Side-by-side diff of draft-ietf-keyprov-dskpp-08.txt (left column) against draft-ietf-keyprov-dskpp-09.txt (right column), rendered here as one text; where the two versions differ, the wording is marked "-08" / "-09".

KEYPROV Working Group                                         A. Doherty
Internet-Draft                        RSA, The Security Division of EMC
Intended status: Standards Track                                  M. Pei
Expires: January 29, 2010 (-08) / May 20, 2010 (-09)      Verisign, Inc.
                                                              S. Machani
                                                        Diversinet Corp.
                                                              M. Nystrom
                 RSA, The Security Division of EMC (-08) / Microsoft Corp. (-09)
                                July 28, 2009 (-08) / November 16, 2009 (-09)

           Dynamic Symmetric Key Provisioning Protocol (DSKPP)
       draft-ietf-keyprov-dskpp-08.txt / draft-ietf-keyprov-dskpp-09.txt
Abstract
DSKPP is a client-server protocol for initialization (and
configuration) of symmetric keys to locally and remotely accessible
cryptographic modules. The protocol can be run with or without
private-key capabilities in the cryptographic modules, and with or
without an established public-key infrastructure.
Two variations of the protocol support multiple usage scenarios.
With the four-pass variant, keys are mutually generated by the
provisioning server and cryptographic module; provisioned keys are
not transferred over-the-wire or over-the-air. The two-pass variant
enables secure and efficient download and installation of pre-
generated symmetric keys to a cryptographic module.
This document builds on information contained in [RFC4758], adding
specific enhancements in response to implementation experience and
liaison requests.
Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 29, 2010 (-08) /
   May 20, 2010 (-09).

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   -08: This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

   -09: This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

   (In -08 the Abstract precedes "Status of this Memo"; in -09 it
   follows the Copyright Notice.  The Abstract text is the same in both
   versions and is given once above.)
Table of Contents

   (The two versions' tables of contents differ only in page numbers,
   which are omitted here.)

   1.  Introduction
     1.1.  Key Words
     1.2.  Versions
     1.3.  Namespace Identifiers
       1.3.1.  Defined Identifiers
       1.3.2.  Identifiers Defined in Related Specifications
       1.3.3.  Referenced Identifiers
   2.  Terminology
     2.1.  Definitions
     2.2.  Notation
     2.3.  Abbreviations
   3.  DSKPP Overview
     3.1.  Protocol Entities
     3.2.  Basic DSKPP Exchange
       3.2.1.  User Authentication
       3.2.2.  Protocol Initiated by the DSKPP Client
       3.2.3.  Protocol Triggered by the DSKPP Server
       3.2.4.  Variants
     3.3.  Status Codes
     3.4.  Basic Constructs
   [unchanged entries skipped; next change at page 3, line 48]
       4.2.4.  KeyProvClientNonce
       4.2.5.  KeyProvServerFinished
   5.  Two-Pass Protocol Usage
     5.1.  Key Protection Methods
       5.1.1.  Key Transport
       5.1.2.  Key Wrap
       5.1.3.  Passphrase-Based Key Wrap
     5.2.  Message Flow
       5.2.1.  KeyProvTrigger
       5.2.2.  KeyProvClientHello
       5.2.3.  KeyProvServerFinished
   6.  Protocol Extensions
     6.1.  The ClientInfoType Extension
     6.2.  The ServerInfoType Extension
   7.  Protocol Bindings
     7.1.  General Requirements
     7.2.  HTTP/1.1 Binding for DSKPP
       7.2.1.  Identification of DSKPP Messages
       7.2.2.  HTTP Headers
       7.2.3.  HTTP Operations
       7.2.4.  HTTP Status Codes
       7.2.5.  HTTP Authentication
       7.2.6.  Initialization of DSKPP
       7.2.7.  Example Messages
   8.  DSKPP XML Schema
     8.1.  General Processing Requirements
     8.2.  Schema
   9.  Conformance Requirements
   10. Security Considerations
     10.1.  General
     10.2.  Active Attacks
       10.2.1.  Introduction
       10.2.2.  Message Modifications
       10.2.3.  Message Deletion
       10.2.4.  Message Insertion
       10.2.5.  Message Replay
       10.2.6.  Message Reordering
       10.2.7.  Man-in-the-Middle
     10.3.  Passive Attacks
     10.4.  Cryptographic Attacks
     10.5.  Attacks on the Interaction between DSKPP and User
            Authentication
     10.6.  Miscellaneous Considerations
       10.6.1.  Client Contributions to K_TOKEN Entropy
       10.6.2.  Key Confirmation
       10.6.3.  Server Authentication
       10.6.4.  User Authentication
       10.6.5.  Key Protection in Two-Pass DSKPP
   11. Internationalization Considerations
   12. IANA Considerations
     12.1.  URN Sub-Namespace Registration
     12.2.  XML Schema Registration
     12.3.  MIME Media Type Registration
     12.4.  Status Code Registry
   13. Intellectual Property Considerations
   14. Contributors
   15. Acknowledgements
   16. References
     16.1.  Normative references
     16.2.  Informative references
   Appendix A.  Usage Scenarios
     A.1.  Single Key Request
     A.2.  Multiple Key Requests
     A.3.  User Authentication
     A.4.  Provisioning Time-Out Policy
     A.5.  Key Renewal
     A.6.  Pre-Loaded Key Replacement
     A.7.  Pre-Shared Manufacturing Key
     A.8.  End-to-End Protection of Key Material
   Appendix B.  Examples
     B.1.  Trigger Message
     B.2.  Four-Pass Protocol
       B.2.1.  <KeyProvClientHello> Without a Preceding Trigger
       B.2.2.  <KeyProvClientHello> Assuming a Preceding Trigger
       B.2.3.  <KeyProvServerHello> Without a Preceding Trigger
       B.2.4.  <KeyProvServerHello> Assuming Key Renewal
       B.2.5.  <KeyProvClientNonce> Using Default Encryption
       B.2.6.  <KeyProvServerFinished> Using Default Encryption
     B.3.  Two-Pass Protocol
       B.3.1.  Example Using the Key Transport Method
       B.3.2.  Example Using the Key Wrap Method
       B.3.3.  Example Using the Passphrase-Based Key Wrap Method
   Appendix C.  Integration with PKCS #11
     C.1.  The 4-pass Variant
     C.2.  The 2-pass Variant
   Appendix D.  Example of DSKPP-PRF Realizations
     D.1.  Introduction
     D.2.  DSKPP-PRF-AES
       D.2.1.  Identification
       D.2.2.  Definition
       D.2.3.  Example
     D.3.  DSKPP-PRF-SHA256
       D.3.1.  Identification
       D.3.2.  Definition
       D.3.3.  Example
   Authors' Addresses
1.  Introduction

   Symmetric key based cryptographic systems (e.g., those providing
   authentication mechanisms such as one-time passwords and challenge-
   response) offer performance and operational advantages over public
   key schemes.  Such use requires a mechanism for provisioning of
   symmetric keys providing equivalent functionality to mechanisms such
   as CMP [RFC4210] and CMC [RFC5272] in a Public Key Infrastructure
   (-08 misnames CMC as "CMMC"; -09 corrects it).

   Traditionally, cryptographic modules have been provisioned with keys
   during device manufacturing, and the keys have been imported to the
   cryptographic server using, e.g., a CD-ROM disc shipped with the
   devices.  Some vendors also have proprietary provisioning protocols,
   which often have not been publicly documented (CT-KIP is one
   exception [RFC4758]).

   This document describes the Dynamic Symmetric Key Provisioning
   Protocol (DSKPP), a client-server protocol for provisioning symmetric
   [unchanged text skipped; next change at page 9, line 45 of both versions]
      secret keys

   Protocol Run:  Complete execution of the DSKPP that involves one
      exchange (2-pass) or two exchanges (4-pass)

   Security Attribute List (SAL):  A payload that contains the DSKPP
      version, DSKPP variant (four- or two-pass), key package formats,
      key types, and cryptographic algorithms that the cryptographic
      module is capable of supporting

   Security Context (SC):  A payload that contains the DSKPP version,
      DSKPP variant (four- or two-pass), key package format, key type,
      and cryptographic algorithms relevant to the current protocol run
      (definition added in -09)

2.2.  Notation

   ||                    String concatenation
   [x]                   Optional element x
   A ^ B                 Exclusive-OR operation on strings A and B (where
                         A and B are of equal length)
   <XMLElement>          A typographical convention used in the body of
                         the text
   DSKPP-PRF(k,s,dsLen)  A keyed pseudo-random function
   E(k,m)                Encryption of m with the key k
   K                     Key used to encrypt R_C (either K_SERVER or
                         K_SHARED), or in MAC or DSKPP_PRF computations
   K_AC                  Secret key that is derived from the
   [unchanged text skipped; next change at page 11, line 12 (-08) / page 11, line 9 (-09)]
   KP     Key Package
   KPM    Key Protection Method
   KPML   Key Protection Method List
   MAC    Message Authentication Code
   PC     Personal Computer
   PDU    Protocol Data Unit
   PKCS   Public-Key Cryptography Standards
   PRF    Pseudo-Random Function
   PSKC   Portable Symmetric Key Container
   SAL    Security Attribute List (see Section 2.1)
   SC     Security Context (see Section 2.1)  (added in -09)
   TLS    Transport Layer Security
   URL    Uniform Resource Locator
   USB    Universal Serial Bus
   XML    eXtensible Markup Language

3.  DSKPP Overview

   The following sub-sections provide a high-level view of protocol
   internals and how they interact with external provisioning
   applications.  Usage scenarios are provided in Appendix A.
   [unchanged text skipped; next change at page 15, line 49 of both versions]
   information is also needed by the DSKPP server; how the web server
   and DSKPP server interact is beyond the scope of this document.

   The <KeyProvTrigger> message is sent in an HTTP response, and it is
   marked with MIME type "application/vnd.ietf.keyprov.dskpp+xml".  It
   is assumed the web browser has been configured to recognize this MIME
   type; the browser then starts the DSKPP client and provides it with
   the <KeyProvTrigger> message.

   The DSKPP client then contacts the DSKPP server, and uses the Client
   ID and Authentication Code (from the <KeyProvTrigger> message; -08
   spells it "messsage") the same way as in the first message flow.

3.2.4.  Variants

   As noted in the previous section, once the protocol has started, the
   client and server MAY engage in either a two-pass or four-pass
   message exchange.  The four-pass and two-pass protocols are
   appropriate in different deployment scenarios.  The biggest
   differentiator between the two is that the two-pass protocol supports
   transport of an existing key to a cryptographic module, while the
   [unchanged text skipped; next change at page 17, line 42 of both versions]
   AccessDenied:  The DSKPP client is not authorized to contact this
      DSKPP server

   MalformedRequest:  The DSKPP server failed to parse the DSKPP
      client's request

   UnknownRequest:  The DSKPP client made a request that is unknown to
      the DSKPP server

   UnknownCriticalExtension:  A critical DSKPP extension (see below)
      used by the DSKPP client was not supported or recognized by the
      DSKPP server
      (-08 read: "In order to assure that all implementations of DSKPP
      can interoperate, the DSKPP server:A critical DSKPP extension
      (see below) used by the DSKPP client was not supported or
      recognized by the DSKPP server"; -09 drops the stray leading
      clause)

   UnsupportedVersion:  The DSKPP client used a DSKPP protocol version
      not supported by the DSKPP server.  This error is only valid in
      the DSKPP server's first response message

   NoSupportedKeyTypes:  "NoSupportedKeyTypes" indicates that the DSKPP
      client only suggested key types that are not supported by the
      DSKPP server.  This error is only valid in the DSKPP server's
      first response message
   [unchanged text skipped; next change at page 20, line 17 of both versions]
   +------+------------+-------------+-----------------------------+
   | TLV# | TLV Name   | Conformance | Example Value               |
   +------+------------+-------------+-----------------------------+
   | 1    | Client ID  | Mandatory   | { "AC00000A" }              |
   +------+------------+-------------+-----------------------------+
   | 2    | Password   | Mandatory   | { "3582" }                  |
   +------+------------+-------------+-----------------------------+
   | 3    | Checksum   | Optional    | { 0x5F8D }                  |
   +------+------------+-------------+-----------------------------+

   The Client ID is a mandatory TLV that represents the requester's
   identifier of maximum length 128.  The value is represented as an
   ASCII string that identifies the key request.  The ClientID MUST be
   HEX encoded (-08 spells it "clientID").  For example, suppose
   ClientID is set to "AC00000A"; the hexadecimal equivalent is
   0x4143303030303041, resulting in a TLV of
   {0x1, 0x8, 0x4143303030303041}.

   The Password is a mandatory TLV that contains a one-time use shared
   secret known by the user and the Provisioning Server.  The password
   value is unique and SHOULD be a random string to make the AC more
   difficult to guess.  The string MUST be UTF-8 encoded in accordance
   with [RFC3629].  For example, suppose the password is set to "3582";
   then the TLV would be {0x2, 0x4, UTF-8("3582")}.
skipping to change at page 20, line 45 skipping to change at page 20, line 45
the CRC16 calculation would generate a checksum of 0x5F8D, resulting the CRC16 calculation would generate a checksum of 0x5F8D, resulting
in TLV {0x3, 0x2, 0x5F8D}. in TLV {0x3, 0x2, 0x5F8D}.
3.4.1.2.  User Authentication Data Calculation

The Authentication Data consists of a Client ID (extracted from the
AC) and a value, which is derived from the AC as follows (refer to
Section 3.4.2 for a description of DSKPP-PRF in general and
Appendix D for a description of DSKPP-PRF-AES):

   MAC = DSKPP-PRF(K_AC, AC->ClientID||URL_S||R_C||[R_S], 16)

In four-pass DSKPP, the cryptographic module uses R_C, R_S, and URL_S
to calculate the MAC, where URL_S is the URL the DSKPP client uses
when contacting the DSKPP server.  In two-pass DSKPP, the
cryptographic module does not have access to R_S, therefore only R_C
is used in combination with URL_S to produce the MAC.  In either
case, K_AC MUST be derived from AC->password as follows [PKCS-5]:

   K_AC = PBKDF2(AC->password, R_C || K, iter_count, 16)

[skipping to change at page 21, line 22]

          the server (K_SHARED)

   b.  In two-pass:

       *  The public key of the DSKPP client, or the public key of the
          device when a device certificate is available
       *  The pre-shared key between the client and the server
          (K_SHARED)
       *  A passphrase-derived key

The iteration count, iter_count, MUST be set to at least 100,000
except in the last two two-pass cases (where K is set to K_SHARED or
a passphrase-derived key), in which case iter_count MUST be set to 1.
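The derivation in Section 3.4.1.2 carried through in code, as an added example that is not part of the draft: it builds the Client ID and Password TLVs of Section 3.4.1.1 (the optional Checksum TLV is left out), derives K_AC with PBKDF2 under the iteration-count rule above, computes the AD MAC for both variants, and shows the server-side check.  Two things are assumptions rather than the draft's own definitions: the DSKPP-PRF realization (a counter-mode HMAC-SHA256 standing in for the Appendix D functions, which this excerpt does not reproduce) and HMAC-SHA256 as the PBKDF2 PRF; the nonces, URL and K_SHARED value are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

ITER_COUNT_DEFAULT = 100_000  # "at least 100,000"; only the two-pass K_SHARED/passphrase cases use 1


def tlv(tag: int, value: bytes) -> bytes:
    """One AC field as {tag, length, value}, one-byte tag and length (Section 3.4.1.1)."""
    if len(value) > 0xFF:
        raise ValueError("TLV value too long for a one-byte length")
    return bytes([tag, len(value)]) + value


def encode_ac(client_id: str, password: str) -> bytes:
    """Client ID (tag 0x1, its ASCII bytes, which is what the HEX form renders) and
    Password (tag 0x2, UTF-8).  The optional Checksum TLV (tag 0x3) is not produced."""
    if len(client_id) > 128:
        raise ValueError("Client ID exceeds the maximum length of 128")
    return tlv(0x1, client_id.encode("ascii")) + tlv(0x2, password.encode("utf-8"))


def parse_ac(ac: bytes) -> Dict[int, bytes]:
    """Split an AC into its TLVs keyed by tag, rejecting truncated encodings."""
    fields, i = {}, 0
    while i < len(ac):
        if i + 2 > len(ac) or i + 2 + ac[i + 1] > len(ac):
            raise ValueError("truncated TLV")
        tag, length = ac[i], ac[i + 1]
        fields[tag] = ac[i + 2:i + 2 + length]
        i += 2 + length
    if 0x1 not in fields or 0x2 not in fields:
        raise ValueError("Client ID and Password TLVs are mandatory")
    return fields


def dskpp_prf(k: bytes, s: bytes, ds_len: int) -> bytes:
    """ASSUMPTION: counter-mode HMAC-SHA256 standing in for the Appendix D DSKPP-PRF."""
    out, i = b"", 1
    while len(out) < ds_len:
        out += hmac.new(k, struct.pack(">I", i) + s, hashlib.sha256).digest()
        i += 1
    return out[:ds_len]


def iter_count_for(variant: str, k_kind: str) -> int:
    """Iteration-count rule: 1 only in two-pass with K = K_SHARED or a passphrase-derived
    key; otherwise at least 100,000.  k_kind: K_SERVER, K_CLIENT, K_SHARED or passphrase."""
    if variant == "two-pass" and k_kind in ("K_SHARED", "passphrase"):
        return 1
    return ITER_COUNT_DEFAULT


def derive_k_ac(password: bytes, r_c: bytes, k: bytes, iter_count: int) -> bytes:
    """K_AC = PBKDF2(AC->password, R_C || K, iter_count, 16); HMAC-SHA256 as the PBKDF2 PRF is assumed."""
    return hashlib.pbkdf2_hmac("sha256", password, r_c + k, iter_count, 16)


def authentication_data(ac: bytes, url_s: bytes, r_c: bytes, k: bytes, variant: str,
                        k_kind: str, r_s: bytes = b"") -> Tuple[bytes, bytes]:
    """AD = (ClientID, DSKPP-PRF(K_AC, ClientID || URL_S || R_C || [R_S], 16))."""
    if variant not in ("four-pass", "two-pass"):
        raise ValueError("unknown DSKPP variant")
    fields = parse_ac(ac)
    client_id, password = fields[0x1], fields[0x2]
    if variant == "four-pass" and not r_s:
        raise ValueError("four-pass AD needs R_S from <KeyProvServerHello>")
    if variant == "two-pass":
        r_s = b""  # the cryptographic module never sees R_S in two-pass
    k_ac = derive_k_ac(password, r_c, k, iter_count_for(variant, k_kind))
    return client_id, dskpp_prf(k_ac, client_id + url_s + r_c + r_s, 16)


def server_verifies_ad(ac: bytes, url_s: bytes, r_c: bytes, k: bytes, variant: str,
                       k_kind: str, received: Tuple[bytes, bytes], r_s: bytes = b"") -> bool:
    """Server side: recompute from its own copy of the AC and compare in constant time."""
    client_id, mac = authentication_data(ac, url_s, r_c, k, variant, k_kind, r_s)
    return client_id == received[0] and hmac.compare_digest(mac, received[1])


if __name__ == "__main__":
    # Constructed inputs: the AC from the table above, fixed 16-byte nonces, a 16-byte K_SHARED.
    ac = encode_ac("AC00000A", "3582")
    url_s = b"https://dskpp.example.net/provision"
    r_c, r_s, k_shared = bytes(range(16)), bytes(range(16, 32)), b"\x5a" * 16
    client_id, mac = authentication_data(ac, url_s, r_c, k_shared, "four-pass", "K_SHARED", r_s)
    print(client_id.decode(), mac.hex())
```

Because URL_S is bound into the MAC, an AD captured for one server URL does not verify at another, and because R_C (and R_S in four-pass) is bound, a replayed AD from an earlier run fails as well; the server should always recompute rather than compare against a stored MAC.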
3.4.2.  The DSKPP One-Way Pseudorandom Function, DSKPP-PRF

Regardless of the protocol variant employed, there is a requirement
for a cryptographic primitive that provides a deterministic
transformation of a secret key k and a varying-length octet string s
to a bit string of specified length dsLen.

This primitive must meet the same requirements as for a keyed hash
function: It MUST take an arbitrary length input, and generate an

[skipping to change at page 27, line 41]

legitimate for a DSKPP client to initiate the DSKPP protocol run
without having received a <KeyProvTrigger> message from a server,
but in this case any provided DeviceID MUST NOT be accepted by the
DSKPP server unless the server has access to a unique key for the
identified device and that key will be used in the protocol.
4.2.3.  KeyProvServerHello

   DSKPP Client                                     DSKPP Server
   ------------                                     ------------
                        <--- SAL, R_S, [K], [MAC]

When this message is sent:

   The DSKPP server will send this message in response to a
   <KeyProvClientHello> message after it looks for an acceptable
   combination of DSKPP version, variant (in this case, four-pass),
   key package format, key type, and set of cryptographic algorithms.
   If it could not find an acceptable combination, then it will still
   send the message, but with a failure status.

Purpose of this message:

   With this message, the context for the protocol run is set.
   Furthermore, the DSKPP server uses this message to transmit a
   random nonce, which is required for each side to agree upon the
   same symmetric key (K_TOKEN).

What is contained in this message:

   A status attribute equivalent to the server's return code to
   <KeyProvClientHello>.  If the server found an acceptable set of
   attributes from the client's SAL, then it sets status to Continue
   and returns an SAL (selected from the SAL that it received in
   <KeyProvClientHello>).  The server's SAL specifies the DSKPP
   version and variant (in this case, four-pass), key type,
   cryptographic algorithms, and key package format that the DSKPP
   client MUST use for the remainder of the protocol run.

   A random nonce (R_S) for use in generating a symmetric key through
   key agreement; the length of R_S may depend on the selected key
   type.

   A key (K) for the DSKPP client to use for encrypting the client
   nonce included with <KeyProvClientNonce>.  K represents the
   server's public key (K_SERVER) or a pre-shared secret key
   (K_SHARED).
[skipping to change at page 28, line 52]

   If successful execution of the protocol will result in the
   replacement of an existing key with a newly generated one, the
   DSKPP client MUST verify the MAC provided in <KeyProvServerHello>.
   The DSKPP client MUST terminate the DSKPP session if the MAC does
   not verify, and MUST delete any nonces, keys, and/or secrets
   associated with the failed run.

   If Status is set to "Continue", the cryptographic module generates
   a random nonce (R_C) using the cryptographic algorithm specified
   in the SAL.  The length of the nonce R_C will depend on the
   selected key type.

   Encrypt R_C using K and the encryption algorithm included in the
   SAL.

The method the DSKPP client MUST use to encrypt R_C:

   If K is equivalent to K_SERVER (i.e., the public key of the DSKPP
   server), then an RSA encryption scheme from PKCS #1 [PKCS-1] MAY
   be used.  In that case the cryptographic module SHOULD verify the
   server's certificate in accordance with [RFC5280] before using it
   to encrypt R_C.

   If K is equivalent to K_SHARED, the DSKPP client MAY use the
   DSKPP-PRF function to avoid dependence on other algorithms.  In
[skipping to change at page 30, line 42]

   Finally, the server generates a key confirmation MAC that the
   client will use to avoid a false "Commit" message that would cause
   the cryptographic module to end up in a state in which the server
   does not recognize the stored key.

The MAC used for key confirmation MUST be calculated as follows:

   msg_hash = SHA-256(msg_1, ..., msg_n)
   dsLen = len(msg_hash)
   MAC = DSKPP-PRF (K_MAC, "MAC 1 computation" || msg_hash, dsLen)

where

   MAC       The DSKPP Pseudo-Random Function defined in Section 3.4.2
             is used to compute the MAC.  The particular realization
             of DSKPP-PRF (e.g., those defined in Appendix D) depends
             on the MAC algorithm contained in the
             <KeyProvServerHello> message.  The MAC MUST be computed
             using the existing MAC key (K_MAC) and a string that is
             formed by concatenating the (ASCII) string "MAC 1
             computation" and msg_hash.

   K_MAC     The key derived from K_PROV, as described in
             Section 4.1.2.

   msg_hash  The message hash (defined in Section 3.4.3) of messages
             msg_1, ..., msg_n.
4.2.5.  KeyProvServerFinished

   DSKPP Client                                     DSKPP Server
   ------------                                     ------------

[skipping to change at page 32, line 41]

This section describes the methods and message flow that comprise the
two-pass protocol variant.  Two-pass DSKPP is essentially a transport
of keying material from the DSKPP server to the DSKPP client.  The
DSKPP server transmits keying material in a key package formatted in
accordance with [PSKC], [SKPC-ASN.1], PKCS#12 [PKCS-12], or PKCS#5
XML [PKCS-5-XML].

The keying material includes a provisioning master key, K_PROV, from
which the DSKPP client derives two keys: the symmetric key to be
established in the cryptographic module, K_TOKEN, and a key, K_MAC,
used for server authentication (in the case of key renewal) and key
confirmation.  The keying material also includes key usage
attributes, such as expiry date and length.

The DSKPP server encrypts K_PROV to ensure that it is not exposed to
any entity other than the DSKPP server and the cryptographic module
itself.  The DSKPP server uses any of three key protection methods to
encrypt K_PROV: the Key Transport, Key Wrap, and Passphrase-Based Key
Wrap key protection methods.

While the DSKPP client and server may negotiate the key protection
method to use, the actual key protection is carried out in the
KeyPackage.  For example, the default KeyPackage format
[skipping to change at page 36, line 5]

   user before the first DSKPP message was sent.

Application note:

   This message MUST send user authentication data (AD) to the DSKPP
   server.  If this message is preceded by the trigger message
   <KeyProvTrigger>, then the application will already have AD
   available (see Section 4.2.1).  However, if this message was not
   preceded by <KeyProvTrigger>, then the application MUST retrieve
   the user authentication code, possibly by prompting the user to
   manually enter their authentication code, e.g., on a device with
   only a numeric keypad.  The application MUST also derive
   Authentication Data (AD) from the authentication code, as
   described in Section 3.4.1, and include it in this message.

What is contained in this message:

   The Security Attribute List (SAL) included with
   <KeyProvClientHello> contains the combinations of DSKPP versions,
   variants, key package formats, key types, and cryptographic
   algorithms that the DSKPP client supports, in order of the
   client's preference (favorite choice first).

   Authentication Data (AD) that was either included with
   <KeyProvTrigger>, or generated as described in the "Application
[skipping to change at page 37, line 49]

   If user authentication passes, the DSKPP server generates a key
   K_PROV, which MUST consist of two parts of equal length, where the
   first half constitutes K_MAC and the second half constitutes
   K_TOKEN, i.e.,

      K_PROV = K_MAC || K_TOKEN

   The length of K_TOKEN (and hence also the length of K_MAC) is
   determined by the type of K_TOKEN, which MUST be one of the key
   types supported by the DSKPP client.  Where the desired key length
   for K_TOKEN differs from the K_MAC length required by the
   underlying MAC algorithm, the greater of the two lengths MUST be
   used for each half when generating K_PROV.  If K_MAC is then
   longer than the MAC algorithm needs, the actual MAC key is the
   truncation of K_MAC; if K_TOKEN is longer than the target key
   algorithm needs, the provisioning server and the receiving client
   must determine the actual secret key length from the target key
   algorithm and store only the truncated portion of K_TOKEN.  In
   both cases the truncation MUST take the beginning bytes of the
   desired length from K_TOKEN or K_MAC as the actual key.  For
   example, when a provisioning server provisions an event-based HOTP
   secret key of length 20 with MAC algorithm DSKPP-PRF-SHA256
   (Appendix D), the K_PROV length will be 64: the derived K_TOKEN
   and K_MAC each consist of 32 bytes, and the actual HOTP key is the
   first 20 bytes of K_TOKEN.
   Once K_PROV is computed, the DSKPP server selects one of the key
   protection methods from the DSKPP client's KPML, and uses that
   method and corresponding payload to encrypt K_PROV.

   The DSKPP server generates a key package to transport the key
   encryption method information and the encrypted provisioning key
   (K_PROV).  The encrypted data format is subject to the choice
   supported by the selected key package.  The key package MUST
   specify and use the selected key protection method and the key
   information that was received in <KeyProvClientHello>.

   The key package also includes key usage attributes such as expiry
   date and length.  The server stores the key package and K_TOKEN
   with a user account on the cryptographic server.

   The server generates a MAC for key confirmation, which the client
   will use to avoid a false "Commit" message that would cause the
   cryptographic module to end up in a state in which the server does
   not recognize the stored key.  In addition, if an existing key is
   being renewed, the server generates a second MAC, which the DSKPP
   client will use to confirm that the replacement key came from a
   trusted server.

The method the DSKPP server MUST use to calculate the key
confirmation MAC:

   msg_hash = SHA-256(msg_1, ..., msg_n)
   dsLen = len(msg_hash)
   MAC = DSKPP-PRF (K_MAC, "MAC 1 computation" || msg_hash ||
                    ServerID, dsLen)
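The K_PROV handling and key confirmation described above carried through in code, as an added example that is not part of the draft.  It covers the equal-halves and truncation rule of this section (the server generating K_PROV, the client splitting it and keeping only the beginning bytes each algorithm needs), the two-pass key confirmation MAC with ServerID given just above, the four-pass form of Section 4.2.4 without ServerID, and the client-side check that terminates the run and discards the key on a mismatch.  The DSKPP-PRF realization (counter-mode HMAC-SHA256) and msg_hash as the SHA-256 of the concatenated messages are assumptions, since Appendix D and Section 3.4.3 are not reproduced in this excerpt; the transcript and server ID are constructed.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Iterable, Optional, Tuple


def dskpp_prf(k: bytes, s: bytes, ds_len: int) -> bytes:
    """ASSUMPTION: counter-mode HMAC-SHA256 standing in for the Appendix D DSKPP-PRF."""
    out, i = b"", 1
    while len(out) < ds_len:
        out += hmac.new(k, struct.pack(">I", i) + s, hashlib.sha256).digest()
        i += 1
    return out[:ds_len]


def generate_k_prov(token_key_len: int, mac_key_len: int) -> bytes:
    """Server side: K_PROV = K_MAC || K_TOKEN, fresh random, both halves the greater of
    the two key lengths (20-byte HOTP key + 32-byte SHA-256 MAC key -> 64 bytes)."""
    half = max(token_key_len, mac_key_len)
    return secrets.token_bytes(2 * half)


def split_k_prov(k_prov: bytes, token_key_len: int, mac_key_len: int) -> Tuple[bytes, bytes]:
    """Return (K_MAC, K_TOKEN) as actually used: first half / second half, each
    truncated to its algorithm's key length by keeping the beginning bytes."""
    if len(k_prov) % 2:
        raise ValueError("K_PROV must split into two equal halves")
    half = len(k_prov) // 2
    if half < max(token_key_len, mac_key_len):
        raise ValueError("K_PROV too short for the negotiated key lengths")
    k_mac, k_token = k_prov[:half], k_prov[half:]
    return k_mac[:mac_key_len], k_token[:token_key_len]


def msg_hash(messages: Iterable[bytes]) -> bytes:
    """msg_hash = SHA-256(msg_1, ..., msg_n).  ASSUMPTION: hash of the concatenated
    messages; Section 3.4.3 is not part of this excerpt."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return h.digest()


def key_confirmation_mac(k_mac: bytes, messages: Iterable[bytes],
                         server_id: Optional[bytes] = None) -> bytes:
    """Four-pass (Section 4.2.4): DSKPP-PRF(K_MAC, "MAC 1 computation" || msg_hash, dsLen).
    Two-pass (this section): the same string with || ServerID appended; pass server_id."""
    mh = msg_hash(messages)
    s = b"MAC 1 computation" + mh + (server_id if server_id is not None else b"")
    return dskpp_prf(k_mac, s, len(mh))


def client_accept_key(k_prov: bytes, token_key_len: int, mac_key_len: int,
                      messages: Iterable[bytes], received_mac: bytes,
                      server_id: Optional[bytes] = None) -> Optional[bytes]:
    """Client side: verify the key confirmation MAC before committing.  Returns the
    actual K_TOKEN on success; None means terminate the run and discard K_PROV and
    everything derived from it."""
    k_mac, k_token = split_k_prov(k_prov, token_key_len, mac_key_len)
    expected = key_confirmation_mac(k_mac, list(messages), server_id)
    if not hmac.compare_digest(expected, received_mac):
        return None
    return k_token


if __name__ == "__main__":
    # Constructed run: 20-byte HOTP key, 32-byte K_MAC for DSKPP-PRF-SHA256, so K_PROV is
    # 64 bytes and the HOTP key is the first 20 bytes of K_TOKEN.
    HOTP_KEY_LEN, MAC_KEY_LEN = 20, 32
    k_prov = generate_k_prov(HOTP_KEY_LEN, MAC_KEY_LEN)
    server_id = b"dskpp.example.net"
    transcript = [b"<KeyProvClientHello .../>", b"<KeyProvServerFinished .../>"]
    k_mac, _ = split_k_prov(k_prov, HOTP_KEY_LEN, MAC_KEY_LEN)
    mac = key_confirmation_mac(k_mac, transcript, server_id)            # server computes
    hotp_key = client_accept_key(k_prov, HOTP_KEY_LEN, MAC_KEY_LEN, transcript, mac, server_id)
    print(len(k_prov), None if hotp_key is None else len(hotp_key))
```

The MAC binds the whole transcript, so a "Commit" whose messages were altered in transit, or a key package copied from a different run or server, fails the check and the client never stores the key; both sides must agree on the truncated lengths, or they will MAC with different keys and the legitimate run fails the same way.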
[skipping to change at page 40, line 28]

   With this message the DSKPP server transports a key package
   containing the encrypted provisioning key (K_PROV) and key usage
   attributes.

What is contained in this message:

   A status attribute equivalent to the server's return code to
   <KeyProvClientHello>.  If the server found an acceptable set of
   attributes from the client's SAL, then it sets status to Success.

   The confirmation message MUST include the Key Package (KP) that
   holds the DSKPP server's ID, key ID, key type, encrypted
   provisioning key (K_PROV), encryption method, and additional
   configuration information.  The default symmetric key package
   format is based on the Portable Symmetric Key Container (PSKC)
   defined in [PSKC].  Alternative formats MAY include [SKPC-ASN.1],
   PKCS#12 [PKCS-12], or PKCS#5 XML [PKCS-5-XML].

   Finally, this message MUST include a MAC that the DSKPP client
   will use for key confirmation.  In addition, this message MUST
   also include a server authentication MAC (AD) if an existing key
   is being replaced.  These MACs are calculated as described in the
   previous section.

How the DSKPP client uses this message:

   After receiving a <KeyProvServerFinished> message with Status =
   "Success", the DSKPP client MUST verify the key confirmation MAC
   and, when an existing key is being replaced, the server
   authentication MAC (AD).  The DSKPP client MUST terminate the
   DSKPP protocol run if either MAC does not verify, and MUST, in
   this case, also delete any nonces, keys, and/or secrets associated
   with the failed run of the protocol.

   If <KeyProvServerFinished> has Status = "Success" and the MACs
[skipping to change at page 45, line 31]

<xs:schema
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
  xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  targetNamespace="urn:ietf:params:xml:ns:keyprov:dskpp"
  elementFormDefault="qualified" attributeFormDefault="unqualified"
  version="1.0">

  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
    schemaLocation=
    "http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
  <xs:import namespace="urn:ietf:params:xml:ns:keyprov:pskc"
    schemaLocation="keyprov-pskc-1.0.xsd"/>

  <xs:complexType name="AbstractRequestType" abstract="true">
    <xs:annotation>
      <xs:documentation> Basic types </xs:documentation>
    </xs:annotation>
    <xs:attribute name="Version" type="dskpp:VersionType"
      use="required"/>
  </xs:complexType>
[skipping to change at page 47, line 40]

    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="KeyProtectionDataType">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        This element is only valid for two-pass DSKPP.
      </xs:documentation>
    </xs:annotation>
    <xs:sequence maxOccurs="unbounded">
      <xs:element name="SupportedKeyProtectionMethod" type="xs:anyURI"/>
      <xs:element name="Payload" type="dskpp:PayloadType" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="PayloadType">
    <xs:choice>
      <xs:element name="Nonce" type="dskpp:NonceType" />
      <xs:any namespace="##other" processContents="strict" />
    </xs:choice>
  </xs:complexType>

  <xs:complexType name="KeyPackagesFormatType">
    <xs:sequence maxOccurs="unbounded">
      <xs:element name="KeyPackageFormat"
        type="dskpp:KeyPackageFormatType"/>
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="KeyPackageFormatType">
    <xs:restriction base="xs:anyURI" />
  </xs:simpleType>
skipping to change at page 48, line 45 skipping to change at page 49, line 19
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="InitializationTriggerType"> <xs:complexType name="InitializationTriggerType">
<xs:sequence> <xs:sequence>
<xs:element minOccurs="0" name="DeviceIdentifierData" <xs:element minOccurs="0" name="DeviceIdentifierData"
type="dskpp:DeviceIdentifierDataType" /> type="dskpp:DeviceIdentifierDataType" />
<xs:element minOccurs="0" name="KeyID" type="xs:base64Binary" /> <xs:element minOccurs="0" name="KeyID" type="xs:base64Binary" />
<xs:element minOccurs="0" name="TokenPlatformInfo" <xs:element minOccurs="0" name="TokenPlatformInfo"
type="dskpp:TokenPlatformInfoType" /> type="dskpp:TokenPlatformInfoType" />
<xs:element name="AuthenticationData" type="dskpp:AuthenticationDataType" /> <xs:element name="AuthenticationData"
type="dskpp:AuthenticationDataType" />
<xs:element minOccurs="0" name="ServerUrl" type="xs:anyURI" /> <xs:element minOccurs="0" name="ServerUrl" type="xs:anyURI" />
<xs:any minOccurs="0" namespace="##other" <xs:any minOccurs="0" namespace="##other"
processContents="strict" /> processContents="strict" />
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="ExtensionsType"> <xs:complexType name="ExtensionsType">
<xs:annotation> <xs:annotation>
<xs:documentation> Extension types </xs:documentation> <xs:documentation> Extension types </xs:documentation>
</xs:annotation> </xs:annotation>
<xs:sequence maxOccurs="unbounded"> <xs:sequence maxOccurs="unbounded">
<xs:element name="Extension" type="dskpp:AbstractExtensionType" /> <xs:element name="Extension" type="dskpp:AbstractExtensionType" />
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
<xs:complexType name="AbstractExtensionType" abstract="true"> <xs:complexType name="AbstractExtensionType" abstract="true">
[skipping to change at page 53, line 35]

interoperate, the DSKPP server:

   a.  MUST implement the four-pass variation of the protocol
       (Section 4)
   b.  MUST implement the two-pass variation of the protocol
       (Section 5)
   c.  MUST support user authentication (Section 3.2.1)
   d.  MUST support the following key derivation functions:
       *  DSKPP-PRF-AES DSKPP-PRF realization (Appendix D)
       *  DSKPP-PRF-SHA256 DSKPP-PRF realization (Appendix D)
   e.  MUST support the following encryption mechanisms for
       protection of the client nonce in the four-pass protocol:
       *  Mechanism described in Section 4.2.4
   f.  MUST support one of the following encryption algorithms for
       symmetric key operations, e.g., key wrap:
       *  KW-AES128 without padding; refer to
          http://www.w3.org/2001/04/xmlenc#kw-aes128 in [XMLENC]
       *  KW-AES128 with padding; refer to
skipping to change at page 60, line 45 skipping to change at page 61, line 25
the AC format). The passphrase SHOULD be selected well, and usage
guidelines such as the ones in [NIST-PWD] SHOULD be taken into
account.
o A different passphrase SHOULD be used for every key initialization
wherever possible (the use of a global passphrase for a batch of
cryptographic modules SHOULD be avoided, for example). One way to
achieve this is to use randomly-generated passphrases.
o The passphrase SHOULD be protected well if stored on the server
and/or on the cryptographic module and SHOULD be delivered to the
device's user using secure methods.
o User pre-authentication SHOULD be implemented to ensure that
K_TOKEN is not delivered to a rogue recipient.
o The iteration count in PBKDF2 SHOULD be high to impose more work
for an attacker using brute-force methods (see [PKCS-5] for
recommendations). However, it MUST be noted that the higher the
count, the more work is required on the legitimate cryptographic
module to decrypt the newly delivered K_TOKEN. Servers MAY use
relatively low iteration counts to accommodate devices with
limited processing power, such as some PDAs and cell phones, when
other security measures are implemented and the security of the
passphrase-based key wrap method is not weakened.
January 2009)
We would also like to thank the following for their input to selected
design aspects of the DSKPP protocol:
o Anders Rundgren (Key Package Format and Client Authentication
Data)
o Thomas Roessler (HTTP Binding)
o Hannes Tschofenig (HTTP Binding)
o Phillip Hallam-Baker (Registry for Algorithms)
o N. Asokan (original observation of weakness in Authentication
Data)
Finally, we would like to thank Robert Griffin for opening
communication channels for us with the IEEE P1619.3 Key Management
Group, and facilitating our groups in staying informed of potential
areas of collaboration (esp. key provisioning and global key
identifiers).
16. References
16.1. Normative references
Appendix B. Examples
This appendix contains example messages that illustrate parameters,
encoding, and semantics in four- and two-pass DSKPP exchanges. The
examples are written using XML, and are syntactically correct. MAC
and cipher values, however, are fictitious. This appendix forms an
informative part of the document.
B.1. Trigger Message
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvTrigger Version="1.0" <dskpp:KeyProvTrigger Version="1.0"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"> xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">
<dskpp:InitializationTrigger> <dskpp:InitializationTrigger>
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <pskc:SerialNo>987654321</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:StartDate>2009-09-01Z</pskc:StartDate>
</dskpp:DeviceId> <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
</dskpp:DeviceId>
</dskpp:DeviceIdentifierData> </dskpp:DeviceIdentifierData>
<dskpp:KeyID>SE9UUDAwMDAwMDAx</dskpp:KeyID> <dskpp:KeyID>SE9UUDAwMDAwMDAx</dskpp:KeyID>
<dskpp:TokenPlatformInfo KeyLocation="Hardware" <dskpp:TokenPlatformInfo KeyLocation="Hardware"
AlgorithmLocation="Software"/> AlgorithmLocation="Software"/>
<dskpp:AuthenticationData> <dskpp:AuthenticationData>
<dskpp:ClientID>31300257</dskpp:ClientID> <dskpp:ClientID>31300257</dskpp:ClientID>
<dskpp:AuthenticationCodeMac> <dskpp:AuthenticationCodeMac>
<dskpp:IterationCount>512</dskpp:IterationCount> <dskpp:IterationCount>512</dskpp:IterationCount>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> <dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationCodeMac> </dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData> </dskpp:AuthenticationData>
<dskpp:ServerUrl>https://www.somekeyprovservice.com/ <dskpp:ServerUrl>https://www.somekeyprovservice.com/
</dskpp:ServerUrl> </dskpp:ServerUrl>
</dskpp:InitializationTrigger> </dskpp:InitializationTrigger>
</dskpp:KeyProvTrigger> </dskpp:KeyProvTrigger>
B.2. Four-Pass Protocol
B.2.1. <KeyProvClientHello> Without a Preceding Trigger
<?xml version="1.0" encoding="UTF-8"?> B.2.1. <KeyProvClientHello> Without a Preceding Trigger
<dskpp:KeyProvClientHello Version="1.0" <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" <dskpp:KeyProvClientHello
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
<dskpp:DeviceIdentifierData> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
<dskpp:DeviceId> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> Version="1.0">
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <dskpp:DeviceIdentifierData>
<pskc:Model>U2</pskc:Model> <dskpp:DeviceId>
</dskpp:DeviceId> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
</dskpp:DeviceIdentifierData> <pskc:SerialNo>987654321</pskc:SerialNo>
<dskpp:SupportedKeyTypes> <pskc:StartDate>2009-09-01Z</pskc:StartDate>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
</dskpp:Algorithm> </dskpp:DeviceId>
<dskpp:Algorithm>http://www.rsa.com/rsalabs/otps/schemas/2005/09/ </dskpp:DeviceIdentifierData>
otps-wst#SecurID-AES</dskpp:Algorithm> <dskpp:SupportedKeyTypes>
</dskpp:SupportedKeyTypes> <dskpp:Algorithm>
<dskpp:SupportedEncryptionAlgorithms> urn:ietf:params:xml:ns:keyprov:pskc#hotp
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 </dskpp:Algorithm>
</dskpp:Algorithm> <dskpp:Algorithm>
<dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedEncryptionAlgorithms> </dskpp:SupportedKeyTypes>
<dskpp:SupportedMacAlgorithms> <dskpp:SupportedEncryptionAlgorithms>
<dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 <dskpp:Algorithm>
</dskpp:Algorithm> http://www.w3.org/2001/04/xmlenc#aes128-cbc
</dskpp:SupportedMacAlgorithms> </dskpp:Algorithm>
<dskpp:SupportedProtocolVariants><dskpp:FourPass/> </dskpp:SupportedEncryptionAlgorithms>
<dskpp:SupportedMacAlgorithms>
<dskpp:Algorithm>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256
</dskpp:Algorithm>
</dskpp:SupportedMacAlgorithms>
<dskpp:SupportedProtocolVariants>
<dskpp:FourPass xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns6="http://www.w3.org/2001/XMLSchema" xsi:type="ns6:string">
</dskpp:FourPass>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyPackages> <dskpp:SupportedKeyPackages>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
</dskpp:SupportedKeyPackages> </dskpp:SupportedKeyPackages>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
B.2.2. <KeyProvClientHello> Assuming a Preceding Trigger
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?xml version="1.0" encoding="UTF-8"?> <dskpp:KeyProvClientHello
<dskpp:KeyProvClientHello Version="1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
<dskpp:DeviceIdentifierData> Version="1.0">
<dskpp:DeviceId> <dskpp:DeviceIdentifierData>
<pskc:Manufacturer>ManufacturerABC</pskc:Manufacturer> <dskpp:DeviceId>
<pskc:SerialNo>XL0000000001234</pskc:SerialNo> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:Model>U2</pskc:Model> <pskc:SerialNo>987654321</pskc:SerialNo>
</dskpp:DeviceId> <pskc:StartDate>2009-09-01Z</pskc:StartDate>
</dskpp:DeviceIdentifierData> <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
<dskpp:KeyID>SE9UUDAwMDAwMDAx</dskpp:KeyID> </dskpp:DeviceId>
<dskpp:SupportedKeyTypes> </dskpp:DeviceIdentifierData>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp</dskpp:Algorithm> <dskpp:KeyID>SE9UUDAwMDAwMDAx</dskpp:KeyID>
<dskpp:Algorithm>http://www.rsa.com/rsalabs/otps/schemas/2005/09/ <dskpp:SupportedKeyTypes>
otps-wst#SecurID-AES</dskpp:Algorithm> <dskpp:Algorithm>
</dskpp:SupportedKeyTypes> urn:ietf:params:xml:ns:keyprov:pskc#hotp
<dskpp:SupportedEncryptionAlgorithms> </dskpp:Algorithm>
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 <dskpp:Algorithm>
</dskpp:Algorithm> http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES
<dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 </dskpp:Algorithm>
</dskpp:Algorithm> </dskpp:SupportedKeyTypes>
</dskpp:SupportedEncryptionAlgorithms> <dskpp:SupportedEncryptionAlgorithms>
<dskpp:SupportedMacAlgorithms> <dskpp:Algorithm>
<dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.w3.org/2001/04/xmlenc#aes128-cbc
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedMacAlgorithms> </dskpp:SupportedEncryptionAlgorithms>
<dskpp:SupportedProtocolVariants><dskpp:FourPass/> <dskpp:SupportedMacAlgorithms>
<dskpp:Algorithm>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256
</dskpp:Algorithm>
</dskpp:SupportedMacAlgorithms>
<dskpp:SupportedProtocolVariants>
<dskpp:FourPass xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns6="http://www.w3.org/2001/XMLSchema" xsi:type="ns6:string">
</dskpp:FourPass>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyPackages> <dskpp:SupportedKeyPackages>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
</dskpp:SupportedKeyPackages> </dskpp:SupportedKeyPackages>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
B.2.3. <KeyProvServerHello> Without a Preceding Trigger
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvServerHello Version="1.0" SessionID="4114" Status="Continue" <dskpp:KeyProvServerHello
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
<dskpp:KeyType> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES Version="1.0"
</dskpp:KeyType> Status="Continue"
<dskpp:EncryptionAlgorithm> SessionID="4114">
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 <dskpp:KeyType>
</dskpp:EncryptionAlgorithm> urn:ietf:params:xml:ns:keyprov:pskc#hotp
<dskpp:MacAlgorithm> </dskpp:KeyType>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 <dskpp:EncryptionAlgorithm>
</dskpp:MacAlgorithm> http://www.w3.org/2001/04/xmlenc#aes128-cbc
<dskpp:EncryptionKey> </dskpp:EncryptionAlgorithm>
<ds:KeyName>KEY-1</ds:KeyName> <dskpp:MacAlgorithm>
</dskpp:EncryptionKey> http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256
<dskpp:KeyPackageFormat> </dskpp:MacAlgorithm>
urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer <dskpp:EncryptionKey>Example-Key1</dskpp:EncryptionKey>
</dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
<dskpp:Payload> urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
<dskpp:Nonce>qw2ewasde312asder394jw==</dskpp:Nonce> </dskpp:KeyPackageFormat>
</dskpp:Payload> <dskpp:Payload>
</dskpp:KeyProvServerHello> <dskpp:Nonce>EjRWeJASNFZ4kBI0VniQEg==</dskpp:Nonce>
</dskpp:Payload>
</dskpp:KeyProvServerHello>
B.2.4. <KeyProvServerHello> Assuming Key Renewal
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvServerHello Version="1.0" SessionID="4114" <dskpp:KeyProvServerHello
Status="Continue"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Version="1.0"
SessionID="4114"
Status="Continue">
<dskpp:KeyType> <dskpp:KeyType>
urn:ietf:params:xml:schema:keyprov:otpalg#SecurID-AES urn:ietf:params:xml:schema:keyprov:otpalg#SecurID-AES
</dskpp:KeyType> </dskpp:KeyType>
<dskpp:EncryptionAlgorithm> <dskpp:EncryptionAlgorithm>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.w3.org/2001/04/xmlenc#aes128-cbc
</dskpp:EncryptionAlgorithm> </dskpp:EncryptionAlgorithm>
<dskpp:MacAlgorithm> <dskpp:MacAlgorithm>
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256
</dskpp:MacAlgorithm> </dskpp:MacAlgorithm>
<dskpp:EncryptionKey> <dskpp:EncryptionKey>Example-Key1</dskpp:EncryptionKey>
<ds:KeyName>KEY-1</ds:KeyName>
</dskpp:EncryptionKey>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
<dskpp:Payload> <dskpp:Payload>
<dskpp:Nonce>qw2ewasde312asder394jw==</dskpp:Nonce> <dskpp:Nonce>qw2ewasde312asder394jw==</dskpp:Nonce>
</dskpp:Payload> </dskpp:Payload>
<dskpp:Mac <dskpp:Mac
MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128"> MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
cXcycmFuZG9tMzEyYXNkZXIzOTRqdw== cXcycmFuZG9tMzEyYXNkZXIzOTRqdw==
</dskpp:Mac> </dskpp:Mac>
</dskpp:KeyProvServerHello> </dskpp:KeyProvServerHello>
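Review bot: in the -09 version of this message the <dskpp:MacAlgorithm> element negotiates http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256, but the MacAlgorithm attribute on the trailing <dskpp:Mac> element still reads http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128, so the two halves of the same example disagree about which PRF produced the MAC; a client that verifies the server's MAC with the algorithm named on the Mac element would compute it with the wrong PRF and reject the renewal. Make the attribute match the negotiated value (MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256"), as the B.2.6 example already does, and reconsider the KeyType URI urn:ietf:params:xml:schema:keyprov:otpalg#SecurID-AES, which differs from the otps-wst#SecurID-AES URI the other examples use for the same key type.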
B.2.5. <KeyProvClientNonce> Using Default Encryption
This message contains the nonce chosen by the cryptographic module,
R_C, encrypted by the specified encryption key and encryption
algorithm.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvClientNonce Version="1.0" SessionID="4114" <dskpp:KeyProvClientNonce
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"> xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
<dskpp:EncryptedNonce>VXENc+Um/9/NvmYKiHDLaErK0gk= xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
SessionID="4114"
Version="1.0">
<dskpp:EncryptedNonce>
oTvo+S22nsmS2Z/RtcoF8CTwadRa1PVsRXkZnCihHkU1rPueggrd0NpEWVZR16Rg16+
FHuTg33GK1wH3wffDZQ==
</dskpp:EncryptedNonce> </dskpp:EncryptedNonce>
<dskpp:AuthenticationData>
<dskpp:ClientID>31300257</dskpp:ClientID>
<dskpp:AuthenticationCodeMac>
<dskpp:IterationCount>512</dskpp:IterationCount>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData>
</dskpp:KeyProvClientNonce> </dskpp:KeyProvClientNonce>
B.2.6. <KeyProvServerFinished> Using Default Encryption
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?xml version="1.0" encoding="UTF-8"?> <dskpp:KeyProvServerFinished
<dskpp:KeyProvServerFinished Version="1.0" SessionID="4114" Status="Success" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
<dskpp:KeyPackage> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc"> Version="1.0"
<KeyPackage> Status="Success"
<DeviceInfo> SessionID="4114">
<Manufacturer>Manufacturer</Manufacturer> <dskpp:KeyPackage>
<SerialNo>987654321</SerialNo> <dskpp:KeyContainer Version="1.0" Id="KC0001">
</DeviceInfo> <pskc:KeyPackage>
<CryptoModuleInfo> <pskc:DeviceInfo>
<Id>CM_ID_001</Id> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
</CryptoModuleInfo> <pskc:SerialNo>987654321</pskc:SerialNo>
<Key Id="12345678" <pskc:StartDate>2009-09-01Z</pskc:StartDate>
Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#totp"> <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
<Issuer>Issuer</Issuer> </pskc:DeviceInfo>
<AlgorithmParameters> <pskc:CryptoModuleInfo>
<ResponseFormat Length="8" Encoding="DECIMAL"/> <pskc:Id>CM_ID_001</pskc:Id>
</AlgorithmParameters> </pskc:CryptoModuleInfo>
<Data> <pskc:Key
<Time> Id="MBK000000001"
<PlainValue>0</PlainValue> Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
</Time> <pskc:Issuer>Example-Issuer</pskc:Issuer>
</Data> <pskc:AlgorithmParameters>
<Policy> <pskc:ResponseFormat Length="6" Encoding="DECIMAL"/>
<PINPolicy MinLength="4" MaxLength="4" </pskc:AlgorithmParameters>
PINKeyId="123456781" PINEncoding="DECIMAL" <pskc:Data>
PINUsageMode="Local"/> <pskc:Counter>
<KeyUsage>OTP</KeyUsage> <pskc:PlainValue>0</pskc:PlainValue>
</Policy> </pskc:Counter>
</Key> </pskc:Data>
</KeyPackage> <pskc:Policy>
</KeyContainer> <pskc:KeyUsage>OTP</pskc:KeyUsage>
</dskpp:KeyPackage> </pskc:Policy>
<dskpp:Mac </pskc:Key>
MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128"> </pskc:KeyPackage>
miidfasde312asder394jw== </dskpp:KeyContainer>
</dskpp:Mac> </dskpp:KeyPackage>
<dskpp:Mac
MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256">
151yAR2NqU5dJzETK+SGYqN6sq6DEH5AgHohra3Jpp4=
</dskpp:Mac>
</dskpp:KeyProvServerFinished> </dskpp:KeyProvServerFinished>
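Review bot: the key package root changed from <KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc"> in -08 to <dskpp:KeyContainer Version="1.0" Id="KC0001"> in -09, while every child remains a pskc: element and the negotiated KeyPackageFormat is urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer; a receiver that validates the delivered key package against the PSKC schema before installing K_TOKEN will reject a KeyContainer in the DSKPP namespace. Keep the element as pskc:KeyContainer.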
B.3. Two-Pass Protocol
B.3.1. Example Using the Key Transport Method
The client indicates support for all the Key Transport, Key Wrap, and
Passphrase-Based Key Wrap key protection methods:
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvClientHello Version="1.0" <dskpp:KeyProvClientHello
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
<dskpp:DeviceIdentifierData> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
<dskpp:DeviceId> Version="1.0">
<pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer> <dskpp:DeviceIdentifierData>
<pskc:SerialNo>987654321</pskc:SerialNo> <dskpp:DeviceId>
<pskc:Model>U2</pskc:Model> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
</dskpp:DeviceId> <pskc:SerialNo>987654321</pskc:SerialNo>
</dskpp:DeviceIdentifierData> <pskc:StartDate>2009-09-01Z</pskc:StartDate>
<dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce> <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
<dskpp:SupportedKeyTypes> </dskpp:DeviceId>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp </dskpp:DeviceIdentifierData>
</dskpp:Algorithm> <dskpp:SupportedKeyTypes>
<dskpp:Algorithm> <dskpp:Algorithm>
http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES urn:ietf:params:xml:ns:keyprov:pskc#hotp
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedKeyTypes> <dskpp:Algorithm>
<dskpp:SupportedEncryptionAlgorithms> http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 </dskpp:Algorithm>
</dskpp:Algorithm> </dskpp:SupportedKeyTypes>
<dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128 <dskpp:SupportedEncryptionAlgorithms>
</dskpp:Algorithm> <dskpp:Algorithm>
<dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 http://www.w3.org/2001/04/xmlenc#rsa_1_5
</dskpp:Algorithm> </dskpp:Algorithm>
</dskpp:SupportedEncryptionAlgorithms> </dskpp:SupportedEncryptionAlgorithms>
<dskpp:SupportedMacAlgorithms> <dskpp:SupportedMacAlgorithms>
<dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 <dskpp:Algorithm>
</dskpp:Algorithm> http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256
</dskpp:SupportedMacAlgorithms> </dskpp:Algorithm>
<dskpp:SupportedProtocolVariants> </dskpp:SupportedMacAlgorithms>
<dskpp:TwoPass> <dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyProtectionMethod> <dskpp:TwoPass>
urn:ietf:params:xml:schema:keyprov:dskpp#transport <dskpp:SupportedKeyProtectionMethod>
</dskpp:SupportedKeyProtectionMethod> urn:ietf:params:xml:schema:keyprov:dskpp#transport
<dskpp:Payload> </dskpp:SupportedKeyProtectionMethod>
<ds:KeyInfo xsi:type="ds:KeyInfoType"> <dskpp:Payload>
<ds:X509Data> <ds:KeyInfo>
<ds:X509Certificate> <ds:X509Data>
MIIB5zCCAVCgAwIBAgIESZp/vDANBgkqhkiG9w0BAQUFADA4M <ds:X509Certificate>
Q0wCwYDVQQKEwRJRVRGMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIF MIIB5zCCAVCgAwIBAgIESZp/vDANBgkqhkiG9w0BAQUFADA4MQ0wCwYDVQQKEwRJRVRGMRMwEQY
Rlc3QwHhcNMDkwMjE3MDkxMzMyWhcNMTEwMjE3MDkxMzMyWjA4MQ0wCwYDVQQKEwRJRVR DVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIFRlc3QwHhcNMDkwMjE3MDkxMzMyWhcNMT
GMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIFRlc3QwgZ8wDQYJKoZI EwMjE3MDkxMzMyWjA4MQ0wCwYDVQQKEwRJRVRGMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDV
hvcNAQEBBQADgY0AMIGJAoGBALCWLDa2ItYJ6su80hd1gL4cggQYdyyKK17btt/aS6Q/e QQDEwlQU0tDIFRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALCWLDa2ItYJ6su80hd1
DsKjsPyFIODsxeKVV/uA3wLT4jQJM5euKJXkDajzGGOy92+ypfzTX4zDJMkh61SZwlHNJ gL4cggQYdyyKK17btt/aS6Q/eDsKjsPyFIODsxeKVV/uA3wLT4jQJM5euKJXkDajzGGOy92+ypf
xBKilAM5aW7C+BQ0RvCxvdYtzx2LTdB+X/KMEBA7uIYxLfXH2Mnub3WIh1AgMBAAEwDQY zTX4zDJMkh61SZwlHNJxBKilAM5aW7C+BQ0RvCxvdYtzx2LTdB+X/KMEBA7uIYxLfXH2Mnub3WI
JKoZIhvcNAQEFBQADgYEAe875m84sYUJ8qPeZ+NG7REgTvlHTmoCdoByU0LBBLotUKuqf h1AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAe875m84sYUJ8qPeZ+NG7REgTvlHTmoCdoByU0LBBL
rnRuXJRMeZXaaEGmzY1kLonVjQGzjAkU4dJ+RPmiDlYuHLZS41Pg6VMwY+03lhk6I5A/w otUKuqfrnRuXJRMeZXaaEGmzY1kLonVjQGzjAkU4dJ+RPmiDlYuHLZS41Pg6VMwY+03lhk6I5A/
4rnqdkmwZX/NgXg06alnc2pBsXWhL4O7nk0S2ZrLMsQZ6HcsXgdmHo= w4rnqdkmwZX/NgXg06alnc2pBsXWhL4O7nk0S2ZrLMsQZ6HcsXgdmHo=
</ds:X509Certificate> </ds:X509Certificate>
</ds:X509Data> </ds:X509Data>
</ds:KeyInfo> </ds:KeyInfo>
</dskpp:Payload> </dskpp:Payload>
</dskpp:TwoPass> </dskpp:TwoPass>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedProtocolVariants>
<dskpp:SupportedKeyPackages> <dskpp:SupportedKeyPackages>
<dskpp:KeyPackageFormat> <dskpp:KeyPackageFormat>
urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:KeyPackageFormat> </dskpp:KeyPackageFormat>
</dskpp:SupportedKeyPackages> </dskpp:SupportedKeyPackages>
<dskpp:AuthenticationData> <dskpp:AuthenticationData>
<dskpp:ClientID>31300257</dskpp:ClientID> <dskpp:ClientID>AC00000A</dskpp:ClientID>
<dskpp:AuthenticationCodeMac> <dskpp:AuthenticationCodeMac>
<dskpp:IterationCount>512</dskpp:IterationCount> <dskpp:Nonce>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> ESIzRFVmd4iZqrvM3e7/ESIzRFVmd4iZqrvM3e7/ESI=
</dskpp:AuthenticationCodeMac> </dskpp:Nonce>
</dskpp:AuthenticationData> <dskpp:IterationCount>100000</dskpp:IterationCount>
<dskpp:Mac
MacAlgorithm=
"http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256">
3eRz51ILqiG+dJW2iLcjuA==
</dskpp:Mac>
</dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
In this example, the server responds to the previous request by
returning a key package in which the provisioning key was encrypted
using the Key Transport key protection method.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvServerFinished Version="1.0" SessionID="4114" <dskpp:KeyProvServerFinished
Status="Success" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> xmlns:dkey="http://www.w3.org/2009/xmlsec-derivedkey#"
<dskpp:KeyPackage> xmlns:pkcs5="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"
<dskpp:ServerID>https://www.somedskppservice.com/</dskpp:ServerID> Version="1.0"
<dskpp:KeyProtectionMethod> Status="Success"
urn:ietf:params:xml:schema:keyprov:dskpp#transport SessionID="4114">
</dskpp:KeyProtectionMethod> <dskpp:KeyPackage>
<KeyContainer Version="1.0" <dskpp:KeyContainer Version="1.0" Id="KC0001">
xmlns="urn:ietf:params:xml:ns:keyprov:pskc"> <pskc:EncryptionKey>
<EncryptionKey> <ds:X509Data>
<ds:X509Data> <ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</pskc:EncryptionKey>
<pskc:KeyPackage>
<pskc:DeviceInfo>
<pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:SerialNo>987654321</pskc:SerialNo>
<pskc:StartDate>2009-09-01Z</pskc:StartDate>
<pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
</pskc:DeviceInfo>
<pskc:Key
Id="MBK000000001"
Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
<pskc:Issuer>Example-Issuer</pskc:Issuer>
<pskc:AlgorithmParameters>
<pskc:ResponseFormat Length="6" Encoding="DECIMAL"/>
</pskc:AlgorithmParameters>
<pskc:Data>
<pskc:Secret>
<pskc:EncryptedValue>
<xenc:EncryptionMethod
Algorithm=
"http://www.w3.org/2001/04/xmlenc#rsa_1_5"
/>
<xenc:CipherData>
<xenc:CipherValue>
eyjr23WMy9S2UdKgGnQEbs44T1jmX1TNWEBq48xfS20PK2VWF4ZK1iSctHj/u3uk+7+y8uKrAzH
Em5mujKPAU4DCbb5mSibXMnAbbIoAi2cJW60/l8FlzwaU4EZsZ1LyQ1GcBQKACEeylG5vK8NTo4
7vZTatL5UxmbmOX2HvaVQ=
</xenc:CipherValue>
<ds:X509Certificate>MIIB5zCCAVCgAwIBAgIESZp/vDANBgkqhkiG9w0BAQUFADA4M </xenc:CipherData>
Q0wCwYDVQQKEwRJRVRGMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIF </pskc:EncryptedValue>
Rlc3QwHhcNMDkwMjE3MDkxMzMyWhcNMTEwMjE3MDkxMzMyWjA4MQ0wCwYDVQQKEwRJRVR </pskc:Secret>
GMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIFRlc3QwgZ8wDQYJKoZI <pskc:Counter>
hvcNAQEBBQADgY0AMIGJAoGBALCWLDa2ItYJ6su80hd1gL4cggQYdyyKK17btt/aS6Q/e <pskc:PlainValue>0</pskc:PlainValue>
DsKjsPyFIODsxeKVV/uA3wLT4jQJM5euKJXkDajzGGOy92+ypfzTX4zDJMkh61SZwlHNJ </pskc:Counter>
xBKilAM5aW7C+BQ0RvCxvdYtzx2LTdB+X/KMEBA7uIYxLfXH2Mnub3WIh1AgMBAAEwDQY </pskc:Data>
JKoZIhvcNAQEFBQADgYEAe875m84sYUJ8qPeZ+NG7REgTvlHTmoCdoByU0LBBLotUKuqf <pskc:Policy>
rnRuXJRMeZXaaEGmzY1kLonVjQGzjAkU4dJ+RPmiDlYuHLZS41Pg6VMwY+03lhk6I5A/w <pskc:KeyUsage>OTP</pskc:KeyUsage>
4rnqdkmwZX/NgXg06alnc2pBsXWhL4O7nk0S2ZrLMsQZ6HcsXgdmHo= </pskc:Policy>
</ds:X509Certificate> </pskc:Key>
</ds:X509Data> </pskc:KeyPackage>
</EncryptionKey> </dskpp:KeyContainer>
<KeyPackage> </dskpp:KeyPackage>
<DeviceInfo> <dskpp:Mac
<Manufacturer>TokenVendorAcme</Manufacturer> MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256">
<SerialNo>987654321</SerialNo> GHZ0H6Y+KpxdlVZ7zgcJDiDdqc8Gcmlcf+HQi4EUxYU=
</DeviceInfo> </dskpp:Mac>
<Key
Id="MBK000000001"
Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
<Issuer>Example-Issuer</Issuer>
<AlgorithmParameters>
<ResponseFormat Length="6" Encoding="DECIMAL"/>
</AlgorithmParameters>
<Data>
<Secret>
<EncryptedValue>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa_1_5"/>
<xenc:CipherData>
<xenc:CipherValue>hJ+fvpoMPMO9BYpK2rdyQYGIxiATYHTHC7e/sPLKYo5/r1v+4
xTYG3gJolCWuVMydJ7Ta0GaiBPHcWa8ctCVYmHKfSz5fdeV5nqbZApe6dofTqhRwZK6
Yx4ufevi91cjN2vBpSxYafvN3c3+xIgk0EnTV4iVPRCR0rBwyfFrPc4=
</xenc:CipherValue>
</xenc:CipherData>
</EncryptedValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
</Data>
</Key>
</KeyPackage>
</KeyContainer>
</dskpp:KeyPackage>
<dskpp:Mac
MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128">
miidfasde312asder394jw==
</dskpp:Mac>
<dskpp:AuthenticationData>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationData>
</dskpp:KeyProvServerFinished> </dskpp:KeyProvServerFinished>
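Review bot: <dskpp:KeyContainer Version="1.0" Id="KC0001"> in the -09 text wraps pskc: children (pskc:EncryptionKey, pskc:KeyPackage) although the client negotiated the key package format urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer, and the -08 text correctly placed the container in the pskc namespace; a receiver that checks the package against the PSKC schema before installing K_TOKEN will reject it. Use pskc:KeyContainer.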
B.3.2. Example Using the Key Wrap Method
The client sends a request that specifies a shared key to protect the
K_TOKEN, and the server responds using the Key Wrap key protection
method. Authentication data in this example is based on an
authentication code rather than a device certificate.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvClientHello Version="1.0" <dskpp:KeyProvClientHello
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:pkcs-5= xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"> Version="1.0">
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:SerialNo>987654321</pskc:SerialNo> <pskc:SerialNo>987654321</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:StartDate>2009-09-01Z</pskc:StartDate>
</dskpp:DeviceId> <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
</dskpp:DeviceIdentifierData> </dskpp:DeviceId>
<dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce> </dskpp:DeviceIdentifierData>
<dskpp:SupportedKeyTypes> <dskpp:SupportedKeyTypes>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp <dskpp:Algorithm>
</dskpp:Algorithm> urn:ietf:params:xml:ns:keyprov:pskc#hotp
<dskpp:Algorithm>http://www.rsa.com/rsalabs/otps/schemas/2005/09/ </dskpp:Algorithm>
otps-wst#SecurID-AES</dskpp:Algorithm> <dskpp:Algorithm>
</dskpp:SupportedKeyTypes> http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES
<dskpp:SupportedEncryptionAlgorithms> </dskpp:Algorithm>
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 </dskpp:SupportedKeyTypes>
</dskpp:Algorithm> <dskpp:SupportedEncryptionAlgorithms>
<dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128 <dskpp:Algorithm>
</dskpp:Algorithm> http://www.w3.org/2001/04/xmlenc#aes128-cbc
<dskpp:Algorithm>http://www.rsasecurity.com/rsalabs/pkcs/schemas/ </dskpp:Algorithm>
pkcs-5#pbes2</dskpp:Algorithm> </dskpp:SupportedEncryptionAlgorithms>
<dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 <dskpp:SupportedMacAlgorithms>
</dskpp:Algorithm> <dskpp:Algorithm>
</dskpp:SupportedEncryptionAlgorithms> http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256
<dskpp:SupportedMacAlgorithms> </dskpp:Algorithm>
<dskpp:Algorithm>http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 </dskpp:SupportedMacAlgorithms>
</dskpp:Algorithm> <dskpp:SupportedProtocolVariants>
<dskpp:TwoPass>
</dskpp:SupportedMacAlgorithms> <dskpp:SupportedKeyProtectionMethod>
<dskpp:SupportedProtocolVariants> urn:ietf:params:xml:schema:keyprov:dskpp#wrap
<dskpp:TwoPass> </dskpp:SupportedKeyProtectionMethod>
<dskpp:SupportedKeyProtectionMethod> <dskpp:Payload>
urn:ietf:params:xml:schema:keyprov:dskpp#wrap <ds:KeyInfo>Pre-shared-key-1</ds:KeyInfo>
</dskpp:SupportedKeyProtectionMethod> </dskpp:Payload>
<dskpp:Payload> </dskpp:TwoPass>
<ds:KeyInfo xsi:type="ds:KeyInfoType"> </dskpp:SupportedProtocolVariants>
<ds:KeyName>Pre-shared-key</ds:KeyName> <dskpp:SupportedKeyPackages>
</ds:KeyInfo> <dskpp:KeyPackageFormat>
</dskpp:Payload> urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
</dskpp:TwoPass> </dskpp:KeyPackageFormat>
</dskpp:SupportedProtocolVariants> </dskpp:SupportedKeyPackages>
<dskpp:SupportedKeyPackages> <dskpp:AuthenticationData>
<dskpp:KeyPackageFormat> <dskpp:ClientID>AC00000A</dskpp:ClientID>
urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer <dskpp:AuthenticationCodeMac>
</dskpp:KeyPackageFormat> <dskpp:Nonce>
</dskpp:SupportedKeyPackages> ESIzRFVmd4iZqrvM3e7/ESIzRFVmd4iZqrvM3e7/ESI=
<dskpp:AuthenticationData> </dskpp:Nonce>
<dskpp:ClientID>31300257</dskpp:ClientID> <dskpp:IterationCount>1</dskpp:IterationCount>
<dskpp:AuthenticationCodeMac> <dskpp:Mac
<dskpp:IterationCount>512</dskpp:IterationCount> MacAlgorithm=
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> "http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256">
</dskpp:AuthenticationCodeMac> 3eRz51ILqiG+dJW2iLcjuA==
</dskpp:AuthenticationData> </dskpp:Mac>
</dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
In this example, the server responds to the previous request by
returning a key package in which the provisioning key was encrypted
using the Key Wrap key protection method.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvServerFinished Version="1.0" Status="Success" <dskpp:KeyProvServerFinished
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
<dskpp:KeyPackage> xmlns:dkey="http://www.w3.org/2009/xmlsec-derivedkey#"
<dskpp:ServerID>https://www.somedskppservice.com/</dskpp:ServerID> xmlns:pkcs5=
<dskpp:KeyProtectionMethod> "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"
urn:ietf:params:xml:schema:keyprov:dskpp#wrap Version="1.0"
</dskpp:KeyProtectionMethod> Status="Success"
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc"> SessionID="4114">
<EncryptionKey> <dskpp:KeyPackage>
<ds:KeyName>Pre-shared-key</ds:KeyName> <dskpp:KeyContainer Version="1.0" Id="KC0001">
</EncryptionKey> <pskc:EncryptionKey>Pre-shared-key-1</pskc:EncryptionKey>
<MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"> <pskc:MACMethod
<MACKey> Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
<xenc:EncryptionMethod <pskc:MACKey>
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <xenc:EncryptionMethod
<xenc:CipherData> Algorithm=
<xenc:CipherValue> "http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
R8+5I6m74doa0nRhaPejbt3elq9hLPGvxHgXVlYpbgA= <xenc:CipherData>
</xenc:CipherValue> <xenc:CipherValue>
</xenc:CipherData> 2GTTnLwM3I4e5IO5FkufoMUBJBuAf25hARFv0Z7MFk9Ecdb04PWY/qaeCbrgz7Es
</MACKey> </xenc:CipherValue>
</MACMethod> </xenc:CipherData>
<KeyPackage> </pskc:MACKey>
<DeviceInfo> </pskc:MACMethod>
<Manufacturer>Manufacturer</Manufacturer> <pskc:KeyPackage>
<SerialNo>987654321</SerialNo> <pskc:DeviceInfo>
</DeviceInfo> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<CryptoModuleInfo> <pskc:SerialNo>987654321</pskc:SerialNo>
<Id>CM_ID_001</Id> <pskc:StartDate>2009-09-01Z</pskc:StartDate>
</CryptoModuleInfo> <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
<Key Id="12345678" </pskc:DeviceInfo>
Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp"> <pskc:CryptoModuleInfo>
<Issuer>Issuer</Issuer> <pskc:Id>CM_ID_001</pskc:Id>
<AlgorithmParameters> </pskc:CryptoModuleInfo>
<ResponseFormat Length="8" Encoding="DECIMAL"/> <pskc:Key
</AlgorithmParameters> Id="MBK000000001"
<Data> Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
<Secret> <pskc:Issuer>Example-Issuer</pskc:Issuer>
<EncryptedValue> <pskc:AlgorithmParameters>
<xenc:EncryptionMethod <pskc:ResponseFormat Length="6" Encoding="DECIMAL"/>
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> </pskc:AlgorithmParameters>
<xenc:CipherData> <pskc:Data>
<xenc:CipherValue> <pskc:Secret>
pgznhXdDh4LJ2G3mOY2RL7UA47yizMlXX3ADDcZd8Vs= <pskc:EncryptedValue>
</xenc:CipherValue> <xenc:EncryptionMethod
</xenc:CipherData> Algorithm=
</EncryptedValue> "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
<ValueMAC>ooo0Swn6s/myD4o05FCfBHN0560=</ValueMAC> />
</Secret> <xenc:CipherData>
<Counter> <xenc:CipherValue>
<PlainValue>0</PlainValue> oTvo+S22nsmS2Z/RtcoF8AabC6vr09sh0Q
</Counter> IU+E224S96sZjpV+6nFYgn6525OoepbPnL
</Data> /fGuuey64WCYXoqhTg==
</Key> </xenc:CipherValue>
</KeyPackage> </xenc:CipherData>
</KeyContainer> </pskc:EncryptedValue>
</dskpp:KeyPackage> <pskc:ValueMAC>
<dskpp:Mac o+e9xgMVUbYuZH9UHe0W9dIo88A=
MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128"> </pskc:ValueMAC>
miidfasde312asder394jw== </pskc:Secret>
</dskpp:Mac> <pskc:Counter>
<dskpp:AuthenticationData> <pskc:PlainValue>0</pskc:PlainValue>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac> </pskc:Counter>
</dskpp:AuthenticationData> </pskc:Data>
<pskc:Policy>
<pskc:KeyUsage>OTP</pskc:KeyUsage>
</pskc:Policy>
</pskc:Key>
</pskc:KeyPackage>
</dskpp:KeyContainer>
</dskpp:KeyPackage>
<dskpp:Mac
MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256">
l53BmSO6qUzoIgbQegimsKk2es+WRpEl0YFqaOp5PGE=
</dskpp:Mac>
</dskpp:KeyProvServerFinished> </dskpp:KeyProvServerFinished>
B.3.3. Example Using the Passphrase-Based Key Wrap Method
The client sends a request similar to that in Appendix B.3.1 with
authentication data based on an authentication code, and the server
responds using the Passphrase-Based Key Wrap method to encrypt the
provisioning key (note that the encryption key is derived from the
password component of the authentication code). The authentication
data is sent in clear text when it travels over a secure transport
channel such as TLS.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvClientHello Version="1.0" <dskpp:KeyProvClientHello
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:pkcs-5= xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"> Version="1.0">
<dskpp:DeviceIdentifierData> <dskpp:DeviceIdentifierData>
<dskpp:DeviceId> <dskpp:DeviceId>
<pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
<pskc:SerialNo>987654321</pskc:SerialNo> <pskc:SerialNo>987654321</pskc:SerialNo>
<pskc:Model>U2</pskc:Model> <pskc:StartDate>2009-09-01Z</pskc:StartDate>
</dskpp:DeviceId> <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
</dskpp:DeviceIdentifierData> </dskpp:DeviceId>
<dskpp:ClientNonce>xwQzwEl0CjPAiQeDxwRJdQ==</dskpp:ClientNonce> </dskpp:DeviceIdentifierData>
<dskpp:SupportedKeyTypes> <dskpp:SupportedKeyTypes>
<dskpp:Algorithm>http://www.ietf.org/keyprov/pskc#hotp <dskpp:Algorithm>
</dskpp:Algorithm> urn:ietf:params:xml:ns:keyprov:pskc#hotp
<dskpp:Algorithm> </dskpp:Algorithm>
http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES <dskpp:Algorithm>
</dskpp:Algorithm> http://www.rsa.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES
</dskpp:SupportedKeyTypes> </dskpp:Algorithm>
<dskpp:SupportedEncryptionAlgorithms> </dskpp:SupportedKeyTypes>
<dskpp:Algorithm>http://www.w3.org/2001/05/xmlenc#rsa_1_5 <dskpp:SupportedEncryptionAlgorithms>
</dskpp:Algorithm> <dskpp:Algorithm>
<dskpp:Algorithm>http://www.w3.org/2001/04/xmlenc#kw-aes128 http://www.w3.org/2001/04/xmlenc#rsa_1_5
</dskpp:Algorithm> </dskpp:Algorithm>
<dskpp:Algorithm> </dskpp:SupportedEncryptionAlgorithms>
http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2 <dskpp:SupportedMacAlgorithms>
</dskpp:Algorithm> <dskpp:Algorithm>
<dskpp:Algorithm> http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 </dskpp:Algorithm>
</dskpp:Algorithm> </dskpp:SupportedMacAlgorithms>
<dskpp:SupportedProtocolVariants>
</dskpp:SupportedEncryptionAlgorithms> <dskpp:TwoPass>
<dskpp:SupportedMacAlgorithms> <dskpp:SupportedKeyProtectionMethod>
<dskpp:Algorithm> urn:ietf:params:xml:schema:keyprov:dskpp#passphrase-wrap
http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes-128 </dskpp:SupportedKeyProtectionMethod>
</dskpp:Algorithm> <dskpp:Payload>
</dskpp:SupportedMacAlgorithms> <ds:KeyInfo>Passphrase-1</ds:KeyInfo>
<dskpp:SupportedProtocolVariants> </dskpp:Payload>
<dskpp:TwoPass> </dskpp:TwoPass>
<dskpp:SupportedKeyProtectionMethod> </dskpp:SupportedProtocolVariants>
urn:ietf:params:xml:schema:keyprov:dskpp#wrap <dskpp:SupportedKeyPackages>
</dskpp:SupportedKeyProtectionMethod> <dskpp:KeyPackageFormat>
<dskpp:Payload> urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer
<ds:KeyInfo xsi:type="ds:KeyInfoType"> </dskpp:KeyPackageFormat>
<ds:KeyName>Key_001</ds:KeyName> </dskpp:SupportedKeyPackages>
</ds:KeyInfo> <dskpp:AuthenticationData>
</dskpp:Payload> <dskpp:ClientID>AC00000A</dskpp:ClientID>
<dskpp:SupportedKeyProtectionMethod> <dskpp:AuthenticationCodeMac>
urn:ietf:params:xml:schema:keyprov:dskpp#passphrase-wrap <dskpp:Nonce>
</dskpp:SupportedKeyProtectionMethod> ESIzRFVmd4iZqrvM3e7/ESIzRFVmd4iZqrvM3e7/ESI=
</dskpp:TwoPass> </dskpp:Nonce>
</dskpp:SupportedProtocolVariants> <dskpp:IterationCount>1</dskpp:IterationCount>
<dskpp:SupportedKeyPackages> <dskpp:Mac
<dskpp:KeyPackageFormat> MacAlgorithm=
urn:ietf:params:xml:ns:keyprov:pskc#KeyContainer "http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256">
</dskpp:KeyPackageFormat> K4YvLMN6Q1DZvtShoCxQag==
</dskpp:SupportedKeyPackages> </dskpp:Mac>
<dskpp:AuthenticationData> </dskpp:AuthenticationCodeMac>
<dskpp:ClientID>31300257</dskpp:ClientID> </dskpp:AuthenticationData>
<dskpp:AuthenticationCodeMac>
<dskpp:IterationCount>512</dskpp:IterationCount>
<dskpp:Mac>4bRJf9xXd3KchKoTenHJiw==</dskpp:Mac>
</dskpp:AuthenticationCodeMac>
</dskpp:AuthenticationData>
</dskpp:KeyProvClientHello> </dskpp:KeyProvClientHello>
In this example, the server responds to the previous request by
returning a key package in which the provisioning key was encrypted
using the Passphrase-Based Key Wrap key protection method.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dskpp:KeyProvServerFinished Version="1.0" SessionID="4114" <dskpp:KeyProvServerFinished
Status="Success" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp" xmlns:dskpp="urn:ietf:params:xml:ns:keyprov:dskpp"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:dkey="http://www.w3.org/2009/xmlsec-derivedkey#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:pkcs5= xmlns:dkey="http://www.w3.org/2009/xmlsec-derivedkey#"
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#" xmlns:pkcs5="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"
Version="1.0"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Status="Success"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> SessionID="4114">
<dskpp:KeyPackage> <dskpp:KeyPackage>
<dskpp:ServerID>https://www.somedskppservice.com/ <dskpp:KeyContainer Version="1.0" Id="KC0002">
</dskpp:ServerID> <pskc:EncryptionKey>
<dskpp:KeyProtectionMethod> <dkey:DerivedKey>
urn:ietf:params:xml:schema:keyprov:protocol#passphrase-wrap <dkey:KeyDerivationMethod
</dskpp:KeyProtectionMethod> Algorithm=
<dskpp:KeyContainer Version="1.0"> "http://www.rsasecurity.com/rsalabs/pkcs/schemas/
<pskc:EncryptionKey> pkcs-5v2-0#pbkdf2">
<dkey:DerivedKey> <pkcs5:PBKDF2-params>
<dkey:KeyDerivationMethod Algorithm= <Salt>
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2"> <Specified>Ej7/PEpyEpw=</Specified>
<pkcs5:PBKDF2-params> </Salt>
<Salt> <IterationCount>1000</IterationCount>
<Specified>Ej7/PEpyEpw=</Specified> <KeyLength>16</KeyLength>
</Salt> </pkcs5:PBKDF2-params>
<IterationCount>1000</IterationCount> </dkey:KeyDerivationMethod>
<KeyLength>16</KeyLength> <xenc:ReferenceList>
<PRF/> <xenc:DataReference URI="#ED"/>
</pkcs5:PBKDF2-params> </xenc:ReferenceList>
</dkey:KeyDerivationMethod> <dkey:MasterKeyName>Passphrase1</dkey:MasterKeyName>
<xenc:ReferenceList> </dkey:DerivedKey>
<xenc:DataReference URI="#ED"/> </pskc:EncryptionKey>
</xenc:ReferenceList> <pskc:MACMethod
<dkey:MasterKeyName>My Password 1</dkey:MasterKeyName> Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
</dkey:DerivedKey> <pskc:MACKey>
</pskc:EncryptionKey> <xenc:EncryptionMethod
<pskc:MACMethod Algorithm=
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"> "http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<pskc:MACKey> <xenc:CipherData>
<xenc:EncryptionMethod <xenc:CipherValue>
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> 2GTTnLwM3I4e5IO5FkufoOEiOhNj91fhKRQBtBJYluUDsPOLTfUvoU2dStyOwYZx
<xenc:CipherData> </xenc:CipherValue>
<xenc:CipherValue> </xenc:CipherData>
2GTTnLwM3I4e5IO5FkufoNhk05y8DNyOHuSDuRZLn6DhIjoTY/dX4SkUAbQ </pskc:MACKey>
SWJblA7Dzi031L6FNnUrcjsGGcQ== </pskc:MACMethod>
</xenc:CipherValue> <pskc:KeyPackage>
</xenc:CipherData> <pskc:DeviceInfo>
</pskc:MACKey> <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
</pskc:MACMethod> <pskc:SerialNo>987654321</pskc:SerialNo>
<pskc:KeyPackage> <pskc:StartDate>2009-09-01Z</pskc:StartDate>
<pskc:DeviceInfo> <pskc:ExpiryDate>2014-09-01Z</pskc:ExpiryDate>
<pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer> </pskc:DeviceInfo>
<pskc:SerialNo>987654321</pskc:SerialNo> <pskc:CryptoModuleInfo>
</pskc:DeviceInfo> <pskc:Id>CM_ID_001</pskc:Id>
<pskc:CryptoModuleInfo> </pskc:CryptoModuleInfo>
<pskc:Id>CM_ID_001</pskc:Id> <pskc:Key
Id="MBK000000001"
Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
<pskc:Issuer>Example-Issuer</pskc:Issuer>
<pskc:AlgorithmParameters>
<pskc:ResponseFormat Length="6" Encoding="DECIMAL"/>
</pskc:AlgorithmParameters>
<pskc:Data>
<pskc:Secret>
<pskc:EncryptedValue>
<xenc:EncryptionMethod
Algorithm=
"http://www.w3.org/2001/04/
xmlenc#aes128-cbc"/>
</xenc:EncryptionMethod>
<xenc:CipherData>
<xenc:CipherValue>
oTvo+S22nsmS2Z/RtcoF8HX385uMWgJmyIFME
SBmcvtHQXp/6T1TgCS9CsgKtmcOrF8VoK254t
ZKnrAjiD5cdw==
</xenc:CipherValue>
</xenc:CipherData>
</pskc:EncryptedValue>
<pskc:ValueMAC>
pbgEbVYxoYs0x41wdeC7eDRbUEk=
</pskc:ValueMAC>
</pskc:CryptoModuleInfo> </pskc:Secret>
<pskc:Key Algorithm= <pskc:Counter>
"urn:ietf:params:xml:ns:keyprov:pskc#hotp" Id="123456"> <pskc:PlainValue>0</pskc:PlainValue>
<pskc:Issuer>Example-Issuer</pskc:Issuer> </pskc:Counter>
<pskc:AlgorithmParameters> </pskc:Data>
<pskc:ResponseFormat Length="8" Encoding="DECIMAL"/> <pskc:Policy>
</pskc:AlgorithmParameters> <pskc:KeyUsage>OTP</pskc:KeyUsage>
<pskc:Data> </pskc:Policy>
<pskc:Secret> </pskc:Key>
<pskc:EncryptedValue Id="ED"> </pskc:KeyPackage>
<xenc:EncryptionMethod </dskpp:KeyContainer>
Algorithm= </dskpp:KeyPackage>
"http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2"> <dskpp:Mac MacAlgorithm=
<pskc:EncryptionScheme "http://www.ietf.org/keyprov/dskpp#dskpp-prf-sha256">
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> Jc4VsNODYXgfbDmTn9qQZgcL3cKoa//j/NRT7sTpKOM=
</xenc:EncryptionMethod> </dskpp:Mac>
<xenc:CipherData> </dskpp:KeyProvServerFinished>
<xenc:CipherValue>
oTvo+S22nsmS2Z/RtcoF8Hfh+jzMe0RkiafpoDpnoZTjPYZu6V+A4aEn032yCr4f
</xenc:CipherValue>
</xenc:CipherData>
</pskc:EncryptedValue>
<pskc:ValueMAC>LP6xMvjtypbfT9PdkJhBZ+D6O4w=
</pskc:ValueMAC>
</pskc:Secret>
</pskc:Data>
</pskc:Key>
</pskc:KeyPackage>
</dskpp:KeyContainer>
</dskpp:KeyPackage>
<dskpp:Mac MacAlgorithm="http://www.ietf.org/keyprov/dskpp#dskpp-prf-aes">
miidfasde312asder394jw==
</dskpp:Mac>
</dskpp:KeyProvServerFinished>
Appendix C. Integration with PKCS #11
A DSKPP client that needs to communicate with a connected
cryptographic module to perform a DSKPP exchange MAY use PKCS #11
[PKCS-11] as a programming interface as described herein. This
appendix forms an informative part of the document.
C.1. The 4-pass Variant
Salah Machani Salah Machani
Diversinet Corp. Diversinet Corp.
2225 Sheppard Avenue East, Suite 1801 2225 Sheppard Avenue East, Suite 1801
Toronto, Ontario M2J 5C2 Toronto, Ontario M2J 5C2
Canada Canada
Email: smachani@diversinet.com Email: smachani@diversinet.com
Magnus Nystrom Magnus Nystrom
RSA, The Security Division of EMC Microsoft Corp.
Arenavagen 29 One Microsoft Way
Stockholm, Stockholm Ln 121 29 Redmond, WA 98052
SE USA
Email: magnus.nystrom@rsa.com Email: mnystrom@microsoft.com