Network Working Group S. Josefsson Internet-Draft Yubico Intended status: Informational November 11, 2010 Expires: May 15, 2011 Yubico YubiKey Portable Symmetric Key Container (PSKC) Profile draft-josefsson-keyprov-pskc-yubikey-00 Abstract This document specify how to provision the YubiKey using the Portable Symmetric Key Container (PSKC) format. The YubiKey is a small portable device that generate One-Time-Passwords. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 15, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Josefsson Expires May 15, 2011 [Page 1] Internet-Draft Yubico YubiKey PSKC Profile November 2010 Table of Contents 1. Introduction and Background . . . . . . . . . . . . . . . . . . 3 2. YubiKey-AES PSKC Profile Definition . . . . . . . . . . . . . . 3 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Normative References . . . . . . . . . . . . . . . . . . . 8 6.2. Informative References . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8 Josefsson Expires May 15, 2011 [Page 2] Internet-Draft Yubico YubiKey PSKC Profile November 2010 1. Introduction and Background The YubiKey is a small portable device that generate One-Time- Passwords. In its default mode, the One-Time-Password consists of a static identifier concatenated with a never-repeating AES-128 encrypted part. Personalization of the device consumes several data fields, including a public identifier, an internal identifier and a AES-128 key. This document specify a PSKC [RFC6030] algorithm profile called "YubiKey-AES" for the Yubico [YUBICO] YubiKey in the default AES- based one-time-password mode. The intent is to provide a standard format for transporting provisiong information. 2. YubiKey-AES PSKC Profile Definition Following the template laid out in section 12.4 of [RFC6030] we specify a new PSKC Profile. Common Name: YubiKey-AES Class: OTP URI: http://www.yubico.com/#yubikey-aes Identifier Definition: This document. Algorithm Definition: [YUBICO] Registrant Contact: Simon Josefsson, Yubico, . Deprecated: FALSE. PSKC Profiling: - The element will hold a value of "oath.UB" to indicate Yubico. - The element will hold the serial number of the unique device. For example, "283599". Valid reasons to omit the field is when the information does not belong to a unique physical device. - The element (inside a element) holds the creation time of the key which is the same as the start date of the device. For example, "2010-11-10T07:14:22Z". Josefsson Expires May 15, 2011 [Page 3] Internet-Draft Yubico YubiKey PSKC Profile November 2010 - The element can be used to indicate which key slot in the YubiKey is intended. The element holds the name of the key slot. The values "1" and "2" denote the first and second key slot respectively. - The element of the element can hold the static YubiKey public prefix associated with the key using a CN AttributeType name string. The YubiKey is using 0-16 characters for this field, for example, "CN=ekhgjhbctrgn". The UID AttributeType name string can be used to associate the internal YubiKey identity, and it is always 12 hex characters, for example "UID=ca62baca62ba". - The value of the element contain key material, normally with a length of 16 octets (128 bits). - The element will have the "Encoding" attribute set to "ALPHANUMERIC" and the "Length" attribute set to indicate the length of generated OTPs including the YubiKey public prefix. For example, if a YubiKey will have a 12 character prefix, the total length of the OTP will be 44 alpha-numeric characters. - The element can be used to indicate the purpose of the key, normally this will be "OTP". - The element (in the element) will hold one element with additional YubiKey specific parameters. Three elements are provided: 1) The with an attribute "Flag" containing a string denoting a YubiKey configuration/ticket flag, 2) The with an attribute "Code" to hold a write protect locking code to use for the new configuration, and 3) The with an attribute "Code" to hold the locking code required to unlock the YubiKey before writing. The semantics of flags and write protection codes are described in [YUBIKEY-MANUAL]. 3. Examples A simple example follows illustrating how slot 1 of the YubiKey with serial number 283599 is provisioned with public identifier "ekhgjhbctrgn", internal identity "ca62baca62ba" and the indicated encryption key. Josefsson Expires May 15, 2011 [Page 4] Internet-Draft Yubico YubiKey PSKC Profile November 2010 oath.UB 283599 2009-01-22T00:25:11Z 1 ACME Inc. K34VFiiu0qar9xWICc9PPA== CN=ekhgjhbctrgn, UID=ca62baca62ba Another example to illustrate how both slots can be programmed at the same time. oath.UB 283598 2009-01-22T00:25:10Z 1 ACME Inc. Vpg1bTCGjEIB4m9mxYK7RQ== CN=ekhgjhbctrgn, UID=ca62baca62ba oath.UB 283598 2009-01-22T00:25:10Z 2 ACME Inc. OIkrgqvxgHeIRY/FpRZcgA== CN=ekhgjhbctrgn, UID=ca62baca62ba One example to illustrate how additional parameters, locking code and unlocking code, can be provided through an extension. Josefsson Expires May 15, 2011 [Page 6] Internet-Draft Yubico YubiKey PSKC Profile November 2010 oath.UB 283597 2009-01-22T00:25:09Z 1 ACME Inc. K34VFiiu0qar9xWICc9PPA== CN=ekhgjhbctrgn, UID=ca62baca62ba 4. Acknowledgements This definition is based on earlier formats used internally at Yubico. Josefsson Expires May 15, 2011 [Page 7] Internet-Draft Yubico YubiKey PSKC Profile November 2010 5. Security Considerations Data using this format is typically highly sensitive and needs integrity and confidentiality protection, which is provided by and discussed further in the core PSKC document. A security analysis of the YubiKey itself is available from [YUBIKEY-SECURITY-ANALYSIS]. 6. References 6.1. Normative References [RFC6030] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric Key Container (PSKC)", RFC 6030, October 2010. 6.2. Informative References [YUBICO] "Yubico Company Web Page", WWW http://www.yubico.com/. [YUBIKEY-MANUAL] Ehrensvard, J., "YubiKey Manual", WWW http:// static.yubico.com/var/uploads/pdfs/ YubiKey_Manual_2010-09-16.pdf. [YUBIKEY-SECURITY-ANALYSIS] Josefsson, S., "YubiKey Security Evaluation", WWW http:// static.yubico.com/var/uploads/pdfs/ Security_Evaluation_2009-09-09.pdf. Author's Address Simon Josefsson Yubico Hagagatan 24 Stockholm 113 47 Sweden Email: simon@yubico.com URI: http://www.yubico.com/ Josefsson Expires May 15, 2011 [Page 8]