keyprov P. Hoyer
Internet-Draft ActivIdentity
Intended status: Informational M. Pei
Expires: November 3, 2010 VeriSign
S. Machani
Diversinet
A. Doherty
RSA, The Security Division of EMC
May 2, 2010
Additional Portable Symmetric Key Container (PSKC) Algorithm Profiles
draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt
Abstract
The Portable Symmetric Key Container (PSKC) contains a number of XML
elements and XML attributes carrying keys and related information.
Not all algorithms, however, are able to use all elements and for
other algorithm certain information is mandatory. This lead to the
introduction of PSKC algorithm profiles that provide further
description about the mandatory and optional information elements and
their semantic, including extensions that may be needed. The main
PSKC specification defines two PSKC algorithm profiles, namely "HOTP"
and "PIN". This document extends the initial set and specifies nine
further algorithm profiles for PKSC.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 3, 2010.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
Hoyer, et al. Expires November 3, 2010 [Page 1]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. OCRA (OATH Challenge Response Algorithm) . . . . . . . . . . . 5
4. TOTP (OATH Time based OTP) . . . . . . . . . . . . . . . . . . 7
5. SecurID-AES . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. SecurID-AES-Counter . . . . . . . . . . . . . . . . . . . . . 11
7. SecurID-ALGOR . . . . . . . . . . . . . . . . . . . . . . . . 13
8. ActivIdentity-3DES . . . . . . . . . . . . . . . . . . . . . . 15
9. ActivIdentity-AES . . . . . . . . . . . . . . . . . . . . . . 18
10. ActivIdentity-DES . . . . . . . . . . . . . . . . . . . . . . 21
11. ActivIdentity-EVENT . . . . . . . . . . . . . . . . . . . . . 24
12. Security Considerations . . . . . . . . . . . . . . . . . . . 26
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
15.1. Normative References . . . . . . . . . . . . . . . . . . 29
15.2. Informative References . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30
Hoyer, et al. Expires November 3, 2010 [Page 2]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
1. Introduction
This document specifies a set of algorithm profiles for PKSC, namely
OCRA (OATH Challenge Response Algorithm)
TOTP (OATH Time based OTP)
SecurID-AES
SecurID-AES-Counter
SecurID-ALGOR
ActivIdentity-3DES
ActivIdentity-AES
ActivIdentity-DES
ActivIdentity-EVENT
[Editor's Note: The content of this document was created by moving a
number of PSKC algorithm profiles from
draft-ietf-keyprov-portable-symmetric-key-container-06.txt into this
document. Since
draft-ietf-keyprov-portable-symmetric-key-container-07.txt had
experienced a number of changes the description and the examples in
this document are likely to be out-of-sync. Re-alignment will be
provided in a future version.]
Hoyer, et al. Expires November 3, 2010 [Page 3]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Hoyer, et al. Expires November 3, 2010 [Page 4]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
3. OCRA (OATH Challenge Response Algorithm)
Common Name: OCRA
Class: OTP
URI:
urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:(ocra_suite_parameters)
- e.g.
urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:HOTP-SHA512-8:C-QN08
Algorithm Definition: http://tools.ietf.org/id/
draft-mraihi-mutual-oath-hotp-variants-11.txt
Identifier Definition (this RFC)
Registrant Contact: IESG
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <Usage> subelements MUST be
present. The "CR" attribute of the <Usage> MUST be set "true" and
it MUST be the only attribute set. The element <ChallengeFormat>
and <ResponseFormat> of the <Usage> MUST be present.
For the <Data> elements of a <Key> of this algorithm, the
following subelements MUST be present in either the <Key> element
itself or an commonly shared <KeyProperties> element.
* Counter
* Time
If the element <Time> is present, the following elements MUST be
also present.
* TimeInterval
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a lengthy of at least 16 octets (128 bits) if it is
present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL", and the 'Length' attribute MUST be between 6
and 9.
