Dskpp and pskc ietf standard protocol and payload for symmetric key provisioning

DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning

Philip Hoyer, Senior Architect – CTO Office



Agenda

  • Brief History of IETF Keyprov Working Group

  • Dynamic Symmetric Key Provisioning Protocol (DSKPP)

    • Overview

    • Protocol Variants

    • Two- and Four-Pass Comparison

    • Cryptographic Properties

    • Binding

  • Portable Symmetric Key Container (PSKC)



IETF Keyprov Working Group: Why?

  • No current standard to provision symmetric keys and related meta data

    • over the wire

    • over the air

    • or offline (bulk)



IETF Keyprov Working Group: Why?

  • No standard payload container for keys



IETF Keyprov Working Group: Why?

  • No interoperability between

    • key clients

    • and key servers

[Diagram: Application (Vendor A) and Key server (Vendor A) use key protocol / format A; Key server (Vendor B) and Application (Vendor B) use key protocol / format B. No Interoperability!]



IETF Keyprov Working Group: Objectives

  • Standards

    • Protocol

    • Payload

  • Interoperability between

    • key clients

    • and key servers

[Diagram: Application and Key server from Vendor A and from Vendor B, linked by DSKPP and PSKC. Interoperability!]



IETF Keyprov Working Group

  • Description

  • Current developments in deployment of Shared Symmetric Key (SSK) tokens have highlighted the need for a standard protocol for provisioning symmetric keys. The need for provisioning protocols in PKI architectures has been recognized for some time. Although the existence and architecture of these protocols provides a feasibility proof for the KEYPROV work, assumptions built into these protocols mean that it is not possible to apply them to symmetric key architectures without substantial modification. In particular, the ability to provision symmetric keys and associated attributes dynamically to already issued devices such as cell phones and USB drives is highly desirable.

  • Founded in February 2007 with input from VeriSign (DSKPP), RSA (CT-KIP), and OATH (PSKC).



IETF Keyprov WG: Scope and Deliverables

  • Scope

    • The scope of the working group shall be to define protocols and data formats necessary for provisioning of symmetric cryptographic keys and associated attributes. The group shall consider use cases related to use of Shared Symmetric Key Tokens. Other use cases may be considered for the purpose of avoiding unnecessary restrictions in the design and ensuring the potential for future extensibility.

  • Deliverables:

    • Dynamic Symmetric Key Provisioning Protocol

      • (https://datatracker.ietf.org/doc/draft-ietf-keyprov-dskpp/)

    • Portable Symmetric Key Container (XML)

      • (https://datatracker.ietf.org/doc/draft-ietf-keyprov-pskc/)

    • Symmetric Key Package Content Type (ASN.1)

      • (https://datatracker.ietf.org/doc/draft-ietf-keyprov-symmetrickeyformat/)



DSKPP: Overview

  • DSKPP is a client-server protocol for initialization (and configuration) of symmetric keys to cryptographic modules.

  • Intended for use within computer and communications systems employing symmetric cryptographic modules that are locally (over-the-wire) or remotely (over-the-air) accessible.

  • Can be run with or without private-key capabilities in the cryptographic modules, and with or without an established public key infrastructure.



DSKPP: Protocol Variants

  • DSKPP variants support multiple usage scenarios:

    • Four-pass variant enables mutual key generation by the provisioning server and cryptographic module in near real-time; provisioned keys are not transferred over-the-wire or over-the-air

    • Two-pass variant enables generation and transport of symmetric keys to a cryptographic module in environments where near real-time communication is not possible

    • Two-pass variant also enables transport of pre-generated (e.g., legacy) keys to a cryptographic module



DSKPP: Two-Pass and Four-Pass Comparison



DSKPP: Cryptographic Properties

  • Key confirmation

    • In both variants via MAC on exchanged data

  • Replay protection

    • In both variants through inclusion of client-provided data in MAC

  • Server authentication

    • In both variants through MAC in ServerFinished message when replacing existing key

  • Protection against MITM

    • In both variants through use of shared keys, client certificates, or server public key usage

  • User authentication

    • Enabled in both variants using authentication code

  • Device authentication

    • In both variants if based on shared secret key or if device sends a client certificate



DSKPP: Bindings

  • Security Binding

    • Transport level encryption (e.g., TLS) is not required for key transport

    • TLS/SSL is required if other parameters/attributes must be protected in transit

  • HTTP Binding

    • Special Content-Type header recommended

    • Examples provided in specification



PSKC: Overview

  • Portable Symmetric Key Container (PSKC) is a standardized XML-based key container for transporting symmetric keys and key-related meta data

  • Allows transmission of key policies and key utilization purpose aligned with NIST SP800-57

  • Allows transmission of PIN values that protect access to keys and related PIN policy

  • Specifies the information elements that may be required when the symmetric key is utilized for specific purposes, such as the initial counter in the [HOTP] algorithm

  • Requests the creation of IANA registries for:

    • Algorithm profiles where algorithms, their related meta-data and PSKC transmission profile can be recorded for centralized standardized reference

    • Key usages aligned with NIST SP800-57 (e.g., encrypt, decrypt, sign, verify, otp, etc.)

    • (http://www.iana.org/assignments/pskc/pskc.xhtml)



PSKC: Main Entities

  • KeyContainer

    • EncryptionKey

    • Signature

    • ….

    • KeyPackage

      • DeviceInfo: SerialNumber, Manufacturer, ….

      • CryptoModuleInfo: ID, ….

      • Key

        • KeyPolicy

        • Data: Secret (EncryptedValue, ValueMAC)

        • Data: Counter (PlainValue)

        • Data: Other



    <KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc" … >
      <!-- Names the pre-shared key that encrypts the secret below -->
      <EncryptionKey><ds:KeyName>Pre-shared-key</ds:KeyName></EncryptionKey>
      <KeyPackage>
        <DeviceInfo>
          <Manufacturer>Manufacturer</Manufacturer>
          <SerialNo>987654321</SerialNo>
        </DeviceInfo>
        <CryptoModuleInfo><Id>CM_ID_001</Id></CryptoModuleInfo>
        <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
          <Issuer>Issuer</Issuer>
          <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
          <Data>
            <Secret>
              <EncryptedValue>
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                <xenc:CipherData><xenc:CipherValue>pgznhXdDh…. </xenc:CipherValue></xenc:CipherData>
              </EncryptedValue>
              <!-- MAC value carried because AES-128-CBC has no integrity check -->
              <ValueMAC>ooo0Swn6s/myD4o05FCfBHN0560=</ValueMAC>
            </Secret>
            <!-- Initial HOTP counter, sent in the clear -->
            <Counter><PlainValue>0</PlainValue></Counter>
          </Data>
          <Policy><KeyUsage>OTP</KeyUsage></Policy>
        </Key>
      </KeyPackage>
    </KeyContainer>



PSKC: Key Protection Mechanisms

  • Pre-shared symmetric keys

    • Including transmission of MAC key and value for algorithms without integrity check

  • Password-based encryption (PBE) based on XMLEncryption 1.1 DerivedKey and PKCS#5

  • Asymmetric (PKI)

  • Signature of whole KeyContainer
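
The ValueMAC in the sample container and the "MAC key and value for algorithms without integrity check" bullet above can be checked on receipt as follows. This is an added example, not code from the presentation or the PSKC specification; it assumes HMAC-SHA1 as the MAC method and a MAC key pre-agreed out of band, and it builds its own constructed container with placeholder ciphertext.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
NEEDS_MAC = {CBC}  # encryption methods with no integrity check of their own

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def build_sample(mac_key: bytes, ciphertext: bytes) -> str:
    """Constructed container; `ciphertext` is placeholder bytes, not a real key."""
    mac = b64(hmac.new(mac_key, ciphertext, hashlib.sha1).digest())
    return (f'<KeyContainer Version="1.0" xmlns="{NS["pskc"]}" xmlns:xenc="{NS["xenc"]}">'
            '<KeyPackage><Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">'
            f'<Data><Secret><EncryptedValue><xenc:EncryptionMethod Algorithm="{CBC}"/>'
            f'<xenc:CipherData><xenc:CipherValue>{b64(ciphertext)}</xenc:CipherValue></xenc:CipherData>'
            f'</EncryptedValue><ValueMAC>{mac}</ValueMAC></Secret></Data>'
            '</Key></KeyPackage></KeyContainer>')

def check_secrets(doc: str, mac_key: bytes) -> dict:
    """Assumes HMAC-SHA1 and a pre-agreed MAC key. Returns {Key Id: status}."""
    results = {}
    for key in ET.fromstring(doc).iterfind(".//pskc:Key", NS):
        secret = key.find("pskc:Data/pskc:Secret", NS)
        enc = None if secret is None else secret.find("pskc:EncryptedValue", NS)
        if enc is None:
            continue  # no encrypted secret in this key package
        alg = next((m.get("Algorithm", "") for m in enc.iterfind("xenc:EncryptionMethod", NS)), "")
        sent = (secret.findtext("pskc:ValueMAC", "", NS) or "").strip()
        if not sent:
            results[key.get("Id")] = "missing-mac" if alg in NEEDS_MAC else "no-mac-required"
            continue
        ct = base64.b64decode(enc.findtext("xenc:CipherData/xenc:CipherValue", "", NS))
        expected = hmac.new(mac_key, ct, hashlib.sha1).digest()
        try:  # constant-time compare over the ciphertext, before any decryption
            good = hmac.compare_digest(expected, base64.b64decode(sent))
        except ValueError:  # malformed base64 in ValueMAC
            good = False
        results[key.get("Id")] = "ok" if good else "bad-mac"
    return results

def demo() -> list:
    key, ct = b"constructed-mac-key", bytes(range(32))
    doc = build_sample(key, ct)
    tampered = doc.replace(b64(ct), b64(ct[::-1]))  # ciphertext altered in transit
    stripped = doc.replace(doc[doc.index("<ValueMAC>"):doc.index("</Secret>")], "")
    return [check_secrets(d, key) for d in (doc, tampered, stripped)]
```

A receiver would run this check on every key package and refuse to decrypt or import any key whose status is not `ok`.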



Summary

  • DSKPP – Online symmetric key provisioning protocol

    • IETF proposed standard

  • PSKC – XML – Online/Offline Symmetric Key transport format

    • IETF proposed standard

  • Interoperable standards-based symmetric key provisioning available now!



Thank You!

Questions and Answers
