<?xml version="1.0" encoding="UTF-8"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc compact="no" ?>
<?rfc sortrefs="yes" ?>
<?rfc strict="yes" ?>
<?rfc linkmailto="yes" ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
]>
<rfc category="info" ipr="trust200902" docName="draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt">
<front>
<title abbrev="Additional PSKC Algorithm Profiles">Additional Portable Symmetric Key
Container (PSKC) Algorithm Profiles</title>
<author initials="P." surname="Hoyer" fullname="Philip Hoyer">
<organization abbrev="ActivIdentity"> ActivIdentity, Inc. </organization>
<address>
<postal>
<street>117 Waterloo Road</street>
<city>London</city>
<region>SE1</region>
<code>8UL</code>
<country>UK</country>
</postal>
<phone>+44 (0) 20 7744 6455</phone>
<email>Philip.Hoyer@actividentity.com</email>
</address>
</author>
<author initials="M." surname="Pei" fullname="Mingliang Pei">
<organization abbrev="VeriSign"> VeriSign, Inc. </organization>
<address>
<postal>
<street>487 E. Middlefield Road</street>
<city>Mountain View</city>
<region>CA</region>
<code>94043</code>
<country>USA</country>
</postal>
<phone>+1 650 426 5173</phone>
<email>mpei@verisign.com</email>
</address>
</author>
<author initials="S." surname="Machani" fullname="Salah Machani">
<organization abbrev="Diversinet"> Diversinet, Inc. </organization>
<address>
<postal>
<street>2225 Sheppard Avenue East</street>
<street>Suite 1801</street>
<city>Toronto</city>
<region>Ontario</region>
<code>M2J 5C2</code>
<country>Canada</country>
</postal>
<phone>+1 416 756 2324 Ext. 321</phone>
<email>smachani@diversinet.com</email>
</address>
</author>
<author fullname="Andrea Doherty" initials="A." surname="Doherty">
<organization>RSA, The Security Division of EMC</organization>
<address>
<postal>
<street>174 Middlesex Tpk.</street>
<city>Bedford</city>
<region>MA</region>
<code>01730</code>
<country>USA</country>
</postal>
<email>adoherty@rsa.com</email>
</address>
</author>
<date month="May" year="2010"/>
<workgroup>keyprov</workgroup>
<abstract>
<t>The Portable Symmetric Key Container (PSKC) contains a number of XML elements and XML
attributes carrying keys and related information. Not all algorithms, however, are
able to use all elements, and for other algorithms certain information is mandatory.
This led to the introduction of PSKC algorithm profiles that provide further
description of the mandatory and optional information elements and their
semantics, including extensions that may be needed. The main PSKC specification
defines two PSKC algorithm profiles, namely "HOTP" and "PIN". This document extends
the initial set and specifies nine further algorithm profiles for PSKC.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>This document specifies a set of algorithm profiles for PSKC, namely <list
style="empty">
<t>OCRA (OATH Challenge Response Algorithm)</t>
<t>TOTP (OATH Time based OTP)</t>
<t>SecurID-AES</t>
<t>SecurID-AES-Counter</t>
<t>SecurID-ALGOR</t>
<t>ActivIdentity-3DES</t>
<t>ActivIdentity-AES</t>
<t>ActivIdentity-DES</t>
<t>ActivIdentity-EVENT</t>
</list></t>
<t>[Editor's Note: The content of this document was created by moving a number of PSKC
algorithm profiles from draft-ietf-keyprov-portable-symmetric-key-container-06.txt
into this document. Since draft-ietf-keyprov-portable-symmetric-key-container-07.txt
had experienced a number of changes the description and the examples in this
document are likely to be out-of-sync. Re-alignment will be provided in a future
version.]</t>
</section>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as
described in <xref target="RFC2119"/>.</t>
</section>
<section title="OCRA (OATH Challenge Response Algorithm)" anchor="OCRA-1">
<t>
<list style="hanging">
<t hangText="Common Name:"> OCRA </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">
urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:(ocra_suite_parameters) - e.g.
urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:HOTP-SHA512-8:C-QN08 </t>
<t hangText="Algorithm Definition:">
http://tools.ietf.org/id/draft-mraihi-mutual-oath-hotp-variants-11.txt</t>
<t hangText="Identifier Definition:"> (this RFC) </t>
<t hangText="Registrant Contact:"> IESG </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <Usage> subelements MUST be
present. The "CR" attribute of the <Usage> MUST be set to "true" and it
MUST be the only attribute set. The <ChallengeFormat> and
<ResponseFormat> elements of the <Usage> MUST be present.</t>
<t>For the <Data> elements of a <Key> of this algorithm, the
following subelements MUST be present in either the <Key> element
itself or a commonly shared <KeyProperties> element. <list
style="symbols">
<t>Counter</t>
<t>Time</t>
</list> If the element <Time> is present, the following element MUST
also be present. <list style="symbols">
<t>TimeInterval</t>
</list>
</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 16 octets (128 bits) if it is present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Length' attribute MUST be
between 6 and 9.</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>TokenVendorAcme</Manufacturer>
<SerialNo>987654322</SerialNo>
</DeviceInfo>
<Key KeyId="12345678"
KeyAlgorithm=
"urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:HOTP-SHA512-8:C-QN08">
<Issuer>Issuer</Issuer>
<Usage CR="true">
<ChallengeFormat Min="8" Max="8" Format="DECIMAL"/>
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
</Data>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
<section title="TOTP (OATH Time based OTP)" anchor="totp">
<t>
<list style="hanging">
<t hangText="Common Name:"> TOTP </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">urn:ietf:params:xml:ns:keyprov:pskc#totp </t>
<t hangText="Algorithm Definition:">
http://tools.ietf.org/id/draft-mraihi-totp-timebased-05.txt</t>
<t hangText="Identifier Definition:"> (this RFC) </t>
<t hangText="Registrant Contact:"> IESG </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <Usage> subelements MUST be
present. The "OTP" attribute of the <Usage> MUST be set to "true" and it
MUST be the only attribute set. The element <ResponseFormat> of the
<Usage> MUST be used to indicate the OTP length and the value format.</t>
<t>For the <Data> elements of a <Key> of this algorithm, the
following subelements MUST be present in either the <Key> element
itself or a commonly shared <KeyProperties> element. <list
style="symbols">
<t>Time</t>
<t>TimeInterval</t>
</list>
</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 16 octets (128 bits) if it is present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Length' attribute MUST be
between 6 and 9.</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>TokenVendorAcme</Manufacturer>
<SerialNo>987654323</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="urn:ietf:params:xml:ns:keyprov:pskc#totp"
KeyId="987654323">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="6" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Time>
<PlainValue>0</PlainValue>
</Time>
<TimeInterval>
<PlainValue>30</PlainValue>
</TimeInterval>
<TimeDrift>
<PlainValue>4</PlainValue>
</TimeDrift>
</Data>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
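The TOTP profile above provisions everything a verifier needs: the Secret, Time (the T0 epoch offset), TimeInterval (the time step) and the ResponseFormat Length. The following Python is added here as an example and is not part of this draft or of any PSKC implementation. It parses a constructed copy of the profile's example container, then computes and verifies the OTP for a given Unix time by applying HOTP (RFC 4226, with the default HMAC-SHA-1 assumed) to the time-step counter, which is the TOTP construction the profile's Algorithm Definition refers to. The Secret in the example decodes to "12345678901234567890", which is also the RFC 4226 test key, so the outputs can be checked against that RFC's test vectors; the TimeDrift element is present in the sample but ignored here, since its interpretation belongs to the main PSKC specification.

```python
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc:1.0"

# Constructed sample: the TOTP <KeyContainer> from this profile's example. The Secret is
# base64 of "12345678901234567890", which happens to be the RFC 4226 test key.
TOTP_CONTAINER = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
  <Device>
    <DeviceInfo><Manufacturer>TokenVendorAcme</Manufacturer><SerialNo>987654323</SerialNo></DeviceInfo>
    <Key KeyAlgorithm="urn:ietf:params:xml:ns:keyprov:pskc#totp" KeyId="987654323">
      <Issuer>Issuer</Issuer>
      <Usage OTP="true"><ResponseFormat Length="6" Format="DECIMAL"/></Usage>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Time><PlainValue>0</PlainValue></Time>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
        <TimeDrift><PlainValue>4</PlainValue></TimeDrift>
      </Data>
    </Key>
  </Device>
</KeyContainer>"""

def _q(tag):
    return f"{{{PSKC_NS}}}{tag}"

def _plain(data, tag, default=None):
    """Text of <tag><PlainValue> under a <Data> element, or default if absent."""
    el = data.find(f"{_q(tag)}/{_q('PlainValue')}")
    return default if el is None or el.text is None else el.text.strip()

def parse_totp_key(xml_text):
    """Pull the fields a TOTP verifier needs out of the first <Key> of a PSKC container."""
    key = ET.fromstring(xml_text).find(f".//{_q('Key')}")
    usage = key.find(_q("Usage"))
    if usage is None or usage.get("OTP") != "true":
        raise ValueError('TOTP profile requires <Usage OTP="true">')
    fmt = usage.find(_q("ResponseFormat"))
    if fmt is None or fmt.get("Format") != "DECIMAL":
        raise ValueError("TOTP profile requires a DECIMAL <ResponseFormat>")
    data = key.find(_q("Data"))
    secret_b64 = _plain(data, "Secret")
    if secret_b64 is None:
        raise ValueError("this example only handles a <Secret> carried as <PlainValue>")
    return {
        "key_id": key.get("KeyId"),
        "secret": base64.b64decode(secret_b64),
        "digits": int(fmt.get("Length")),
        "t0": int(_plain(data, "Time", "0")),             # epoch offset T0
        "step": int(_plain(data, "TimeInterval", "30")),  # time step X in seconds
    }

def hotp(secret, counter, digits, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key_info, unix_time):
    """TOTP = HOTP(K, floor((now - T0) / X)) with the provisioned T0 and X."""
    counter = (unix_time - key_info["t0"]) // key_info["step"]
    return hotp(key_info["secret"], counter, key_info["digits"])

def verify_totp(key_info, candidate, unix_time, window=1):
    """Accept the OTP for the current step or up to `window` steps either side,
    comparing each candidate in constant time so the check does not leak the expected value."""
    base = (unix_time - key_info["t0"]) // key_info["step"]
    return any(hmac.compare_digest(hotp(key_info["secret"], c, key_info["digits"]), candidate)
               for c in range(base - window, base + window + 1))

if __name__ == "__main__":
    info = parse_totp_key(TOTP_CONTAINER)
    print(info["key_id"], totp(info, 59))  # 987654323 287082
```

With the RFC 4226 test key, time 59 falls in step 1 and yields 287082, the value the RFC lists for counter 1; the verifier's window of one step on either side is what absorbs small clock skew between token and server without the server trusting the token's clock outright.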
<section title="SecurID-AES">
<t>
<list style="hanging">
<t hangText="Common Name:"> SecurID-AES </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">
http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES </t>
<t hangText="Algorithm Definition:"> http://www.rsa.com/rsalabs/node.asp?id=2821 </t>
<t hangText="Identifier Definition:">
http://www.rsa.com/rsalabs/node.asp?id=2821 </t>
<t hangText="Registrant Contact:"> Andrea Doherty, RSA the Security Division of
EMC, <andrea.doherty@rsa.com> </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <StartDate>,
<ExpiryDate>, and <Usage> sub-elements MUST be present. The
"OTP" attribute of <Usage> MUST be set to "true" and it MUST be the
only attribute set. The <ResponseFormat> sub-element of
<Usage> MUST be used to indicate the OTP length and the value format.</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 16 octets (128 bits) if it is present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Length' attribute MUST be set
to a minimum value of 6.</t>
<t>- The <StartDate> and <ExpiryDate> elements MUST be of
type <xs:dateTime>.</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>RSA, The Security Division of EMC</Manufacturer>
<SerialNo>123456798</SerialNo>
</DeviceInfo>
<Key
KeyAlgorithm="http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES"
KeyId="23456789">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="6" Format="DECIMAL"/>
</Usage>
<StartDate>2006-04-14T00:00:00Z</StartDate>
<ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
<section title="SecurID-AES-Counter">
<t>
<list style="hanging">
<t hangText="Common Name:"> SecurID-AES-Counter </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">
http://www.rsa.com/names/2008/04/algorithms/SecurID/SecurID-AES128-Counter </t>
<t hangText="Algorithm Definition:">
http://www.rsa.com/names/2008/04/algorithms/SecurID/SecurID-AES128-Counter </t>
<t hangText="Identifier Definition:">
http://www.rsa.com/names/2008/04/algorithms/SecurID/SecurID-AES128-Counter </t>
<t hangText="Registrant Contact:"> Andrea Doherty, RSA the Security Division of
EMC, <andrea.doherty@rsa.com> </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <StartDate>,
<ExpiryDate>, and <Usage> sub-elements MUST be present. The
"OTP" attribute of <Usage> MUST be set to "true" and it MUST be the
only attribute set. The <ResponseFormat> sub-element of
<Usage> MUST be used to indicate the OTP length and the value format.</t>
<t>For the <Data> elements of a <Key> of this algorithm, the following
subelements MUST be present in either the <Key> element itself or a
commonly shared <KeyProperties> element. <list style="symbols">
<t>Counter</t>
</list>
</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 16 octets (128 bits) if it is present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Length' attribute MUST be set
to a minimum value of 6.</t>
<t>- The <StartDate> and <ExpiryDate> elements MUST be of
type <xs:dateTime>.</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>RSA, The Security Division of EMC</Manufacturer>
<SerialNo>123456798</SerialNo>
</DeviceInfo>
<Key
KeyAlgorithm="http://www.rsa.com/names/2008/04/algorithms/SecurID/SecurID-AES128-Counter"
KeyId="23456789">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="6" Format="DECIMAL"/>
</Usage>
<StartDate>2006-04-14T00:00:00Z</StartDate>
<ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
<Data>
<Secret>
<PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
</Data>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
<section title="SecurID-ALGOR">
<t>
<list style="hanging">
<t hangText="Common Name:"> SecurID-ALGOR </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">
http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-ALGOR </t>
<t hangText="Algorithm Definition:"> http://www.rsa.com/rsalabs/node.asp?id=2821 </t>
<t hangText="Identifier Definition:">
http://www.rsa.com/rsalabs/node.asp?id=2821 </t>
<t hangText="Registrant Contact:"> Andrea Doherty, RSA the Security Division of
EMC, <andrea.doherty@rsa.com> </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <StartDate>,
<ExpiryDate>, and <Usage> sub-elements MUST be present. The
"OTP" attribute of <Usage> MUST be set to "true" and it MUST be the
only attribute set. The <ResponseFormat> sub-element of
<Usage> MUST be used to indicate the OTP length and the value format.</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 8 octets (64 bits) if it is present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Length' attribute MUST be set
to a value of 6 through 8.</t>
<t>- The <StartDate> and <ExpiryDate> elements MUST be of
type <xs:dateTime>.</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>RSA, The Security Division of EMC</Manufacturer>
<SerialNo>123456798</SerialNo>
</DeviceInfo>
<Key
KeyAlgorithm="http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-ALGOR"
KeyId="23456789">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="6" Format="DECIMAL"/>
</Usage>
<StartDate>2006-04-14T00:00:00Z</StartDate>
<ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
<section title="ActivIdentity-3DES">
<t>
<list style="hanging">
<t hangText="Common Name:"> ActivIdentity-3DES </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-3DES </t>
<t hangText="Algorithm Definition:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-3DES </t>
<t hangText="Identifier Definition:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-3DES </t>
<t hangText="Registrant Contact:"> Philip Hoyer, ActivIdentity Inc,
<philip.hoyer@actividentity.com> </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <Usage> subelements MUST be
present. This algorithm can be used for OTP, challenge-response, parameter
based MACing (integrity) and to generate a device unlock code (in case of
devices where there is local PIN management and the device has been locked
after a specific number of wrong PIN entry attempts). Hence the "OTP",
"CR", "Integrity" and "Unlock" attributes of the <Usage> can be set to
"true", but at least one of the above MUST be set to "true". The element
<ResponseFormat> of the <Usage> MUST be used to indicate the
OTP length, the value format and optionally whether a check digit is being used.
If the use is challenge-response then the <ChallengeFormat> of the
<Usage> MUST be used to indicate the challenge minimum and maximum
length, its format and optionally whether a check digit is being used. </t>
<t>For the <Data> elements of a <Key> of this algorithm, the
following subelements MUST be present in either the <Key> element
itself or a commonly shared <KeyProperties> element. <list
style="symbols">
<t>Secret</t>
<t>Counter</t>
<t>Time</t>
<t>TimeInterval</t>
</list>
</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 16 octets (Double DES keys 128 bits
including parity) if it is present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL" or "HEXADECIMAL", and the 'Length'
attribute MUST be between 6 and 16.</t>
<t>- The <ChallengeFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Min' and 'Max' attributes MUST be
between 4 and 16 (the 'Min' attribute MUST be less than or equal to the
'Max' attribute).</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>ActivIdentity</Manufacturer>
<SerialNo>34567890</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-3DES"
KeyId="12345677">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
<Time>
<PlainValue>0</PlainValue>
</Time>
<TimeInterval>
<PlainValue>32</PlainValue>
</TimeInterval>
<TimeDrift>
<PlainValue>0</PlainValue>
</TimeDrift>
</Data>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
<section title="ActivIdentity-AES">
<t>
<list style="hanging">
<t hangText="Common Name:"> ActivIdentity-AES </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-AES </t>
<t hangText="Algorithm Definition:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-AES </t>
<t hangText="Identifier Definition:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-AES </t>
<t hangText="Registrant Contact:"> Philip Hoyer, ActivIdentity Inc,
<philip.hoyer@actividentity.com> </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <Usage> subelements MUST be
present. This algorithm can be used for OTP, challenge-response, parameter
based MACing (integrity) and to generate a device unlock code (in case of
devices where there is local PIN management and the device has been locked
after a specific number of wrong PIN entry attempts). Hence the "OTP",
"CR", "Integrity" and "Unlock" attributes of the <Usage> can be set to
"true", but at least one of the above MUST be set to "true". The element
<ResponseFormat> of the <Usage> MUST be used to indicate the
OTP length, the value format and optionally whether a check digit is being used.
If the use is challenge-response then the <ChallengeFormat> of the
<Usage> MUST be used to indicate the challenge minimum and maximum
length, its format and optionally whether a check digit is being used. </t>
<t>For the <Data> elements of a <Key> of this algorithm, the following
subelements MUST be present in either the <Key> element itself or a
commonly shared <KeyProperties> element. <list style="symbols">
<t>Secret</t>
<t>Counter</t>
<t>Time</t>
<t>TimeInterval</t>
</list>
</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 16 octets (128 bits) if it is present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL" or "HEXADECIMAL", and the 'Length'
attribute MUST be between 6 and 16.</t>
<t>- The <ChallengeFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Min' and 'Max' attributes MUST be
between 4 and 16 (the 'Min' attribute MUST be less than or equal to the
'Max' attribute).</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>ActivIdentity</Manufacturer>
<SerialNo>34567890</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-AES"
KeyId="12345677">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
<Time>
<PlainValue>0</PlainValue>
</Time>
<TimeInterval>
<PlainValue>32</PlainValue>
</TimeInterval>
<TimeDrift>
<PlainValue>0</PlainValue>
</TimeDrift>
</Data>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
<section title="ActivIdentity-DES">
<t>
<list style="hanging">
<t hangText="Common Name:"> ActivIdentity-DES </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-DES </t>
<t hangText="Algorithm Definition:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-DES </t>
<t hangText="Identifier Definition:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-DES </t>
<t hangText="Registrant Contact:"> Philip Hoyer, ActivIdentity Inc,
<philip.hoyer@actividentity.com> </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <Usage> subelements MUST be
present. This algorithm can be used for OTP, challenge-response, parameter
based MACing (integrity) and to generate a device unlock code (in case of
devices where there is local PIN management and the device has been locked
after a specific number of wrong PIN entry attempts). Hence the "OTP",
"CR", "Integrity" and "Unlock" attributes of the <Usage> can be set to
"true", but at least one of the above MUST be set to "true". The element
<ResponseFormat> of the <Usage> MUST be used to indicate the
OTP length, the value format and optionally whether a check digit is being used.
If the use is challenge-response then the <ChallengeFormat> of the
<Usage> MUST be used to indicate the challenge minimum and maximum
length, its format and optionally whether a check digit is being used. </t>
<t>For the <Data> elements of a <Key> of this algorithm, the following
subelements MUST be present in either the <Key> element itself or a
commonly shared <KeyProperties> element. <list style="symbols">
<t>Counter</t>
<t>Time</t>
<t>TimeInterval</t>
</list>
</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 8 octets (56 bits + parity) if it is
present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL" or "HEXADECIMAL", and the 'Length'
attribute MUST be between 6 and 16.</t>
<t>- The <ChallengeFormat> element MUST have the 'Format'
attribute set to "DECIMAL", and the 'Min' and 'Max' attributes MUST be
between 4 and 16 (the 'Min' attribute MUST be less than or equal to the
'Max' attribute).</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>ActivIdentity</Manufacturer>
<SerialNo>34567890</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-DES"
KeyId="12345677">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
<Time>
<PlainValue>0</PlainValue>
</Time>
<TimeInterval>
<PlainValue>32</PlainValue>
</TimeInterval>
<TimeDrift>
<PlainValue>0</PlainValue>
</TimeDrift>
</Data>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
<section title="ActivIdentity-EVENT">
<t>
<list style="hanging">
<t hangText="Common Name:"> ActivIdentity-EVENT </t>
<t hangText="Class:"> OTP </t>
<t hangText="URI:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-EVENT </t>
<t hangText="Algorithm Definition:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-EVENT </t>
<t hangText="Identifier Definition:">
http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-EVENT </t>
<t hangText="Registrant Contact:"> Philip Hoyer, ActivIdentity Inc,
<philip.hoyer@actividentity.com> </t>
<t
hangText="Profile of XML attributes and subelements of the <Key> entity:"
> </t>
</list>
</t>
<t>
<list style="empty">
<t>For a <Key> of this algorithm, the <Usage> subelements MUST be
present. This algorithm can be used for OTP, challenge-response, parameter
based MACing (integrity) and to generate a device unlock code (in case of
devices where there is local PIN management and the device has been locked
after a specific number of wrong PIN entry attempts). Hence the "OTP",
"CR", "Integrity" and "Unlock" attributes of the <Usage> can be set to
"true", but at least one of the above MUST be set to "true". The element
<ResponseFormat> of the <Usage> MUST be used to indicate the
OTP length, the value format and optionally whether a check digit is being used.
If the use is challenge-response then the <ChallengeFormat> of the
<Usage> MUST be used to indicate the challenge minimum and maximum
length, its format and optionally whether a check digit is being used. </t>
<t>For the <Data> elements of a <Key> of this algorithm, the following
subelements MUST be present in either the <Key> element itself or a
commonly shared <KeyProperties> element. <list style="symbols">
<t>Counter</t>
</list>
</t>
<t>The following additional constraints apply: <list style="empty">
<t>- The value of the <Secret> element MUST contain key material
with a length of at least 8 octets (56 bits + parity) if it is
present.</t>
<t>- The <ResponseFormat> element MUST have the 'Format'
attribute set to "DECIMAL" or "HEXADECIMAL", and the 'Length'
attribute MUST be between 6 and 16.</t>
<t>- The <PINPolicy> element MAY be present but the
<Format> child element of the <PINPolicy> element
cannot be set to "Algorithmic".</t>
</list>
</t>
<t>An example of a <Key> of this algorithm is as follows. <figure>
<preamble/>
<artwork><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
<Device>
<DeviceInfo>
<Manufacturer>ActivIdentity</Manufacturer>
<SerialNo>34567890</SerialNo>
</DeviceInfo>
<Key KeyAlgorithm="http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-EVENT"
KeyId="12345677">
<Issuer>Issuer</Issuer>
<Usage OTP="true">
<ResponseFormat Length="8" Format="DECIMAL"/>
</Usage>
<Data>
<Secret>
<PlainValue>
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
</PlainValue>
</Secret>
<Counter>
<PlainValue>0</PlainValue>
</Counter>
</Data>
</Key>
</Device>
</KeyContainer>
]]></artwork>
<postamble/>
</figure>
</t>
</list>
</t>
</section>
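The nine profile sections above (OCRA, TOTP, the three SecurID profiles and the four ActivIdentity profiles) all follow one checking pattern: select the profile by the KeyAlgorithm URI, then test the Usage attributes, the ResponseFormat, the ChallengeFormat when challenge-response is used, the required Data subelements, the minimum Secret length, the mandatory StartDate/ExpiryDate where the profile demands them, and the PINPolicy restriction. The following Python validator is added here as an example and is not part of this draft or of any PSKC implementation. It transcribes those constraints into a table and applies them to a constructed container holding the draft's TOTP example key beside a deliberately non-conformant ActivIdentity-EVENT key. It assumes the Secret is carried as a PlainValue (encrypted values are not decoded), treats the PINPolicy Format as the child element this draft describes, and leaves resolving a shared KeyProperties element to the caller, since the mechanism linking a Key to it is defined in the main PSKC specification rather than on this page.

```python
import base64
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc:1.0"
ONLY_ONE, ANY_ONE = "only_one", "any_one"  # how the set of "true" <Usage> attributes is judged
AI = "http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-"
RSA05 = "http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-"
AI_USAGE = {"OTP", "CR", "Integrity", "Unlock"}
AI_DATA = {"Counter", "Time", "TimeInterval"}
AI_FORMATS = {"DECIMAL", "HEXADECIMAL"}

def rule(usage, mode, data, secret_min, formats, length, dates=False, challenge=None, if_present=None):
    """One profile: <Usage> attrs and judging mode, required <Data> children, minimum <Secret>
    octets, allowed ResponseFormat Format and (min, max) Length, mandatory Start/ExpiryDate,
    ChallengeFormat (Min, Max) range when CR is used ((None, None) = present, no range),
    and <Data> children that become mandatory when another one is present."""
    return dict(usage=set(usage), mode=mode, data=set(data), secret_min=secret_min,
                formats=set(formats), length=length, dates=dates, challenge=challenge,
                if_present=if_present or {})

# Constraint table transcribed from the profile sections of this draft.
PROFILES = {
    "urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:": rule({"CR"}, ONLY_ONE, {"Counter", "Time"}, 16,
        {"DECIMAL"}, (6, 9), challenge=(None, None), if_present={"Time": {"TimeInterval"}}),
    "urn:ietf:params:xml:ns:keyprov:pskc#totp": rule({"OTP"}, ONLY_ONE, {"Time", "TimeInterval"}, 16,
        {"DECIMAL"}, (6, 9)),
    RSA05 + "AES": rule({"OTP"}, ONLY_ONE, (), 16, {"DECIMAL"}, (6, None), dates=True),
    "http://www.rsa.com/names/2008/04/algorithms/SecurID/SecurID-AES128-Counter":
        rule({"OTP"}, ONLY_ONE, {"Counter"}, 16, {"DECIMAL"}, (6, None), dates=True),
    RSA05 + "ALGOR": rule({"OTP"}, ONLY_ONE, (), 8, {"DECIMAL"}, (6, 8), dates=True),
    AI + "3DES": rule(AI_USAGE, ANY_ONE, AI_DATA | {"Secret"}, 16, AI_FORMATS, (6, 16), challenge=(4, 16)),
    AI + "AES": rule(AI_USAGE, ANY_ONE, AI_DATA | {"Secret"}, 16, AI_FORMATS, (6, 16), challenge=(4, 16)),
    AI + "DES": rule(AI_USAGE, ANY_ONE, AI_DATA, 8, AI_FORMATS, (6, 16), challenge=(4, 16)),
    AI + "EVENT": rule(AI_USAGE, ANY_ONE, {"Counter"}, 8, AI_FORMATS, (6, 16)),
}

def _q(tag):
    return f"{{{PSKC_NS}}}{tag}"

def _profile_for(uri):
    # OCRA URIs carry the suite after "OCRA-1:", so that entry is matched by prefix.
    for key_uri, prof in PROFILES.items():
        if uri == key_uri or (key_uri.endswith(":") and uri.startswith(key_uri)):
            return prof
    return None

def validate_key(key, key_props=None):
    """Return the profile violations of one <Key> element (empty list = conforms)."""
    prof, usage = _profile_for(key.get("KeyAlgorithm", "")), key.find(_q("Usage"))
    if prof is None or usage is None:
        return ["unknown KeyAlgorithm or missing <Usage>"]
    errors, on = [], {a for a, v in usage.attrib.items() if v == "true"}
    if prof["mode"] == ONLY_ONE and on != prof["usage"]:
        errors.append(f"<Usage> must set exactly {sorted(prof['usage'])}, has {sorted(on)}")
    if prof["mode"] == ANY_ONE and not on & prof["usage"]:
        errors.append(f"<Usage> must set at least one of {sorted(prof['usage'])}")
    rf, (lo, hi) = usage.find(_q("ResponseFormat")), prof["length"]
    if rf is None:
        errors.append("<ResponseFormat> missing")
    elif rf.get("Format") not in prof["formats"] or not lo <= int(rf.get("Length", 0)) <= (hi or 10**9):
        errors.append(f"<ResponseFormat> {rf.attrib} violates {sorted(prof['formats'])} {prof['length']}")
    if "CR" in on and prof["challenge"] is not None:
        cf, (cmin, cmax) = usage.find(_q("ChallengeFormat")), prof["challenge"]
        if cf is None:
            errors.append("<ChallengeFormat> required when CR is used")
        elif cmin is not None and (cf.get("Format") != "DECIMAL" or
                                   not cmin <= int(cf.get("Min", 0)) <= int(cf.get("Max", 0)) <= cmax):
            errors.append(f"<ChallengeFormat> {cf.attrib} violates DECIMAL {prof['challenge']}")
    # <Data> children may sit in the <Key> itself or in a shared <KeyProperties> the caller passes in.
    datas = [h.find(_q("Data")) for h in (key, key_props) if h is not None]
    present = {c.tag.split("}")[-1] for d in datas if d is not None for c in d}
    missing = prof["data"] - present
    missing |= {n for c, needed in prof["if_present"].items() if c in present for n in needed} - present
    if missing:
        errors.append("missing <Data> subelements: " + ", ".join(sorted(missing)))
    secret = key.find(f"{_q('Data')}/{_q('Secret')}/{_q('PlainValue')}")
    if secret is not None and len(base64.b64decode(secret.text.strip())) < prof["secret_min"]:
        errors.append(f"<Secret> shorter than {prof['secret_min']} octets")
    if prof["dates"]:
        errors += [f"<{t}> missing" for t in ("StartDate", "ExpiryDate") if key.find(_q(t)) is None]
    pin = key.find(f".//{_q('PINPolicy')}/{_q('Format')}")
    if pin is not None and (pin.text or "").strip() == "Algorithmic":
        errors.append("<PINPolicy><Format> must not be Algorithmic")
    return errors

def validate_container(xml_text):
    """Map each KeyId in a PSKC <KeyContainer> to its list of violations."""
    root = ET.fromstring(xml_text)
    return {k.get("KeyId"): validate_key(k) for k in root.iter(_q("Key"))}

# Constructed sample: the draft's TOTP example key, plus an ActivIdentity-EVENT key
# that breaks both the minimum Secret length and the ResponseFormat Length rule.
SAMPLE = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"><Device>
<Key KeyAlgorithm="urn:ietf:params:xml:ns:keyprov:pskc#totp" KeyId="987654323">
  <Usage OTP="true"><ResponseFormat Length="6" Format="DECIMAL"/></Usage>
  <Data><Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
    <Time><PlainValue>0</PlainValue></Time><TimeInterval><PlainValue>30</PlainValue></TimeInterval></Data>
</Key>
<Key KeyAlgorithm="http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-EVENT" KeyId="evt-1">
  <Usage OTP="true"><ResponseFormat Length="4" Format="DECIMAL"/></Usage>
  <Data><Secret><PlainValue>MTIzNA==</PlainValue></Secret><Counter><PlainValue>0</PlainValue></Counter></Data>
</Key>
</Device></KeyContainer>"""
```

Running `validate_container(SAMPLE)` reports no violations for the TOTP key and two for the EVENT key (a 4-octet Secret against the 8-octet minimum, and a 4-digit Length against the 6 to 16 range). Rejecting such a container at import time, before any key is activated, is the practical value of these profiles: a provisioning file that violates them will otherwise produce tokens whose OTPs are shorter or weaker than the relying system assumes.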
<section title="Security Considerations">
<t>[Editor's Note: Security considerations regarding the algorithms go in here.]</t>
</section>
<section title="IANA Considerations">
<t>[Editor's Note: The registration of the algorithm profiles goes in here.]</t>
</section>
<section title="Acknowledgements">
<t>Add your name here.</t>
</section>
</middle>
<back>
<references title="Normative References">
<reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author fullname="">
<organization/>
</author>
<date month="March" year="1997"/>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
</reference>
</references>
<references title="Informative References">
<reference anchor="PSKC">
<front>
<title>Portable Symmetric Key Container</title>
<author initials="P." surname="Hoyer" fullname="Philip Hoyer">
<organization>ActivIdentity, Inc. </organization>
</author>
<author initials="M." surname="Pei" fullname="Mingliang Pei">
<organization>VeriSign, Inc.</organization>
</author>
<author initials="S." surname="Machani" fullname="Salah Machani">
<organization>Diversinet, Inc.</organization>
</author>
<date month="January" year="2010"/>
</front>
<seriesInfo name="Internet Draft" value="Informational"/>
<seriesInfo name="URL:"
value="http://tools.ietf.org/html/draft-ietf-keyprov-pskc-05"/>
</reference>
</references>
</back>
</rfc>