[KEYPROV] YubiKey Algorithm Definition, a KeyData extension test case
Simon Josefsson <simon@josefsson.org> Mon, 25 August 2008 15:18 UTC
Return-Path: <keyprov-bounces@ietf.org>
X-Original-To: keyprov-archive@optimus.ietf.org
Delivered-To: ietfarch-keyprov-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C49C03A6A86; Mon, 25 Aug 2008 08:18:23 -0700 (PDT)
X-Original-To: keyprov@core3.amsl.com
Delivered-To: keyprov@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1DC6B28C1FC for <keyprov@core3.amsl.com>; Mon, 25 Aug 2008 08:18:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ryUJLzHAtxBh for <keyprov@core3.amsl.com>; Mon, 25 Aug 2008 08:18:21 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id 837913A694E for <keyprov@ietf.org>; Mon, 25 Aug 2008 08:18:20 -0700 (PDT)
Received: from c80-216-126-5.bredband.comhem.se ([80.216.126.5] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.63) (envelope-from <simon@josefsson.org>) id 1KXdnx-0001xd-VE for keyprov@ietf.org; Mon, 25 Aug 2008 17:16:31 +0200
X-Hashcash: 1:22:080825:keyprov@ietf.org::iJ60d9GECjGapmCp:6huS
From: Simon Josefsson <simon@josefsson.org>
To: keyprov@ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Mon, 25 Aug 2008 17:16:29 +0200
Message-ID: <877ia53z1u.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Subject: [KEYPROV] YubiKey Algorithm Definition, a KeyData extension test case
X-BeenThere: keyprov@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Provisioning of Symmetric Keys \(keyprov\)" <keyprov.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/keyprov>
List-Post: <mailto:keyprov@ietf.org>
List-Help: <mailto:keyprov-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: keyprov-bounces@ietf.org
Errors-To: keyprov-bounces@ietf.org
Hi All, Inspired by Hannes posts with example definitions, I wanted to write up an example for the YubiKey (see <http://www.yubico.com/>). Section 5.4.1 of draft-ietf-keyprov-portable-symmetric-key-container-05 suggests the format is extensible, but I didn't find any examples. Some background: The KeyData for a YubiKey would need to hold the key identity as well, since the identity is printed as part of the OTP. The OTP is a modhex-encoded variable length field holding the identity string, followed by one AES-encrypted block. The identity string is set when the AES key is set. Thus, I'm guessing it makes sense to store the identity string in the KeyData structure as well, since it is important during key configuration. Does that sounds about right? Section 5.4.1 contains: <xs:complexType name="KeyDataType"> <xs:sequence> ... <xs:any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> ... o <xs:any ..> the extension point for carrying future elements. Please note that all elements added MUST carry PlainValue and EncryptedValue sub eleemnts as described above. I have come up with an straw man below. However, there are two questions: 1) How to express, in the ResponseFormat the Length field, that the length of the OTPs can vary? The length is from 32 characters (no identity, just AES output) and up (when an identity string is included as the prefix). 2) How to express the extension field with the identity? My XML fu is not strong enough to feel confident about the proposal below. I think it can be useful to include an example of when the extension mechanism is used, so that people can understand and implement it interoperable. I've marked these two questions with XXX below. Thanks, Simon 8.4.4.12. YubiKey-EVENT Common Name: YubiKey-EVENT Class: OTP URI: http://www.yubico.com/2008/04/algorithms/ algorithms#ActivIdentity-EVENT Algorithm Definition: http://www.yubico.com/2008/04/ algorithms/algorithms#ActivIdentity-EVENT Identifier Definition http://www.yubico.com/2008/04/ algorithms/algorithms#ActivIdentity-EVENT Registrant Contact: Simon Josefsson, Yubico, <simon@yubico.com>. Profile of XML attributes and subelements of the Key entity: For a Key of this algorithm, the <Usage> subelements MUST be present. The "OTP" attribute of the <Usage> MUST be set "true" and it MUST be the only attribute set. The element <ResponseFormat> of the <Usage> MUST be used to indicate the OTP length and the value format. For the Data elements of a key of this algorithm, the following subelements MUST be present in either the Key element itself or an commonly shared KeyProperties element. * Secret * A YubiKeyIdentity extension field from the http://www.yubico.com.org/2008/08/yubikey XML namespace. It has a HEXADECIMAL PlainValue field. An example of the Key of this algorithm is as follows. <?xml version="1.0" encoding="UTF-8"?> <KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0" xmlns:yubico="http://www.yubico.com.org/2008/08/yubikey"> <Device> <DeviceInfo> <Manufacturer>Yubico</Manufacturer> <SerialNo>123456789</SerialNo> </DeviceInfo> <Key KeyAlgorithm="http://www.yubico.com/2008/04/ algorithms/algorithms#ActivIdentity-EVENT" KeyId="3456789"> <Issuer>Issuer</Issuer> <Usage OTP="true"> <ResponseFormat Length="XXX" Format="ALPHANUMERIC"/> </Usage> <Data> <Secret> <PlainValue> abZIHIurorYOjyIXm1jNVg== </PlainValue> </Secret> <yubico:YubiKeyIdentity XXX> <PlainValue> 2d344e83 </PlainValue> </yubico:YubiKeyIdentity> </Data> </Key> </Device> </KeyContainer> _______________________________________________ KEYPROV mailing list KEYPROV@ietf.org https://www.ietf.org/mailman/listinfo/keyprov
- Re: [KEYPROV] YubiKey Algorithm Definition, a Key… Hannes Tschofenig
- [KEYPROV] YubiKey Algorithm Definition, a KeyData… Simon Josefsson
- Re: [KEYPROV] YubiKey Algorithm Definition, a Key… Simon Josefsson