keyprov                                                         P. Hoyer
Internet-Draft                                             ActivIdentity
Intended status: Standards Track                                  M. Pei
Expires: December 30, 2010                                      VeriSign
                                                              S. Machani
                                                              Diversinet
                                                           June 28, 2010

                Portable Symmetric Key Container (PSKC)
                       draft-ietf-keyprov-pskc-07

Abstract

   This document specifies a symmetric key format for transport and
   provisioning of symmetric keys to different types of crypto modules,
   for example One Time Password (OTP) shared secrets or symmetric
   cryptographic keys to strong authentication devices. A standard key
   transport format enables enterprises to deploy best-of-breed
   solutions combining components from different vendors into the same
   infrastructure.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 30, 2010.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document. Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the BSD License.

Table of Contents

   1.  Introduction
     1.1.  Key Words
     1.2.  Version Support
     1.3.  Namespace Identifiers
       1.3.1.  Defined Identifiers
       1.3.2.  Referenced Identifiers
   2.  Terminology
   3.  Portable Key Container Entities Overview and Relationships
   4.  Element: The Basics
     4.1.  : Embedding Keying Material and Key Related Information
     4.2.  Key Value Encoding
       4.2.1.  AES Key Value Encoding
       4.2.2.  Triple DES Key Value Encoding
     4.3.  Transmission of supplementary Information
       4.3.1.  Element: Unique Device Identification
       4.3.2.  Element: CryptoModule Identification
       4.3.3.  Element: User Identification
       4.3.4.  Element: Supplementary Information for OTP and CR
               Algorithms
     4.4.  Transmission of Key Derivation Values
   5.  Key Policy
     5.1.  PIN Algorithm definition
   6.  Key Protection Methods
     6.1.  Encryption based on Pre-Shared Keys
       6.1.1.  MAC Method
     6.2.  Encryption based on Passphrase-based Keys
     6.3.  Encryption based on Asymmetric Keys
     6.4.  Padding of Encrypted Values for Non-Padded Encryption
           Algorithms
   7.  Digital Signature
   8.  Bulk Provisioning
   9.  Extensibility
   10. PSKC Algorithm Profile
     10.1.  HOTP
     10.2.  PIN
   11. XML Schema
   12. IANA Considerations
     12.1.  Content-type registration for 'application/pskc+xml'
     12.2.  XML Schema Registration
     12.3.  URN Sub-Namespace Registration
     12.4.  PSKC Algorithm Profile Registry
     12.5.  PSKC Version Registry
     12.6.  Key Usage Registry
   13. Security Considerations
     13.1.  PSKC Confidentiality
     13.2.  PSKC Integrity
     13.3.  PSKC Authenticity
   14. Contributors
   15. Acknowledgements
   16. References
     16.1.  Normative References
     16.2.  Informative References
   Appendix A.  Use Cases
     A.1.  Online Use Cases
       A.1.1.  Transport of keys from Server to Cryptographic Module
       A.1.2.  Transport of keys from Cryptographic Module to
               Cryptographic Module
       A.1.3.  Transport of keys from Cryptographic Module to Server
       A.1.4.  Server to server Bulk import/export of keys
     A.2.  Offline Use Cases
       A.2.1.  Server to server Bulk import/export of keys
   Appendix B.  Requirements
   Authors' Addresses

1.  Introduction

   With increasing use of symmetric key based systems, such as
   encryption of data at rest, or systems used for strong
   authentication, such as those based on one-time-password (OTP) and
   challenge response (CR) mechanisms, there is a need for vendor
   interoperability and a standard format for importing and exporting
   (provisioning) symmetric keys. For instance, traditionally, vendors
   of authentication servers and service providers have used proprietary
   formats for importing and exporting these keys into their systems,
   thus making it hard to use tokens from two different vendors.

   This document defines a standardized XML-based key container, called
   Portable Symmetric Key Container (PSKC), for transporting symmetric
   keys and key related meta data. The document also specifies the
   information elements that are required when the symmetric key is
   utilized for specific purposes, such as the initial counter in the
   HMAC-Based One Time Password (HOTP) [HOTP] algorithm.
   It also requests the creation of an IANA registry for algorithm
   profiles where algorithms, their meta-data and PSKC transmission
   profile can be recorded for centralised standardised reference.

1.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Version Support

   There is a provision made in the syntax for an explicit version
   number. Only version "1.0" is currently specified.

   The numbering scheme for PSKC versions is ".". The major and minor
   numbers MUST be treated as separate integers and each number MAY be
   incremented higher than a single digit. Thus, "PSKC 2.4" would be a
   lower version than "PSKC 2.13", which in turn would be lower than
   "PSKC 12.3". Leading zeros (e.g., "PSKC 6.01") MUST be ignored by
   recipients and MUST NOT be sent.

   The major version number should be incremented only if the message
   format (e.g., element structure) has changed so dramatically that an
   older version implementation would not be able to interoperate with a
   newer version. The minor version number indicates new capabilities,
   and MUST be ignored by an entity with a smaller minor version number,
   but used for informational purposes by the entity with the larger
   minor version number.

1.3.  Namespace Identifiers

   This document uses Uniform Resource Identifiers [RFC3986] to identify
   resources, algorithms, and semantics.

1.3.1.  Defined Identifiers

   The XML namespace [XMLNS] URI for Version 1.0 of PSKC is:

      "urn:ietf:params:xml:ns:keyprov:pskc"

   References to qualified elements in the PSKC schema defined in this
   specification and used in the example use the prefix "pskc" (defined
   as xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"). It is
   RECOMMENDED to use this namespace in implementations.

1.3.2.  Referenced Identifiers

   The PSKC syntax presented in this document relies on algorithm
   identifiers and elements defined in the XML Signature [XMLDSIG]
   namespace:

      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

   References to the XML Signature namespace are represented by the
   prefix "ds".

   PSKC also relies on algorithm identifiers and elements defined in the
   XML Encryption [XMLENC] namespace:

      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"

   References to the XML Encryption namespace are represented by the
   prefix "xenc".

   When protecting keys in transport with passphrase-based keys, PSKC
   also relies on the derived key element defined in the XML Encryption
   Version 1.1 [XMLENC11] namespace:

      xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"

   References to the XML Encryption Version 1.1 namespace are
   represented by the prefix "xenc11".

   When protecting keys in transport with passphrase-based keys, PSKC
   also relies on algorithm identifiers and elements defined in the
   PKCS#5 [PKCS5] namespace:

      xmlns:pkcs5=
      "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"

   References to the PKCS#5 namespace are represented by the prefix
   "pkcs5".

2.  Terminology

   NOTE: In subsequent sections of the document we highlight
   **mandatory** XML elements and attributes. Optional elements and
   attributes are not explicitly indicated, i.e., if it does not say
   mandatory it is optional.

3.  Portable Key Container Entities Overview and Relationships

   The portable key container is based on an XML schema definition and
   contains the following main conceptual entities:

   1.  KeyContainer entity - representing the container that carries a
       number of KeyPackages.
       A valid container MUST carry at least 1 KeyPackage.

   2.  KeyPackage entity - representing the package of at most one key
       and its related provisioning endpoint or current usage endpoint,
       such as a physical or virtual device and a specific CryptoModule

   3.  DeviceInfo entity - representing the information about the device
       and criteria to uniquely identify the device

   4.  CryptoModuleInfo entity - representing the information about the
       CryptoModule where the keys reside or are provisioned to

   5.  Key entity - representing the key transported or provisioned

   6.  Data entity - representing a list of meta-data related to the
       key, where the element name is the name of the meta-data and its
       associated value is either in encrypted form (for example for
       Data element ) or plaintext (for example the Data element )

   Figure 1 shows the high-level structure of the PSKC data elements.

                     -----------------
                     | KeyContainer  |
                     |---------------|
                     | EncryptionKey |
                     | Signature     |
                     | ...           |
                     -----------------
                             |
                             |
                            /|\ 1..n
         ----------------        ----------------
         | KeyPackage   |    0..1| DeviceInfo   |
         |--------------|--------|--------------|
         |              |--      | SerialNumber |
         ----------------  |     | Manufacturer |
                |          |     | ....         |
                |          |     ----------------
               /|\ 0..1    |
         ----------------  |     --------------------
         | Key          |  | 0..1| CryptoModuleInfo |
         |--------------|   -----|------------------|
         | Id           |        | Id               |
         | Algorithm    |        |....              |
         | UserId       |        --------------------
         | Policy       |
         | ....         |
         ----------------
                |
                |
               /|\ 0..n
       --------------------------------------- -  -
       |                     |              |
   ------------------  ----------------  -------- - -
   | Data:Secret    |  | Data:Counter |  | Data:other
   |----------------|  |--------------|  |-- - -
   | EncryptedValue |  | PlainValue   |
   | ValueMAC       |  ----------------
   ------------------

           Figure 1: PSKC data elements relationship diagram

   The following sections describe in detail all the entities and
   related XML schema elements and attributes.
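
   A receiver-side structural check for the rules above, added here as
   an example and not part of the draft: it applies the version ordering
   of Section 1.2 and the cardinalities of Section 3 and Figure 1. It
   assumes the XML element names match the entity names (KeyContainer,
   KeyPackage, Key, DeviceInfo, CryptoModuleInfo) and that the version
   is carried in the root element's 'Version' attribute; the sample
   document is constructed.

```python
import re
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"  # Section 1.3.1
SUPPORTED_MAJOR = 1                               # only "1.0" is specified

def parse_version(text):
    """Return (major, minor) as separate integers; leading zeros are ignored."""
    m = re.fullmatch(r"([0-9]+)\.([0-9]+)", text)
    if m is None:
        raise ValueError(f"malformed PSKC version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def check_container(xml_text):
    """Return a list of violations; an empty list means the structure passed."""
    if "<!DOCTYPE" in xml_text:
        # PSKC needs no DTD; refusing one keeps entity expansion out of the parser.
        return ["DOCTYPE not allowed"]
    root = ET.fromstring(xml_text)
    def q(name):  # qualified tag name in the PSKC namespace
        return f"{{{PSKC_NS}}}{name}"
    # Assumption: element names mirror the entity names of Section 3.
    if root.tag != q("KeyContainer"):
        return [f"unexpected root element {root.tag}"]
    problems = []
    try:
        major, _minor = parse_version(root.get("Version", ""))
        # A higher minor number only signals new capabilities and is ignored.
        if major != SUPPORTED_MAJOR:
            problems.append(f"unsupported major version {major}")
    except ValueError as exc:
        problems.append(str(exc))
    packages = root.findall(q("KeyPackage"))
    if not packages:
        problems.append("container carries no KeyPackage")
    for i, pkg in enumerate(packages, 1):
        # Figure 1: at most one Key, DeviceInfo and CryptoModuleInfo per package.
        for child in ("Key", "DeviceInfo", "CryptoModuleInfo"):
            if len(pkg.findall(q(child))) > 1:
                problems.append(f"KeyPackage {i}: more than one {child}")
    return problems

# Constructed sample (not from the draft): newer minor version, two keys in a package.
SAMPLE = f"""<KeyContainer Version="1.7" xmlns="{PSKC_NS}">
  <KeyPackage><Key Id="k1"/><Key Id="k2"/></KeyPackage>
</KeyContainer>"""

if __name__ == "__main__":
    print(parse_version("2.4") < parse_version("2.13") < parse_version("12.3"))
    print(check_container(SAMPLE))
```

   Comparing the parsed tuples rather than the raw strings is what makes
   "2.4" sort below "2.13"; a string or floating-point comparison gets
   that ordering wrong.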

4.  Element: The Basics

   In its most basic form, a PSKC document uses the top-level element
   and a single element to carry key information.

   The following example shows such a simple PSKC document. We will use
   it to describe the structure of the element and its child elements.

      Issuer-A MTIzNA==

              Figure 2: Basic PSKC Key Container Example

   The attributes of the element have the following semantics:

   'Version:'  The 'Version' attribute is used to identify the version
      of the PSKC schema. This specification defines the initial
      version ("1.0") of the PSKC schema. This attribute MUST be
      included.

   'Id:'  The 'Id' attribute carries a unique identifier for the
      container. As such, it helps to identify a specific key container
      in cases when multiple containers are embedded in larger XML
      documents.

4.1.  : Embedding Keying Material and Key Related Information

   The following attributes of the element MUST be included at a
   minimum:

   'Id':  This attribute carries a unique identifier for the symmetric
      key in the context of key provisioning exchanges between two
      parties. This means that if PSKC is used in multiple interactions
      between a sending and receiving party, using different containers
      referencing the same keys, the KeyId values MUST be the same
      (e.g., after initial provisioning, if a system wants to update key
      meta data values in the other system, the KeyId value of the key
      whose meta data is to be updated MUST be the same as the original
      KeyId value provisioned). The identifier is defined as a string
      of alphanumeric characters.

   'Algorithm':  This attribute contains a unique identifier for the
      PSKC algorithm profile. This profile associates specific
      semantics to the elements and attributes contained in the element.
      This document describes profiles for open standards algorithms in
      Section 10. Additional profiles are defined in the following
      informational draft [PSKC-ALGORITHM-PROFILES].

   The element has a number of optional child elements. An initial set
   is described below:

   :  This element represents the name of the party that issued the key.
      For example, a bank "Foobar Bank Inc." issuing hardware tokens to
      their retail banking users may set this element to "Foobar Bank
      Inc.".

   :  A human readable name for the secret key for easier reference.
      This element serves informational purposes only. This element is
      a language dependent string; hence it SHOULD have an attribute
      xml:lang="xx" where xx is the language identifier as specified in
      [RFC4646]. If no xml:lang attribute is present, implementations
      MUST assume the language to be English as defined by setting the
      attribute value to "en" (e.g. xml:lang="en").

   :  This element carries parameters that influence the result of the
      algorithmic computation, for example response truncation and
      format in OTP and CR algorithms. A more detailed discussion of
      the element can be found in Section 4.3.4.

   :  This element carries data about and related to the key. The
      following child elements are defined for the element:

      :  This element carries the value of the key itself in a binary
         representation; see Section 4.2 for more details on Key Value
         Encoding.

      :  This element contains the event counter for event based OTP
         algorithms.