Hoyer, et al. Expires November 3, 2010 [Page 5]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
An example of a <Key> of this algorithm is as follows.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>TokenVendorAcme</Manufacturer>
<SerialNo>987654322</SerialNo>
</DeviceInfo>
<Key KeyId="12345678"
KeyAlgorithm=
"urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:HOTP-SHA512-8:C-QN08">
<Issuer>Issuer</Issuer>
<Usage CR="true">
<ChallengeFormat Min="8" Max="8" Format="DECIMAL"/>
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
</Data>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 6]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
4. TOTP (OATH Time based OTP)
Common Name: TOTP
Class: OTP
URI: urn:ietf:params:xml:ns:keyprov:pskc#totp
Algorithm Definition:
http://tools.ietf.org/id/draft-mraihi-totp-timebased-05.txt
Identifier Definition (this RFC)
Registrant Contact: IESG
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <Usage> subelements MUST be
present. The "OTP" attribute of the <Usage> MUST be set "true"
and it MUST be the only attribute set. The element
<ResponseFormat> of the <Usage> MUST be used to indicate the OTP
length and the value format.
For the <Data> elements of a <Key> of this algorithm, the
following subelements MUST be present in either the <Key> element
itself or an commonly shared <KeyProperties> element.
* Time
* TimeInterval
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a lengthy of at least 16 octets (128 bits) if it is
present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL", and the 'Length' attribute MUST be between 6
and 9.
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
An example of a <Key> of this algorithm is as follows.
Hoyer, et al. Expires November 3, 2010 [Page 7]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>TokenVendorAcme</Manufacturer>
<SerialNo>987654323</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="urn:ietf:params:xml:ns:keyprov:pskc#totp"
KeyId="987654323">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="6" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Time>
<PlainValue>0</PlainValue>
</Time>
<TimeInterval>
<PlainValue>30</PlainValue>
</TimeInterval>
<TimeDrift>
<PlainValue>4</PlainValue>
</TimeDrift>
</Data>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 8]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
5. SecurID-AES
Common Name: SecurID-AES
Class: OTP
URI: http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/
otps-wst#SecurID-AES
Algorithm Definition: http://www.rsa.com/rsalabs/node.asp?id=2821
Identifier Definition: http://www.rsa.com/rsalabs/node.asp?id=2821
Registrant Contact: Andrea Doherty, RSA the Security Division of
EMC, <andrea.doherty@rsa.com>
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
<Usage> sub-elements MUST be present. The "OTP" attribute of
<Usage> MUST be set to "true" and it MUST be the only attribute
set. The <ResponseFormat> sub-element of <Usage> MUST be used to
indicate the OTP length and the value format.
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a lengthy of at least 16 octets (128 bits) if it is
present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL", and the 'Length' attribute MUST be set to a
minimum value of 6.
- The <StartDate> and <ExpiryDate> elements MUST be of type
<xs:dateTime>.
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
An example of a <Key> of this algorithm is as follows.
Hoyer, et al. Expires November 3, 2010 [Page 9]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
<Device>
<DeviceInfo>
<Manufacturer>RSA, The Security Division of EMC</Manufacturer>
<SerialNo>123456798</SerialNo>
</DeviceInfo>
<Key
KeyAlgorithm=http://www.rsasecurity.com/rsalabs/otps/schemas/2005
/09/otps-wst#SecurID-AES
KeyId="23456789">
<Issuer>Issuer</Issuer>
<Usage OTP="true>
<ResponseFormat Length="6" Format="DECIMAL"/>
</Usage>
<StartDate>2006-04-14T00:00:00Z</StartDate>
<ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 10]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
6. SecurID-AES-Counter
Common Name: SecurID-AES-Counter
Class: OTP
URI: http://www.rsa.com/names/2008/04/algorithms/SecurID/
SecurID-AES128-Counter
Algorithm Definition: http://www.rsa.com/names/2008/04/algorithms/
SecurID/SecurID-AES128-Counter
Identifier Definition http://www.rsa.com/names/2008/04/algorithms/
SecurID/SecurID-AES128-Counter
Registrant Contact: Andrea Doherty, RSA the Security Division of
EMC, <andrea.doherty@rsa.com>
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
<Usage> sub-elements MUST be present. The "OTP" attribute of
<Usage> MUST be set to "true" and it MUST be the only attribute
set. The <ResponseFormat> sub-element of <Usage> MUST be used to
indicate the OTP length and the value format.
For the Data elements of a <Key> of this algorithm, the following
subelements MUST be present in either the <Key> element itself or
an commonly shared <KeyProperties> element.
* Counter
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a lengthy of at least 16 octets (128 bits) if it is
present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL", and the 'Length' attribute MUST be set to a
minimum value of 6.
- The <StartDate> and <ExpiryDate> elements MUST be of type
<xs:dateTime>.
