. The 2173 URI referenced MUST be a canonical URI. 2175 In the case of dispute as to which URI is to be considered canonical 2176 the matter is to be settled by IESG action. 2178 8.4.4. Initial Values 2180 The following initial values are defined. Note that these values are 2181 limited to identifiers that are required by KEYPROV but not specified 2182 elsewhere: 2184 8.4.4.1. HOTP 2186 Common Name: HOTP 2188 Class: OTP 2190 URI: http://www.ietf.org/keyprov/pskc#hotp 2192 Algorithm Definition: http://www.ietf.org/rfc/rfc4226.txt 2194 Identifier Definition (this RFC) 2196 Registrant Contact: IESG 2198 8.4.4.2. OCRA (OATH Chellenge Response Algorithm) 2200 Common Name: OCRA 2202 Class: OTP 2204 URI: http://www.ietf.org/keyprov/pskc#OCRA-1:(ocra_suite_parameters) 2205 - e.g. 2206 http://www.ietf.org/keyprov/pskc#OCRA-1:HOTP-SHA512-8:C-QN08 2208 Algorithm Definition: http://www.ietf.org/internet-drafts/ 2209 draft-mraihi-mutual-oath-hotp-variants-07.txt 2211 Identifier Definition (this RFC) 2213 Registrant Contact: IESG 2215 8.4.4.3. TOTP (OATH Time based OTP) 2216 Common Name: TOTP 2218 Class: OTP 2220 URI: http://www.ietf.org/keyprov/pskc#totp 2222 Algorithm Definition: http://www.ietf.org/internet-drafts/ 2223 draft-mraihi-totp-timebased-00.txt 2225 Identifier Definition (this RFC) 2227 Registrant Contact: IESG 2229 8.4.4.4. KEYPROV-PIN 2231 Common Name: KEYPROV-PIN 2233 Class: Symmetric static credential comparison 2235 URI: http://www.ietf.org/keyprov/pskc#pin 2237 Algorithm Definition: (this document) 2239 Identifier Definition (this document) 2241 Registrant Contact: IESG 2243 8.4.4.5. SecurID-AES 2245 Common Name: SecurID-AES 2247 Class: OTP 2249 URI: http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/ 2250 otps-wst#SecurID-AES 2252 Algorithm Definition: http://www.rsa.com/rsalabs/node.asp?id=2821 2254 Identifier Definition http://www.rsa.com/rsalabs/node.asp?id=2821 2256 Registrant Contact: Andrea Doherty, RSA the Security Division of 2257 EMC, 2259 8.4.4.6. SecurID-AES-Counter 2260 Common Name: SecurID-AES-Counter 2262 Class: OTP 2264 URI: http://www.rsa.com/names/2008/04/algorithms/ 2265 SecurID#SecurID-AES128-Counter 2267 Algorithm Definition: http://www.rsa.com/names/2008/04/algorithms/ 2268 SecurID#SecurID-AES128-Counter 2270 Identifier Definition http://www.rsa.com/names/2008/04/algorithms/ 2271 SecurID#SecurID-AES128-Counter 2273 Registrant Contact: Andrea Doherty, RSA the Security Division of 2274 EMC, 2276 8.4.4.7. SecurID-ALGOR 2278 Common Name: SecurID-ALGOR 2280 Class: OTP 2282 URI: http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/ 2283 otps-wst#SecurID-ALGOR 2285 Algorithm Definition: http://www.rsa.com/rsalabs/node.asp?id=2821 2287 Identifier Definition http://www.rsa.com/rsalabs/node.asp?id=2821 2289 Registrant Contact: Andrea Doherty, RSA the Security Division of 2290 EMC, 2292 8.4.4.8. ActivIdentity-3DES 2294 Common Name: ActivIdentity-3DES 2296 Class: OTP 2298 URI: http://www.actividentity.com/2008/04/algorithms/ 2299 algorithms#ActivIdentity-3DES 2301 Algorithm Definition: http://www.actividentity.com/2008/04/ 2302 algorithms/algorithms#ActivIdentity-3DES 2304 Identifier Definition http://www.actividentity.com/2008/04/ 2305 algorithms/algorithms#ActivIdentity-3DES 2307 Registrant Contact: Philip Hoyer, ActivIdentity Inc, 2308 2310 8.4.4.9. ActivIdentity-AES 2312 Common Name: ActivIdentity-AES 2314 Class: OTP 2316 URI: http://www.actividentity.com/2008/04/algorithms/ 2317 algorithms#ActivIdentity-AES 2319 Algorithm Definition: http://www.actividentity.com/2008/04/ 2320 algorithms/algorithms#ActivIdentity-AES 2322 Identifier Definition http://www.actividentity.com/2008/04/ 2323 algorithms/algorithms#ActivIdentity-AES 2325 Registrant Contact: Philip Hoyer, ActivIdentity Inc, 2326 2328 8.4.4.10. ActivIdentity-DES 2330 Common Name: ActivIdentity-DES 2332 Class: