IETF Logo Mail Archive

[KEYPROV] YubiKey Algorithm Definition, a KeyData extension test case

Simon Josefsson <simon@josefsson.org> Mon, 25 August 2008 15:18 UTC

Return-Path: <keyprov-bounces@ietf.org>
X-Original-To: keyprov-archive@optimus.ietf.org
Delivered-To: ietfarch-keyprov-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C49C03A6A86; Mon, 25 Aug 2008 08:18:23 -0700 (PDT)
X-Original-To: keyprov@core3.amsl.com
Delivered-To: keyprov@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1DC6B28C1FC for <keyprov@core3.amsl.com>; Mon, 25 Aug 2008 08:18:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ryUJLzHAtxBh for <keyprov@core3.amsl.com>; Mon, 25 Aug 2008 08:18:21 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id 837913A694E for <keyprov@ietf.org>; Mon, 25 Aug 2008 08:18:20 -0700 (PDT)
Received: from c80-216-126-5.bredband.comhem.se ([80.216.126.5] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.63) (envelope-from <simon@josefsson.org>) id 1KXdnx-0001xd-VE for keyprov@ietf.org; Mon, 25 Aug 2008 17:16:31 +0200
X-Hashcash: 1:22:080825:keyprov@ietf.org::iJ60d9GECjGapmCp:6huS
From: Simon Josefsson <simon@josefsson.org>
To: keyprov@ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Mon, 25 Aug 2008 17:16:29 +0200
Message-ID: <877ia53z1u.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Subject: [KEYPROV] YubiKey Algorithm Definition, a KeyData extension test case
X-BeenThere: keyprov@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Provisioning of Symmetric Keys \(keyprov\)" <keyprov.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/keyprov>
List-Post: <mailto:keyprov@ietf.org>
List-Help: <mailto:keyprov-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: keyprov-bounces@ietf.org
Errors-To: keyprov-bounces@ietf.org

Hi All,

Inspired by Hannes posts with example definitions, I wanted to write up
an example for the YubiKey (see <http://www.yubico.com/>).  Section
5.4.1 of draft-ietf-keyprov-portable-symmetric-key-container-05 suggests
the format is extensible, but I didn't find any examples.

Some background: The KeyData for a YubiKey would need to hold the key
identity as well, since the identity is printed as part of the OTP.  The
OTP is a modhex-encoded variable length field holding the identity
string, followed by one AES-encrypted block.  The identity string is set
when the AES key is set.  Thus, I'm guessing it makes sense to store the
identity string in the KeyData structure as well, since it is important
during key configuration.  Does that sounds about right?

Section 5.4.1 contains:

<xs:complexType name="KeyDataType">
     <xs:sequence>
...
       <xs:any namespace="##other" minOccurs="0"
       maxOccurs="unbounded"/>
     </xs:sequence>
...
   o  <xs:any ..> the extension point for carrying future elements.
      Please note that all elements added MUST carry PlainValue and
      EncryptedValue sub eleemnts as described above.

I have come up with an straw man below.  However, there are two
questions:

1) How to express, in the ResponseFormat the Length field, that the
length of the OTPs can vary?  The length is from 32 characters (no
identity, just AES output) and up (when an identity string is included
as the prefix).

2) How to express the extension field with the identity?  My XML fu is
not strong enough to feel confident about the proposal below.  I think
it can be useful to include an example of when the extension mechanism
is used, so that people can understand and implement it interoperable.

I've marked these two questions with XXX below.

Thanks,
Simon

8.4.4.12.  YubiKey-EVENT

   Common Name:  YubiKey-EVENT

   Class:  OTP

   URI:  http://www.yubico.com/2008/04/algorithms/
      algorithms#ActivIdentity-EVENT

   Algorithm Definition:  http://www.yubico.com/2008/04/
      algorithms/algorithms#ActivIdentity-EVENT

   Identifier Definition  http://www.yubico.com/2008/04/
      algorithms/algorithms#ActivIdentity-EVENT

   Registrant Contact:  Simon Josefsson, Yubico,
      <simon@yubico.com>.

   Profile of XML attributes and subelements of the Key entity:

      For a Key of this algorithm, the <Usage> subelements MUST be
      present.  The "OTP" attribute of the <Usage> MUST be set "true"
      and it MUST be the only attribute set.  The element
      <ResponseFormat> of the <Usage> MUST be used to indicate the OTP
      length and the value format.

      For the Data elements of a key of this algorithm, the following
      subelements MUST be present in either the Key element itself or an
      commonly shared KeyProperties element.

      *  Secret

      * A YubiKeyIdentity extension field from the
         http://www.yubico.com.org/2008/08/yubikey XML namespace.  It
         has a HEXADECIMAL PlainValue field.

      An example of the Key of this algorithm is as follows.

   <?xml version="1.0" encoding="UTF-8"?>
   <KeyContainer Version="1.0"
                 xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
                 xmlns:yubico="http://www.yubico.com.org/2008/08/yubikey">
       <Device>
           <DeviceInfo>
               <Manufacturer>Yubico</Manufacturer>
               <SerialNo>123456789</SerialNo>
           </DeviceInfo>
           <Key KeyAlgorithm="http://www.yubico.com/2008/04/
                algorithms/algorithms#ActivIdentity-EVENT"
                KeyId="3456789">
               <Issuer>Issuer</Issuer>
               <Usage OTP="true">
                   <ResponseFormat Length="XXX"
                   Format="ALPHANUMERIC"/>
               </Usage>
               <Data>
                   <Secret>
                       <PlainValue>
                       abZIHIurorYOjyIXm1jNVg==
                       </PlainValue>
                   </Secret>
                   <yubico:YubiKeyIdentity XXX>
                       <PlainValue>
                       2d344e83
                       </PlainValue>
                   </yubico:YubiKeyIdentity>
               </Data>
           </Key>
       </Device>
   </KeyContainer>
_______________________________________________
KEYPROV mailing list
KEYPROV@ietf.org
https://www.ietf.org/mailman/listinfo/keyprov

v2.23.0 | Report a Bug | By Email