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
Hoyer, et al. Expires November 3, 2010 [Page 11]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
An example of a <Key> of this algorithm is as follows.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
<Device>
<DeviceInfo>
<Manufacturer>RSA, The Security Division of EMC</Manufacturer>
<SerialNo>123456798</SerialNo>
</DeviceInfo>
<Key
KeyAlgorithm=http://www.rsa.com/names/2008/04/algorithms/
SecurID/SecurID-AES128-Counter
KeyId="23456789">
<Issuer>Issuer</Issuer>
<Usage OTP="true>
<ResponseFormat Length="6" Format="DECIMAL"/>
</Usage>
<StartDate>2006-04-14T00:00:00Z</StartDate>
<ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
<Data>
<Secret>
<PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
</Data>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 12]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
7. SecurID-ALGOR
Common Name: SecurID-ALGOR
Class: OTP
URI: http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/
otps-wst#SecurID-ALGOR
Algorithm Definition: http://www.rsa.com/rsalabs/node.asp?id=2821
Identifier Definition: http://www.rsa.com/rsalabs/node.asp?id=2821
Registrant Contact: Andrea Doherty, RSA the Security Division of
EMC, <andrea.doherty@rsa.com>
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
<Usage> sub-elements MUST be present. The "OTP" attribute of
<Usage> MUST be set to "true" and it MUST be the only attribute
set. The <ResponseFormat> sub-element of <Usage> MUST be used to
indicate the OTP length and the value format.
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a lengthy of at least 8 octets (64 bits) if it is present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL", and the 'Length' attribute MUST be set to a
value of 6 through 8.
- The <StartDate> and <ExpiryDate> elements MUST be of type
<xs:dateTime>.
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
An example of a <Key> of this algorithm is as follows.
Hoyer, et al. Expires November 3, 2010 [Page 13]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
<Device>
<DeviceInfo>
<Manufacturer>RSA, The Security Division of EMC</Manufacturer>
<SerialNo>123456798</SerialNo>
</DeviceInfo>
<Key
KeyAlgorithm=http://www.rsasecurity.com/rsalabs/otps/schemas/
2005/09/otps-wst#SecurID-ALGOR KeyId="23456789">
<Issuer>Issuer</Issuer>
<Usage OTP="true>
<ResponseFormat Length="6" Format="DECIMAL"/>
</Usage>
<StartDate>2006-04-14T00:00:00Z</StartDate>
<ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 14]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
8. ActivIdentity-3DES
Common Name: ActivIdentity-3DES
Class: OTP
URI: http://www.actividentity.com/2008/04/algorithms/
algorithms#ActivIdentity-3DES
Algorithm Definition: http://www.actividentity.com/2008/04/
algorithms/algorithms#ActivIdentity-3DES
Identifier Definition http://www.actividentity.com/2008/04/
algorithms/algorithms#ActivIdentity-3DES
Registrant Contact: Philip Hoyer, ActivIdentity Inc,
<philip.hoyer@actividentity.com>
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <Usage> subelements MUST be
present. This algorithm can be used for otp, challenge response,
parameter based MACing (integrity) and to generate a device unlock
code (n case of devices where there is local PIN management and
the devce has been locked after a specific amount of wrong PIN
entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock"
attribute of the <Usage> can be set to "true", but at least one of
the above MUST be set to true. The element <ResponseFormat> of
the <Usage> MUST be used to indicate the OTP length, the value
format and optionally if a check digit is being used. If the use
is challenge-response then the <ChallengeFormat> of the <Usage>
MUST be used to indicate the challenge minimum and maximum length,
its format and optionally if a check digit is being used.
For the <Data> elements of a <Key> of this algorithm, the
following subelements MUST be present in either the <Key> element
itself or an commonly shared <KeyProperties> element.
* Secret
* Counter
* Time
* TimeInterval
Hoyer, et al. Expires November 3, 2010 [Page 15]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a length of at least 16 octets (Double DES keys 128 bits
including parity) if it is present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
MUST be between 6 and 16.
- The <ChallengeFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
be between 4 and 16 (The Min attribute MUST be equal or less
than the Max).
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
An example of a Key of this algorithm is as follows.