OTP 2334 URI: http://www.actividentity.com/2008/04/algorithms/ 2335 algorithms#ActivIdentity-DES 2337 Algorithm Definition: http://www.actividentity.com/2008/04/ 2338 algorithms/algorithms#ActivIdentity-DES 2340 Identifier Definition http://www.actividentity.com/2008/04/ 2341 algorithms/algorithms#ActivIdentity-DES 2343 Registrant Contact: Philip Hoyer, ActivIdentity Inc, 2344 2346 8.4.4.11. ActivIdentity-EVENT 2348 Common Name: ActivIdentity-EVENT 2350 Class: OTP 2351 URI: http://www.actividentity.com/2008/04/algorithms/ 2352 algorithms#ActivIdentity-EVENT 2354 Algorithm Definition: http://www.actividentity.com/2008/04/ 2355 algorithms/algorithms#ActivIdentity-EVENT 2357 Identifier Definition http://www.actividentity.com/2008/04/ 2358 algorithms/algorithms#ActivIdentity-EVENT 2360 Registrant Contact: Philip Hoyer, ActivIdentity Inc, 2361 2363 9. Security Considerations 2365 The portable key container carries sensitive information (e.g., 2366 cryptographic keys) and may be transported across the boundaries of 2367 one secure perimeter to another. For example, a container residing 2368 within the secure perimeter of a back-end provisioning server in a 2369 secure room may be transported across the internet to an end-user 2370 device attached to a personal computer. This means that special care 2371 must be taken to ensure the confidentiality, integrity, and 2372 authenticity of the information contained within. 2374 9.1. Payload confidentiality 2376 By design, the container allows two main approaches to guaranteeing 2377 the confidentiality of the information it contains while transported. 2379 First, the container key data payload may be encrypted. 2381 In this case no transport layer security is required. However, 2382 standard security best practices apply when selecting the strength of 2383 the cryptographic algorithm for payload encryption. Symmetric 2384 cryptographic cipher should be used - the longer the cryptographic 2385 key, the stronger the protection. At the time of this writing both 2386 3DES and AES are mandatory algorithms but 3DES may be dropped in the 2387 relatively near future. Applications concerned with algorithm 2388 longevity are advised to use AES-256-CBC. In cases where the 2389 exchange of encryption keys between the sender and the receiver is 2390 not possible, asymmetric encryption of the secret key payload may be 2391 employed. Similarly to symmetric key cryptography, the stronger the 2392 asymmetric key, the more secure the protection is. 2394 If the payload is encrypted with a method that uses one of the 2395 password-based encryption methods provided above, the payload may be 2396 subjected to password dictionary attacks to break the encryption 2397 password and recover the information. Standard security best 2398 practices for selection of strong encryption passwords apply 2399 [Schneier]. 2401 Practical implementations should use PBESalt and PBEIterationCount 2402 when PBE encryption is used. Different PBESalt value per key 2403 container should be used for best protection. 2405 The second approach to protecting the confidentiality of the payload 2406 is based on using transport layer security. The secure channel 2407 established between the source secure perimeter (the provisioning 2408 server from the example above) and the target perimeter (the device 2409 attached to the end-user computer) utilizes encryption to transport 2410 the messages that travel across. No payload encryption is required 2411 in this mode. Secure channels that encrypt and digest each message 2412 provide an extra measure of security, especially when the signature 2413 of the payload does not encompass the entire payload. 