IETF Logo Mail Archive

Re: [KEYPROV] YubiKey Algorithm Definition, a KeyData extension test case

Simon Josefsson <simon@josefsson.org> Tue, 26 August 2008 09:25 UTC

Return-Path: <keyprov-bounces@ietf.org>
X-Original-To: keyprov-archive@optimus.ietf.org
Delivered-To: ietfarch-keyprov-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED9F63A6A6F; Tue, 26 Aug 2008 02:25:19 -0700 (PDT)
X-Original-To: keyprov@core3.amsl.com
Delivered-To: keyprov@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 652903A6A7F for <keyprov@core3.amsl.com>; Tue, 26 Aug 2008 02:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.855
X-Spam-Level:
X-Spam-Status: No, score=-1.855 tagged_above=-999 required=5 tests=[AWL=-0.745, BAYES_05=-1.11]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IjlIMgM9tSME for <keyprov@core3.amsl.com>; Tue, 26 Aug 2008 02:25:15 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id B4B3C3A6A4D for <keyprov@ietf.org>; Tue, 26 Aug 2008 02:25:13 -0700 (PDT)
Received: from c80-216-126-5.bredband.comhem.se ([80.216.126.5] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.63) (envelope-from <simon@josefsson.org>) id 1KXunT-0002ar-U5; Tue, 26 Aug 2008 11:25:11 +0200
X-Hashcash: 1:22:080826:hannes.tschofenig@gmx.net::IvaqZmnUj41qYL1i:PUeC
X-Hashcash: 1:22:080826:keyprov@ietf.org::OPFP8sDLWmqInv+s:0GGy2
From: Simon Josefsson <simon@josefsson.org>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <877ia53z1u.fsf@mocca.josefsson.org> <48B2E8DD.5020807@gmx.net>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:080826:keyprov-egrivxuawey@public.gmane.org::YX7ouOLYIJNF3cv/:4qcr
X-Hashcash: 1:22:080826:hannes.tschofenig-hi6y0cq0ng0@public.gmane.org::hjifce3Fja/QCzsN:DVxo
X-Hashcash: 1:22:080826:simon-rtwakxxyig6ei8dpzvb4nw@public.gmane.org::6if0DT10iRnP1Y3e:OlTb
Date: Tue, 26 Aug 2008 11:25:07 +0200
In-Reply-To: <48B2E8DD.5020807@gmx.net> (Hannes Tschofenig's message of "Mon, 25 Aug 2008 20:16:13 +0300")
Message-ID: <87iqto2kng.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Cc: keyprov@ietf.org
Subject: Re: [KEYPROV] YubiKey Algorithm Definition, a KeyData extension test case
X-BeenThere: keyprov@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Provisioning of Symmetric Keys \(keyprov\)" <keyprov.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/keyprov>
List-Post: <mailto:keyprov@ietf.org>
List-Help: <mailto:keyprov-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: keyprov-bounces@ietf.org
Errors-To: keyprov-bounces@ietf.org

Hannes Tschofenig <Hannes.Tschofenig@gmx.net> writes:

> Hi Simon,
>
> you are right that the document does not provide enough description to 
> make it easy for protocol designers to extend it.There is clearly room 
> for improvement and we are working on it. Currently, there is also no 
> description about the registry for these algorithm definitions since one 
> should give a few guidelines on what standardized mechanisms have to 
> provide. In fact I have this action item...

Hi Hannes!  I am looking forward to your improved text in this area.

Do you think including the YubiKey Algorithm Definition would be useful?

Extensibility schemes are often under-specified in new protocols,
causing interop problems later on when people want to extend the
protocol.  Including an example that uses the extension mechanism in the
right way in the initial document may help to avoid that.

I'll be happy to work on improving the definition

> You example is good. I am not 100% sure that the <Data> element is the 
> right place to add the identity; I need to double-check that. I took a 
> look at the webpage and I got the impression that the identity is 
> actually an OpenID URL. Am I wrong?

Yes.  The identity part of the OTP is typically a short string such as
'dteffuje' or 'ekhgjhbctrgn'.  It is the same in every OTP.  The OpenID
URL is normally entered by the user.

