OTP-WSS-Token - PowerPoint PPT Presentation

OTP-WSS-Token


John Linn, RSA Laboratories

DRAFT: 24 May 2005

OTP-WSS-Token

  • Goal: support OTP-based authentication from claimants to relying parties (RPs) in web service environments

  • XML-encoded <otps-wst:OTPToken> object carries OTP-based authenticator data

  • Functionally analogous to OASIS Web Services Security TC's UsernameToken Profile, but tailored to support OTP authentication methods

  • Can be applied to support token devices operating in multiple modes, including time-based, challenge-response, counter-based

    • Challenges may be client-generated or obtained from verifier through out-of-band means

OTP-WSS-Token: Operational Context

  • OTP authentication can be integrated with Web Services Security: SOAP Message Security (WSS:SMS) in different ways, such as:

    • Directly, using the OTPToken type proposed in this draft

    • Indirectly, using SAML message token with assertion based on OTP authentication

    • At a stream level, e.g., by using OTP to authenticate WS-SecureConversation or SASL

  • This draft's approach authenticates a single SOAP request, and is particularly suited for stand-alone actions like acquiring login credentials

OTP-WSS-Token: Recent and Potential Changes

  • Technical changes in 1-0d2 draft, 8 April 2005

    • Namespace now "otps-wst"

    • No default algorithm identifier

  • Potential changes to consider

    • Token identifier change from TokID (XML ID type) to WSS:SMS wsu:Id type to simplify WSS:SMS integration

    • Further treatment of OTPToken placement and referencing in WSS:SMS environment (see next slide)

      • To identify OTPToken(s) used for authentication

      • Possibly to identify OTPToken(s) used to provide key derivation inputs?

Proposals for Referencing OTPTokens in WSS:SMS

  • Recommended placement: direct descendant of <wsse:Security> header, not Embedded

    • Working assumption: in the usual case, OTPTokens will be carried within the messages they authenticate, not referenced from external sources

    • Can reference using OTPToken's identifier value

  • Can qualify reference with ValueType of #OTPToken

  • Perhaps use KeyIdentifier reference to obtain OTPToken's OTP value as input for key derivation?

    • Q: Define a key derivation algorithm within the document?
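The placement and referencing rules on this slide, worked through as an added example (not code from the presentation or from RSA Laboratories): a SOAP 1.1 request is built with the OTPToken as a direct child of <wsse:Security> and a <wsse:SecurityTokenReference> that points at it by identifier with a ValueType ending in #OTPToken, and a relying-party resolver accepts the reference only when it resolves to an OTPToken in that recommended position. The SOAP, wsse and wsu namespace URIs are the published ones; the otps-wst namespace URI, the ValueType URI and the application payload are assumptions, and the resolver supports both the current TokID identifier and the proposed wsu:Id identifier.

```python
"""Carrying an OTPToken in a WSS:SMS Security header and resolving a reference to it.

Added example, not from the presentation. OTPS_WST, OTPTOKEN_VALUETYPE and the
application payload are assumed; the SOAP/wsse/wsu URIs are the published ones.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
OTPS_WST = "urn:example:otps-wst"                 # assumed; the slides give only the prefix
OTPTOKEN_VALUETYPE = OTPS_WST + "#OTPToken"       # assumed full form of the "#OTPToken" ValueType

for prefix, uri in (("soapenv", SOAP_ENV), ("wsse", WSSE), ("wsu", WSU), ("otps-wst", OTPS_WST)):
    ET.register_namespace(prefix, uri)


def q(ns, local):
    """Clark-notation qualified name used by ElementTree."""
    return f"{{{ns}}}{local}"


def build_request(tok_id, user, otp, ref_attr="TokID", placement="security"):
    """Build a SOAP request carrying an OTPToken plus a SecurityTokenReference to it.

    ref_attr is "TokID" (current draft) or "wsu:Id" (proposed change).
    placement="security" is the recommended direct-child position; "body" puts the
    token elsewhere in the message so the resolver's placement check can be exercised.
    """
    env = ET.Element(q(SOAP_ENV, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP_ENV, "Header")), q(WSSE, "Security"))
    body = ET.SubElement(env, q(SOAP_ENV, "Body"))
    parent = sec if placement == "security" else body
    tok = ET.SubElement(parent, q(OTPS_WST, "OTPToken"), {"TokUser": user})
    tok.set("TokID" if ref_attr == "TokID" else q(WSU, "Id"), tok_id)
    ET.SubElement(tok, q(OTPS_WST, "OTP")).text = otp
    str_el = ET.SubElement(sec, q(WSSE, "SecurityTokenReference"))
    ET.SubElement(str_el, q(WSSE, "Reference"),
                  {"URI": "#" + tok_id, "ValueType": OTPTOKEN_VALUETYPE})
    ET.SubElement(body, "{urn:example:app}GetCredential")  # constructed application payload
    return ET.tostring(env, encoding="unicode")


def resolve_otptoken_reference(xml_text):
    """Return the referenced OTPToken element.

    Raises ValueError unless the reference is a same-message (#id) reference with the
    OTPToken ValueType that resolves to an OTPToken sitting directly under wsse:Security.
    """
    env = ET.fromstring(xml_text)
    sec = env.find(f"./{q(SOAP_ENV, 'Header')}/{q(WSSE, 'Security')}")
    if sec is None:
        raise ValueError("no wsse:Security header")
    ref = sec.find(f"./{q(WSSE, 'SecurityTokenReference')}/{q(WSSE, 'Reference')}")
    if ref is None:
        raise ValueError("no wsse:Reference in the Security header")
    if ref.get("ValueType") != OTPTOKEN_VALUETYPE:
        raise ValueError("reference does not carry the OTPToken ValueType")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-message references are expected for OTPTokens")
    wanted = uri[1:]
    for child in sec:  # only direct children of wsse:Security are candidates
        if child.tag == q(OTPS_WST, "OTPToken") and wanted in (child.get("TokID"), child.get(q(WSU, "Id"))):
            return child
    raise ValueError(f"no OTPToken with identifier {wanted!r} directly under wsse:Security")


if __name__ == "__main__":
    msg = build_request("tok-1", "J. Sample User", "123456")
    print(msg)
    print("resolved OTP:", resolve_otptoken_reference(msg).find(q(OTPS_WST, "OTP")).text)
```

The resolver walks only the direct children of <wsse:Security> rather than searching the whole envelope by id, which is what enforces the slide's "direct descendant, not Embedded" placement: a token placed in the body still carries the right identifier, but the reference is rejected.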

OTP-WSS-Token: OTPToken Elements

  • All optional except <otps-wst:OTP> which carries the value being presented for OTP-based authentication

    • Use of other elements may vary for different algorithms and use cases

  • <otps-wst:TokTimestamp> carries time for time-based OTP algorithms and/or acts as a replay countermeasure

  • <otps-wst:TokNonce> carries a challenge, acts as a replay countermeasure, and/or enables use of multiple OTP results within a single <otps-wst:TokTimestamp> time quantum

  • <otps-wst:TokState> carries additional state elements as needed

    • e.g., counter for counter-based OTP algorithms

  • <otps-wst:TokPIN> carries user's PIN data

  • <otps-wst:ServID> identifies target service for OTP authentication

    • Q: priority for support within token vs. externally?

  • <otps-wst:ContID> provides in-band linkage to continue multi-step authentication transactions

    • Q: priority for support within token vs. externally?

OTP-WSS-Token: OTPToken Attributes

  • TokQual attribute group can identify user's device by user identity (TokUser) and/or serial number (Serial)

    • Must provide at least one form to construct valid OTPToken

  • Optional TokID attribute supports linkage to <otps-wst:OTPToken> data object from other message elements

  • Optional TokAlg attribute identifies token device's OTP algorithm

    • Must provide value unless unambiguous from context

  • Optional TokOTPTransform attribute identifies preprocessing performed on token device output before inclusion in <otps-wst:OTP>

OTP-WSS-Token: Exception Cases

  • In WSS:SMS context, can indicate authentication failures with a SOAP fault carrying the FailedAuthentication value and a Fault/Detail entry

    • If New PIN needed, can contact separate PIN change service, then generate new <otps-wst:OTPToken> and make a new request

    • If additional OTP needed for resynchronization, can generate new <otps-wst:OTPToken> with next value and retry using <otps-wst:ContID>

    • Additional cases and recovery actions can be profiled separately
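The element, attribute and exception-case rules of the three preceding slides, applied on the relying-party side as an added example (not code from the presentation or from RSA Laboratories): a received OTPToken is parsed, the TokQual rule (TokUser and/or Serial) and the mandatory <otps-wst:OTP> are enforced, <otps-wst:TokTimestamp> is checked against an acceptance window, <otps-wst:TokNonce> is decoded, the (user, serial, timestamp, nonce) tuple is used as a replay countermeasure, and any failure is turned into a SOAP fault with the FailedAuthentication code and a detail entry. The otps-wst namespace URI, the five-minute window, the sample token, the receipt time and the stand-in OTP verification routine are assumptions.

```python
"""Relying-party checks on a received <otps-wst:OTPToken>.

Added example, not code from the presentation. OTPS_WST, MAX_SKEW, the sample
token, NOW and demo_verify_otp are assumptions; element and attribute names
follow the slides.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
OTPS_WST = "urn:example:otps-wst"          # assumed; the slides give only the prefix
NS = {"otps-wst": OTPS_WST}
MAX_SKEW = timedelta(minutes=5)            # assumed TokTimestamp acceptance window

# Constructed sample token and receipt time (not from the slides).
SAMPLE_NONCE = base64.b64encode(b"constructed-nonce-01").decode()
SAMPLE_TOKEN = f"""<otps-wst:OTPToken xmlns:otps-wst="{OTPS_WST}"
    TokID="AnExampleToken" TokUser="J. Sample User"
    TokAlg="urn:example:otp-alg:time-based">
  <otps-wst:TokTimestamp>2005-02-15T20:25:42Z</otps-wst:TokTimestamp>
  <otps-wst:TokNonce>{SAMPLE_NONCE}</otps-wst:TokNonce>
  <otps-wst:OTP>123456</otps-wst:OTP>
</otps-wst:OTPToken>"""
NOW = datetime(2005, 2, 15, 20, 26, 0, tzinfo=timezone.utc)


def demo_verify_otp(user, serial, otp, ts, nonce):
    """Stand-in (assumed) for the real OTP algorithm check; accepts one fixed value."""
    return otp == "123456"


class ReplayCache:
    """Remembers (user, serial, timestamp, nonce) tuples already accepted."""
    def __init__(self):
        self._seen = set()

    def seen(self, key):
        return key in self._seen

    def add(self, key):
        self._seen.add(key)


def parse_timestamp(text):
    """Parse xs:dateTime; a trailing 'Z' is rewritten so fromisoformat accepts it."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def validate_otptoken(xml_text, now, cache, verify_otp):
    """Return ("ok", info) or ("fault", reason)."""
    try:
        tok = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return "fault", f"malformed token: {exc}"
    if tok.tag != f"{{{OTPS_WST}}}OTPToken":
        return "fault", "not an OTPToken element"
    user, serial = tok.get("TokUser"), tok.get("Serial")
    if not (user or serial):                      # TokQual: at least one form is required
        return "fault", "TokQual requires TokUser and/or Serial"
    otp_el = tok.find("otps-wst:OTP", NS)           # the only mandatory element
    if otp_el is None or not (otp_el.text or "").strip():
        return "fault", "missing required OTP element"
    if tok.get("TokAlg") is None:                   # no algorithm is implied by context here
        return "fault", "TokAlg required"
    ts = nonce = None
    ts_el = tok.find("otps-wst:TokTimestamp", NS)
    if ts_el is not None:
        try:
            ts = parse_timestamp((ts_el.text or "").strip())
        except ValueError:
            return "fault", "bad TokTimestamp"
        if ts.tzinfo is None:
            return "fault", "TokTimestamp must carry a time zone"
        if abs(now - ts) > MAX_SKEW:
            return "fault", "TokTimestamp outside acceptance window"
    nonce_el = tok.find("otps-wst:TokNonce", NS)
    if nonce_el is not None:
        try:
            nonce = base64.b64decode((nonce_el.text or "").strip(), validate=True)
        except ValueError:
            return "fault", "TokNonce is not valid base64"
    key = (user, serial, ts, nonce)                  # replay countermeasure
    if cache.seen(key):
        return "fault", "replayed token"
    if not verify_otp(user, serial, otp_el.text.strip(), ts, nonce):
        return "fault", "OTP verification failed"
    cache.add(key)                                   # only accepted presentations are remembered
    return "ok", {"user": user, "serial": serial, "timestamp": ts, "tok_id": tok.get("TokID")}


def soap_fault(reason):
    """SOAP 1.1 fault with the WSS FailedAuthentication code and a detail entry."""
    ET.register_namespace("soapenv", SOAP_ENV)
    ET.register_namespace("otps-wst", OTPS_WST)
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope", {"xmlns:wsse": WSSE})
    fault = ET.SubElement(ET.SubElement(env, f"{{{SOAP_ENV}}}Body"), f"{{{SOAP_ENV}}}Fault")
    ET.SubElement(fault, "faultcode").text = "wsse:FailedAuthentication"
    ET.SubElement(fault, "faultstring").text = "The security token could not be authenticated or authorized"
    ET.SubElement(ET.SubElement(fault, "detail"), f"{{{OTPS_WST}}}Reason").text = reason
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    cache = ReplayCache()
    print(validate_otptoken(SAMPLE_TOKEN, NOW, cache, demo_verify_otp))
    status, reason = validate_otptoken(SAMPLE_TOKEN, NOW, cache, demo_verify_otp)  # second presentation
    print(soap_fault(reason) if status == "fault" else "accepted")
```

The replay key is only recorded after the OTP verifies, so a failed attempt does not burn the timestamp/nonce pair, while a second presentation of an accepted token is rejected even though its OTP is still correct; the detail entry in the fault names the reason without echoing any part of the token.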

OTP-WSS-Token: OTPToken Schema

<complexType name="OTPToken">
  <annotation>
    <documentation>Type definition for token-based authentication</documentation>
  </annotation>
  <sequence>
    <element name="TokTimestamp" type="dateTime" minOccurs="0"/>
    <element name="TokNonce" type="base64Binary" minOccurs="0"/>
    <element name="TokState" type="base64Binary" minOccurs="0"/>
    <element name="TokPIN" type="string" minOccurs="0"/>
    <element name="ServID" type="string" minOccurs="0"/>
    <element name="ContID" type="integer" minOccurs="0"/>
    <element name="OTP" type="string"/>
  </sequence>
  <attributeGroup ref="otps-wst:TokQual"/>
  <attribute name="TokID" type="ID" use="optional"/>
  <attribute name="TokAlg" type="anyURI" use="optional"/>
  <attribute name="TokOTPTransform" type="anyURI" use="optional"/>
</complexType>


OTP-WSS-Token: Example OTPToken

<otps-wst:OTPToken TokID="AnExampleToken" TokUser="J. Sample User">
  <otps-wst:TokTimestamp>2005-02-15T20:25:42Z</otps-wst:TokTimestamp>
  <otps-wst:TokNonce>VXUzoS1a4r7kQQ5c/Iua4LqKeq3ciFzEv/MbZhA==</otps-wst:TokNonce>
  <!-- placeholder: the OTP value is not captured in the transcript -->
  <otps-wst:OTP>[OTP value]</otps-wst:OTP>
</otps-wst:OTPToken>




OTP-WSS-Token: Next Steps

  • Consensus and stabilization on document content

  • Proceed towards contribution derived from content, likely to OASIS WSS TC?