2415 Because of the fact that the plain text payload is protected only by 2416 the transport layer security, practical implementation must ensure 2417 protection against man-in-the-middle attacks [Schneier]. Validating 2418 the secure channel end-points is critically important for eliminating 2419 intruders that may compromise the confidentiality of the payload. 2421 9.2. Payload integrity 2423 The portable symmetric key container provides a mean to guarantee the 2424 integrity of the information it contains through digital signatures. 2425 For best security practices, the digital signature of the container 2426 should encompass the entire payload. This provides assurances for 2427 the integrity of all attributes. It also allows verification of the 2428 integrity of a given payload even after the container is delivered 2429 through the communication channel to the target perimeter and channel 2430 message integrity check is no longer possible. 2432 9.3. Payload authenticity 2434 The digital signature of the payload is the primary way of showing 2435 its authenticity. The recipient of the container may use the public 2436 key associated with the signature to assert the authenticity of the 2437 sender by tracing it back to a preloaded public key or certificate. 2438 Note that the digital signature of the payload can be checked even 2439 after the container has been delivered through the secure channel of 2440 communication. 2442 A weaker payload authenticity guarantee may be provided by the 2443 transport layer if it is configured to digest each message it 2444 transports. However, no authenticity verification is possible once 2445 the container is delivered at the recipient end. This approach may 2446 be useful in cases where the digital signature of the container does 2447 not encompass the entire payload. 2449 10. Acknowledgements 2451 The authors of this draft would like to thank the following people 2452 for their contributions and support to make this a better 2453 specification: Apostol Vassilev, Shuh Chang, Jon Martinson, Siddhart 2454 Bajaj, Stu Veath, Kevin Lewis, Philip Hallam-Baker, Hannes 2455 Tschofenig, Andrea Doherty, Magnus Nystrom, Tim Moses, Anders 2456 Rundgren, Sean Turner and especially Robert Philpott. 2458 11. Appendix A - Example Symmetric Key Containers 2460 All examples are syntactically correct and compatible with the XML 2461 schema in section 7. 2463 11.1. Symmetric Key Container with a single Non-Encrypted HOTP Secret 2464 Key 2466 2467 2469 2470 2471 Manufacturer 2472 987654321 2473 2474 2476 Issuer 2477 2478 2480 2481 2482 2483 2484 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2485 2486 2487 2488 0 2489 2490 2491 2492 2493 2495 11.2. Symmetric Key Container with a single PIN protected Non-Encrypted 2496 HOTP Secret Key 2498 2499 2501 2502 2503 Manufacturer 2504 0755225266 2505 2506 2508 AnIssuer 2509 2510 2511 2512 2513 2514 2515 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2516 2517 2518 2519 0 2520 2521 2522 2523 2524 2525 2526 2527 2528 2530 2531 2532 2533 2534 2535 2536 MTIzNA== 2537 2538 2539 2540 2541 2542 2544 11.3. Symmetric Key Container with a single AES-256-CBC Encrypted HOTP 2545 Secret Key and non-encrypted counter value 2547 2548 2552 2553 PRE_SHARED_KEY 2554 2555 http://www.w3.org/2000/09/xmldsig#hmac-sha1 2556 2557 2558 2559 Manufacturer 2560 0755225266 2561 2562 2564 AnIssuer 2565 2566 2567 2568 2569 2570 2571 2573 2574 2575 gVc5jCsntSD1rhIgwWxmWNvEIkpTgn0E6+OH5mDPAok= 2576 2577 2578 2579 JIOeKMISfMTy7og7Saq0CZrLdfE= 2580 2581 2582 0 2583 2584 2585 2586 2587 2589 11.4. Symmetric Key Container with signature and a single Password- 2590 based Encrypted HOTP Secret Key 2592 2593 2601 2602 2603 Passphrase1 2604 2607 2608 2609 Df3dRAhjGh8= 2610 2611 2000 2612 16 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 Manufacturer 2624 0755225266 2625 2626 2628 AnIssuer 2629 2630 2631 2632 2633 2634 2635 2637 2638 rf4dx3rvEPO0vKtKL14NbeVu8nk= 2639 2640 2641 2643 2644 2645 0 2646 2647 2648 2649 2650 