Side-by-side comparison of draft-ietf-keyprov-dskpp-07.txt (-07) and
draft-ietf-keyprov-dskpp-08.txt (-08). Text common to both drafts is
shown once; where the drafts differ, both readings are given and marked
[-07] and [-08].

KEYPROV Working Group                                         A. Doherty
Internet-Draft                          RSA, The Security Division of EMC
Intended status: Standards Track                                   M. Pei
                                                            Verisign, Inc.
                                                               S. Machani
                                                          Diversinet Corp.
                                                               M. Nystrom
                                        RSA, The Security Division of EMC

[-07] Expires: August 13, 2009                        February 9, 2009
[-08] Expires: January 29, 2010                          July 28, 2009

            Dynamic Symmetric Key Provisioning Protocol (DSKPP)
                   [-07] draft-ietf-keyprov-dskpp-07.txt
                   [-08] draft-ietf-keyprov-dskpp-08.txt
Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.

[-07 only] This document may not be modified, and derivative works of
it may not be created, and it may not be published except as an
Internet-Draft.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups.  Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

[-07] This Internet-Draft will expire on August 13, 2009.
[-08] This Internet-Draft will expire on January 29, 2010.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the
document authors.  All rights reserved.

[-07] This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.

[-08] This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract

DSKPP is a client-server protocol for initialization (and
configuration) of symmetric keys to locally and remotely accessible
cryptographic modules.  The protocol can be run with or without
private-key capabilities in the cryptographic modules, and with or
without an established public-key infrastructure.

Two variations of the protocol support multiple usage scenarios.
[...]

Table of Contents

1.  Introduction
    1.1.  Key Words
    1.2.  Versions
    1.3.  Namespace Identifiers
          1.3.1.  Defined Identifiers
          1.3.2.  Identifiers Defined in Related Specifications
          1.3.3.  Referenced Identifiers
2.  Terminology
    2.1.  Definitions
    2.2.  Notation
    2.3.  Abbreviations
3.  DSKPP Overview
    3.1.  Protocol Entities
    3.2.  Basic DSKPP Exchange
          3.2.1.  User Authentication
          3.2.2.  Protocol Initiated by the DSKPP Client
          3.2.3.  Protocol Triggered by the DSKPP Server
          3.2.4.  Variants
    3.3.  Status Codes
    3.4.  Basic Constructs
          3.4.1.  User Authentication Data, AD
          3.4.2.  The DSKPP One-Way Pseudorandom Function, DSKPP-PRF
          3.4.3.  The DSKPP Message Hash Algorithm
4.  Four-Pass Protocol Usage
    4.1.  The Key Agreement Mechanism
          4.1.1.  Data Flow
          4.1.2.  Computation
    4.2.  Message Flow
          4.2.1.  KeyProvTrigger
          4.2.2.  KeyProvClientHello
          4.2.3.  KeyProvServerHello
          4.2.4.  KeyProvClientNonce
          4.2.5.  KeyProvServerFinished
5.  Two-Pass Protocol Usage
    5.1.  Key Protection Methods
          5.1.1.  Key Transport
          5.1.2.  Key Wrap
          5.1.3.  Passphrase-Based Key Wrap
    5.2.  Message Flow
          5.2.1.  KeyProvTrigger
          5.2.2.  KeyProvClientHello
          5.2.3.  KeyProvServerFinished
6.  Protocol Extensions
    6.1.  The ClientInfoType Extension
    6.2.  The ServerInfoType Extension
7.  Protocol Bindings
    7.1.  General Requirements
    7.2.  HTTP/1.1 Binding for DSKPP
          7.2.1.  Identification of DSKPP Messages
          7.2.2.  HTTP Headers
          7.2.3.  HTTP Operations
          7.2.4.  HTTP Status Codes
          7.2.5.  HTTP Authentication
          7.2.6.  Initialization of DSKPP
          7.2.7.  Example Messages
8.  DSKPP XML Schema
    8.1.  General Processing Requirements
    8.2.  Schema
9.  Conformance Requirements
10. Security Considerations
    10.1.  General
    10.2.  Active Attacks
           10.2.1.  Introduction
           10.2.2.  Message Modifications
           10.2.3.  Message Deletion
           10.2.4.  Message Insertion
           10.2.5.  Message Replay
           10.2.6.  Message Reordering
           10.2.7.  Man-in-the-Middle
    10.3.  Passive Attacks
    10.4.  Cryptographic Attacks
    10.5.  Attacks on the Interaction between DSKPP and User
           Authentication
    10.6.  Miscellaneous Considerations
           10.6.1.  Client Contributions to K_TOKEN Entropy
           10.6.2.  Key Confirmation
           10.6.3.  Server Authentication
           10.6.4.  User Authentication
           10.6.5.  Key Protection in Two-Pass DSKPP
11. Internationalization Considerations
12. IANA Considerations
    12.1.  URN Sub-Namespace Registration
    12.2.  XML Schema Registration
    12.3.  MIME Media Type Registration
    12.4.  Status Code Registry
13. Intellectual Property Considerations
14. Contributors
15. Acknowledgements
16. References
    16.1.  Normative references
    16.2.  Informative references
Appendix A.  Usage Scenarios
    A.1.  Single Key Request
    A.2.  Multiple Key Requests
    A.3.  User Authentication
    A.4.  Provisioning Time-Out Policy
    A.5.  Key Renewal
    A.6.  Pre-Loaded Key Replacement
    A.7.  Pre-Shared Manufacturing Key
    A.8.  End-to-End Protection of Key Material
Appendix B.  Examples
    B.1.  Trigger Message
    B.2.  Four-Pass Protocol
          B.2.1.  <KeyProvClientHello> Without a Preceding Trigger
          B.2.2.  <KeyProvClientHello> Assuming a Preceding Trigger
          B.2.3.  <KeyProvServerHello> Without a Preceding Trigger
          B.2.4.  <KeyProvServerHello> Assuming Key Renewal
          B.2.5.  <KeyProvClientNonce> Using Default Encryption
          B.2.6.  <KeyProvServerFinished> Using Default Encryption
    B.3.  Two-Pass Protocol
          B.3.1.  Example Using the Key Transport Method
          B.3.2.  Example Using the Key Wrap Method
          B.3.3.  Example Using the Passphrase-Based Key Wrap Method
Appendix C.  Integration with PKCS #11
    C.1.  The 4-pass Variant
    C.2.  The 2-pass Variant
Appendix D.  Example of DSKPP-PRF Realizations
    D.1.  Introduction
    D.2.  DSKPP-PRF-AES
          D.2.1.  Identification
          D.2.2.  Definition
          D.2.3.  Example
    D.3.  DSKPP-PRF-SHA256
          D.3.1.  Identification
          D.3.2.  Definition
          D.3.3.  Example
Authors' Addresses
1. Introduction

Symmetric key based cryptographic systems (e.g., those providing
authentication mechanisms such as one-time passwords and challenge-
response) offer performance and operational advantages over public
key schemes.  Such use requires a mechanism for provisioning of
symmetric keys providing equivalent functionality to mechanisms such
as CMP [RFC4210] and CMC [RFC5272] in a Public Key Infrastructure.
[...]

1.3. Namespace Identifiers

This document uses Uniform Resource Identifiers [RFC2396] to identify
resources, algorithms, and semantics.

1.3.1. Defined Identifiers

The XML namespace [XMLNS] URI for Version 1.0 of DSKPP protocol is:

   [-07] xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0"
   [-08] xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"

References to qualified elements in the DSKPP schema defined herein
use the prefix "dskpp".

1.3.2. Identifiers Defined in Related Specifications

This document relies on qualified elements already defined in the
Portable Symmetric Key Container [PSKC] namespace, which is
represented by the prefix "pskc" and declared as:

   [-07] xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
   [-08] xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"

1.3.3. Referenced Identifiers

Finally, the DSKPP syntax presented in this document relies on
algorithm identifiers defined in the XML Signature [XMLDSIG]
namespace:

   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

References to algorithm identifiers in the XML Signature namespace
[...]

the cryptographic module, e.g., a mobile phone

DSKPP Client: Manages communication between the symmetric key
cryptographic module and the DSKPP server

DSKPP Server: The symmetric key provisioning server that
participates in the DSKPP protocol run

DSKPP Server ID (ServerID): The unique identifier of a DSKPP server

[-08 only] Key Agreement: A key establishment protocol whereby two or
more parties can agree on a key in such a way that both influence the
outcome

[-08 only] Key Confirmation: The assurance of the rightful
participants in a key-establishment protocol that the intended
recipient of the shared key actually possesses the shared key

Key Issuer: An organization that issues symmetric keys to end-users

Key Package (KP): An object that encapsulates a symmetric key and
its configuration data

Key ID (KeyID): A unique identifier for the symmetric key

Key Protection Method (KPM): The key transport method used during
two-pass DSKPP

[...]

Keying Material: The data (e.g., keys and key configuration data)
necessary to establish and maintain cryptographic keying
relationships [NIST-SP800-57]

Manufacturer's Key: A unique master key pre-issued to a hardware
device, e.g., a smart card, during the manufacturing process.  If
present, this key may be used by a cryptographic module to derive
secret keys

[-08 only] Protocol Run: Complete execution of the DSKPP that involves
one exchange (2-pass) or two exchanges (4-pass)

Security Attribute List (SAL): A payload that contains the DSKPP
version, DSKPP variant (four- or two-pass), key package formats,
key types, and cryptographic algorithms that the cryptographic
module is capable of supporting

Security Context (SC): A payload that contains the DSKPP version,
DSKPP variant (four- or two-pass), key package format, key type,
and cryptographic algorithms relevant to the current protocol run
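The Key Agreement and Key Confirmation definitions above name two properties rather than an algorithm: both parties influence the resulting key, and the intended recipient proves it actually holds that key. The Python below is an added illustration of those two properties; it is not code from either draft and not DSKPP's own key derivation (the drafts define that through DSKPP-PRF in later sections). HMAC-SHA256 stands in for the PRF, the label strings and nonce order are constructed for the example, and both sides are simulated in one process.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in pseudorandom function (HMAC-SHA256).

    Assumption for this illustration only; DSKPP specifies its own
    DSKPP-PRF realizations, which are not reproduced here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_key(client_nonce: bytes, server_nonce: bytes, key_id: bytes) -> bytes:
    """Derive the provisioned key from contributions of both parties.

    Neither side can fix the key on its own: changing either nonce changes
    the output, which is the "both influence the outcome" property of key
    agreement.  Nonce order and the label are constructed for this example."""
    return prf(client_nonce + server_nonce, b"key generation" + key_id)


def key_confirmation_mac(key: bytes, sender: bytes, transcript: bytes) -> bytes:
    """Proof of possession: MAC the shared transcript under the derived key.

    Binding the sender's role and the transcript means the MAC cannot be
    reflected back to its sender or reused with a different exchange."""
    return prf(key, b"key confirmation" + sender + transcript)


def confirm(key: bytes, sender: bytes, transcript: bytes, proof: bytes) -> bool:
    """Verify a key-confirmation MAC in constant time."""
    expected = key_confirmation_mac(key, sender, transcript)
    return hmac.compare_digest(expected, proof)


def run_exchange(key_id: bytes = b"key-0001") -> bool:
    """Simulate client and server locally; return whether the client
    confirms that the server holds the same key.

    Fresh nonces are drawn per run.  In a real deployment the client's
    contribution must be protected in transit; that protection is not
    modelled here."""
    client_nonce = secrets.token_bytes(16)
    server_nonce = secrets.token_bytes(16)
    transcript = client_nonce + server_nonce + key_id  # what both sides saw
    k_client = derive_key(client_nonce, server_nonce, key_id)
    k_server = derive_key(client_nonce, server_nonce, key_id)
    proof = key_confirmation_mac(k_server, b"server", transcript)
    return confirm(k_client, b"server", transcript, proof)


if __name__ == "__main__":
    print("key confirmation succeeded:", run_exchange())
```

The confirmation MAC covers the whole transcript, so a modified nonce, a different key, or a proof replayed under the other role all fail verification, which is what makes the check useful as evidence that the peer derived the same key rather than merely echoed a value.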
2.2. Notation

[...]

Server: The DSKPP provisioning server.

Cryptographic Module: The cryptographic module to which the
symmetric keys are to be provisioned, e.g., an authentication
token.

Client: The DSKPP client which manages communication between the
cryptographic module and the key provisioning server.

[-08 only, first sentence] The principal syntax is XML and it is
layered on a transport mechanism such as HTTP.  While it is highly
desirable for the entire communication between the DSKPP client and
server to be protected by means of a transport providing
confidentiality and integrity protection such as HTTP over Transport
Layer Security (TLS), such protection is not sufficient to protect
the exchange of the symmetric key data between the server and the
cryptographic module, and the DSKPP protocol is designed to permit
implementations that satisfy this requirement.

The server only communicates to the client.  As far as the server is
concerned, the client and cryptographic module may be considered to
be a single entity.

From a client-side security perspective, however, the client and the
cryptographic module are separate logical entities and may in some
implementations be separate physical entities as well.

It is assumed that a device will host an application layered above
[...]

digits).  However, the DSKPP Server is free to generate them in
any way it wishes.

o  The DSKPP client needs the URL of the DSKPP server (which is not
   user-specific or secret, and may be pre-configured somehow), and a
   set of trust anchors for verifying the server certificate.

o  There must be an account for the user that has an identifier and
   long-term user name (or other account identifier) to which the
   token will be associated.  The DSKPP server will use the Client ID
   to find the corresponding Authentication Code for user
   authentication.

In Step 1, the client establishes a TLS connection, and authenticates
the server (that is, validates the certificate, and compares the host
name in the URL with the certificate).

Next, the DSKPP Client and DSKPP Server exchange DSKPP messages
(which are sent over HTTPS).  In these messages:

o  The client and server negotiate which cryptographic algorithms
   they want to use, which algorithms are supported for protecting
   DSKPP messages, and other DSKPP protocol details.

[...]

perform symmetric-key based operations.

The exact division of work between the cryptographic module and the
DSKPP client -- and between the key provisioning server and the DSKPP
server -- is not specified in this document.  The figure above shows
one possible case, but this is intended for illustrative purposes
only.
3.2.3. Protocol Triggered by the DSKPP Server 3.2.3. Protocol Triggered by the DSKPP Server
In the first message flow (previous section), the Client ID and In the first message flow (previous section), the Client ID and
Authentication Code were delivered to the user by some out-of-band Authentication Code were delivered to the client by some out-of-band
means (such as paper). means (such as paper sent to the user).
Web DSKPP DSKPP Web Web DSKPP DSKPP Web
Browser Client Server Server Browser Client Server Server
| | | | | | | |
|<-------- HTTPS browsing + some kind of user auth. --------->| |<-------- HTTPS browsing + some kind of user auth. --------->|
| | | | | | | |
| some HTTP request ----------------------------------------->| | some HTTP request ----------------------------------------->|
| | | | | |
| | |<------------->| | | |<------------->|
| | | | | | | |
skipping to change at page 16, line 27 skipping to change at page 16, line 27
3.2.4.1. Criteria for Using the Four-Pass Variant 3.2.4.1. Criteria for Using the Four-Pass Variant
The four-pass protocol is needed under one or more of the following The four-pass protocol is needed under one or more of the following
conditions: conditions:
o Policy requires that both parties engaged in the protocol jointly o Policy requires that both parties engaged in the protocol jointly
contribute entropy to the key. Enforcing this policy mitigates contribute entropy to the key. Enforcing this policy mitigates
the risk of exposing a key during the provisioning process as the the risk of exposing a key during the provisioning process as the
key is generated through mutual agreement without being key is generated through mutual agreement without being
transferred over-the-air or over-the-wire. It also mitigates risk transferred over-the-air or over-the-wire. It also mitigates risk
of exposure after the key is provisioned, as the key will be not of exposure after the key is provisioned, as the key will not be
be vulnerable to a single point of attack in the system. vulnerable to a single point of attack in the system.
o A cryptographic module does not have private-key capabilities. o A cryptographic module does not have private-key capabilities.
o The cryptographic module is hosted by a device that was neither o The cryptographic module is hosted by a device that was neither
pre-issued with a manufacturer's key or other form of pre-shared pre-issued with a manufacturer's key or other form of pre-shared
key (as might be the case with a smart card or SIM card) nor has a key (as might be the case with a smart card or SIM card) nor has a
keypad that can be used for entering a passphrase (such as present keypad that can be used for entering a passphrase (such as present
on a mobile phone). on a mobile phone).
3.2.4.2. Criteria for Using the Two-Pass Variant 3.2.4.2. Criteria for Using the Two-Pass Variant
The two-pass protocol is needed under one or more of the following The two-pass protocol is needed under one or more of the following
skipping to change at page 17, line 22 skipping to change at page 17, line 22
secret values generated as a result of failed runs of the DSKPP secret values generated as a result of failed runs of the DSKPP
protocol. Session identifiers MAY be retained from successful or protocol. Session identifiers MAY be retained from successful or
failed protocol runs for replay detection purposes, but such retained failed protocol runs for replay detection purposes, but such retained
identifiers MUST NOT be reused for subsequent runs of the protocol. identifiers MUST NOT be reused for subsequent runs of the protocol.
When possible, the DSKPP client SHOULD present an appropriate error When possible, the DSKPP client SHOULD present an appropriate error
message to the user. message to the user.
These status codes are valid in all DSKPP Response messages unless These status codes are valid in all DSKPP Response messages unless
explicitly stated otherwise: explicitly stated otherwise:
Continue: The DSKPP server is ready for a subsequent request from the
   DSKPP client. It cannot be sent in the server's final message.

Success: Successful completion of the DSKPP session. It can only be
   sent in the server's final message.

Abort: The DSKPP server rejected the DSKPP client's request for
   unspecified reasons.

AccessDenied: The DSKPP client is not authorized to contact this DSKPP
   server.

MalformedRequest: The DSKPP server failed to parse the DSKPP client's
   request.

UnknownRequest: The DSKPP client made a request that is unknown to the
   DSKPP server.

UnknownCriticalExtension: A critical DSKPP extension (see below) used
   by the DSKPP client was not supported or recognized by the DSKPP
   server.

UnsupportedVersion: The DSKPP client used a DSKPP protocol version not
   supported by the DSKPP server. This error is only valid in the
   DSKPP server's first response message.

NoSupportedKeyTypes: The DSKPP client only suggested key types that
   are not supported by the DSKPP server. This error is only valid in
   the DSKPP server's first response message.

NoSupportedEncryptionAlgorithms: The DSKPP client only suggested
   encryption algorithms that are not supported by the DSKPP server.
   This error is only valid in the DSKPP server's first response
   message.

NoSupportedMacAlgorithms: The DSKPP client only suggested MAC
   algorithms that are not supported by the DSKPP server. This error
   is only valid in the DSKPP server's first response message.

NoProtocolVariants: The DSKPP client only suggested a protocol variant
   (either 2-pass or 4-pass) that is not supported by the DSKPP server.
   This error is only valid in the DSKPP server's first response
   message.

NoSupportedKeyPackages: The DSKPP client only suggested key package
   formats that are not supported by the DSKPP server. This error is
   only valid in the DSKPP server's first response message.

AuthenticationDataMissing: The DSKPP client did not provide
   authentication data that the DSKPP server required.

AuthenticationDataInvalid: The DSKPP client supplied user
   authentication data that the DSKPP server failed to validate.

InitializationFailed: The DSKPP server could not generate a valid key
   given the provided data. When this status code is received, the
   DSKPP client SHOULD try to restart DSKPP, as it is possible that a
   new run will succeed.

ProvisioningPeriodExpired: The provisioning period set by the DSKPP
   server has expired. When this status code is received, the DSKPP
   client SHOULD report the reason for key initialization failure to
   the user, and the user MUST register with the DSKPP server to
   initialize a new key.
3.4. Basic Constructs 3.4. Basic Constructs
The following calculations are used in both DSKPP protocol variants. The following calculations are used in both DSKPP protocol variants.
3.4.1. User Authentication Data, AD 3.4.1. User Authentication Data, AD
User authentication data (AD) is derived from a Client ID and User authentication data (AD) is derived from a Client ID and
Authentication Code that the user enters before the first DSKPP Authentication Code that the user enters before the first DSKPP
message is sent. message is sent.
skipping to change at page 20, line 25 skipping to change at page 20, line 52
Section 3.4.2 for a description of DSKPP-PRF in general and Section 3.4.2 for a description of DSKPP-PRF in general and
Appendix D for a description of DSKPP-PRF-AES): Appendix D for a description of DSKPP-PRF-AES):
MAC = DSKPP-PRF(K_AC, AC->clientID||URL_S||R_C||[R_S], 16) MAC = DSKPP-PRF(K_AC, AC->clientID||URL_S||R_C||[R_S], 16)
In four-pass DSKPP, the cryptographic module uses R_C, R_S, and URL_S In four-pass DSKPP, the cryptographic module uses R_C, R_S, and URL_S
to calculate the MAC, where URL_S is the URL the DSKPP client uses to calculate the MAC, where URL_S is the URL the DSKPP client uses
when contacting the DSKPP server. In two-pass DSKPP, the when contacting the DSKPP server. In two-pass DSKPP, the
cryptographic module does not have access to R_S, therefore only R_C cryptographic module does not have access to R_S, therefore only R_C
is used in combination with URL_S to produce the MAC. In either is used in combination with URL_S to produce the MAC. In either
case, K_AC MUST be derived from AC>password as follows [PKCS-5]: case, K_AC MUST be derived from AC->password as follows [PKCS-5]:
K_AC = PBKDF2(AC->password, R_C || K, iter_count, 16) K_AC = PBKDF2(AC->password, R_C || K, iter_count, 16)
One of the following values for K MUST be used: One of the following values for K MUST be used:
a. In four-pass: a. In four-pass:
* The public key of the DSKPP server (K_SERVER), or (in the pre- * The public key of the DSKPP server (K_SERVER), or (in the pre-
shared key variant) the pre-shared key between the client and shared key variant) the pre-shared key between the client and
the server (K_SHARED) the server (K_SHARED)
skipping to change at page 23, line 5 skipping to change at page 23, line 5
With 4-pass DSKPP, the symmetric key that is the target of With 4-pass DSKPP, the symmetric key that is the target of
provisioning, is generated on-the-fly without being transferred provisioning, is generated on-the-fly without being transferred
between the DSKPP client and DSKPP server. The data flow and between the DSKPP client and DSKPP server. The data flow and
computation are described below. computation are described below.
4.1.1. Data Flow 4.1.1. Data Flow
A sample data flow showing key generation during the 4-pass protocol A sample data flow showing key generation during the 4-pass protocol
is shown in Figure 3. is shown in Figure 3.
[Figure 3 is an ASCII diagram that does not survive the side-by-side
rendering; its content: two boxes, DSKPP Server (left) and DSKPP Client
(right). The server holds the Server key (Public, Private). The public
key is sent to the client, where it feeds both the Encrypt step and the
client's DSKPP PRF; on the server it feeds the server's DSKPP PRF, and
the private key feeds the Decrypt step. Client Random, generated on the
client, is encrypted under the public key and sent to the server, which
decrypts it. Server Random is sent from the server to the client. On
each side, DSKPP PRF takes the server key, Server Random and Client
Random and outputs Key. Key Id is sent from the server to the client.]

Figure 3: Principal data flow for DSKPP key generation -
using public server key
The inclusion of the two random nonces (R_S and R_C) in the key The inclusion of the two random nonces (R_S and R_C) in the key
generation provides assurance to both sides (the cryptographic module generation provides assurance to both sides (the cryptographic module
and the DSKPP server) that they have contributed to the key's and the DSKPP server) that they have contributed to the key's
randomness and that the key is unique. The inclusion of the randomness and that the key is unique. The inclusion of the
encryption key (K) ensures that no man-in-the-middle may be present, encryption key (K) ensures that no man-in-the-middle may be present,
or else the cryptographic module will end up with a key different or else the cryptographic module will end up with a key different
from the one stored by the legitimate DSKPP server. from the one stored by the legitimate DSKPP server.
Notes:
Conceptually, although R_C is one pseudorandom string, it may be Conceptually, although R_C is one pseudorandom string, it may be
viewed as consisting of two components, R_C1 and R_C2, where R_C1 viewed as consisting of two components, R_C1 and R_C2, where R_C1 is
is generated during the protocol run, and R_C2 can be pre- generated during the protocol run, and R_C2 can be pre-generated and
generated and loaded on the cryptographic module before the device loaded on the cryptographic module before the device is issued to the
is issued to the user. In that case, the latter string, R_C2, user. In that case, the latter string, R_C2, SHOULD be unique for
SHOULD be unique for each cryptographic module. each cryptographic module.
A man-in-the-middle (in the form of corrupt client software or a A man-in-the-middle (in the form of corrupt client software or a
mistakenly contacted server) may present his own public key to the mistakenly contacted server) may present his own public key to the
cryptographic module. This will enable the attacker to learn the cryptographic module. This will enable the attacker to learn the
client's version of K_TOKEN. However, the attacker is not able to client's version of K_TOKEN. However, the attacker is not able to
persuade the legitimate server to derive the same value for persuade the legitimate server to derive the same value for K_TOKEN,
K_TOKEN, since K_TOKEN is a function of the public key involved, since K_TOKEN is a function of the public key involved, and the
and the attacker's public key must be different than the correct attacker's public key must be different than the correct server's (or
server's (or else the attacker would not be able to decrypt the else the attacker would not be able to decrypt the information
information received from the client). Therefore, once the received from the client). Therefore, once the attacker is no longer
attacker is no longer "in the middle," the client and server will "in the middle," the client and server will detect that they are "out
detect that they are "out of sync" when they try to use their of sync" when they try to use their keys. In the case of encrypting
keys. In the case of encrypting R_C with K_SERVER, it is R_C with K_SERVER, it is therefore important to verify that K_SERVER
therefore important to verify that K_SERVER really is the really is the legitimate server's key. One way to do this is to
legitimate server's key. One way to do this is to independently independently validate a newly generated K_TOKEN against some
validate a newly generated K_TOKEN against some validation service validation service at the server (e.g. using a connection independent
at the server (e.g. using a connection independent from the one from the one used for the key generation).
used for the key generation).
4.1.2. Computation 4.1.2. Computation
In DSKPP, the client and server both generate K_TOKEN and K_MAC by In DSKPP, the client and server both generate K_TOKEN and K_MAC by
deriving them from a provisioning key (K_PROV) using the DSKPP-PRF deriving them from a provisioning key (K_PROV) using the DSKPP-PRF
function (refer to Section 3.4.2) as follows: function (refer to Section 3.4.2) as follows:
K_PROV = DSKPP-PRF(k,s,dsLen), where K_PROV = DSKPP-PRF(k,s,dsLen), where
k = R_C (i.e., the secret random value chosen by the DSKPP k = R_C (i.e., the secret random value chosen by the DSKPP
skipping to change at page 30, line 22 skipping to change at page 30, line 22
If user authentication passes, the DSKPP server decrypts R_C using If user authentication passes, the DSKPP server decrypts R_C using
its key (K). The decryption method is based on whether K that was its key (K). The decryption method is based on whether K that was
transmitted to the client in <KeyProvServerHello> was equal to the transmitted to the client in <KeyProvServerHello> was equal to the
server's public key (K_SERVER) or a pre-shared key (K_SHARED) server's public key (K_SERVER) or a pre-shared key (K_SHARED)
(refer to Section 4.2.3 for a description of how the DSKPP client (refer to Section 4.2.3 for a description of how the DSKPP client
encrypts R_C). encrypts R_C).
After extracting R_C, the DSKPP server computes K_TOKEN using a
combination of the two random nonces R_S and R_C and its
encryption key, K, as described in Section 4.1.2. The particular
realization of DSKPP-PRF (e.g., one of those defined in Appendix D)
depends on the MAC algorithm contained in the <KeyProvServerHello>
message. The DSKPP server then generates a key package that
contains key usage attributes such as expiry date and length. The
key package MUST NOT include K_TOKEN since in the four-pass
variant K_TOKEN is never transmitted between the DSKPP server and
client. The server stores K_TOKEN and the key package with the
user's account on the cryptographic server.
Finally, the server generates a key confirmation MAC that the Finally, the server generates a key confirmation MAC that the
client will use to avoid a false "Commit" message that would cause client will use to avoid a false "Commit" message that would cause
the cryptographic module to end up in state in which the server the cryptographic module to end up in state in which the server
does not recognize the stored key. does not recognize the stored key.
The MAC used for key confirmation MUST be calculated as follows: The MAC used for key confirmation MUST be calculated as follows:
msg_hash = SHA-256(msg_1, ..., msg_n) msg_hash = SHA-256(msg_1, ..., msg_n)
dsLen = len(msg_hash) dsLen = len(msg_hash)
skipping to change at page 31, line 47 skipping to change at page 31, line 47
with this key. As such, a key package (KP) MUST be included in with this key. As such, a key package (KP) MUST be included in
this message, which holds an identifier for the generated key (but this message, which holds an identifier for the generated key (but
not the key itself) and additional configuration, e.g., the not the key itself) and additional configuration, e.g., the
identity of the DSKPP server, key usage attributes, etc. The identity of the DSKPP server, key usage attributes, etc. The
default symmetric key package format MUST be based on the Portable default symmetric key package format MUST be based on the Portable
Symmetric Key Container (PSKC) defined in [PSKC]. Alternative Symmetric Key Container (PSKC) defined in [PSKC]. Alternative
formats MAY include [SKPC-ASN.1], PKCS#12 [PKCS-12], or PKCS#5 XML formats MAY include [SKPC-ASN.1], PKCS#12 [PKCS-12], or PKCS#5 XML
[PKCS-5-XML] format. [PKCS-5-XML] format.
With KP, the server includes a key confirmation MAC that the With KP, the server includes a key confirmation MAC that the
client uses to avoid a false "Commit". client uses to avoid a false "Commit". The MAC algorithm is the
same DSKPP-PRF that was sent in the <KeyProvServerHello> message.
How the DSKPP client uses this message: How the DSKPP client uses this message:
When the Status attribute is not set to "Success", this indicates
failure and the DSKPP client MUST abort the protocol.
After receiving a <KeyProvServerFinished> message with Status = After receiving a <KeyProvServerFinished> message with Status =
"Success", the DSKPP client MUST verify the key confirmation MAC "Success", the DSKPP client MUST verify the key confirmation MAC
that was transmitted with this message. The DSKPP client MUST that was transmitted with this message. The DSKPP client MUST
terminate the DSKPP session if the MAC does not verify, and MUST, terminate the DSKPP session if the MAC does not verify, and MUST,
in this case, also delete any nonces, keys, and/or secrets in this case, also delete any nonces, keys, and/or secrets
associated with the failed run of the protocol. associated with the failed run of the protocol.
If <KeyProvServerFinished> has Status = "Success" and the MAC was If <KeyProvServerFinished> has Status = "Success" and the MAC was
verified, then the DSKPP client MUST calculate K_TOKEN from the verified, then the DSKPP client MUST calculate K_TOKEN from the
combination of the two random nonces R_S and R_C and the server's combination of the two random nonces R_S and R_C and the server's
encryption key, K, as described in Section 4.1.2. The DSKPP encryption key, K, as described in Section 4.1.2. The DSKPP-PRF
client associates the key package contained in is the same one used for MAC computation. The DSKPP client
<KeyProvServerFinished> with the generated key, K_TOKEN, and associates the key package contained in <KeyProvServerFinished>
stores this data permanently on the cryptographic module. with the generated key, K_TOKEN, and stores this data permanently
on the cryptographic module.
After this operation, it MUST NOT be possible to overwrite the key After this operation, it MUST NOT be possible to overwrite the key
unless knowledge of an authorizing key is proven through a MAC on unless knowledge of an authorizing key is proven through a MAC on
a later <KeyProvServerHello> (and <KeyProvServerFinished>) a later <KeyProvServerHello> (and <KeyProvServerFinished>)
message. message.
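The derivations of Section 3.4.1 (K_AC and the user authentication MAC) and Section 4.1.2 (K_PROV, K_TOKEN, K_MAC and the key confirmation MAC), run at both ends together with the man-in-the-middle argument from the notes on Figure 3, as an added worked example; this is not code from the draft or its authors. Assumptions not fixed by the text on this page: DSKPP-PRF is realised as an HMAC-SHA256 counter construction (the draft negotiates the realisation, e.g. those of Appendix D), PBKDF2 runs over HMAC-SHA256 with iter_count = 100000, the "s" string for K_PROV, the split of K_PROV into K_TOKEN || K_MAC and the label mixed into the key confirmation MAC are illustrative, and the encryption of R_C under K is not modelled (K is carried as opaque key bytes that each side feeds into the derivations). The message bodies covered by the confirmation MAC are constructed stand-ins.

```python
"""DSKPP authentication data and four-pass key generation, both ends.

Added worked example, not code from the draft or its authors.  Assumed
(not fixed by the text on this page): DSKPP-PRF is realised as an
HMAC-SHA256 counter construction; PBKDF2 runs over HMAC-SHA256 with
iter_count = 100000; the "s" string for K_PROV, the split of K_PROV
into K_TOKEN || K_MAC and the label in the key confirmation MAC are
illustrative; encryption of R_C under K is not modelled, K is just the
opaque key bytes (K_SERVER or K_SHARED) each side feeds into the KDFs.
"""
import hashlib
import hmac
import os
import struct


def dskpp_prf(k: bytes, s: bytes, ds_len: int) -> bytes:
    """DSKPP-PRF(k, s, dsLen): concatenate HMAC-SHA256(k, INT(i) || s) for
    i = 1, 2, ... and truncate to dsLen octets (assumed realisation)."""
    out, i = b"", 1
    while len(out) < ds_len:
        out += hmac.new(k, struct.pack(">I", i) + s, hashlib.sha256).digest()
        i += 1
    return out[:ds_len]


def derive_k_ac(password: bytes, r_c: bytes, k: bytes, iter_count: int = 100_000) -> bytes:
    """K_AC = PBKDF2(AC->password, R_C || K, iter_count, 16).  Salting with
    K ties the user's authentication to the key the module is talking to."""
    return hashlib.pbkdf2_hmac("sha256", password, r_c + k, iter_count, 16)


def auth_mac(k_ac: bytes, client_id: bytes, url_s: bytes, r_c: bytes, r_s: bytes = b"") -> bytes:
    """MAC = DSKPP-PRF(K_AC, AC->clientID || URL_S || R_C || [R_S], 16).
    Pass R_S in four-pass; leave it empty in two-pass, where the module
    has not seen R_S when it sends its only message."""
    return dskpp_prf(k_ac, client_id + url_s + r_c + r_s, 16)


def derive_token_keys(r_c: bytes, k: bytes, r_s: bytes):
    """K_PROV = DSKPP-PRF(k = R_C, s, dsLen); K_TOKEN and K_MAC are cut from
    it.  s = "Key generation" || K || R_S is this example's encoding; what
    matters is that K and both nonces go in."""
    k_prov = dskpp_prf(r_c, b"Key generation" + k + r_s, 32)
    return k_prov[:16], k_prov[16:]


def key_confirmation_mac(k_mac: bytes, msgs) -> bytes:
    """msg_hash = SHA-256(msg_1 || ... || msg_n); dsLen = len(msg_hash).
    Putting a fixed label in front of msg_hash is an assumption."""
    msg_hash = hashlib.sha256(b"".join(msgs)).digest()
    return dskpp_prf(k_mac, b"MAC 1 computation" + msg_hash, len(msg_hash))


def four_pass(password, client_id, url_s, server_k, client_k=None, r_c=None, r_s=None):
    """Simulate both ends.  client_k is the K the module was shown; it equals
    server_k unless a man-in-the-middle substituted his own key.  Returns
    (status, K_TOKEN held by the module or None)."""
    client_k = server_k if client_k is None else client_k
    r_c = r_c or os.urandom(16)   # chosen by the cryptographic module
    r_s = r_s or os.urandom(16)   # chosen by the DSKPP server
    # Constructed stand-ins for the XML messages the confirmation MAC covers.
    msgs = [b"<KeyProvClientHello/>", b"<KeyProvServerHello/>", b"<KeyProvClientNonce/>"]

    # Cryptographic module: authentication data plus its candidate keys.
    ad_mac = auth_mac(derive_k_ac(password, r_c, client_k), client_id, url_s, r_c, r_s)
    k_token_c, k_mac_c = derive_token_keys(r_c, client_k, r_s)

    # DSKPP server: R_C has been decrypted with the server's own K; check AD first.
    expected = auth_mac(derive_k_ac(password, r_c, server_k), client_id, url_s, r_c, r_s)
    if not hmac.compare_digest(ad_mac, expected):
        return "AuthenticationDataInvalid", None
    k_token_s, k_mac_s = derive_token_keys(r_c, server_k, r_s)
    confirmation = key_confirmation_mac(k_mac_s, msgs)   # rides in <KeyProvServerFinished>

    # Cryptographic module: verify the MAC before committing; on failure wipe the run.
    if not hmac.compare_digest(confirmation, key_confirmation_mac(k_mac_c, msgs)):
        return "MAC mismatch: nonces and keys of this run deleted", None
    assert k_token_c == k_token_s   # same K_TOKEN at both ends, never sent over the wire
    return "Success", k_token_c


if __name__ == "__main__":
    k_server, k_attacker = b"server-public-key-bytes", b"attacker-public-key-bytes"
    print(four_pass(b"123456", b"AC-1", b"https://dskpp.example", k_server))
    print(four_pass(b"123456", b"AC-1", b"https://dskpp.example", k_server, client_k=k_attacker))
```

With the same K at both ends the module and the server arrive at the same K_TOKEN without it crossing the wire. Give the module a substituted K (the corrupt-client or wrong-server case from the notes) and the run already fails at user authentication, because K_AC salts in K; and derive_token_keys shows that even if it had not, the two ends would hold different K_TOKEN values, which is the "out of sync" condition the notes describe.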
5. Two-Pass Protocol Usage 5. Two-Pass Protocol Usage
This section describes the methods and message flow that comprise the This section describes the methods and message flow that comprise the
two-pass protocol variant. Two-pass DSKPP is essentially a transport two-pass protocol variant. Two-pass DSKPP is essentially a transport
skipping to change at page 33, line 5 skipping to change at page 32, line 51
used for server authentication and key confirmation. The keying used for server authentication and key confirmation. The keying
material also includes key usage attributes, such as expiry date and material also includes key usage attributes, such as expiry date and
length. length.
The DSKPP server encrypts K_PROV to ensure that it is not exposed to The DSKPP server encrypts K_PROV to ensure that it is not exposed to
any other entity than the DSKPP server and the cryptographic module any other entity than the DSKPP server and the cryptographic module
itself. The DSKPP server uses any of three key protection methods to itself. The DSKPP server uses any of three key protection methods to
encrypt K_PROV: Key Transport, Key Wrap, and Passphrase-Based Key encrypt K_PROV: Key Transport, Key Wrap, and Passphrase-Based Key
Wrap Key Protection Methods. Wrap Key Protection Methods.
While the DSKPP client and server may negotiate the key protection
method to use, the actual key protection is carried out in the
KeyPackage. For example, the default KeyPackage format
urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer from [PSKC]
specifies how a key should be protected, including the three key
protection methods described here.
5.1. Key Protection Methods 5.1. Key Protection Methods
This section introduces three key protection methods for the two-pass This section introduces three key protection methods for the two-pass
variant. Additional methods MAY be defined by external entities or variant. Additional methods MAY be defined by external entities or
through the IETF process. through the IETF process.
5.1.1. Key Transport 5.1.1. Key Transport
Purpose of this method: Purpose of this method:
This method is intended for PKI-capable devices. The DSKPP server This method is intended for PKI-capable devices. The DSKPP server
encrypts keying material and transports it to the DSKPP client. encrypts keying material and transports it to the DSKPP client.
The server encrypts the keying material using the public key of The server encrypts the keying material using the public key of
the DSKPP client, whose private key part resides in the the DSKPP client, whose private key part resides in the
cryptographic module. The DSKPP client decrypts the keying cryptographic module. The DSKPP client decrypts the keying
material and uses it to derive the symmetric key, K_TOKEN. material and uses it to derive the symmetric key, K_TOKEN.
This method MUST be identified with the following URN: This method is identified with the following URN:
urn:ietf:params:xml:schema:keyprov:dskpp#transport urn:ietf:params:xml:schema:keyprov:dskpp#transport
The DSKPP server and client MUST support the following mechanism: The DSKPP server and client MUST support the following mechanism:
http://www.w3.org/2001/04/xmlenc#rsa-1_5 encryption mechanism http://www.w3.org/2001/04/xmlenc#rsa-1_5 encryption mechanism
defined in [XMLENC]. defined in [XMLENC].
5.1.2. Key Wrap 5.1.2. Key Wrap
Purpose of this method: Purpose of this method:
This method is ideal for pre-keyed devices, e.g., SIM cards. The This method is ideal for pre-keyed devices, e.g., SIM cards. The
DSKPP server encrypts keying material using a pre-shared key DSKPP server encrypts keying material using a pre-shared key
wrapping key and transports it to the DSKPP client. The DSKPP wrapping key and transports it to the DSKPP client. The DSKPP
client decrypts the keying material, and uses it to derive the client decrypts the keying material, and uses it to derive the
symmetric key, K_TOKEN. symmetric key, K_TOKEN.
This method MUST be identified with the following URN: This method is identified with the following URN:
urn:ietf:params:xml:schema:keyprov:dskpp#wrap urn:ietf:params:xml:schema:keyprov:dskpp#wrap
The DSKPP server and client MUST support one of the following key The DSKPP server and client MUST support one of the following key
wrapping mechanisms: wrapping mechanisms:
KW-AES128 without padding; refer to KW-AES128 without padding; refer to
http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC]
KW-AES128 with padding; refer to KW-AES128 with padding; refer to
http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] and
[AESKWPAD]
AES-CBC-128; refer to [FIPS197-AES] AES-CBC-128; refer to [FIPS197-AES]
5.1.3. Passphrase-Based Key Wrap 5.1.3. Passphrase-Based Key Wrap
Purpose of this method: Purpose of this method:
This method is a variation of the Key Wrap Method that is This method is a variation of the Key Wrap Method that is
applicable to constrained devices with keypads, e.g., mobile applicable to constrained devices with keypads, e.g., mobile
phones. The DSKPP server encrypts keying material using a phones. The DSKPP server encrypts keying material using a
wrapping key derived from a user-provided passphrase, and wrapping key derived from a user-provided passphrase, and
transports the encrypted material to the DSKPP client. The DSKPP transports the encrypted material to the DSKPP client. The DSKPP
client decrypts the keying material, and uses it to derive the client decrypts the keying material, and uses it to derive the
symmetric key, K_TOKEN. symmetric key, K_TOKEN.
To preserve the property of not exposing K_TOKEN to any other To preserve the property of not exposing K_TOKEN to any other
entity than the DSKPP server and the cryptographic module itself, entity than the DSKPP server and the cryptographic module itself,
the method SHOULD be employed only when the device contains the method SHOULD be employed only when the device contains
facilities (e.g. a keypad) for direct entry of the passphrase. facilities (e.g. a keypad) for direct entry of the passphrase.
This method MUST be identified with the following URN: This method is identified with the following URN:
urn:ietf:params:xml:schema:keyprov:dskpp#passphrase-wrap urn:ietf:params:xml:schema:keyprov:dskpp#passphrase-wrap
The DSKPP server and client MUST support the following: The DSKPP server and client MUST support the following:
* The PBES2 password-based encryption scheme defined in [PKCS-5] * The PBES2 password-based encryption scheme defined in [PKCS-5]
(and identified as (and identified as
http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2 in http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2 in
[PKCS-5-XML]) [PKCS-5-XML])
* The PBKDF2 passphrase-based key derivation function also * The PBKDF2 passphrase-based key derivation function also
defined in [PKCS-5] (and identified as defined in [PKCS-5] (and identified as
http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2 http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2
in [PKCS-5-XML]) in [PKCS-5-XML])
* One of the following key wrapping mechanisms: * One of the following key wrapping mechanisms:
a. KW-AES128 without padding; refer to a. KW-AES128 without padding; refer to
http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC]
b. KW-AES128 without padding; refer to b. KW-AES128 with padding; refer to
http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] and
[AESKWPAD]
c. AES-CBC-128; refer to [FIPS197-AES] c. AES-CBC-128; refer to [FIPS197-AES]
5.2. Message Flow 5.2. Message Flow
The two-pass protocol flow consists of one exchange: The two-pass protocol flow consists of one exchange:
1: Pass 1 = <KeyProvClientHello>, Pass 2 = <KeyProvServerFinished> 1: Pass 1 = <KeyProvClientHello>, Pass 2 = <KeyProvServerFinished>
Although there is no exchange of the <ServerHello> message or the Although there is no exchange of the <ServerHello> message or the
<ClientNonce> message, the DSKPP client is still able to specify <ClientNonce> message, the DSKPP client is still able to specify
algorithm preferences and supported key types in the algorithm preferences and supported key types in the
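Review bot: "The DSKPP server and client MUST support one of the following key wrapping mechanisms" (end of 5.1.2, and the third bullet of 5.1.3) does not guarantee interoperability: a server that implements only KW-AES128 and a client that implements only AES-CBC-128 both conform yet cannot complete a run, so either name one mandatory-to-implement mechanism or require support for all three. In the same lists, KW-AES128 with padding and KW-AES128 without padding are both identified by http://www.w3.org/2001/04/xmlenc#kw-aes128, so a client's KPML cannot say which variant it supports; the [AESKWPAD] reference added on the right does not give the padded variant its own identifier. The right column's correction of item b. from "without padding" to "with padding" is right.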
skipping to change at page 37, line 26 skipping to change at page 37, line 36
DeviceID unless the server sent the DeviceID in a preceding DeviceID unless the server sent the DeviceID in a preceding
trigger message. Note that it is also legitimate for a DSKPP trigger message. Note that it is also legitimate for a DSKPP
client to initiate the DSKPP protocol run without having received client to initiate the DSKPP protocol run without having received
a <KeyProvTrigger> message from a server, but in this case any a <KeyProvTrigger> message from a server, but in this case any
provided DeviceID MUST NOT be accepted by the DSKPP server unless provided DeviceID MUST NOT be accepted by the DSKPP server unless
the server has access to a unique key for the identified device the server has access to a unique key for the identified device
and that key will be used in the protocol. and that key will be used in the protocol.
The DSKPP server MUST use AD to authenticate the user. If The DSKPP server MUST use AD to authenticate the user. If
authentication fails, then the DSKPP server MUST set the return authentication fails, then the DSKPP server MUST set the return
code to a failure status. code to a failure status, and MUST, in this case, also delete any
nonces, keys, and/or secrets associated with the failed run of the
protocol.
If user authentication passes, the DSKPP server generates a key If user authentication passes, the DSKPP server generates a key
K_PROV, which MUST consist of two parts of equal length, where the K_PROV, which MUST consist of two parts of equal length, where the
first half constitutes K_MAC and the second half constitutes first half constitutes K_MAC and the second half constitutes
K_TOKEN, i.e., K_TOKEN, i.e.,
K_PROV = K_MAC || K_TOKEN K_PROV = K_MAC || K_TOKEN
The length of K_TOKEN (and hence also the length of K_MAC) is The length of K_TOKEN (and hence also the length of K_MAC) is
determined by the type of K_TOKEN, which MUST be one of the key determined by the type of K_TOKEN, which MUST be one of the key
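Review bot: The new sentence on the right, "MUST, in this case, also delete any nonces, keys, and/or secrets associated with the failed run of the protocol", should also say what happens to a run that was started by a <KeyProvTrigger>: whether the DeviceID and nonce carried in that trigger are discarded together with the failed run or remain valid for a retry, since otherwise the same trigger data can be presented repeatedly against the server. Wording such as "and MUST NOT accept further messages for that run" would close the gap.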
skipping to change at page 37, line 38 skipping to change at page 37, line 50
If user authentication passes, the DSKPP server generates a key If user authentication passes, the DSKPP server generates a key
K_PROV, which MUST consist of two parts of equal length, where the K_PROV, which MUST consist of two parts of equal length, where the
first half constitutes K_MAC and the second half constitutes first half constitutes K_MAC and the second half constitutes
K_TOKEN, i.e., K_TOKEN, i.e.,
K_PROV = K_MAC || K_TOKEN K_PROV = K_MAC || K_TOKEN
The length of K_TOKEN (and hence also the length of K_MAC) is The length of K_TOKEN (and hence also the length of K_MAC) is
determined by the type of K_TOKEN, which MUST be one of the key determined by the type of K_TOKEN, which MUST be one of the key
types supported by the DSKPP client. types supported by the DSKPP client.
Once K_PROV is computed, the DSKPP server selects one of the key Once K_PROV is computed, the DSKPP server selects one of the key
protection methods from the DSKPP client's KPML, and uses that protection methods from the DSKPP client's KPML, and uses that
method and corresponding payload to encrypt K_PROV. The result of method and corresponding payload to encrypt K_PROV.
the operation MUST be of type <xenc:EncryptedKeyType> ([XMLENC]). The DSKPP server generates a key package to transport the key
For all three key protection methods, the Type attribute of the encryption method information and the encrypted provisioning key
<xenc:EncryptedKeyType> MUST be present and MUST identify the type (K_PROV). The encrypted data format is subject to the choice
of the encrypted key. <xenc:CarriedKeyName> MAY also be present, supported by the selected key package. The key package MUST
but MUST, when present, contain the same value as the <KeyID> specify and use the selected key protection method and the key
element of the <KeyProvServerFinished> message. For each key information that was received in <KeyProvClientHello>.
protection method, the following encryption method and key info
values are allowed:
* Key Transport
<xenc:EncryptMethod> Only those encryption methods that
utilize a public key and are supported by
the DSKPP client
<ds:KeyInfo> This element MUST identify the same
public key as the key protection
"payload" that was received in
<KeyProvClientHello>
* Key Wrap
<xenc:EncryptMethod> Only those encryption methods that
utilize a symmetric key and are supported
by the DSKPP client
<ds:KeyInfo> This element MUST identify the same
symmetric key as the key protection
"payload" that was received in
<KeyProvClientHello>
* Passphrase-Based Key Wrap The key package also includes key usage attributes such as expiry
<xenc:EncryptMethod> Only those encryption methods that date and length. The server stores the key package and K_TOKEN
utilize a passphrase to derive the key with a user account on the cryptographic server.
wrapping key and are supported by the
DSKPP client
<ds:KeyInfo> This element MUST identify the same
symmetric key as the key protection
"payload" that was received in
<KeyProvClientHello>
After encrypting K_PROV, the DSKPP server generates a key package
that includes key usage attributes such as expiry date and length.
The key package MUST include the encrypted provisioning key
(K_PROV). The server stores the key package and K_TOKEN with a
user account on the cryptographic server.
The server generates two MAC's, one for key confirmation and The server generates two MAC's, one for key confirmation and
another for server authentication) that the client will use to another for server authentication) that the client will use to
avoid a false "Commit" message that would cause the cryptographic avoid a false "Commit" message that would cause the cryptographic
module to end up in state in which the server does not recognize module to end up in state in which the server does not recognize
the stored key. the stored key.
The method the DSKPP server MUST use to calculate the key The method the DSKPP server MUST use to calculate the key
confirmation MAC: confirmation MAC:
msg_hash = SHA-256(msg_1, ..., msg_n) msg_hash = SHA-256(msg_1, ..., msg_n)
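Review bot: The replacement paragraph on the right drops two binding requirements that the left column stated: that the Type attribute of <xenc:EncryptedKeyType> identify the type of the encrypted key, and that <xenc:CarriedKeyName>, when present, equal the <KeyID> of <KeyProvServerFinished>. "The key package MUST specify and use the selected key protection method and the key information that was received in <KeyProvClientHello>" covers neither the key-type binding nor the KeyID binding; if the key package format (KeyPackageType carrying a pskc:KeyContainerType) is now expected to convey them, say so explicitly, otherwise a client has no normative basis for rejecting a key package whose identifier does not match the KeyID it was told to expect. Style point in the unchanged paragraph "The server generates two MAC's, one for key confirmation and another for server authentication)": the closing parenthesis has no opening one, and "MAC's" should be "MACs".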
skipping to change at page 45, line 18 skipping to change at page 44, line 43
different character encodings MUST use a comparison method that different character encodings MUST use a comparison method that
returns the same result as converting both values to the Unicode returns the same result as converting both values to the Unicode
character encoding, Normalization Form C [UNICODE], and then character encoding, Normalization Form C [UNICODE], and then
performing an exact binary comparison. performing an exact binary comparison.
No collation or sorting order for attributes or element values is No collation or sorting order for attributes or element values is
defined. Therefore, DSKPP implementations MUST NOT depend on defined. Therefore, DSKPP implementations MUST NOT depend on
specific sorting orders for values. specific sorting orders for values.
8.2. Schema 8.2. Schema
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<xs:schema <xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
targetNamespace="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" targetNamespace="urn:ietf:params:xml:ns:keyprov:dskpp"
elementFormDefault="qualified" attributeFormDefault="unqualified" elementFormDefault="qualified" attributeFormDefault="unqualified"
version="1.0"> version="1.0">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation= schemaLocation=
"http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/ "http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
xmldsig-core-schema.xsd"/> <xs:import namespace="urn:ietf:params:xml:ns:keyprov:pskc"
<xs:import namespace="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
schemaLocation="keyprov-pskc-1.0.xsd"/> schemaLocation="keyprov-pskc-1.0.xsd"/>
<xs:complexType name="AbstractRequestType" abstract="true"> <xs:complexType name="AbstractRequestType" abstract="true">
<xs:annotation> <xs:annotation>
<xs:documentation> Basic types </xs:documentation> <xs:documentation> Basic types </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:attribute name="Version" type="dskpp:VersionType" <xs:attribute name="Version" type="dskpp:VersionType"
use="required"/> use="required"/>
</xs:complexType> </xs:complexType>
<xs:complexType name="AbstractResponseType" abstract="true"> <xs:complexType name="AbstractResponseType" abstract="true">
<xs:annotation> <xs:annotation>
<xs:documentation> Basic types </xs:documentation> <xs:documentation> Basic types </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:attribute name="Version" type="dskpp:VersionType" <xs:attribute name="Version" type="dskpp:VersionType"
use="required"/> use="required"/>
<xs:attribute name="SessionID" type="dskpp:IdentifierType"/> <xs:attribute name="SessionID" type="dskpp:IdentifierType"/>
<xs:attribute name="Status" type="dskpp:StatusCode" <xs:attribute name="Status" type="dskpp:StatusCode" use="required"/>
use="required"/>
</xs:complexType> </xs:complexType>
<xs:simpleType name="VersionType"> <xs:simpleType name="VersionType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:pattern value="\d{1,2}\.\d{1,3}" /> <xs:pattern value="\d{1,2}\.\d{1,3}" />
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="IdentifierType"> <xs:simpleType name="IdentifierType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:maxLength value="128" /> <xs:maxLength value="128" />
</xs:restriction> </xs:restriction>
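Review bot: The namespace change from urn:ietf:params:xml:ns:keyprov:dskpp:1.0 to urn:ietf:params:xml:ns:keyprov:dskpp (and the same for pskc) has to be mirrored wherever the old URN appears elsewhere in the document, and the pskc import still points at schemaLocation="keyprov-pskc-1.0.xsd" although its namespace no longer carries a version, so confirm that file name is what the PSKC draft actually publishes. Removing the second <?xml ...?> declaration that -07 carried is correct, since a document with two XML declarations is not well-formed and the schema would not load.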
skipping to change at page 46, line 40 skipping to change at page 46, line 17
<xs:enumeration value="NoSupportedKeyPackages" /> <xs:enumeration value="NoSupportedKeyPackages" />
<xs:enumeration value="AuthenticationDataMissing" /> <xs:enumeration value="AuthenticationDataMissing" />
<xs:enumeration value="AuthenticationDataInvalid" /> <xs:enumeration value="AuthenticationDataInvalid" />
<xs:enumeration value="InitializationFailed" /> <xs:enumeration value="InitializationFailed" />
<xs:enumeration value="ProvisioningPeriodExpired" /> <xs:enumeration value="ProvisioningPeriodExpired" />
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:complexType name="DeviceIdentifierDataType"> <xs:complexType name="DeviceIdentifierDataType">
<xs:choice> <xs:choice>
<xs:element name="DeviceId" type="pskc:DeviceIdType" /> <xs:element name="DeviceId" type="pskc:DeviceInfoType" />
<xs:any namespace="##other" processContents="strict" /> <xs:any namespace="##other" processContents="strict" />
</xs:choice> </xs:choice>
</xs:complexType> </xs:complexType>
<xs:simpleType name="PlatformType"> <xs:simpleType name="PlatformType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="Hardware" /> <xs:enumeration value="Hardware" />
<xs:enumeration value="Software" /> <xs:enumeration value="Software" />
<xs:enumeration value="Unspecified" /> <xs:enumeration value="Unspecified" />
</xs:restriction> </xs:restriction>
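Review bot: DeviceIdentifierDataType now types the DeviceId element as pskc:DeviceInfoType instead of pskc:DeviceIdType; this must be checked against the PSKC schema actually imported, because a reference to a type the imported schema does not define makes the whole DSKPP schema fail to compile. The element name DeviceId also no longer matches its type; either rename the element to DeviceInfo or add an annotation explaining why a DeviceId element carries a DeviceInfoType.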
skipping to change at page 47, line 4 skipping to change at page 46, line 29
</xs:choice> </xs:choice>
</xs:complexType> </xs:complexType>
<xs:simpleType name="PlatformType"> <xs:simpleType name="PlatformType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="Hardware" /> <xs:enumeration value="Hardware" />
<xs:enumeration value="Software" /> <xs:enumeration value="Software" />
<xs:enumeration value="Unspecified" /> <xs:enumeration value="Unspecified" />
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:complexType name="TokenPlatformInfoType"> <xs:complexType name="TokenPlatformInfoType">
<xs:attribute name="KeyLocation" type="dskpp:PlatformType"/> <xs:attribute name="KeyLocation" type="dskpp:PlatformType"/>
<xs:attribute name="AlgorithmLocation" <xs:attribute name="AlgorithmLocation" type="dskpp:PlatformType"/>
type="dskpp:PlatformType"/>
</xs:complexType> </xs:complexType>
<xs:simpleType name="NonceType"> <xs:simpleType name="NonceType">
<xs:restriction base="xs:base64Binary"> <xs:restriction base="xs:base64Binary">
<xs:minLength value="16" /> <xs:minLength value="16" />
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:complexType name="AlgorithmsType"> <xs:complexType name="AlgorithmsType">
<xs:sequence maxOccurs="unbounded"> <xs:sequence maxOccurs="unbounded">
skipping to change at page 47, line 29 skipping to change at page 47, line 6
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:simpleType name="AlgorithmType"> <xs:simpleType name="AlgorithmType">
<xs:restriction base="xs:anyURI" /> <xs:restriction base="xs:anyURI" />
</xs:simpleType> </xs:simpleType>
<xs:complexType name="ProtocolVariantsType"> <xs:complexType name="ProtocolVariantsType">
<xs:sequence> <xs:sequence>
<xs:element name="FourPass" minOccurs="0" /> <xs:element name="FourPass" minOccurs="0" />
<xs:element name="TwoPass" <xs:element name="TwoPass" type="dskpp:KeyProtectionDataType"
type="dskpp:KeyProtectionDataType"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="KeyProtectionDataType"> <xs:complexType name="KeyProtectionDataType">
<xs:annotation> <xs:annotation>
<xs:documentation xml:lang="en"> <xs:documentation xml:lang="en">
This element is only valid for two-pass DSKPP. This element is only valid for two-pass DSKPP.
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:sequence maxOccurs="unbounded"> <xs:sequence maxOccurs="unbounded">
<xs:element name="SupportedKeyProtectionMethod" <xs:element name="SupportedKeyProtectionMethod" type="xs:anyURI"/>
type="xs:anyURI"/> <xs:element name="Payload" type="dskpp:PayloadType" minOccurs="0"/>
<xs:element name="Payload" type="dskpp:PayloadType"
minOccurs="0"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="PayloadType"> <xs:complexType name="PayloadType">
<xs:choice> <xs:choice>
<xs:element name="Nonce" type="dskpp:NonceType" /> <xs:element name="Nonce" type="dskpp:NonceType" />
<xs:any namespace="##other" processContents="strict" /> <xs:any namespace="##other" processContents="strict" />
</xs:choice> </xs:choice>
</xs:complexType> </xs:complexType>
skipping to change at page 48, line 27 skipping to change at page 47, line 49
</xs:simpleType> </xs:simpleType>
<xs:complexType name="AuthenticationDataType"> <xs:complexType name="AuthenticationDataType">
<xs:annotation> <xs:annotation>
<xs:documentation xml:lang="en"> <xs:documentation xml:lang="en">
Authentication data contains a MAC. Authentication data contains a MAC.
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:sequence> <xs:sequence>
<xs:element name="ClientID" <xs:element name="ClientID"
type="dskpp:IdentifierType" /> type="dskpp:IdentifierType" minOccurs="0"/>
<xs:choice> <xs:choice>
<xs:element name="AuthenticationCodeMac" <xs:element name="AuthenticationCodeMac"
type="dskpp:AuthenticationMacType" type="dskpp:AuthenticationMacType"/>
<xs:any namespace="##other" processContents="strict" /> <xs:any namespace="##other" processContents="strict" />
</xs:choice> </xs:choice>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="AuthenticationMacType"> <xs:complexType name="AuthenticationMacType">
<xs:sequence> <xs:sequence>
<xs:element minOccurs="0" name="Nonce" <xs:element minOccurs="0" name="Nonce" type="dskpp:NonceType" />
type="dskpp:NonceType"/> <xs:element minOccurs="0" name="IterationCount" type="xs:int" />
<xs:element minOccurs="0" name="IterationCount"
type="xs:int"/>
<xs:element name="Mac" type="dskpp:MacType" /> <xs:element name="Mac" type="dskpp:MacType" />
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="MacType"> <xs:complexType name="MacType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:base64Binary"> <xs:extension base="xs:base64Binary">
<xs:attribute name="MacAlgorithm" type="xs:anyURI"/> <xs:attribute name="MacAlgorithm" type="xs:anyURI"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:complexType name="KeyPackageType"> <xs:complexType name="KeyPackageType">
<xs:sequence> <xs:sequence>
<xs:element minOccurs="0" name="ServerID" <xs:element minOccurs="0" name="ServerID" type="xs:anyURI" />
type="xs:anyURI"/>
<xs:element minOccurs="0" name="KeyProtectionMethod" <xs:element minOccurs="0" name="KeyProtectionMethod"
type="xs:anyURI" /> type="xs:anyURI" />
<xs:choice> <xs:choice>
<xs:element name="KeyPackage" <xs:element name="KeyContainer" type="pskc:KeyContainerType" />
type="pskc:KeyContainerType"/> <xs:any namespace="##other" processContents="strict" />
<xs:any namespace="##other"
processContents="strict"/>
</xs:choice> </xs:choice>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="InitializationTriggerType"> <xs:complexType name="InitializationTriggerType">
<xs:sequence> <xs:sequence>
<xs:element minOccurs="0" name="DeviceIdentifierData" <xs:element minOccurs="0" name="DeviceIdentifierData"
type="dskpp:DeviceIdentifierDataType" /> type="dskpp:DeviceIdentifierDataType" />
<xs:element minOccurs="0" name="KeyID" <xs:element minOccurs="0" name="KeyID" type="xs:base64Binary" />
type="xs:base64Binary"/>
<xs:element minOccurs="0" name="TokenPlatformInfo" <xs:element minOccurs="0" name="TokenPlatformInfo"
type="dskpp:TokenPlatformInfoType" /> type="dskpp:TokenPlatformInfoType" />
<xs:element name="AuthenticationData" <xs:element name="AuthenticationData" type="dskpp:AuthenticationDataType" />
type="dskpp:AuthenticationDataType" /> <xs:element minOccurs="0" name="ServerUrl" type="xs:anyURI" />
<xs:element minOccurs="0" name="ServerUrl"
type="xs:anyURI"/>
<xs:any minOccurs="0" namespace="##other" <xs:any minOccurs="0" namespace="##other"
processContents="strict" /> processContents="strict" />
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="ExtensionsType"> <xs:complexType name="ExtensionsType">
<xs:annotation> <xs:annotation>
<xs:documentation> Extension types </xs:documentation> <xs:documentation> Extension types </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:sequence maxOccurs="unbounded"> <xs:sequence maxOccurs="unbounded">
<xs:element name="Extension" <xs:element name="Extension" type="dskpp:AbstractExtensionType" />
type="dskpp:AbstractExtensionType"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="AbstractExtensionType" abstract="true"> <xs:complexType name="AbstractExtensionType" abstract="true">
<xs:attribute name="Critical" type="xs:boolean" /> <xs:attribute name="Critical" type="xs:boolean" />
</xs:complexType> </xs:complexType>
<xs:complexType name="ClientInfoType"> <xs:complexType name="ClientInfoType">
<xs:complexContent mixed="false"> <xs:complexContent mixed="false">
<xs:extension base="dskpp:AbstractExtensionType"> <xs:extension base="dskpp:AbstractExtensionType">
<xs:sequence> <xs:sequence>
<xs:element name="Data" type="xs:base64Binary"/> <xs:element name="Data" type="xs:base64Binary"/>
</xs:sequence> </xs:sequence>
</xs:extension> </xs:extension>
</xs:complexContent> </xs:complexContent>
</xs:complexType> </xs:complexType>
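Review bot: Making ClientID minOccurs="0" in AuthenticationDataType needs accompanying prose stating when it may be omitted, because the server has to identify which client's authentication data the MAC is computed against; if omission is allowed only when DeviceIdentifierData in the same message identifies the client, say so. The left column's AuthenticationCodeMac element lacked its closing "/>" and the right column's fix is correct. In KeyPackageType the child element is renamed from KeyPackage to KeyContainer (type pskc:KeyContainerType), which avoids a KeyPackage element nested directly inside the KeyPackage element of KeyProvServerFinishedPDU; make sure the message-format prose and the examples use the new name.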
skipping to change at page 50, line 24 skipping to change at page 49, line 37
<xs:complexType name="ServerInfoType"> <xs:complexType name="ServerInfoType">
<xs:complexContent mixed="false"> <xs:complexContent mixed="false">
<xs:extension base="dskpp:AbstractExtensionType"> <xs:extension base="dskpp:AbstractExtensionType">
<xs:sequence> <xs:sequence>
<xs:element name="Data" type="xs:base64Binary"/> <xs:element name="Data" type="xs:base64Binary"/>
</xs:sequence> </xs:sequence>
</xs:extension> </xs:extension>
</xs:complexContent> </xs:complexContent>
</xs:complexType> </xs:complexType>
<xs:element name="KeyProvTrigger" <xs:element name="KeyProvTrigger" type="dskpp:KeyProvTriggerType">
type="dskpp:KeyProvTriggerType">
<xs:annotation> <xs:annotation>
<xs:documentation> DSKPP PDUs </xs:documentation> <xs:documentation> DSKPP PDUs </xs:documentation>
</xs:annotation> </xs:annotation>
</xs:element> </xs:element>
<xs:complexType name="KeyProvTriggerType"> <xs:complexType name="KeyProvTriggerType">
<xs:annotation> <xs:annotation>
<xs:documentation xml:lang="en"> <xs:documentation xml:lang="en">
Message used to trigger the device to initiate a Message used to trigger the device to initiate a
DSKPP protocol run. DSKPP protocol run.
</xs:documentation> </xs:documentation>
skipping to change at page 50, line 50 skipping to change at page 50, line 14
type="dskpp:InitializationTriggerType" /> type="dskpp:InitializationTriggerType" />
<xs:any namespace="##other" processContents="strict"/> <xs:any namespace="##other" processContents="strict"/>
</xs:choice> </xs:choice>
</xs:sequence> </xs:sequence>
<xs:attribute name="Version" type="dskpp:VersionType"/> <xs:attribute name="Version" type="dskpp:VersionType"/>
</xs:complexType> </xs:complexType>
<xs:element name="KeyProvClientHello" <xs:element name="KeyProvClientHello"
type="dskpp:KeyProvClientHelloPDU"> type="dskpp:KeyProvClientHelloPDU">
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation> KeyProvClientHello PDU </xs:documentation>
KeyProvClientHello PDU
</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:element> </xs:element>
<xs:complexType name="KeyProvClientHelloPDU"> <xs:complexType name="KeyProvClientHelloPDU">
<xs:annotation> <xs:annotation>
<xs:documentation xml:lang="en"> <xs:documentation xml:lang="en">
Message sent from DSKPP client to DSKPP server to Message sent from DSKPP client to DSKPP server to initiate a
initiate a DSKPP session. DSKPP session.
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:complexContent mixed="false"> <xs:complexContent mixed="false">
<xs:extension base="dskpp:AbstractRequestType"> <xs:extension base="dskpp:AbstractRequestType">
<xs:sequence> <xs:sequence>
<xs:element minOccurs="0" name="DeviceIdentifierData" <xs:element minOccurs="0" name="DeviceIdentifierData"
type="dskpp:DeviceIdentifierDataType" /> type="dskpp:DeviceIdentifierDataType" />
<xs:element minOccurs="0" name="KeyID" <xs:element minOccurs="0" name="KeyID"
type="xs:base64Binary" /> type="xs:base64Binary" />
<xs:element minOccurs="0" name="ClientNonce" <xs:element minOccurs="0" name="ClientNonce"
type="dskpp:NonceType" /> type="dskpp:NonceType" />
<xs:element name="SupportedKeyTypes" <xs:element name="SupportedKeyTypes"
type="dskpp:AlgorithmsType" /> type="dskpp:AlgorithmsType" />
<xs:element name="SupportedEncryptionAlgorithms" <xs:element name="SupportedEncryptionAlgorithms"
type="dskpp:AlgorithmsType" /> type="dskpp:AlgorithmsType" />
<xs:element name="SupportedMacAlgorithms" <xs:element name="SupportedMacAlgorithms"
type="dskpp:AlgorithmsType" /> type="dskpp:AlgorithmsType" />
<xs:element minOccurs="0" <xs:element minOccurs="0" name="SupportedProtocolVariants"
name="SupportedProtocolVariants"
type="dskpp:ProtocolVariantsType" /> type="dskpp:ProtocolVariantsType" />
<xs:element minOccurs="0" name="SupportedKeyPackages" <xs:element minOccurs="0" name="SupportedKeyPackages"
type="dskpp:KeyPackagesFormatType" /> type="dskpp:KeyPackagesFormatType" />
<xs:element minOccurs="0" name="AuthenticationData" <xs:element minOccurs="0" name="AuthenticationData"
type="dskpp:AuthenticationDataType" /> type="dskpp:AuthenticationDataType" />
<xs:element minOccurs="0" name="Extensions" <xs:element minOccurs="0" name="Extensions"
type="dskpp:ExtensionsType" /> type="dskpp:ExtensionsType" />
</xs:sequence> </xs:sequence>
</xs:extension> </xs:extension>
</xs:complexContent> </xs:complexContent>
skipping to change at page 51, line 42 skipping to change at page 51, line 4
<xs:element minOccurs="0" name="SupportedKeyPackages" <xs:element minOccurs="0" name="SupportedKeyPackages"
type="dskpp:KeyPackagesFormatType" /> type="dskpp:KeyPackagesFormatType" />
<xs:element minOccurs="0" name="AuthenticationData" <xs:element minOccurs="0" name="AuthenticationData"
type="dskpp:AuthenticationDataType" /> type="dskpp:AuthenticationDataType" />
<xs:element minOccurs="0" name="Extensions" <xs:element minOccurs="0" name="Extensions"
type="dskpp:ExtensionsType" /> type="dskpp:ExtensionsType" />
</xs:sequence> </xs:sequence>
</xs:extension> </xs:extension>
</xs:complexContent> </xs:complexContent>
</xs:complexType> </xs:complexType>
<xs:element name="KeyProvServerHello" <xs:element name="KeyProvServerHello"
type="dskpp:KeyProvServerHelloPDU"> type="dskpp:KeyProvServerHelloPDU">
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation> KeyProvServerHello PDU </xs:documentation>
KeyProvServerHello PDU
</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:element> </xs:element>
<xs:complexType name="KeyProvServerHelloPDU"> <xs:complexType name="KeyProvServerHelloPDU">
<xs:annotation> <xs:annotation>
<xs:documentation xml:lang="en"> <xs:documentation xml:lang="en">
Response message sent from DSKPP server to DSKPP client Response message sent from DSKPP server to DSKPP client
in four-pass DSKPP. in four-pass DSKPP.
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:complexContent mixed="false"> <xs:complexContent mixed="false">
<xs:extension base="dskpp:AbstractResponseType"> <xs:extension base="dskpp:AbstractResponseType">
<xs:sequence minOccurs="0"> <xs:sequence minOccurs="0">
<xs:element name="KeyType" <xs:element name="KeyType" type="dskpp:AlgorithmType" />
type="dskpp:AlgorithmType"/>
<xs:element name="EncryptionAlgorithm" <xs:element name="EncryptionAlgorithm"
type="dskpp:AlgorithmType" /> type="dskpp:AlgorithmType" />
<xs:element name="MacAlgorithm" <xs:element name="MacAlgorithm" type="dskpp:AlgorithmType" />
type="dskpp:AlgorithmType"/> <xs:element name="EncryptionKey" type="ds:KeyInfoType" />
<xs:element name="EncryptionKey"
type="ds:KeyInfoType"/>
<xs:element name="KeyPackageFormat" <xs:element name="KeyPackageFormat"
type="dskpp:KeyPackageFormatType" /> type="dskpp:KeyPackageFormatType" />
<xs:element name="Payload" <xs:element name="Payload" type="dskpp:PayloadType" />
type="dskpp:PayloadType"/>
<xs:element minOccurs="0" name="Extensions" <xs:element minOccurs="0" name="Extensions"
type="dskpp:ExtensionsType" /> type="dskpp:ExtensionsType" />
<xs:element minOccurs="0" name="Mac" <xs:element minOccurs="0" name="Mac" type="dskpp:MacType" />
type="dskpp:MacType"/>
</xs:sequence> </xs:sequence>
</xs:extension> </xs:extension>
</xs:complexContent> </xs:complexContent>
</xs:complexType> </xs:complexType>
<xs:element name="KeyProvClientNonce" <xs:element name="KeyProvClientNonce"
type="dskpp:KeyProvClientNoncePDU"> type="dskpp:KeyProvClientNoncePDU">
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation> KeyProvClientNonce PDU </xs:documentation>
KeyProvClientNonce PDU
</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:element> </xs:element>
<xs:complexType name="KeyProvClientNoncePDU"> <xs:complexType name="KeyProvClientNoncePDU">
<xs:annotation> <xs:annotation>
<xs:documentation xml:lang="en"> <xs:documentation xml:lang="en">
Response message sent from DSKPP client to Response message sent from DSKPP client to
DSKPP server in a four-pass DSKPP session. DSKPP server in a four-pass DSKPP session.
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:complexContent mixed="false"> <xs:complexContent mixed="false">
<xs:extension base="dskpp:AbstractRequestType"> <xs:extension base="dskpp:AbstractRequestType">
<xs:sequence> <xs:sequence>
<xs:element name="EncryptedNonce" <xs:element name="EncryptedNonce" type="xs:base64Binary" />
type="xs:base64Binary"/>
<xs:element minOccurs="0" name="AuthenticationData" <xs:element minOccurs="0" name="AuthenticationData"
type="dskpp:AuthenticationDataType"/> type="dskpp:AuthenticationDataType"/>
<xs:element minOccurs="0" name="Extensions" <xs:element minOccurs="0" name="Extensions"
type="dskpp:ExtensionsType"/> type="dskpp:ExtensionsType"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="SessionID" <xs:attribute name="SessionID" type="dskpp:IdentifierType"
type="dskpp:IdentifierType"
use="required"/> use="required"/>
</xs:extension> </xs:extension>
</xs:complexContent> </xs:complexContent>
</xs:complexType> </xs:complexType>
<xs:element name="KeyProvServerFinished" <xs:element name="KeyProvServerFinished"
type="dskpp:KeyProvServerFinishedPDU"> type="dskpp:KeyProvServerFinishedPDU">
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation> KeyProvServerFinished PDU </xs:documentation>
KeyProvServerFinished PDU
</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:element> </xs:element>
<xs:complexType name="KeyProvServerFinishedPDU"> <xs:complexType name="KeyProvServerFinishedPDU">
<xs:annotation> <xs:annotation>
<xs:documentation xml:lang="en"> <xs:documentation xml:lang="en">
Final message sent from DSKPP server to DSKPP client in Final message sent from DSKPP server to DSKPP client in a DSKPP
a DSKPP session. A MAC value serves for key confirmation session. A MAC value serves for key confirmation, and optional
and optional AuthenticationData serves for server AuthenticationData serves for server authentication.
authentication.
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:complexContent mixed="false"> <xs:complexContent mixed="false">
<xs:extension base="dskpp:AbstractResponseType"> <xs:extension base="dskpp:AbstractResponseType">
<xs:sequence minOccurs="0"> <xs:sequence minOccurs="0">
<xs:element name="KeyPackage" <xs:element name="KeyPackage"
type="dskpp:KeyPackageType" /> type="dskpp:KeyPackageType" />
<xs:element minOccurs="0" name="Extensions" <xs:element minOccurs="0" name="Extensions"
type="dskpp:ExtensionsType" /> type="dskpp:ExtensionsType" />
<xs:element name="Mac" type="dskpp:MacType" /> <xs:element name="Mac" type="dskpp:MacType" />
skipping to change at page 54, line 18 skipping to change at page 53, line 13
interoperate, the DSKPP server: interoperate, the DSKPP server:
a. MUST implement the four-pass variation of the protocol a. MUST implement the four-pass variation of the protocol
(Section 4) (Section 4)
b. MUST implement the two-pass variation of the protocol (Section 5) b. MUST implement the two-pass variation of the protocol (Section 5)
c. MUST support user authentication (Section 3.2.1) c. MUST support user authentication (Section 3.2.1)
d. MUST support the following key derivation functions: d. MUST support the following key derivation functions:
* DSKPP-PRF-AES DSKPP-PRF realization (Appendix D) * DSKPP-PRF-AES DSKPP-PRF realization (refer to (Appendix D) for
* DSKPP-PRF-SHA256 DSKPP-PRF realization (Appendix D) an example)
* DSKPP-PRF-SHA256 DSKPP-PRF realization (refer to (Appendix D)
for an example)
e. MUST support the following encryption mechanisms for protection e. MUST support the following encryption mechanisms for protection
of the client nonce in the four-pass protocol: of the client nonce in the four-pass protocol:
* Mechanism described in Section 4.2.4 * Mechanism described in Section 4.2.4
f. MUST support one of the following encryption algorithms for f. MUST support one of the following encryption algorithms for
symmetric key operations, e.g., key wrap: symmetric key operations, e.g., key wrap:
* KW-AES128 without padding; refer to * KW-AES128 without padding; refer to
http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC]
* KW-AES128 without padding; refer to * KW-AES128 with padding; refer to
http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC] and
[AESKWPAD]
* AES-CBC-128; refer to [FIPS197-AES] * AES-CBC-128; refer to [FIPS197-AES]
g. MUST support the following encryption algorithms for asymmetric g. MUST support the following encryption algorithms for asymmetric
key operations, e.g., key transport: key operations, e.g., key transport:
* RSA Encryption Scheme [PKCS-1] * RSA Encryption Scheme [PKCS-1]
h. MUST support the following integrity/KDF MAC functions: h. MUST support the following integrity/KDF MAC functions:
* HMAC-SHA256 [FIPS180-SHA] * DSKPP-PRF-AES (Appendix D)
* AES-CMAC-128 [FIPS197-AES] * DSKPP-PRF-SHA256 (Appendix D)
i. MUST support the PSKC key package [PSKC]; all three PSKC key i. MUST support the PSKC key package [PSKC]; all three PSKC key
protection methods (Key Transport, Key Wrap, and Passphrase-Based protection methods (Key Transport, Key Wrap, and Passphrase-Based
Key Wrap) MUST be implemented Key Wrap) MUST be implemented
j. MAY support the ASN.1 key package as defined in [SKPC-ASN.1] j. MAY support the ASN.1 key package as defined in [SKPC-ASN.1]
DSKPP clients MUST support either the two-pass or the four-pass DSKPP clients MUST support either the two-pass or the four-pass
variant of the protocol. DSKPP clients MUST fulfill all requirements variant of the protocol. DSKPP clients MUST fulfill all requirements
listed in item (c) - (j). listed in item (c) - (j).
skipping to change at page 55, line 24 skipping to change at page 54, line 22
No other entities than the DSKPP server and the cryptographic module No other entities than the DSKPP server and the cryptographic module
will have access to a generated K_TOKEN if the cryptographic will have access to a generated K_TOKEN if the cryptographic
algorithms used are of sufficient strength and, on the DSKPP client algorithms used are of sufficient strength and, on the DSKPP client
side, generation and encryption of R_C and generation of K_TOKEN take side, generation and encryption of R_C and generation of K_TOKEN take
place as specified in the cryptographic module. This applies even if place as specified in the cryptographic module. This applies even if
malicious software is present in the DSKPP client. However, as malicious software is present in the DSKPP client. However, as
discussed in the following sub-sections, DSKPP does not protect discussed in the following sub-sections, DSKPP does not protect
against certain other threats resulting from man-in-the-middle against certain other threats resulting from man-in-the-middle
attacks and other forms of attacks. DSKPP SHOULD, therefore, be run attacks and other forms of attacks. DSKPP SHOULD, therefore, be run
over a transport providing confidentiality and integrity, such as over a transport providing confidentiality and integrity, such as
HTTP over Transport Layer Security (TLS) with a suitable HTTP over Transport Layer Security (TLS) with a suitable ciphersuite,
ciphersuite,when such threats are a concern. Note that TLS when such threats are a concern. Note that TLS ciphersuites with
ciphersuites with anonymous key exchanges are not suitable in those anonymous key exchanges are not suitable in those situations.
situations.
10.2. Active Attacks 10.2. Active Attacks
10.2.1. Introduction 10.2.1. Introduction
An active attacker MAY attempt to modify, delete, insert, replay, or An active attacker MAY attempt to modify, delete, insert, replay, or
reorder messages for a variety of purposes including service denial reorder messages for a variety of purposes including service denial
and compromise of generated keying material. and compromise of generated keying material.
10.2.2. Message Modifications 10.2.2. Message Modifications
skipping to change at page 56, line 39 skipping to change at page 55, line 36
algorithms, or protocol versions than the legitimate server would, algorithms, or protocol versions than the legitimate server would,
e.g., cryptographically weaker ones. The attacker may also provide a e.g., cryptographically weaker ones. The attacker may also provide a
different nonce than the one sent by the legitimate server. Clients different nonce than the one sent by the legitimate server. Clients
MAY protect against the former through strict adherence to policies MAY protect against the former through strict adherence to policies
regarding permissible algorithms and protocol versions. The latter regarding permissible algorithms and protocol versions. The latter
(wrong nonce) will not constitute a security problem, as a generated (wrong nonce) will not constitute a security problem, as a generated
key will not match the key generated on the legitimate server. Also, key will not match the key generated on the legitimate server. Also,
whenever the DSKPP run would result in the replacement of an existing whenever the DSKPP run would result in the replacement of an existing
key, the <Mac> element protects against modifications of R_S. key, the <Mac> element protects against modifications of R_S.
Modifications of <KeyProvClientNonce> messages are also,possible. If Modifications of <KeyProvClientNonce> messages are also possible. If
an attacker modifies the SessionID attribute, then, in effect, a an attacker modifies the SessionID attribute, then, in effect, a
switch to another session will occur at the server, assuming the new switch to another session will occur at the server, assuming the new
SessionID is valid at that time on the server. It still will not SessionID is valid at that time on the server. It still will not
allow the attacker to learn a generated K_TOKEN since R_C has been allow the attacker to learn a generated K_TOKEN since R_C has been
wrapped for the legitimate server. Modifications of the wrapped for the legitimate server. Modifications of the
<EncryptedNonce> element, e.g., replacing it with a value for which <EncryptedNonce> element, e.g., replacing it with a value for which
the attacker knows an underlying R'C, will not result in the client the attacker knows an underlying R'C, will not result in the client
changing its pre-DSKPP state, since the server will be unable to changing its pre-DSKPP state, since the server will be unable to
provide a valid MAC in its final message to the client. The server provide a valid MAC in its final message to the client. The server
MAY, however, end up storing K'TOKEN rather than K_TOKEN. If the MAY, however, end up storing K'TOKEN rather than K_TOKEN. If the
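The key-confirmation behaviour described above for a substituted <EncryptedNonce>, as an added example in Python that is not part of the draft: DSKPP-PRF is stood in for by HMAC-SHA256 and the nonce encryption by a toy keystream XOR (both assumptions, since the draft's Appendix D realizations and Section 4.2.4 mechanism are not reproduced on this page); the SessionID value 4114 is taken from the draft's examples.

```python
"""Toy model of DSKPP four-pass key confirmation (added example, not draft text).

Assumptions, none of which come from the draft:
  - DSKPP-PRF is stood in for by HMAC-SHA256 (the draft's realizations live
    in its Appendix D, which this page does not reproduce).
  - Encryption of R_C under a pre-shared key is a keystream XOR derived from
    the same HMAC; it exists only so the server can recover R_C and is not
    the draft's Section 4.2.4 mechanism.
  - The MAC key derivation, label strings and 16-byte nonce size are constructed.
"""
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in DSKPP-PRF: HMAC-SHA256 over length-prefixed parts."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        m.update(len(part).to_bytes(2, "big") + part)
    return m.digest()


def wrap_nonce(k_shared: bytes, nonce: bytes, session_id: bytes) -> bytes:
    """Toy encryption of a 16-byte nonce: XOR with a per-session keystream.
    Because it is XOR, the same call also unwraps."""
    stream = prf(k_shared, b"nonce-wrap", session_id)
    return bytes(a ^ b for a, b in zip(nonce, stream))


def derive_k_token(k_shared: bytes, r_s: bytes, r_c: bytes,
                   session_id: bytes) -> bytes:
    """K_TOKEN depends on both nonces; a different R_C gives a different key."""
    return prf(k_shared, b"k-token", r_s, r_c, session_id)


def key_confirmation_mac(k_token: bytes, r_s: bytes, session_id: bytes) -> bytes:
    """MAC carried in <KeyProvServerFinished>: keyed from K_TOKEN and covering
    R_S and the SessionID, so it confirms which key the server derived."""
    k_mac = prf(k_token, b"mac-key")
    return prf(k_mac, b"key-confirmation", r_s, session_id)


def flip_first_byte(encrypted_nonce: bytes) -> bytes:
    """In-transit substitution of <EncryptedNonce> (the threat in 10.2.2):
    the server will unwrap some R'C that the client never chose."""
    return bytes([encrypted_nonce[0] ^ 0x01]) + encrypted_nonce[1:]


def run_session(k_shared: bytes, session_id: bytes, tamper=None):
    """One four-pass run. Returns (client_committed, server_key, client_key).

    tamper, if given, is applied to the client's EncryptedNonce on the wire.
    """
    r_s = secrets.token_bytes(16)                  # server nonce (ServerHello)
    r_c = secrets.token_bytes(16)                  # client nonce, never sent in clear
    encrypted_nonce = wrap_nonce(k_shared, r_c, session_id)   # ClientNonce
    on_wire = tamper(encrypted_nonce) if tamper else encrypted_nonce

    # Server: recover what it takes to be R_C, derive its key, emit the MAC.
    r_c_at_server = wrap_nonce(k_shared, on_wire, session_id)
    k_token_server = derive_k_token(k_shared, r_s, r_c_at_server, session_id)
    mac_from_server = key_confirmation_mac(k_token_server, r_s, session_id)

    # Client: derive K_TOKEN from its own R_C and verify the ServerFinished MAC.
    # Only on success does it replace its pre-DSKPP state with the new key.
    k_token_client = derive_k_token(k_shared, r_s, r_c, session_id)
    expected = key_confirmation_mac(k_token_client, r_s, session_id)
    committed = hmac.compare_digest(mac_from_server, expected)
    return committed, k_token_server, k_token_client


if __name__ == "__main__":
    k_shared = secrets.token_bytes(16)             # constructed pre-shared key
    sid = b"4114"                                  # SessionID from the draft's examples
    ok, ks, kc = run_session(k_shared, sid)
    print("honest run: client committed =", ok, "keys match =", ks == kc)
    ok, ks, kc = run_session(k_shared, sid, tamper=flip_first_byte)
    print("tampered run: client committed =", ok, "keys match =", ks == kc)
```

The tampered run shows the two outcomes the text describes: the client's MAC check fails so it keeps its pre-DSKPP state, while the server has derived and may store a K'TOKEN that matches no client.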
skipping to change at page 59, line 30 skipping to change at page 58, line 23
implementations. implementations.
10.5. Attacks on the Interaction between DSKPP and User Authentication 10.5. Attacks on the Interaction between DSKPP and User Authentication
If keys generated in DSKPP will be associated with a particular user If keys generated in DSKPP will be associated with a particular user
at the DSKPP server (or a server trusted by, and communicating with at the DSKPP server (or a server trusted by, and communicating with
the DSKPP server), then in order to protect against threats where an the DSKPP server), then in order to protect against threats where an
attacker replaces a client-provided encrypted R_C with his own R'C attacker replaces a client-provided encrypted R_C with his own R'C
(regardless of whether the public-key variation or the shared-secret (regardless of whether the public-key variation or the shared-secret
variation of DSKPP is employed to encrypt the client nonce), the variation of DSKPP is employed to encrypt the client nonce), the
server SHOULD NOT commit to associate a generated K_TOKEN with the server SHOULD not commit to associate a generated K_TOKEN with the
given cryptographic module until the user simultaneously has proven given cryptographic module until the user simultaneously has proven
both possession of the device that hosts the cryptographic module both possession of the device that hosts the cryptographic module
containing K_TOKEN and some out-of-band provided authenticating containing K_TOKEN and some out-of-band provided authenticating
information (e.g., an authentication code). For example, if the information (e.g., an authentication code). For example, if the
cryptographic module is a one-time password token, the user could be cryptographic module is a one-time password token, the user could be
required to authenticate with both a one-time password generated by required to authenticate with both a one-time password generated by
the cryptographic module and an out-of-band provided authentication the cryptographic module and an out-of-band provided authentication
code in order to have the server "commit" to the generated OTP value code in order to have the server "commit" to the generated OTP value
for the given user. Preferably, the user SHOULD perform this for the given user. Preferably, the user SHOULD perform this
operation from another host than the one used to initialize keys on operation from another host than the one used to initialize keys on
skipping to change at page 62, line 40 skipping to change at page 61, line 32
DSKPP servers and clients MUST NOT encode XML with encodings other DSKPP servers and clients MUST NOT encode XML with encodings other
than UTF-8 or UTF-16. than UTF-8 or UTF-16.
12. IANA Considerations 12. IANA Considerations
This document requires several IANA registrations, detailed below. This document requires several IANA registrations, detailed below.
12.1. URN Sub-Namespace Registration 12.1. URN Sub-Namespace Registration
This section registers a new XML namespace, This section registers a new XML namespace,
"urn:ietf:params:xml:ns:keyprov:dskpp:1.0" per the guidelines in "urn:ietf:params:xml:ns:keyprov:dskpp" per the guidelines in
[RFC3688]: [RFC3688]:
URI: urn:ietf:params:xml:ns:keyprov:dskpp:1.0 URI: urn:ietf:params:xml:ns:keyprov:dskpp
Registrant Contact: Registrant Contact:
IETF, KEYPROV Working Group (keyprov@ietf.org), Andrea Doherty IETF, KEYPROV Working Group (keyprov@ietf.org), Andrea Doherty
(andrea.doherty@rsa.com) (andrea.doherty@rsa.com)
XML: XML:
BEGIN BEGIN
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head> <head>
<title>DSKPP Messages</title> <title>DSKPP Messages</title>
</head> </head>
<body> <body>
<h1>Namespace for DSKPP Messages</h1> <h1>Namespace for DSKPP Messages</h1>
skipping to change at page 63, line 15 skipping to change at page 62, line 15
BEGIN BEGIN
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head> <head>
<title>DSKPP Messages</title> <title>DSKPP Messages</title>
</head> </head>
<body> <body>
<h1>Namespace for DSKPP Messages</h1> <h1>Namespace for DSKPP Messages</h1>
<h2>urn:ietf:params:xml:ns:keyprov:dskpp:1.0</h2> <h2>urn:ietf:params:xml:ns:keyprov:dskpp</h2>
[NOTE TO IANA/RFC-EDITOR: Please replace XXXX below [NOTE TO IANA/RFC-EDITOR: Please replace XXXX below
with the RFC number for this specification.] with the RFC number for this specification.]
<p>See RFCXXXX</p> <p>See RFCXXXX</p>
</body> </body>
</html> </html>
END END
12.2. XML Schema Registration 12.2. XML Schema Registration
This section registers an XML schema as per the guidelines in This section registers an XML schema as per the guidelines in
[RFC3688]. [RFC3688].
URI: urn:ietf:params:xml:ns:keyprov:dskpp:1.0 URI: urn:ietf:params:xml:ns:keyprov:dskpp
Registrant Contact: Registrant Contact:
IETF, KEYPROV Working Group (keyprov@ietf.org), Andrea Doherty IETF, KEYPROV Working Group (keyprov@ietf.org), Andrea Doherty
(andrea.doherty@rsa.com) (andrea.doherty@rsa.com)
Schema: Schema:
The XML for this schema can be found as the entirety of Section 8 The XML for this schema can be found as the entirety of Section 8
of this document. of this document.
12.3. MIME Media Type Registration 12.3. MIME Media Type Registration
This section registers the "application/dskpp+xml" MIME type: This section registers the "application/dskpp+xml" MIME type:
skipping to change at page 67, line 39 skipping to change at page 66, line 39
[XMLDSIG] W3C, "XML Signature Syntax and Processing", [XMLDSIG] W3C, "XML Signature Syntax and Processing",
W3C Recommendation, February 2002, W3C Recommendation, February 2002,
<http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/>. <http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/>.
[XMLENC] W3C, "XML Encryption Syntax and Processing", [XMLENC] W3C, "XML Encryption Syntax and Processing",
W3C Recommendation, December 2002, W3C Recommendation, December 2002,
<http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/>. <http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/>.
16.2. Informative references 16.2. Informative references
[AESKWPAD] Housley, R. and M. Dworkin, "Advanced Encryption Standard
(AES) Key Wrap with Padding Algorithm", March 2009,
<http://www.ietf.org/internet-drafts/draft-housley-aes-key-wrap-with-pad-02.txt>.
[CT-KIP-P11] [CT-KIP-P11]
RSA Laboratories, "PKCS #11 Mechanisms for the RSA Laboratories, "PKCS #11 Mechanisms for the
Cryptographic Token Key Initialization Protocol", PKCS #11 Cryptographic Token Key Initialization Protocol", PKCS #11
Version 2.20 Amd.2, December 2005, Version 2.20 Amd.2, December 2005,
<http://www.rsasecurity.com/rsalabs/pkcs/>. <http://www.rsasecurity.com/rsalabs/pkcs/>.
[FAQ] RSA Laboratories, "Frequently Asked Questions About [FAQ] RSA Laboratories, "Frequently Asked Questions About
Today's Cryptography", Version 4.1, 2000. Today's Cryptography", Version 4.1, 2000.
[ISO3309] "ISO Information Processing Systems - Data Communication - [ISO3309] "ISO Information Processing Systems - Data Communication -
skipping to change at page 69, line 26 skipping to change at page 68, line 32
draft-ietf-keyprov-symmetrickeyformat-01.txt>. draft-ietf-keyprov-symmetrickeyformat-01.txt>.
[XMLNS] W3C, "Namespaces in XML", W3C Recommendation, [XMLNS] W3C, "Namespaces in XML", W3C Recommendation,
January 1999, January 1999,
<http://www.w3.org/TR/1999/REC-xml-names-19990114>. <http://www.w3.org/TR/1999/REC-xml-names-19990114>.
Appendix A. Usage Scenarios Appendix A. Usage Scenarios
DSKPP is expected to be used to provision symmetric keys to DSKPP is expected to be used to provision symmetric keys to
cryptographic modules in a number of different scenarios, each with cryptographic modules in a number of different scenarios, each with
its own special requirements. its own special requirements, as described below. This appendix
forms an informative part of the document.
A.1. Single Key Request A.1. Single Key Request
The usual scenario is that a cryptographic module makes a request for The usual scenario is that a cryptographic module makes a request for
a symmetric key from a provisioning server that is located on the a symmetric key from a provisioning server that is located on the
local network or somewhere on the Internet. Depending upon the local network or somewhere on the Internet. Depending upon the
deployment scenario, the provisioning server may generate a new key deployment scenario, the provisioning server may generate a new key
on-the-fly or use a pre-generated key, e.g., one provided by a legacy on-the-fly or use a pre-generated key, e.g., one provided by a legacy
back-end issuance server. The provisioning server assigns a unique back-end issuance server. The provisioning server assigns a unique
key ID to the symmetric key and provisions it to the cryptographic key ID to the symmetric key and provisions it to the cryptographic
skipping to change at page 71, line 33 skipping to change at page 70, line 41
at an application hosted on a PC rather than at the cryptographic at an application hosted on a PC rather than at the cryptographic
module (i.e., the endpoint) located on a data storage device. module (i.e., the endpoint) located on a data storage device.
Mutually authenticated key agreement provides end-to-end protection, Mutually authenticated key agreement provides end-to-end protection,
which TLS cannot provide. which TLS cannot provide.
Appendix B. Examples Appendix B. Examples
This appendix contains example messages that illustrate parameters, This appendix contains example messages that illustrate parameters,
encoding, and semantics in four- and two-pass DSKPP exchanges. The encoding, and semantics in four- and two-pass DSKPP exchanges. The
examples are written using XML, and are syntactically correct. MAC examples are written using XML, and are syntactically correct. MAC
and cipher values are fictitious however. and cipher values are fictitious however. This appendix forms an
informative part of the document.
B.1. Trigger Message B.1. Trigger Message
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvTrigger Version="1.0" <dskpp:KeyProvTrigger Version="1.0"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0"> xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">
<dskpp:InitializationTrigger> <dskpp:InitializationTrigger>
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> <pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer>
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <pskc:SerialNo>XL0000000001234</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:Model>U2</pskc:Model>
</dskpp:DeviceId> </dskpp:DeviceId>
</dskpp:DeviceIdentifierData> </dskpp:DeviceIdentifierData>
<dskpp:KeyID>SE9UUDAwMDAwMDAx</dskpp:KeyID> <dskpp:KeyID>SE9UUDAwMDAwMDAx</dskpp:KeyID>
<dskpp:TokenPlatformInfo KeyLocation="Hardware" <dskpp:TokenPlatformInfo KeyLocation="Hardware"
skipping to change at page 73, line 9 skipping to change at page 72, line 9
</dskpp:ServerUrl> </dskpp:ServerUrl>
</dskpp:InitializationTrigger> </dskpp:InitializationTrigger>
</dskpp:KeyProvTrigger> </dskpp:KeyProvTrigger>
B.2. Four-Pass Protocol B.2. Four-Pass Protocol
B.2.1. <KeyProvClientHello> Without a Preceding Trigger B.2.1. <KeyProvClientHello> Without a Preceding Trigger
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvClientHello Version="1.0" <dskpp:KeyProvClientHello Version="1.0"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> <pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer>
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <pskc:SerialNo>XL0000000001234</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:Model>U2</pskc:Model>
</dskpp:DeviceId> </dskpp:DeviceId>
</dskpp:DeviceIdentifierData> </dskpp:DeviceIdentifierData>
<dskpp:SupportedKeyTypes> <dskpp:SupportedKeyTypes>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp <dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm>http://www.rsa.com/rsalabs/otps/schemas/2005/09/ <dskpp:Algorithm>http://www.rsa.com/rsalabs/otps/schemas/2005/09/
otps-wst#SecurID-AES</dskpp:Algorithm> otps-wst#SecurID-AES</dskpp:Algorithm>
</dskpp:SupportedKeyTypes> </dskpp:SupportedKeyTypes>
<dskpp:SupportedEncryptionAlgorithms> <dskpp:SupportedEncryptionAlgorithms>
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 <dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedEncryptionAlgorithms> </dskpp:SupportedEncryptionAlgorithms>
<dskpp:SupportedMacAlgorithms> <dskpp:SupportedMacAlgorithms>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedMacAlgorithms> </dskpp:SupportedMacAlgorithms>
<dskpp:SupportedProtocolVariants><dskpp:FourPass/> <dskpp:SupportedProtocolVariants><dskpp:FourPass/>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyPackages> <dskpp:SupportedKeyPackages>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
http://www.ietf.org/keyprov/pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
</dskpp:SupportedKeyPackages> </dskpp:SupportedKeyPackages>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
B.2.2. <KeyProvClientHello> Assuming a Preceding Trigger B.2.2. <KeyProvClientHello> Assuming a Preceding Trigger
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvClientHello Version="1.0" <dskpp:KeyProvClientHello Version="1.0"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> <pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer>
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <pskc:SerialNo>XL0000000001234</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:Model>U2</pskc:Model>
</dskpp:DeviceId> </dskpp:DeviceId>
</dskpp:DeviceIdentifierData> </dskpp:DeviceIdentifierData>
<dskpp:KeyID>SE9UUDAwMDAwMDAx</dskpp:KeyID> <dskpp:KeyID>SE9UUDAwMDAwMDAx</dskpp:KeyID>
<dskpp:SupportedKeyTypes> <dskpp:SupportedKeyTypes>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp</dskpp:Algorithm>
http://www.ietf.org/keyprov/pskc#hotp
</dskpp:Algorithm>
<dskpp:Algorithm>http://www.rsa.com/rsalabs/otps/schemas/2005/09/ <dskpp:Algorithm>http://www.rsa.com/rsalabs/otps/schemas/2005/09/
otps-wst#SecurID-AES</dskpp:Algorithm> otps-wst#SecurID-AES</dskpp:Algorithm>
</dskpp:SupportedKeyTypes> </dskpp:SupportedKeyTypes>
<dskpp:SupportedEncryptionAlgorithms> <dskpp:SupportedEncryptionAlgorithms>
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 <dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedEncryptionAlgorithms> </dskpp:SupportedEncryptionAlgorithms>
<dskpp:SupportedMacAlgorithms> <dskpp:SupportedMacAlgorithms>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedMacAlgorithms> </dskpp:SupportedMacAlgorithms>
<dskpp:SupportedProtocolVariants><dskpp:FourPass/> <dskpp:SupportedProtocolVariants><dskpp:FourPass/>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyPackages> <dskpp:SupportedKeyPackages>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
http://www.ietf.org/keyprov/pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
</dskpp:SupportedKeyPackages> </dskpp:SupportedKeyPackages>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
B.2.3. <KeyProvServerHello> Without a Preceding Trigger B.2.3. <KeyProvServerHello> Without a Preceding Trigger
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvServerHello Version="1.0" SessionID="4114" <dskpp:KeyProvServerHello Version="1.0" SessionID="4114" Status="Continue"
Status="Continue" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<dskpp:KeyType>http://www.rsa.com/rsalabs/otps/schemas/2005/09/ <dskpp:KeyType>
otps-wst#SecurID-AES http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES
</dskpp:KeyType> </dskpp:KeyType>
<dskpp:EncryptionAlgorithm> <dskpp:EncryptionAlgorithm>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:EncryptionAlgorithm> </dskpp:EncryptionAlgorithm>
<dskpp:MacAlgorithm> <dskpp:MacAlgorithm>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:MacAlgorithm> </dskpp:MacAlgorithm>
<dskpp:EncryptionKey> <dskpp:EncryptionKey>
<ds:KeyName>KEY-1</ds:KeyName> <ds:KeyName>KEY-1</ds:KeyName>
</dskpp:EncryptionKey> </dskpp:EncryptionKey>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
http://www.ietf.org/keyprov/pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
<dskpp:Payload> <dskpp:Payload>
<dskpp:Nonce>qw2ewasde312asder394jw==</dskpp:Nonce> <dskpp:Nonce>qw2ewasde312asder394jw==</dskpp:Nonce>
</dskpp:Payload> </dskpp:Payload>
</dskpp:KeyProvServerHello> </dskpp:KeyProvServerHello>
B.2.4. <KeyProvServerHello> Assuming Key Renewal B.2.4. <KeyProvServerHello> Assuming Key Renewal
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvServerHello Version="1.0" SessionID="4114" <dskpp:KeyProvServerHello Version="1.0" SessionID="4114"
Status="Continue" Status="Continue"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<dskpp:KeyType> <dskpp:KeyType>
urn:ietf:params:xml:schema:keyprov:otpalg#SecurID-AES urn:ietf:params:xml:schema:keyprov:otpalg#SecurID-AES
</dskpp:KeyType> </dskpp:KeyType>
<dskpp:EncryptionAlgorithm> <dskpp:EncryptionAlgorithm>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:EncryptionAlgorithm> </dskpp:EncryptionAlgorithm>
<dskpp:MacAlgorithm> <dskpp:MacAlgorithm>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:MacAlgorithm> </dskpp:MacAlgorithm>
<dskpp:EncryptionKey> <dskpp:EncryptionKey>
<ds:KeyName>KEY-1</ds:KeyName> <ds:KeyName>KEY-1</ds:KeyName>
</dskpp:EncryptionKey> </dskpp:EncryptionKey>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
http://www.ietf.org/keyprov/pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
<dskpp:Payload> <dskpp:Payload>
<dskpp:Nonce>qw2ewasde312asder394jw==</dskpp:Nonce> <dskpp:Nonce>qw2ewasde312asder394jw==</dskpp:Nonce>
</dskpp:Payload> </dskpp:Payload>
<dskpp:Mac <dskpp:Mac
MacAlgorithm= MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
"http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
cXcycmFuZG9tMzEyYXNkZXIzOTRqdw== cXcycmFuZG9tMzEyYXNkZXIzOTRqdw==
</dskpp:Mac> </dskpp:Mac>
</dskpp:KeyProvServerHello> </dskpp:KeyProvServerHello>
B.2.5. <KeyProvClientNonce> Using Default Encryption B.2.5. <KeyProvClientNonce> Using Default Encryption
This message contains the nonce chosen by the cryptographic module, This message contains the nonce chosen by the cryptographic module,
R_C, encrypted by the specified encryption key and encryption R_C, encrypted by the specified encryption key and encryption
algorithm. algorithm.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvClientNonce Version="1.0" SessionID="4114" <dskpp:KeyProvClientNonce Version="1.0" SessionID="4114"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0"> xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp">
<dskpp:EncryptedNonce>VXENc+Um/9/NvmYKiHDLaErK0gk= <dskpp:EncryptedNonce>VXENc+Um/9/NvmYKiHDLaErK0gk=
</dskpp:EncryptedNonce> </dskpp:EncryptedNonce>
<dskpp:AuthenticationData> <dskpp:AuthenticationData>
<dskpp:ClientID>31300257</dskpp:ClientID> <dskpp:ClientID>31300257</dskpp:ClientID>
<dskpp:AuthenticationCodeMac> <dskpp:AuthenticationCodeMac>
<dskpp:IterationCount>512</dskpp:IterationCount> <dskpp:IterationCount>512</dskpp:IterationCount>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> <dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationCodeMac> </dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData> </dskpp:AuthenticationData>
</dskpp:KeyProvClientNonce> </dskpp:KeyProvClientNonce>
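Review bot: the AuthenticationCodeMac value 4bRJf9xXd3KchKoTenHJiw== (IterationCount 512) is byte-identical to the value carried in every two-pass KeyProvClientHello below and in the server's own AuthenticationData in the KeyProvServerFinished messages, yet those MACs are computed over different messages, in different sessions, by different parties. A MAC bound to its message cannot repeat like this; if these are placeholders, label them as such, otherwise the binding (what the authentication-code MAC covers) is not what the examples imply and should be corrected.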
B.2.6. <KeyProvServerFinished> Using Default Encryption B.2.6. <KeyProvServerFinished> Using Default Encryption
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvServerFinished Version="1.0" SessionID="4114" <dskpp:KeyProvServerFinished Version="1.0" SessionID="4114" Status="Success"
Status="Success" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<dskpp:KeyPackage> <dskpp:KeyPackage>
<dskpp:KeyPackage Version="1.0"> <KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
<pskc:MACAlgorithm>http://www.w3.org/2000/09/xmldsig#hmac-sha1 <KeyPackage>
</pskc:MACAlgorithm> <DeviceInfo>
<pskc:Device> <Manufacturer>Manufacturer</Manufacturer>
<pskc:Key <SerialNo>987654321</SerialNo>
KeyAlgorithm= </DeviceInfo>
"http://www.rsa.com/rsalabs/otps/schemas/2005/09/ <CryptoModuleInfo>
otps-wst#SecurID-AES" <Id>CM_ID_001</Id>
KeyId="XL0000000001234"> </CryptoModuleInfo>
<pskc:Issuer>CredentialIssuer</pskc:Issuer> <Key Id="12345678"
<pskc:Usage OTP="true"> Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#totp">
<pskc:ResponseFormat Format="DECIMAL" Length="6"/> <Issuer>Issuer</Issuer>
</pskc:Usage> <AlgorithmParameters>
<pskc:FriendlyName>MyFirstToken</pskc:FriendlyName> <ResponseFormat Length="8" Encoding="DECIMAL"/>
<pskc:Data> </AlgorithmParameters>
<pskc:Time> <Data>
<pskc:PlainValue>0</pskc:PlainValue> <Time>
</pskc:Time> <PlainValue>0</PlainValue>
</pskc:Data> </Time>
<pskc:ExpiryDate>2012-12-31T00:00:00</pskc:ExpiryDate> </Data>
</pskc:Key> <Policy>
</pskc:Device> <PINPolicy MinLength="4" MaxLength="4"
</dskpp:KeyPackage> PINKeyId="123456781" PINEncoding="DECIMAL"
PINUsageMode="Local"/>
<KeyUsage>OTP</KeyUsage>
</Policy>
</Key>
</KeyPackage>
</KeyContainer>
</dskpp:KeyPackage> </dskpp:KeyPackage>
<dskpp:Mac <dskpp:Mac
MacAlgorithm= MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
"http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
miidfasde312asder394jw== miidfasde312asder394jw==
</dskpp:Mac> </dskpp:Mac>
</dskpp:KeyProvServerFinished> </dskpp:KeyProvServerFinished>
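Review bot: the PINPolicy in the draft-08 KeyContainer references PINKeyId="123456781", but no Key with that Id exists in the container (the only key is Id="12345678"), so a client that resolves the PIN key reference will fail. Either add the PIN key package or drop the PINKeyId attribute. Also note for readers that the absence of a Secret element here is intentional: in the 4-pass variant K_TOKEN is derived on both sides from the exchanged nonces, so only the Time and policy data are transported.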
B.3. Two-Pass Protocol B.3. Two-Pass Protocol
B.3.1. Example Using the Key Transport Method B.3.1. Example Using the Key Transport Method
The client indicates support for all the Key Transport, Key Wrap, and The client indicates support for all the Key Transport, Key Wrap, and
Passphrase-Based Key Wrap key protection methods: Passphrase-Based Key Wrap key protection methods:
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvClientHello Version="1.0" <dskpp:KeyProvClientHello Version="1.0"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <pskc:SerialNo>987654321</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:Model>U2</pskc:Model>
</dskpp:DeviceId> </dskpp:DeviceId>
</dskpp:DeviceIdentifierData> </dskpp:DeviceIdentifierData>
<dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce> <dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce>
<dskpp:SupportedKeyTypes> <dskpp:SupportedKeyTypes>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp <dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>
http://www.rsa.com/rsalabs/otps/schemas/2005/09/ http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES
otps-wst#SecurID-AES
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedKeyTypes> </dskpp:SupportedKeyTypes>
<dskpp:SupportedEncryptionAlgorithms> <dskpp:SupportedEncryptionAlgorithms>
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 <dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128 <dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedEncryptionAlgorithms> </dskpp:SupportedEncryptionAlgorithms>
<dskpp:SupportedMacAlgorithms> <dskpp:SupportedMacAlgorithms>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedMacAlgorithms> </dskpp:SupportedMacAlgorithms>
<dskpp:SupportedProtocolVariants> <dskpp:SupportedProtocolVariants>
<dskpp:TwoPass> <dskpp:TwoPass>
<dskpp:SupportedKeyProtectionMethod> <dskpp:SupportedKeyProtectionMethod>
urn:ietf:params:xml:schema:keyprov:dskpp#wrap
</dskpp:SupportedKeyProtectionMethod>
<dskpp:Payload>
<ds:KeyInfo xsi:type="ds:KeyInfoType">
<ds:KeyName>Key_001</ds:KeyName>
</ds:KeyInfo>
</dskpp:Payload>
<dskpp:SupportedKeyProtectionMethod>
urn:ietf:params:xml:schema:keyprov:dskpp#transport urn:ietf:params:xml:schema:keyprov:dskpp#transport
</dskpp:SupportedKeyProtectionMethod> </dskpp:SupportedKeyProtectionMethod>
<dskpp:SupportedKeyProtectionMethod>
urn:ietf:params:xml:schema:keyprov:dskpp#passphrase-wrap
</dskpp:SupportedKeyProtectionMethod>
<dskpp:Payload> <dskpp:Payload>
<ds:KeyInfo xsi:type="ds:KeyInfoType"> <ds:KeyInfo xsi:type="ds:KeyInfoType">
<ds:X509Data> <ds:X509Data>
<ds:X509Certificate>miib</ds:X509Certificate> <ds:X509Certificate>
MIIB5zCCAVCgAwIBAgIESZp/vDANBgkqhkiG9w0BAQUFADA4M
Q0wCwYDVQQKEwRJRVRGMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIF
Rlc3QwHhcNMDkwMjE3MDkxMzMyWhcNMTEwMjE3MDkxMzMyWjA4MQ0wCwYDVQQKEwRJRVR
GMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIFRlc3QwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALCWLDa2ItYJ6su80hd1gL4cggQYdyyKK17btt/aS6Q/e
DsKjsPyFIODsxeKVV/uA3wLT4jQJM5euKJXkDajzGGOy92+ypfzTX4zDJMkh61SZwlHNJ
xBKilAM5aW7C+BQ0RvCxvdYtzx2LTdB+X/KMEBA7uIYxLfXH2Mnub3WIh1AgMBAAEwDQY
JKoZIhvcNAQEFBQADgYEAe875m84sYUJ8qPeZ+NG7REgTvlHTmoCdoByU0LBBLotUKuqf
rnRuXJRMeZXaaEGmzY1kLonVjQGzjAkU4dJ+RPmiDlYuHLZS41Pg6VMwY+03lhk6I5A/w
4rnqdkmwZX/NgXg06alnc2pBsXWhL4O7nk0S2ZrLMsQZ6HcsXgdmHo=
</ds:X509Certificate>
</ds:X509Data> </ds:X509Data>
</ds:KeyInfo> </ds:KeyInfo>
</dskpp:Payload> </dskpp:Payload>
</dskpp:TwoPass> </dskpp:TwoPass>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyPackages> <dskpp:SupportedKeyPackages>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
http://www.ietf.org/keyprov/pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
</dskpp:SupportedKeyPackages> </dskpp:SupportedKeyPackages>
<dskpp:AuthenticationData> <dskpp:AuthenticationData>
<dskpp:ClientID>31300257</dskpp:ClientID> <dskpp:ClientID>31300257</dskpp:ClientID>
<dskpp:AuthenticationCodeMac> <dskpp:AuthenticationCodeMac>
<dskpp:IterationCount>512</dskpp:IterationCount> <dskpp:IterationCount>512</dskpp:IterationCount>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> <dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationCodeMac> </dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData> </dskpp:AuthenticationData>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
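Review bot: the sentence introducing this ClientHello says the client advertises all three key protection methods, yet the draft-08 column of the message lists only urn:ietf:params:xml:schema:keyprov:dskpp#transport (the #wrap and #passphrase-wrap entries, with the #wrap Payload naming Key_001, appear only in the draft-07 column). Either restore those entries, each with its own Payload, or rewrite the sentence to say the client offers Key Transport only. Separately, ds:KeyInfo carries xsi:type="ds:KeyInfoType" but no xmlns:xsi is declared on the root element, so the message is not namespace-well-formed as printed; the attribute is redundant anyway (ds:KeyInfo is already of that type) and can simply be dropped.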
In this example, the server responds to the previous request by In this example, the server responds to the previous request by
returning a key package in which the provisioning key was encrypted returning a key package in which the provisioning key was encrypted
using the Key Transport key protection method.. using the Key Transport key protection method.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvServerFinished Version="1.0" SessionID="4114" <dskpp:KeyProvServerFinished Version="1.0" SessionID="4114"
Status="Success" Status="Success"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<dskpp:KeyPackage> <dskpp:KeyPackage>
<dskpp:ServerID>https://www.somedskppservice.com/ <dskpp:ServerID>https://www.somedskppservice.com/</dskpp:ServerID>
</dskpp:ServerID>
<dskpp:KeyProtectionMethod> <dskpp:KeyProtectionMethod>
urn:ietf:params:xml:schema:keyprov:dskpp#transport urn:ietf:params:xml:schema:keyprov:dskpp#transport
</dskpp:KeyProtectionMethod> </dskpp:KeyProtectionMethod>
<dskpp:KeyPackage Version="1.0"> <KeyContainer Version="1.0"
<pskc:EncryptionKey> xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
<EncryptionKey>
<ds:X509Data> <ds:X509Data>
<ds:X509Certificate>miib</ds:X509Certificate>
<ds:X509Certificate>
MIIB5zCCAVCgAwIBAgIESZp/vDANBgkqhkiG9w0BAQUFADA4M
Q0wCwYDVQQKEwRJRVRGMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIF
Rlc3QwHhcNMDkwMjE3MDkxMzMyWhcNMTEwMjE3MDkxMzMyWjA4MQ0wCwYDVQQKEwRJRVR
GMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIFRlc3QwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALCWLDa2ItYJ6su80hd1gL4cggQYdyyKK17btt/aS6Q/e
DsKjsPyFIODsxeKVV/uA3wLT4jQJM5euKJXkDajzGGOy92+ypfzTX4zDJMkh61SZwlHNJ
xBKilAM5aW7C+BQ0RvCxvdYtzx2LTdB+X/KMEBA7uIYxLfXH2Mnub3WIh1AgMBAAEwDQY
JKoZIhvcNAQEFBQADgYEAe875m84sYUJ8qPeZ+NG7REgTvlHTmoCdoByU0LBBLotUKuqf
rnRuXJRMeZXaaEGmzY1kLonVjQGzjAkU4dJ+RPmiDlYuHLZS41Pg6VMwY+03lhk6I5A/w
4rnqdkmwZX/NgXg06alnc2pBsXWhL4O7nk0S2ZrLMsQZ6HcsXgdmHo=
</ds:X509Certificate>
</ds:X509Data> </ds:X509Data>
</pskc:EncryptionKey> </EncryptionKey>
<pskc:Device> <KeyPackage>
<pskc:DeviceInfo> <DeviceInfo>
<pskc:Manufacturer>ACME</pskc:Manufacturer> <Manufacturer>TokenVendorAcme</Manufacturer>
<pskc:SerialNo>0755225266</pskc:SerialNo> <SerialNo>987654321</SerialNo>
</pskc:DeviceInfo> </DeviceInfo>
<pskc:Key <Key
KeyAlgorithm="http://www.ietf.org/keyprov/pskc#hotp" Id="MBK000000001"
KeyId="0755225266"> Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
<pskc:Issuer>AnIssuer</pskc:Issuer> <Issuer>Example-Issuer</Issuer>
<pskc:Usage OTP="true"> <AlgorithmParameters>
<pskc:ResponseFormat Length="8" Format="DECIMAL"/> <ResponseFormat Length="6" Encoding="DECIMAL"/>
</pskc:Usage> </AlgorithmParameters>
<pskc:Data> <Data>
<pskc:Secret> <Secret>
<pskc:EncryptedValue Id="ED"> <EncryptedValue>
<xenc:EncryptionMethod <xenc:EncryptionMethod
Algorithm= Algorithm="http://www.w3.org/2001/04/xmlenc#rsa_1_5"/>
"http://www.w3.org/2001/04/xmlenc#rsa_1_5"/>
<xenc:CipherData> <xenc:CipherData>
<xenc:CipherValue>rf4dx3rvEPO0vKtKL14NbeVu8nk= <xenc:CipherValue>hJ+fvpoMPMO9BYpK2rdyQYGIxiATYHTHC7e/sPLKYo5/r1v+4
xTYG3gJolCWuVMydJ7Ta0GaiBPHcWa8ctCVYmHKfSz5fdeV5nqbZApe6dofTqhRwZK6
Yx4ufevi91cjN2vBpSxYafvN3c3+xIgk0EnTV4iVPRCR0rBwyfFrPc4=
</xenc:CipherValue> </xenc:CipherValue>
</xenc:CipherData> </xenc:CipherData>
</pskc:EncryptedValue> </EncryptedValue>
</pskc:Secret> </Secret>
<pskc:Counter> <Counter>
<pskc:PlainValue>0</pskc:PlainValue> <PlainValue>0</PlainValue>
</pskc:Counter> </Counter>
</pskc:Data> </Data>
</pskc:Key> </Key>
</pskc:Device> </KeyPackage>
</dskpp:KeyPackage> </KeyContainer>
</dskpp:KeyPackage> </dskpp:KeyPackage>
<dskpp:Mac <dskpp:Mac
MacAlgorithm= MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
"http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
miidfasde312asder394jw== miidfasde312asder394jw==
</dskpp:Mac> </dskpp:Mac>
<dskpp:AuthenticationData> <dskpp:AuthenticationData>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> <dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationData> </dskpp:AuthenticationData>
</dskpp:KeyProvServerFinished> </dskpp:KeyProvServerFinished>
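Review bot: the algorithm identifiers in this response do not match what the client advertised, so an implementation that negotiates by string comparison would reject it. The EncryptionMethod uses http://www.w3.org/2001/04/xmlenc#rsa_1_5 while the ClientHello listed http://www.w3.org/2001/05/xmlenc#rsa_1_5, and neither is the XML Encryption identifier, which is http://www.w3.org/2001/04/xmlenc#rsa-1_5 (hyphen, 2001/04). Likewise the Key Algorithm is urn:ietf:params:xml:ns:keyprov:pskc#hotp whereas the client offered http://www.ietf.org/keyprov/pskc#hotp. Fix both to one identifier per algorithm across the appendix. Since the point of this example is RSA key transport of K_TOKEN, consider also listing http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p: PKCS#1 v1.5 encryption padding is exposed to padding-oracle (Bleichenbacher-style) attacks that OAEP avoids, and a provisioning server is exactly the kind of long-lived decryption oracle that attack needs.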
B.3.2. Example Using the Key Wrap Method B.3.2. Example Using the Key Wrap Method
The client sends a request that specifies a shared key to protect the The client sends a request that specifies a shared key to protect the
K_TOKEN, and the server responds using the Key Wrap key protection K_TOKEN, and the server responds using the Key Wrap key protection
method. Authentication data in this example is based on an method. Authentication data in this example is based on an
authentication code rather than a device certificate. authentication code rather than a device certificate.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvClientHello Version="1.0" <dskpp:KeyProvClientHello Version="1.0"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:pkcs-5= xmlns:pkcs-5=
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"> "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#">
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <pskc:SerialNo>987654321</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:Model>U2</pskc:Model>
</dskpp:DeviceId> </dskpp:DeviceId>
</dskpp:DeviceIdentifierData> </dskpp:DeviceIdentifierData>
<dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce> <dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce>
<dskpp:SupportedKeyTypes> <dskpp:SupportedKeyTypes>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp <dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.rsa.com/rsalabs/otps/schemas/2005/09/
http://www.rsa.com/rsalabs/otps/schemas/2005/09/
otps-wst#SecurID-AES</dskpp:Algorithm> otps-wst#SecurID-AES</dskpp:Algorithm>
</dskpp:SupportedKeyTypes> </dskpp:SupportedKeyTypes>
<dskpp:SupportedEncryptionAlgorithms> <dskpp:SupportedEncryptionAlgorithms>
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 <dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128 <dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.rsasecurity.com/rsalabs/pkcs/schemas/
http://www.rsasecurity.com/rsalabs/pkcs/schemas/
pkcs-5#pbes2</dskpp:Algorithm> pkcs-5#pbes2</dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedEncryptionAlgorithms> </dskpp:SupportedEncryptionAlgorithms>
<dskpp:SupportedMacAlgorithms> <dskpp:SupportedMacAlgorithms>
<dskpp:Algorithm> <dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedMacAlgorithms> </dskpp:SupportedMacAlgorithms>
<dskpp:SupportedProtocolVariants> <dskpp:SupportedProtocolVariants>
<dskpp:TwoPass> <dskpp:TwoPass>
<dskpp:SupportedKeyProtectionMethod> <dskpp:SupportedKeyProtectionMethod>
urn:ietf:params:xml:schema:keyprov:dskpp#wrap urn:ietf:params:xml:schema:keyprov:dskpp#wrap
</dskpp:SupportedKeyProtectionMethod> </dskpp:SupportedKeyProtectionMethod>
<dskpp:Payload> <dskpp:Payload>
<ds:KeyInfo xsi:type="ds:KeyInfoType"> <ds:KeyInfo xsi:type="ds:KeyInfoType">
<ds:KeyName>Key_001</ds:KeyName> <ds:KeyName>Pre-shared-key</ds:KeyName>
</ds:KeyInfo> </ds:KeyInfo>
</dskpp:Payload> </dskpp:Payload>
</dskpp:TwoPass> </dskpp:TwoPass>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyPackages> <dskpp:SupportedKeyPackages>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
http://www.ietf.org/keyprov/pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
</dskpp:SupportedKeyPackages> </dskpp:SupportedKeyPackages>
<dskpp:AuthenticationData> <dskpp:AuthenticationData>
<dskpp:ClientID>31300257</dskpp:ClientID> <dskpp:ClientID>31300257</dskpp:ClientID>
<dskpp:AuthenticationCodeMac> <dskpp:AuthenticationCodeMac>
<dskpp:IterationCount>512</dskpp:IterationCount> <dskpp:IterationCount>512</dskpp:IterationCount>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> <dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationCodeMac> </dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData> </dskpp:AuthenticationData>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
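Review bot: the ClientNonce xwQzwEl0CjPAiQeDxwRJdQ== is the same literal used in the B.3.1 and B.3.3 ClientHello examples. R_C must be fresh per protocol run (it is what binds the server's response and MAC to this request), so three examples sharing one nonce invite copy-paste implementations with a fixed nonce; vary the value per example or state that the examples are not independent runs. Minor: xmlns:pkcs-5 is declared on the root but no pkcs-5-prefixed element appears in this message, and the pbes2 identifier under SupportedEncryptionAlgorithms is carried as plain text, so the declaration can go.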
In this example, the server responds to the previous request by In this example, the server responds to the previous request by
returning a key package in which the provisioning key was encrypted returning a key package in which the provisioning key was encrypted
using the Key Wrap key protection method. using the Key Wrap key protection method.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvServerFinished Version="1.0" Status="Success" <dskpp:KeyProvServerFinished Version="1.0" Status="Success"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<dskpp:KeyPackage> <dskpp:KeyPackage>
<dskpp:ServerID>https://www.somedskppservice.com/ <dskpp:ServerID>https://www.somedskppservice.com/</dskpp:ServerID>
</dskpp:ServerID>
<dskpp:KeyProtectionMethod> <dskpp:KeyProtectionMethod>
urn:ietf:params:xml:schema:keyprov:dskpp#wrap urn:ietf:params:xml:schema:keyprov:dskpp#wrap
</dskpp:KeyProtectionMethod> </dskpp:KeyProtectionMethod>
<dskpp:KeyPackage Version="1.0"> <KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
<pskc:EncryptionKey> <EncryptionKey>
<ds:KeyName>PRE_SHARED_KEY</ds:KeyName> <ds:KeyName>Pre-shared-key</ds:KeyName>
</pskc:EncryptionKey> </EncryptionKey>
<pskc:MACAlgorithm>http://www.w3.org/2000/09/xmldsig#hmac-sha1 <MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
</pskc:MACAlgorithm> <MACKey>
<pskc:Device>
<pskc:Key KeyAlgorithm=
"http://www.ietf.org/keyprov/pskc#hotp"
KeyId="312345678">
<pskc:Issuer>CredentialIssuer</pskc:Issuer>
<pskc:Usage OTP="true">
<pskc:ResponseFormat Format="DECIMAL" Length="6"/>
</pskc:Usage>
<pskc:FriendlyName>MyFirstToken</pskc:FriendlyName>
<pskc:Data>
<pskc:Secret>
<pskc:EncryptedValue>
<xenc:EncryptionMethod <xenc:EncryptionMethod
Algorithm= Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
"http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<xenc:CipherData> <xenc:CipherData>
<xenc:CipherValue> <xenc:CipherValue>
kyzrWTJuhJKQHhZtf2CWbKC5H3LdfAPvKzHHQ8SdxyE= R8+5I6m74doa0nRhaPejbt3elq9hLPGvxHgXVlYpbgA=
</xenc:CipherValue> </xenc:CipherValue>
</xenc:CipherData> </xenc:CipherData>
</pskc:EncryptedValue> </MACKey>
<pskc:ValueMAC>cwJI898rRpGBytTqCAsegaQqPZA= </MACMethod>
</pskc:ValueMAC> <KeyPackage>
</pskc:Secret> <DeviceInfo>
<pskc:Counter> <Manufacturer>Manufacturer</Manufacturer>
<pskc:PlainValue>1/pskc:PlainValue> <SerialNo>987654321</SerialNo>
</pskc:Counter> </DeviceInfo>
</pskc:Data> <CryptoModuleInfo>
<pskc:ExpiryDate>2012-12-31T00:00:00</pskc:ExpiryDate> <Id>CM_ID_001</Id>
</pskc:Key> </CryptoModuleInfo>
</pskc:Device> <Key Id="12345678"
</dskpp:KeyPackage> Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
<Issuer>Issuer</Issuer>
<AlgorithmParameters>
<ResponseFormat Length="8" Encoding="DECIMAL"/>
</AlgorithmParameters>
<Data>
<Secret>
<EncryptedValue>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>
pgznhXdDh4LJ2G3mOY2RL7UA47yizMlXX3ADDcZd8Vs=
</xenc:CipherValue>
</xenc:CipherData>
</EncryptedValue>
<ValueMAC>ooo0Swn6s/myD4o05FCfBHN0560=</ValueMAC>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
</Data>
</Key>
</KeyPackage>
</KeyContainer>
</dskpp:KeyPackage> </dskpp:KeyPackage>
<dskpp:Mac <dskpp:Mac
MacAlgorithm= MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
"http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
miidfasde312asder394jw== miidfasde312asder394jw==
</dskpp:Mac> </dskpp:Mac>
<dskpp:AuthenticationData> <dskpp:AuthenticationData>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> <dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationData> </dskpp:AuthenticationData>
</dskpp:KeyProvServerFinished> </dskpp:KeyProvServerFinished>
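Review bot: the client advertised http://www.w3.org/2001/04/xmlenc#kw-aes128 (AES Key Wrap) for the #wrap method, but the server encrypts both the MACKey and the Secret with http://www.w3.org/2001/04/xmlenc#aes128-cbc, an algorithm the client never listed; either the ClientHello should offer aes128-cbc or the response should use kw-aes128, which is the algorithm designed for wrapping a key under a key. Two consistency nits in the draft-08 column: DeviceInfo says Manufacturer "Manufacturer" although the client identified itself as TokenVendorAcme / 987654321, and unlike the B.3.1 and B.3.3 responses this KeyProvServerFinished carries no SessionID attribute.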
B.3.3. Example Using the Passphrase-Based Key Wrap Method B.3.3. Example Using the Passphrase-Based Key Wrap Method
The client sends a request similar to that in Appendix B.3.1 with The client sends a request similar to that in Appendix B.3.1 with
authentication data based on an authentication code, and the server authentication data based on an authentication code, and the server
responds using the Passphrase-Based Key Wrap method to encrypt the responds using the Passphrase-Based Key Wrap method to encrypt the
provisioning key (note that the encryption is derived from the provisioning key (note that the encryption is derived from the
password component of the authentication code). The authentication password component of the authentication code). The authentication
data is set in clear text when it is sent over a secure transport data is set in clear text when it is sent over a secure transport
channel such as TLS. channel such as TLS.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvClientHello Version="1.0" <dskpp:KeyProvClientHello Version="1.0"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:pkcs-5= xmlns:pkcs-5=
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"> "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#">
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <pskc:SerialNo>987654321</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:Model>U2</pskc:Model>
</dskpp:DeviceId> </dskpp:DeviceId>
</dskpp:DeviceIdentifierData> </dskpp:DeviceIdentifierData>
<dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce> <dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce>
<dskpp:SupportedKeyTypes> <dskpp:SupportedKeyTypes>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp <dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>
http://www.rsa.com/rsalabs/otps/schemas/2005/09/ http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES
otps-wst#SecurID-AES
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedKeyTypes> </dskpp:SupportedKeyTypes>
<dskpp:SupportedEncryptionAlgorithms> <dskpp:SupportedEncryptionAlgorithms>
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 <dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128 <dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> <dskpp:Algorithm>
http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2 http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2
</dskpp:Algorithm> </dskpp:Algorithm>
skipping to change at page 86, line 13 (draft-07) / page 85, line 27 (draft-08)
<ds:KeyName>Key_001</ds:KeyName> <ds:KeyName>Key_001</ds:KeyName>
</ds:KeyInfo> </ds:KeyInfo>
</dskpp:Payload> </dskpp:Payload>
<dskpp:SupportedKeyProtectionMethod> <dskpp:SupportedKeyProtectionMethod>
urn:ietf:params:xml:schema:keyprov:dskpp#passphrase-wrap urn:ietf:params:xml:schema:keyprov:dskpp#passphrase-wrap
</dskpp:SupportedKeyProtectionMethod> </dskpp:SupportedKeyProtectionMethod>
</dskpp:TwoPass> </dskpp:TwoPass>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyPackages> <dskpp:SupportedKeyPackages>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
http://www.ietf.org/keyprov/pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
</dskpp:SupportedKeyPackages> </dskpp:SupportedKeyPackages>
<dskpp:AuthenticationData> <dskpp:AuthenticationData>
<dskpp:ClientID>31300257</dskpp:ClientID> <dskpp:ClientID>31300257</dskpp:ClientID>
<dskpp:AuthenticationCodeMac> <dskpp:AuthenticationCodeMac>
<dskpp:IterationCount>512</dskpp:IterationCount> <dskpp:IterationCount>512</dskpp:IterationCount>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> <dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationCodeMac> </dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData> </dskpp:AuthenticationData>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
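Review bot: the introductory text says the authentication data "is set in clear text when it is sent over a secure transport channel such as TLS", but the message shows AuthenticationCodeMac with an IterationCount and a MAC, i.e. the same MAC-protected form used in B.3.2, not a clear-text authentication code. Since the server later derives the passphrase-wrap key from the password component of that code, the example should either show the clear-text form the prose describes or the prose should drop the clear-text sentence. The #passphrase-wrap entry also has no Payload while the preceding #wrap entry names Key_001; if that asymmetry is intended (passphrase implied by the authentication code), say so in the text.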
In this example, the server responds to the previous request by In this example, the server responds to the previous request by
returning a key package in which the provisioning key was encrypted returning a key package in which the provisioning key was encrypted
using the Passphrase-Based Key Wrap key protection method. using the Passphrase-Based Key Wrap key protection method.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<dskpp:KeyProvServerFinished Version="1.0" SessionID="4114" <dskpp:KeyProvServerFinished Version="1.0" SessionID="4114"
Status="Success" Status="Success"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp:1.0" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:pkcs-5= xmlns:dkey="http://www.w3.org/2009/xmlsec-derivedkey#"
xmlns:pkcs5=
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#" "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<dskpp:KeyPackage> <dskpp:KeyPackage>
<dskpp:ServerID>https://www.somedskppservice.com/ <dskpp:ServerID>https://www.somedskppservice.com/
</dskpp:ServerID> </dskpp:ServerID>
<dskpp:KeyProtectionMethod> <dskpp:KeyProtectionMethod>
urn:ietf:params:xml:schema:keyprov:protocol#passphrase-wrap urn:ietf:params:xml:schema:keyprov:protocol#passphrase-wrap
</dskpp:KeyProtectionMethod> </dskpp:KeyProtectionMethod>
<dskpp:KeyPackage Version="1.0"> <dskpp:KeyContainer Version="1.0">
<pskc:EncryptionKey> <pskc:EncryptionKey>
<pskc:DerivedKey> <dkey:DerivedKey>
<pskc:CarriedKeyName>Passphrase1</pskc:CarriedKeyName> <dkey:KeyDerivationMethod Algorithm=
<pskc:KeyDerivationMethod "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2">
Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas <pkcs5:PBKDF2-params>
/pkcs-5#pbkdf2">
<pkcs-5:PBKDF2-params>
<Salt> <Salt>
<Specified>P1ciQdGbrI0=</Specified> <Specified>Ej7/PEpyEpw=</Specified>
</Salt> </Salt>
<IterationCount>2000</IterationCount> <IterationCount>1000</IterationCount>
<KeyLength>16</KeyLength> <KeyLength>16</KeyLength>
<PRF/> <PRF/>
</pkcs-5:PBKDF2-params> </pkcs5:PBKDF2-params>
</pskc:KeyDerivationMethod> </dkey:KeyDerivationMethod>
<xenc:ReferenceList> <xenc:ReferenceList>
<xenc:DataReference URI="#ED"/> <xenc:DataReference URI="#ED"/>
</xenc:ReferenceList> </xenc:ReferenceList>
</pskc:DerivedKey> <dkey:MasterKeyName>My Password 1</dkey:MasterKeyName>
</dkey:DerivedKey>
</pskc:EncryptionKey> </pskc:EncryptionKey>
<pskc:Device> <pskc:MACMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
<pskc:MACKey>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>
2GTTnLwM3I4e5IO5FkufoNhk05y8DNyOHuSDuRZLn6DhIjoTY/dX4SkUAbQ
SWJblA7Dzi031L6FNnUrcjsGGcQ==
</xenc:CipherValue>
</xenc:CipherData>
</pskc:MACKey>
</pskc:MACMethod>
<pskc:KeyPackage>
<pskc:DeviceInfo> <pskc:DeviceInfo>
<pskc:Manufacturer>Manufacturer</pskc:Manufacturer> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:SerialNo>0755225266</pskc:SerialNo> <pskc:SerialNo>987654321</pskc:SerialNo>
</pskc:DeviceInfo> </pskc:DeviceInfo>
<pskc:Key KeyAlgorithm= <pskc:CryptoModuleInfo>
"http://www.ietf.org/keyprov/pskc#hotp" KeyId="0755225266"> <pskc:Id>CM_ID_001</pskc:Id>
<pskc:Issuer>AnIssuer</pskc:Issuer> </pskc:CryptoModuleInfo>
<pskc:Usage OTP="true"> <pskc:Key Algorithm=
<pskc:ResponseFormat Length="6" Format="DECIMAL"/> "urn:ietf:params:xml:ns:keyprov:pskc#hotp" Id="123456">
</pskc:Usage> <pskc:Issuer>Example-Issuer</pskc:Issuer>
<pskc:AlgorithmParameters>
<pskc:ResponseFormat Length="8" Encoding="DECIMAL"/>
</pskc:AlgorithmParameters>
<pskc:Data> <pskc:Data>
<pskc:Secret> <pskc:Secret>
<pskc:EncryptedValue> <pskc:EncryptedValue Id="ED">
<xenc:EncryptionMethod Algorithm= <xenc:EncryptionMethod
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/ Algorithm=
pkcs-5#pbes2"> "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
<pskc:EncryptionScheme Algorithm= <pskc:EncryptionScheme
"http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</xenc:EncryptionMethod> </xenc:EncryptionMethod>
<xenc:CipherData> <xenc:CipherData>
<xenc:CipherValue>rf4dx3rvEPO0vKtKL14NbeVu8nk= <xenc:CipherValue>
oTvo+S22nsmS2Z/RtcoF8Hfh+jzMe0RkiafpoDpnoZTjPYZu6V+A4aEn032yCr4f
</xenc:CipherValue> </xenc:CipherValue>
</xenc:CipherData> </xenc:CipherData>
</pskc:EncryptedValue> </pskc:EncryptedValue>
<pskc:ValueMAC>LP6xMvjtypbfT9PdkJhBZ+D6O4w=
</pskc:ValueMAC>
</pskc:Secret> </pskc:Secret>
<pskc:Counter>
<pskc:PlainValue>0</pskc:PlainValue>
</pskc:Counter>
</pskc:Data> </pskc:Data>
</pskc:Key> </pskc:Key>
</pskc:Device> </pskc:KeyPackage>
</dskpp:KeyPackage> </dskpp:KeyContainer>
</dskpp:KeyPackage> </dskpp:KeyPackage>
<dskpp:Mac MacAlgorithm= <dskpp:Mac MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes">
"http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes">
miidfasde312asder394jw== miidfasde312asder394jw==
</dskpp:Mac> </dskpp:Mac>
<dskpp:AuthenticationData>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationData>
</dskpp:KeyProvServerFinished> </dskpp:KeyProvServerFinished>
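Review bot: the KeyProtectionMethod is urn:ietf:params:xml:schema:keyprov:protocol#passphrase-wrap, but the client advertised urn:ietf:params:xml:schema:keyprov:dskpp#passphrase-wrap; "protocol" looks like a leftover and breaks matching. Further inconsistencies in the draft-08 column that a validator will trip over: the container is written as dskpp:KeyContainer although KeyContainer is a PSKC element and B.3.1 and B.3.2 put it in the pskc namespace; the outer MacAlgorithm is http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes whereas every other message and D.2.1 use #dskpp-prf-aes-128; and PBKDF2 is identified under the pkcs-5v2-0# base while pbes2 (both here and in the ClientHello) uses pkcs-5#, so pick one base for the PKCS #5 identifiers. Finally, the PBKDF2 IterationCount was lowered from 2000 to 1000 for a 16-byte key; example values get copied into products, so there is no reason to make the example weaker than it was.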
Appendix C. Integration with PKCS #11 Appendix C. Integration with PKCS #11
A DSKPP client that needs to communicate with a connected A DSKPP client that needs to communicate with a connected
cryptographic module to perform a DSKPP exchange MAY use PKCS #11 cryptographic module to perform a DSKPP exchange MAY use PKCS #11
[PKCS-11] as a programming interface. [PKCS-11] as a programming interface as described herein. This
appendix forms an informative part of the document.
C.1. The 4-pass Variant C.1. The 4-pass Variant
When performing 4-pass DSKPP with a cryptographic module using the When performing 4-pass DSKPP with a cryptographic module using the
PKCS #11 programming interface, the procedure described in PKCS #11 programming interface, the procedure described in
[CT-KIP-P11], Appendix B, is RECOMMENDED. [CT-KIP-P11], Appendix B, is RECOMMENDED.
C.2. The 2-pass Variant C.2. The 2-pass Variant
A suggested procedure to perform 2-pass DSKPP with a cryptographic A suggested procedure to perform 2-pass DSKPP with a cryptographic
skipping to change at page 91, line 8 (draft-07) / page 90, line 28 (draft-08)
the previous protocol run). Again, if the MAC does not the previous protocol run). Again, if the MAC does not
verify the protocol session ends with a failure, and the verify the protocol session ends with a failure, and the
token MUST be constructed no to "commit" to the new K_TOKEN token MUST be constructed no to "commit" to the new K_TOKEN
or the new K_MAC unless the MAC verifies. or the new K_MAC unless the MAC verifies.
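Review bot: "the token MUST be constructed no to "commit" to the new K_TOKEN" should read "not to", and the preceding clause needs a comma ("if the MAC does not verify, the protocol session ends with a failure"); this is normative text, so the typo is worth fixing before publication. The requirement itself is the right one: a module that stored K_TOKEN or K_MAC before the MAC check would let an attacker who can inject a forged KeyProvServerFinished install a key of their choosing.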
Appendix D. Example of DSKPP-PRF Realizations Appendix D. Example of DSKPP-PRF Realizations
D.1. Introduction D.1. Introduction
This example appendix defines DSKPP-PRF in terms of AES [FIPS197-AES] This example appendix defines DSKPP-PRF in terms of AES [FIPS197-AES]
and HMAC [RFC2104]. and HMAC [RFC2104]. This appendix forms an informative part of the
document.
D.2. DSKPP-PRF-AES D.2. DSKPP-PRF-AES
D.2.1. Identification D.2.1. Identification
For cryptographic modules supporting this realization of DSKPP-PRF, For cryptographic modules supporting this realization of DSKPP-PRF,
the following URL MAY be used to identify this algorithm in DSKPP: the following URL MAY be used to identify this algorithm in DSKPP:
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128