1 / 6

OTP-PKCS #11

OTP-PKCS #11. Magnus Nyström, RSA Security OTPS Workshop, October 2005. Objectives & Principle. Scope Describes general PKCS #11 mechanisms, objects, attributes, and procedures for retrieval and verification of OTPs

aspen
Download Presentation

OTP-PKCS #11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OTP-PKCS #11 Magnus Nyström, RSA Security OTPS Workshop, October 2005

  2. Objectives & Principle • Scope • Describes general PKCS #11 mechanisms, objects, attributes, and procedures for retrieval and verification of OTPs • Intended to meet the needs of applications wishing to access connected OTP tokens in an interoperable manner • Eases the task for vendors of OTP-consuming applications • Enables a better user experience • Design Principles • Retains existing v2.20 function set • General approach is to use C_Sign and C_Verify (follows PKCS #11 HMAC approach) • Does not require application to be aware of specific OTP mechanisms

  3. Principles of Operation

  4. Recent Modifications – Draft 5 and 6 • Draft 5, published June 27 • Introduced generic approach for retrieving OTPs • Does not require mechanism-specific knowledge • Draft 6, published September 8 • Stabilized on the generic approach • Added a "CK_OTP_FORMAT_BINARY" option to the CKA_OTP_FORMAT key attribute • Introduced new OTP key attribute, CKA_OTP_DUAL_MODE, which informs an application whether a given OTP token (key) can produce OTP values more suitable for user consumption • Added CKF_PRINTABLE_OTP as a parameter flag, to indicate that an application wishes to receive the printable OTP value (applies when CKA_DUAL_MODE is CK_TRUE)

  5. Recent Modifications – Draft 6 (cont.) and 7 • Draft 6: • Added a note to implementers regarding the possibility of CKA_OTP_PIN_REQUIREMENT changing its value dynamically • Stated that CKA_ALLOWED_MECHANISMS should be set for OTP keys • Clarified that the method of delivering extra information pertaining to a computed OTP value applies to all OTP mechanisms • Updated and corrected examples and added example of dual-mode usage • Draft 7, published September 27 • For clarity, renamed CKA_OTP_DUAL_MODE to CKA_OTP_USER_FRIENDLY_MODE and CKF_PRINTABLE_OTP to CKF_USER_FRIENDLY_OTP • Removed CKA_OTP_LENGTH_{MIN,MAX} mechanism object attributes • Removed the CK_OTP_OUTPUT_FORMAT parameter per mailing list discussion (obsoleted by the CKF_USER_FRIENDLY_OTP flag)

  6. For Discussion • Agreement on current design, content • New mechanisms for other OTP algorithms can be added later on • Similar to how new mechanisms can be added to PKCS #11 in general • This document provides a framework – and defines some initial mechanisms using the framework • Proposed schedule • Produce final draft version (with assignments of identifiers) within a month from this workshop • Only editorial comments on final draft! • Publish Version 1.0 about two weeks after that

More Related