2651 2652 2654 2656 2657 2659 j6lwx3rvEPO0vKtMup4NbeVu8nk= 2660 2661 2662 j6lwx3rvEPO0vKtMup4NbeVu8nk= 2663 2664 2665 2666 CN=KeyProvisioning'R'Us.com,C=US 2667 2668 12345678 2669 2670 2671 2672 2673 2675 11.5. Symmetric Key Container with a single RSA 1.5 Encrypted HOTP 2676 Secret Key 2678 2679 2683 2684 2685 miib 2686 2687 2688 2689 2690 Manufacturer 2691 0755225266 2692 2693 2695 AnIssuer 2696 2697 2698 2699 2700 2701 2702 2704 2705 rf4dx3rvEPO0vKtKL14NbeVu8nk= 2706 2707 2708 2709 2710 2711 0 2712 2713 2714 2715 2716 2718 11.6. Symmetric Key Container with a single AES-256-CBC Encrypted OCRA 2719 Secret Key and non-encrypted counter value 2721 2722 2726 2727 Pre-shared-key 2728 2729 2730 http://www.w3.org/2000/09/xmldsig#hmac-sha1 2731 2732 2733 2734 Manufacturer 2735 987654321 2736 2737 2740 Issuer 2741 2742 2744 2746 2747 2748 2749 2750 2752 2753 2754 gVc5jCsntSD1rhIgwWxmWNvEIkpTgn0E6+OH5mDPAok= 2755 2756 2757 2758 JIOeKMISfMTy7og7Saq0CZrLdfE= 2759 2760 2761 0 2762 2763 2764 2765 2766 2768 11.7. Symmetric Key Container with a single AES-256-CBC Encrypted TOTP 2769 Secret Key and non-encrypted time values 2771 2772 2776 2777 PRE_SHARED_KEY 2778 2779 http://www.w3.org/2000/09/xmldsig#hmac-sha1 2780 2781 2782 2783 Manufacturer 2784 0755225266 2785 2786 2789 AnIssuer 2790 2791 2792 2793 2794 2795 2796 2798 2799 2800 gVc5jCsntSD1rhIgwWxmWNvEIkpTgn0E6+OH5mDPAok= 2801 2802 2803 2804 JIOeKMISfMTy7og7Saq0CZrLdfE= 2805 2806 2807 0 2808 2809 2810 30 2811 2812 2813 2814 2816 2818 11.8. Symmetric Key Container with two devices containing a Non- 2819 Encrypted HOTP Secret Key each sharing common KeyProperties 2821 2822 2824 2826 Issuer 2827 2828 2830 2831 2832 2833 0 2834 2835 2836 2837 2838 2839 Manufacturer 2840 987654321 2841 2842 2844 2845 2846 2847 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2848 2849 2850 2851 2852 2853 2854 2855 Manufacturer 2856 987654322 2857 2858 2860 2861 2862 2863 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 2864 2865 2866 2867 2868 2869 2871 12. References 2873 12.1. Normative References 2875 [PKCS1] Kaliski, B., "RFC 2437: PKCS #1: RSA Cryptography 2876 Specifications Version 2.0.", 2877 URL: http://www.ietf.org/rfc/rfc2437.txt, Version: 2.0, 2878 October 1998. 2880 [PKCS5] RSA Laboratories, "PKCS #5: Password-Based Cryptography 2881 Standard", Version 2.0, 2882 URL: http://www.rsasecurity.com/rsalabs/pkcs/, March 1999. 2884 [RFC2119] "Key words for use in RFCs to Indicate Requirement 2885 Levels", BCP 14, RFC 2119, March 1997, 2886 . 2888 [RFC2434] Narten, T., "Guidelines for Writing an IANA Considerations 2889 Section in RFCs", RFC 2434, October 1998. 2891 [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media 2892 Types", RFC 3023, January 2001. 2894 [RFC3553] Mealling, M., "An IETF URN Sub-namespace for Registered 2895 Protocol Parameters", RFC 3553, June 2003. 2897 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2898 January 2004. 2900 [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and 2901 Registration Procedures", BCP 13, RFC 4288, December 2005. 2903 [RFC4514] Zeilenga, K., "Lightweight Directory Access Protocol 2904 (LDAP): String Representation of Distinguished Names", 2905 RFC 4514, June 2006. 2907 [XMLDSIG] Eastlake, D., "XML-Signature Syntax and Processing", 2908 URL: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/, 2909 W3C Recommendation, February 2002. 2911 [XMLENC] Eastlake, D., "XML Encryption Syntax and Processing.", 2912 URL: http://www.w3.org/TR/xmlenc-core/, December 2002. 2914 12.2. Informative References 2916 [CAP] MasterCard International, "Chip Authentication Program 2917 Functional Architecture", September 2004. 2919 [DSKPP] Doherty, A., Pei, M., Machani, S., and M. Nystrom, 2920 "Dynamic Symmetric Key Provisioning Protocol", Internet 2921 Draft Informational, URL: http://www.ietf.org/ 2922 internet-drafts/draft-ietf-keyprov-dskpp-03.txt, 2923 February 2008. 