Network Working Group S. Josefsson
Internet-Draft Yubico
Intended status: Informational November 11, 2010
Expires: May 15, 2011
Yubico YubiKey Portable Symmetric Key Container (PSKC) Profile
draft-josefsson-keyprov-pskc-yubikey-00
Abstract
This document specifies how to provision the YubiKey using the Portable
Symmetric Key Container (PSKC) format. The YubiKey is a small
portable device that generates One-Time-Passwords.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 15, 2011.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Josefsson Expires May 15, 2011 [Page 1]
Internet-Draft Yubico YubiKey PSKC Profile November 2010
Table of Contents
1. Introduction and Background
2. YubiKey-AES PSKC Profile Definition
3. Examples
4. Acknowledgements
5. Security Considerations
6. References
6.1. Normative References
6.2. Informative References
Author's Address
1. Introduction and Background
The YubiKey is a small portable device that generates One-Time-
Passwords. In its default mode, the One-Time-Password consists of a
static identifier concatenated with a never-repeating AES-128
encrypted part. Personalization of the device consumes several data
fields, including a public identifier, an internal identifier and an
AES-128 key.
This document specifies a PSKC [RFC6030] algorithm profile called
"YubiKey-AES" for the Yubico [YUBICO] YubiKey in the default AES-
based one-time-password mode. The intent is to provide a standard
format for transporting provisioning information.
2. YubiKey-AES PSKC Profile Definition
Following the template laid out in section 12.4 of [RFC6030] we
specify a new PSKC Profile.
Common Name: YubiKey-AES
Class: OTP
URI: http://www.yubico.com/#yubikey-aes
Identifier Definition: This document.
Algorithm Definition: [YUBICO]
Registrant Contact: Simon Josefsson, Yubico, <simon@yubico.com>.
Deprecated: FALSE.
PSKC Profiling:
- The <Manufacturer> element will hold a value of "oath.UB" to
indicate Yubico.
- The <SerialNo> element will hold the serial number of the unique
device. For example, "283599". A valid reason to omit the <SerialNo>
field is when the information does not belong to a unique physical
device.
- The <StartDate> element (inside a <DeviceInfo> element) holds the
creation time of the key which is the same as the start date of the
device. For example, "2010-11-10T07:14:22Z".
- The <CryptoModuleInfo> element can be used to indicate which key
slot in the YubiKey is intended. The <Id> element holds the name of
the key slot. The values "1" and "2" denote the first and second key
slot respectively.
- The <UserId> element of the <Key> element can hold the static
YubiKey public prefix associated with the key using a CN
AttributeType name string. The YubiKey uses 0-16 characters for
this field, for example, "CN=ekhgjhbctrgn". The UID AttributeType
name string can be used to associate the internal YubiKey identity,
and it is always 12 hex characters, for example "UID=ca62baca62ba".
- The value of the <Secret> element contains key material, normally
with a length of 16 octets (128 bits).
- The <ResponseFormat> element will have the "Encoding" attribute set
to "ALPHANUMERIC" and the "Length" attribute set to indicate the
length of generated OTPs including the YubiKey public prefix. For
example, if a YubiKey will have a 12 character prefix, the total
length of the OTP will be 44 alpha-numeric characters.
- The <KeyUsage> element can be used to indicate the purpose of the
key; normally this will be "OTP".
- The <Extensions> element (in the <Key> element) will hold one
<YubiKey> element with additional YubiKey specific parameters. Three
elements are provided: 1) The <YubiKeyConfig> with an attribute
"Flag" containing a string denoting a YubiKey configuration/ticket
flag, 2) The <YubiKeyLock> with an attribute "Code" to hold a write
protect locking code to use for the new configuration, and 3) The
<YubiKeyUnlock> with an attribute "Code" to hold the locking code
required to unlock the YubiKey before writing. The semantics of
flags and write protection codes are described in [YUBIKEY-MANUAL].
3. Examples
A simple example follows illustrating how slot 1 of the YubiKey with
serial number 283599 is provisioned with public identifier
"ekhgjhbctrgn", internal identity "ca62baca62ba" and the indicated
encryption key.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
              Id="yk-pskc-283599"
              xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>oath.UB</Manufacturer>
      <SerialNo>283599</SerialNo>
      <StartDate>2009-01-22T00:25:11Z</StartDate>
    </DeviceInfo>
    <CryptoModuleInfo>
      <Id>1</Id>
    </CryptoModuleInfo>
    <Key Id="283599:1"
         Algorithm="http://www.yubico.com/#yubikey-aes">
      <Issuer>ACME Inc.</Issuer>
      <AlgorithmParameters>
        <ResponseFormat Encoding="ALPHANUMERIC" Length="44"/>
      </AlgorithmParameters>
      <Data>
        <Secret>
          <PlainValue>
            K34VFiiu0qar9xWICc9PPA==
          </PlainValue>
        </Secret>
      </Data>
      <UserId>CN=ekhgjhbctrgn, UID=ca62baca62ba</UserId>
    </Key>
  </KeyPackage>
</KeyContainer>
Another example illustrates how both slots can be programmed at the
same time.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
              Id="yk-pskc-283598"
              xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>oath.UB</Manufacturer>
      <SerialNo>283598</SerialNo>
      <StartDate>2009-01-22T00:25:10Z</StartDate>
    </DeviceInfo>
    <CryptoModuleInfo>
      <Id>1</Id>
    </CryptoModuleInfo>
    <Key Id="283598:1"
         Algorithm="http://www.yubico.com/#yubikey-aes">
      <Issuer>ACME Inc.</Issuer>
      <AlgorithmParameters>
        <ResponseFormat Encoding="ALPHANUMERIC" Length="44"/>
      </AlgorithmParameters>
      <Data>
        <Secret>
          <PlainValue>
            Vpg1bTCGjEIB4m9mxYK7RQ==
          </PlainValue>
        </Secret>
      </Data>
      <UserId>CN=ekhgjhbctrgn, UID=ca62baca62ba</UserId>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>oath.UB</Manufacturer>
      <SerialNo>283598</SerialNo>
      <StartDate>2009-01-22T00:25:10Z</StartDate>
    </DeviceInfo>
    <CryptoModuleInfo>
      <Id>2</Id>
    </CryptoModuleInfo>
    <Key Id="283598:2"
         Algorithm="http://www.yubico.com/#yubikey-aes">
      <Issuer>ACME Inc.</Issuer>
      <AlgorithmParameters>
        <ResponseFormat Encoding="ALPHANUMERIC" Length="44"/>
      </AlgorithmParameters>
      <Data>
        <Secret>
          <PlainValue>
            OIkrgqvxgHeIRY/FpRZcgA==
          </PlainValue>
        </Secret>
      </Data>
      <UserId>CN=ekhgjhbctrgn, UID=ca62baca62ba</UserId>
    </Key>
  </KeyPackage>
</KeyContainer>
A further example illustrates how additional parameters, locking code and
unlocking code, can be provided through an extension.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0"
              Id="yk-pskc-283597"
              xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>oath.UB</Manufacturer>
      <SerialNo>283597</SerialNo>
      <StartDate>2009-01-22T00:25:09Z</StartDate>
    </DeviceInfo>
    <CryptoModuleInfo>
      <Id>1</Id>
    </CryptoModuleInfo>
    <Key Id="283597:1"
         Algorithm="http://www.yubico.com/#yubikey-aes">
      <Issuer>ACME Inc.</Issuer>
      <AlgorithmParameters>
        <ResponseFormat Encoding="ALPHANUMERIC" Length="40"/>
      </AlgorithmParameters>
      <Data>
        <Secret>
          <PlainValue>
            K34VFiiu0qar9xWICc9PPA==
          </PlainValue>
        </Secret>
      </Data>
      <UserId>CN=ekhgjhbctrgn, UID=ca62baca62ba</UserId>
      <Extensions>
        <YubiKey xmlns="http://www.yubico.com/#yubikey-aes-ext">
          <YubiKeyConfig Flag="TKTFLAG_APPEND_DELAY1"/>
          <YubiKeyConfig Flag="TKTFLAG_APPEND_CR"/>
          <YubiKeyConfig Flag="CFGFLAG_PACING_10MS"/>
          <YubiKeyLock Code="98566d358630"/>
          <YubiKeyUnlock Code="45bb428ce201"/>
        </YubiKey>
      </Extensions>
    </Key>
  </KeyPackage>
</KeyContainer>
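An added example, not part of the draft: a Python check of a container against the profiling rules of Section 2, which a provisioning service could run before writing keys to devices. The sample container and its all-zero key are constructed; the 32-character OTP body is an assumption taken from the draft's own figure (44 characters with a 12-character prefix), and rejecting any Secret that is not exactly 16 octets is stricter than the draft's "normally".

```python
import base64
import re
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

NS = {"p": "urn:ietf:params:xml:ns:keyprov:pskc"}
PROFILE_URI = "http://www.yubico.com/#yubikey-aes"
OTP_BODY_LEN = 32  # assumption: the draft's 44-character OTP minus its 12-character prefix
# Constructed sample: serial is made up, key is 16 zero octets, Length is deliberately 40.
SAMPLE = f"""<KeyContainer Version="1.0" xmlns="{NS['p']}"><KeyPackage>
  <DeviceInfo><Manufacturer>oath.UB</Manufacturer><SerialNo>100001</SerialNo></DeviceInfo>
  <CryptoModuleInfo><Id>1</Id></CryptoModuleInfo>
  <Key Id="100001:1" Algorithm="{PROFILE_URI}">
    <AlgorithmParameters><ResponseFormat Encoding="ALPHANUMERIC" Length="40"/></AlgorithmParameters>
    <Data><Secret><PlainValue>{base64.b64encode(bytes(16)).decode()}</PlainValue></Secret></Data>
    <UserId>CN=ekhgjhbctrgn, UID=ca62baca62ba</UserId>
  </Key>
</KeyPackage></KeyContainer>"""

def secret_len(key):
    """Decoded length of <PlainValue>, or -1 if it is not valid base64."""
    text = key.findtext("p:Data/p:Secret/p:PlainValue", "", NS)
    try:
        return len(base64.b64decode("".join(text.split()), validate=True))
    except ValueError:
        return -1

def validate_package(pkg):
    """Return the list of profile violations for one <KeyPackage> element."""
    key = pkg.find("p:Key", NS)
    if key is None or key.get("Algorithm") != PROFILE_URI:
        return ["Key missing or Algorithm is not the YubiKey-AES URI"]
    maker = pkg.findtext("p:DeviceInfo/p:Manufacturer", "", NS).strip()
    # Optional elements (slot Id, UID) default to values that pass their check.
    slot = pkg.findtext("p:CryptoModuleInfo/p:Id", "1", NS).strip()
    ids = dict(re.findall(r"\b(CN|UID)=([^,\s]*)", key.findtext("p:UserId", "", NS)))
    cn, uid = ids.get("CN", ""), ids.get("UID", "0" * 12)
    fmt = getattr(key.find("p:AlgorithmParameters/p:ResponseFormat", NS), "attrib", {})
    checks = [
        (maker == "oath.UB", "Manufacturer is not oath.UB"),
        (slot in ("1", "2"), "slot Id must be 1 or 2"),
        (secret_len(key) == 16, "Secret is not 16 octets"),
        (len(cn) <= 16, "CN prefix longer than 16 characters"),
        (re.fullmatch(r"[0-9a-fA-F]{12}", uid) is not None, "UID is not 12 hex characters"),
        (fmt.get("Encoding") == "ALPHANUMERIC", "Encoding must be ALPHANUMERIC"),
        (fmt.get("Length") == str(len(cn) + OTP_BODY_LEN),
         f"Length {fmt.get('Length')} != prefix {len(cn)} + {OTP_BODY_LEN}"),
    ]
    return [msg for ok, msg in checks if not ok]

def validate_container(xml_text):
    return [validate_package(p) for p in ET.fromstring(xml_text).findall("p:KeyPackage", NS)]
```

validate_container(SAMPLE) returns one list per <KeyPackage>; an empty list means the package passed every check.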
4. Acknowledgements
This definition is based on earlier formats used internally at
Yubico.
5. Security Considerations
Data using this format is typically highly sensitive and needs
integrity and confidentiality protection, which is provided by and
discussed further in the core PSKC document.
A security analysis of the YubiKey itself is available from
[YUBIKEY-SECURITY-ANALYSIS].
6. References
6.1. Normative References
[RFC6030] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
Key Container (PSKC)", RFC 6030, October 2010.
6.2. Informative References
[YUBICO] "Yubico Company Web Page", WWW http://www.yubico.com/.
[YUBIKEY-MANUAL]
Ehrensvard, J., "YubiKey Manual", WWW
http://static.yubico.com/var/uploads/pdfs/YubiKey_Manual_2010-09-16.pdf.
[YUBIKEY-SECURITY-ANALYSIS]
Josefsson, S., "YubiKey Security Evaluation", WWW
http://static.yubico.com/var/uploads/pdfs/Security_Evaluation_2009-09-09.pdf.
Author's Address
Simon Josefsson
Yubico
Hagagatan 24
Stockholm 113 47
Sweden
Email: simon@yubico.com
URI: http://www.yubico.com/