Hoyer, et al. Expires November 3, 2010 [Page 16]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>ActivIdentity</Manufacturer>
<SerialNo>34567890</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="http://www.actividentity.com/
2008/04/algorithms/algorithms#ActivIdentity-3DES"
KeyId="12345677">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
<Time>
<PlainValue>0</PlainValue>
</Time>
<TimeInterval>
<PlainValue>32</PlainValue>
</TimeInterval>
<TimeDrift>
<PlainValue>0</PlainValue>
</TimeDrift>
</Data>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 17]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
9. ActivIdentity-AES
Common Name: ActivIdentity-AES
Class: OTP
URI: http://www.actividentity.com/2008/04/algorithms/
algorithms#ActivIdentity-AES
Algorithm Definition: http://www.actividentity.com/2008/04/
algorithms/algorithms#ActivIdentity-AES
Identifier Definition http://www.actividentity.com/2008/04/
algorithms/algorithms#ActivIdentity-AES
Registrant Contact: Philip Hoyer, ActivIdentity Inc,
<philip.hoyer@actividentity.com>
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <Usage> subelements MUST be
present. This algorithm can be used for otp, challenge response,
parameter based MACing (integrity) and to generate a device unlock
code (n case of devices where there is local PIN management and
the devce has been locked after a specific amount of wrong PIN
entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock"
attribute of the <Usage> can be set to "true", but at least one of
the above MUST be set to true. The element <ResponseFormat> of
the <Usage> MUST be used to indicate the OTP length, the value
format and optionally if a check digit is being used. If the use
is challenge-response then the <ChallengeFormat> of the <Usage>
MUST be used to indicate the challenge minimum and maximum length,
its format and optionally if a check digit is being used.
For the <Data> elements of a key of this algorithm, the following
subelements MUST be present in either the <Key> element itself or
an commonly shared <KeyProperties> element.
* Secret
* Counter
* Time
* TimeInterval
Hoyer, et al. Expires November 3, 2010 [Page 18]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a length of at least 16 octets (128 bits) if it is
present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
MUST be between 6 and 16.
- The <ChallengeFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
be between 4 and 16 (The Min attribute MUST be equal or less
than the Max).
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
An example of a <Key> of this algorithm is as follows.
Hoyer, et al. Expires November 3, 2010 [Page 19]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>ActivIdentity</Manufacturer>
<SerialNo>34567890</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="http://www.actividentity.com/
2008/04/algorithms/algorithms#ActivIdentity-AES"
KeyId="12345677">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
<Time>
<PlainValue>0</PlainValue>
</Time>
<TimeInterval>
<PlainValue>32</PlainValue>
</TimeInterval>
<TimeDrift>
<PlainValue>0</PlainValue>
</TimeDrift>
</Data>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 20]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
10. ActivIdentity-DES
Common Name: ActivIdentity-DES
Class: OTP
URI: http://www.actividentity.com/2008/04/algorithms/
algorithms#ActivIdentity-DES
Algorithm Definition: http://www.actividentity.com/2008/04/
algorithms/algorithms#ActivIdentity-DES
Identifier Definition http://www.actividentity.com/2008/04/
algorithms/algorithms#ActivIdentity-DES
Registrant Contact: Philip Hoyer, ActivIdentity Inc,
<philip.hoyer@actividentity.com>
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <Usage> subelements MUST be
present. This algorithm can be used for otp, challenge response,
parameter based MACing (integrity) and to generate a device unlock
code (n case of devices where there is local PIN management and
the devce has been locked after a specific amount of wrong PIN
entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock"
attribute of the <Usage> can be set to "true", but at least one of
the above MUST be set to true. The element <ResponseFormat> of
the <Usage> MUST be used to indicate the OTP length, the value
format and optionally if a check digit is being used. If the use
is challenge-response then the <ChallengeFormat> of the <Usage>
MUST be used to indicate the challenge minimum and maximum length,
its format and optionally if a check digit is being used.
For the <Data> elements of a key of this algorithm, the following
subelements MUST be present in either the <Key> element itself or
an commonly shared <KeyProperties> element.
* Counter
* Time
* TimeInterval
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a length of at least 8 octets (56 bits + parity) if it is
Hoyer, et al. Expires November 3, 2010 [Page 21]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
MUST be between 6 and 16.
- The <ChallengeFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
be between 4 and 16 (The Min attribute MUST be equal or less
than the Max).
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
An example of a <Key> of this algorithm is as follows.