2925 [HOTP] MRaihi, D., Bellare, M., Hoornaert, F., Naccache, D., and 2926 O. Ranen, "HOTP: An HMAC-Based One Time Password 2927 Algorithm", RFC 4226, 2928 URL: http://rfc.sunsite.dk/rfc/rfc4226.html, 2929 December 2005. 2931 [NIST-SP800-57] 2932 National Institute of Standards and Technology, 2933 "Recommendation for Key Management - Part I: General 2934 (Revised)", NIST 800-57, URL: http://csrc.nist.gov/ 2935 publications/nistpubs/800-57/ 2936 sp800-57-Part1-revised2_Mar08-2007.pdf, March 2007. 2938 [OATH] "Initiative for Open AuTHentication", 2939 URL: http://www.openauthentication.org. 2941 [OCRA] MRaihi, D., Rydell, J., Naccache, D., Machani, S., and S. 2942 Bajaj, "OCRA: OATH Challenge Response Algorithm", Internet 2943 Draft Informational, URL: http://www.ietf.org/ 2944 internet-drafts/ 2945 draft-mraihi-mutual-oath-hotp-variants-06.txt, 2946 December 2007. 2948 [PKCS12] RSA Laboratories, "PKCS #12: Personal Information Exchange 2949 Syntax Standard", Version 1.0, 2950 URL: http://www.rsasecurity.com/rsalabs/pkcs/. 2952 [Schneier] 2953 Schneier, B., "Secrets and Lies: Digitial Security in a 2954 Networked World", Wiley Computer Publishing, ISBN 0-8493- 2955 8253-7, 2000. 2957 Authors' Addresses 2959 Philip Hoyer 2960 ActivIdentity, Inc. 2961 117 Waterloo Road 2962 London, SE1 8UL 2963 UK 2965 Phone: +44 (0) 20 7744 6455 2966 Email: Philip.Hoyer@actividentity.com 2968 Mingliang Pei 2969 VeriSign, Inc. 2970 487 E. Middlefield Road 2971 Mountain View, CA 94043 2972 USA 2974 Phone: +1 650 426 5173 2975 Email: mpei@verisign.com 2977 Salah Machani 2978 Diversinet, Inc. 2979 2225 Sheppard Avenue East 2980 Suite 1801 2981 Toronto, Ontario M2J 5C2 2982 Canada 2984 Phone: +1 416 756 2324 Ext. 321 2985 Email: smachani@diversinet.com 2987 Full Copyright Statement 2989 Copyright (C) The IETF Trust (2008). 2991 This document is subject to the rights, licenses and restrictions 2992 contained in BCP 78, and except as set forth therein, the authors 2993 retain all their rights. 2995 This document and the information contained herein are provided on an 2996 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2997 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 2998 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 2999 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 3000 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 3001 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 3003 Intellectual Property 3005 The IETF takes no position regarding the validity or scope of any 3006 Intellectual Property Rights or other rights that might be claimed to 3007 pertain to the implementation or use of the technology described in 3008 this document or the extent to which any license under such rights 3009 might or might not be available; nor does it represent that it has 3010 made any independent effort to identify any such rights. Information 3011 on the procedures with respect to rights in RFC documents can be 3012 found in BCP 78 and BCP 79. 3014 Copies of IPR disclosures made to the IETF Secretariat and any 3015 assurances of licenses to be made available, or the result of an 3016 attempt made to obtain a general license or permission for the use of 3017 such proprietary rights by implementers or users of this 3018 specification can be obtained from the IETF on-line IPR repository at 3019 http://www.ietf.org/ipr. 3021 The IETF invites any interested party to bring to its attention any 3022 copyrights, patents or patent applications, or other proprietary 3023 rights that may cover technology that may be required to implement 3024 this standard. Please address the information to the IETF at 3025 ietf-ipr@ietf.org. 3027 Acknowledgment 3029 Funding for the RFC Editor function is provided by the IETF 3030 Administrative Support Activity (IASA).