Thanks,
Simon

> Ciao
> Hannes
>
>
> Simon Josefsson wrote:
>> Hi All,
>>
>> Inspired by Hannes posts with example definitions, I wanted to write up
>> an example for the YubiKey (see <http://www.yubico.com/>).  Section
>> 5.4.1 of draft-ietf-keyprov-portable-symmetric-key-container-05 suggests
>> the format is extensible, but I didn't find any examples.
>>
>> Some background: The KeyData for a YubiKey would need to hold the key
>> identity as well, since the identity is printed as part of the OTP.  The
>> OTP is a modhex-encoded variable length field holding the identity
>> string, followed by one AES-encrypted block.  The identity string is set
>> when the AES key is set.  Thus, I'm guessing it makes sense to store the
>> identity string in the KeyData structure as well, since it is important
>> during key configuration.  Does that sounds about right?
>>
>> Section 5.4.1 contains:
>>
>> <xs:complexType name="KeyDataType">
>>      <xs:sequence>
>> ...
>>        <xs:any namespace="##other" minOccurs="0"
>>        maxOccurs="unbounded"/>
>>      </xs:sequence>
>> ...
>>    o  <xs:any ..> the extension point for carrying future elements.
>>       Please note that all elements added MUST carry PlainValue and
>>       EncryptedValue sub eleemnts as described above.
>>
>> I have come up with an straw man below.  However, there are two
>> questions:
>>
>> 1) How to express, in the ResponseFormat the Length field, that the
>> length of the OTPs can vary?  The length is from 32 characters (no
>> identity, just AES output) and up (when an identity string is included
>> as the prefix).
>>
>> 2) How to express the extension field with the identity?  My XML fu is
>> not strong enough to feel confident about the proposal below.  I think
>> it can be useful to include an example of when the extension mechanism
>> is used, so that people can understand and implement it interoperable.
>>
>> I've marked these two questions with XXX below.
>>
>> Thanks,
>> Simon
>>
>> 8.4.4.12.  YubiKey-EVENT
>>
>>    Common Name:  YubiKey-EVENT
>>
>>    Class:  OTP
>>
>>    URI:  http://www.yubico.com/2008/04/algorithms/
>>       algorithms#ActivIdentity-EVENT
>>
>>    Algorithm Definition:  http://www.yubico.com/2008/04/
>>       algorithms/algorithms#ActivIdentity-EVENT
>>
>>    Identifier Definition  http://www.yubico.com/2008/04/
>>       algorithms/algorithms#ActivIdentity-EVENT
>>
>>    Registrant Contact:  Simon Josefsson, Yubico,
>>       <simon-doUGunA9pJjQT0dZR+AlfA@public.gmane.org>.
>>
>>    Profile of XML attributes and subelements of the Key entity:
>>
>>       For a Key of this algorithm, the <Usage> subelements MUST be
>>       present.  The "OTP" attribute of the <Usage> MUST be set "true"
>>       and it MUST be the only attribute set.  The element
>>       <ResponseFormat> of the <Usage> MUST be used to indicate the OTP
>>       length and the value format.
>>
>>       For the Data elements of a key of this algorithm, the following
>>       subelements MUST be present in either the Key element itself or an
>>       commonly shared KeyProperties element.
>>
>>       *  Secret
>>
>>       * A YubiKeyIdentity extension field from the
>>          http://www.yubico.com.org/2008/08/yubikey XML namespace.  It
>>          has a HEXADECIMAL PlainValue field.
>>
>>       An example of the Key of this algorithm is as follows.
>>
>>    <?xml version="1.0" encoding="UTF-8"?>
>>    <KeyContainer Version="1.0"
>>                  xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
>>                  xmlns:yubico="http://www.yubico.com.org/2008/08/yubikey">
>>        <Device>
>>            <DeviceInfo>
>>                <Manufacturer>Yubico</Manufacturer>
>>                <SerialNo>123456789</SerialNo>
>>            </DeviceInfo>
>>            <Key KeyAlgorithm="http://www.yubico.com/2008/04/
>>                 algorithms/algorithms#ActivIdentity-EVENT"
>>                 KeyId="3456789">
>>                <Issuer>Issuer</Issuer>
>>                <Usage OTP="true">
>>                    <ResponseFormat Length="XXX"
>>                    Format="ALPHANUMERIC"/>
>>                </Usage>
>>                <Data>
>>                    <Secret>
>>                        <PlainValue>
>>                        abZIHIurorYOjyIXm1jNVg==
>>                        </PlainValue>
>>                    </Secret>
>>                    <yubico:YubiKeyIdentity XXX>
>>                        <PlainValue>
>>                        2d344e83
>>                        </PlainValue>
>>                    </yubico:YubiKeyIdentity>
>>                </Data>
>>            </Key>
>>        </Device>
>>    </KeyContainer>
>> _______________________________________________
>> KEYPROV mailing list
>> KEYPROV-EgrivxUAwEY@public.gmane.org
>> https://www.ietf.org/mailman/listinfo/keyprov
>>   
_______________________________________________
KEYPROV mailing list
KEYPROV@ietf.org
https://www.ietf.org/mailman/listinfo/keyprov

v2.23.0 | Report a Bug | By Email