Hoyer, et al. Expires November 3, 2010 [Page 22]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>ActivIdentity</Manufacturer>
<SerialNo>34567890</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="http://www.actividentity.com/
2008/04/algorithms/algorithms#ActivIdentity-DES"
KeyId="12345677">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
<Time>
<PlainValue>0</PlainValue>
</Time>
<TimeInterval>
<PlainValue>32</PlainValue>
</TimeInterval>
<TimeDrift>
<PlainValue>0</PlainValue>
</TimeDrift>
</Data>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 23]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
11. ActivIdentity-EVENT
Common Name: ActivIdentity-EVENT
Class: OTP
URI: http://www.actividentity.com/2008/04/algorithms/
algorithms#ActivIdentity-EVENT
Algorithm Definition: http://www.actividentity.com/2008/04/
algorithms/algorithms#ActivIdentity-EVENT
Identifier Definition http://www.actividentity.com/2008/04/
algorithms/algorithms#ActivIdentity-EVENT
Registrant Contact: Philip Hoyer, ActivIdentity Inc,
<philip.hoyer@actividentity.com>
Profile of XML attributes and subelements of the <Key> entity:
For a <Key> of this algorithm, the <Usage> subelements MUST be
present. This algorithm can be used for otp, challenge response,
parameter based MACing (integrity) and to generate a device unlock
code (n case of devices where there is local PIN management and
the device has been locked after a specific amount of wrong PIN
entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock"
attribute of the <Usage> can be set to "true", but at least one of
the above MUST be set to true. The element <ResponseFormat> of
the <Usage> MUST be used to indicate the OTP length, the value
format and optionally if a check digit is being used. If the use
is challenge-response then the <ChallengeFormat> of the <Usage>
MUST be used to indicate the challenge minimum and maximum length,
its format and optionally if a check digit is being used.
For the <Data> elements of a key of this algorithm, the following
subelements MUST be present in either the <Key> element itself or
an commonly shared <KeyProperties> element.
* Counter
The following additional constraints apply:
- The value of the <Secret> element MUST contain key material
with a length of at least 8 octets (56 bits + parity) if it is
present.
- The <ResponseFormat> element MUST have the 'Format' attribute
set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
Hoyer, et al. Expires November 3, 2010 [Page 24]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
MUST be between 6 and 16.
- The <PINPolicy> element MAY be present but the <Format> child
element of the <PINPolicy> element cannot be set to
"Algorithmic".
An example of a <Key> of this algorithm is as follows.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>ActivIdentity</Manufacturer>
<SerialNo>34567890</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="http://www.actividentity.com/
2008/04/algorithms/algorithms#ActivIdentity-EVENT"
KeyId="12345677">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
</Data>
</Key>
</Device>
</KeyContainer>
Hoyer, et al. Expires November 3, 2010 [Page 25]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
12. Security Considerations
[Editor's Note: Security considerations regarding the algorithms go
in here.]
Hoyer, et al. Expires November 3, 2010 [Page 26]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
13. IANA Considerations
[Editor's Note: The registration of the algorithm profiles goes in
here.]
Hoyer, et al. Expires November 3, 2010 [Page 27]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
14. Acknowledgements
Add your name here.
Hoyer, et al. Expires November 3, 2010 [Page 28]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
15. References
15.1. Normative References
[RFC2119] "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
15.2. Informative References
[PSKC] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
Key Container", Internet Draft Informational,
URL: http://tools.ietf.org/html/
draft-ietf-keyprov-pskc-05, January 2010.
Hoyer, et al. Expires November 3, 2010 [Page 29]
Internet-Draft Additional PSKC Algorithm Profiles May 2010
Authors' Addresses
Philip Hoyer
ActivIdentity, Inc.
117 Waterloo Road
London, SE1 8UL
UK
Phone: +44 (0) 20 7744 6455
Email: Philip.Hoyer@actividentity.com
Mingliang Pei
VeriSign, Inc.
487 E. Middlefield Road
Mountain View, CA 94043
USA
Phone: +1 650 426 5173
Email: mpei@verisign.com
Salah Machani
Diversinet, Inc.
2225 Sheppard Avenue East
Suite 1801
Toronto, Ontario M2J 5C2
Canada
Phone: +1 416 756 2324 Ext. 321
Email: smachani@diversinet.com
Andrea Doherty
RSA, The Security Division of EMC
174 Middlesex Tpk.
Bedford, MA 01730
USA
Email: adoherty@rsa.com
Hoyer, et al. Expires November 3, 2010 [Page 30]