OTP-WSS-Token

John Linn, RSA Laboratories

DRAFT: 24 May 2005

OTP-WSS-Token
  • Goal: support OTP-based authentication from claimants to relying parties (RPs) in web service environments
  • XML-encoded <otps-wst:OTPToken> object carries OTP-based authenticator data
  • Functionally analogous to OASIS Web Services Security TC's UsernameToken Profile, but tailored to support OTP authentication methods
  • Can be applied to support token devices operating in multiple modes, including time-based, challenge-response, counter-based
    • Challenges may be client-generated or obtained from verifier through out-of-band means
OTP-WSS-Token: Operational Context
  • OTP authentication can be integrated with Web Services Security: SOAP Message Security (WSS:SMS) in different ways, such as:
    • Directly, using the OTPToken type proposed in this draft
    • Indirectly, using SAML message token with assertion based on OTP authentication
    • At a stream level, as by using OTP to authenticate WS-SecureConversation or SASL
  • This draft's approach authenticates a single SOAP request, and is particularly suited for stand-alone actions like acquiring login credentials
OTP-WSS-Token: Recent and Potential Changes
  • Technical changes in 1-0d2 draft, 8 April 2005
    • Namespace now "otps-wst"
    • No default algorithm identifier
  • Potential changes to consider
    • Token identifier change from TokID (XML ID type) to WSS:SMS wsu:Id type to simplify WSS:SMS integration
    • Further treatment of OTPToken placement and referencing in WSS:SMS environment (see next slide)
      • To identify OTPToken(s) used for authentication
      • Possibly to identify OTPToken(s) used to provide key derivation inputs?
Proposals for Referencing OTPTokens in WSS:SMS
  • Recommended placement: direct descendant of <wsse:Security> header, not Embedded
    • Working assumption: in the usual case, OTPTokens will be carried within the messages they authenticate, not referenced from external sources
    • Can reference using OTPToken's identifier value
  • Can qualify reference with ValueType of #OTPToken
  • Perhaps use KeyIdentifier reference to obtain OTPToken's OTP value as input for key derivation?
    • Q: Define a key derivation algorithm within the document?
OTP-WSS-Token: OTPToken Elements
  • All optional except <otps-wst:OTP> which carries the value being presented for OTP-based authentication
    • Use of other elements may vary for different algorithms and use cases
  • <otps-wst:TokTimestamp> carries time for time-based OTP algorithms and/or acts as a replay countermeasure
  • <otps-wst:TokNonce> carries a challenge, acts as a replay countermeasure, and/or enables use of multiple OTP results within a single <otps-wst:TokTimestamp> time quantum
  • <otps-wst:TokState> carries additional state elements as needed
    • e.g., counter for counter-based OTP algorithms
  • <otps-wst:TokPIN> carries user's PIN data
  • <otps-wst:ServID> identifies target service for OTP authentication
    • Q: priority for support within token vs. externally?
  • <otps-wst:ContID> provides in-band linkage to continue multi-step authentication transactions
    • Q: priority for support within token vs. externally?
OTP-WSS-Token: OTPToken Attributes
  • TokQual attribute group can identify user's device by user identity (TokUser) and/or serial number (Serial)
    • Must provide at least one form to construct valid OTPToken
  • Optional TokID attribute supports linkage to <otps-wst:OTPToken> data object from other message elements
  • Optional TokAlg attribute identifies token device's OTP algorithm
    • Must provide value unless unambiguous from context
  • Optional TokOTPTransform attribute identifies preprocessing performed on token device output before inclusion in <otps-wst:OTP>
OTP-WSS-Token: Exception Cases
  • In WSS:SMS context, can indicate authentication failures with SOAP fault and FailedAuthentication value with Fault/Detail entry
    • If New PIN needed, can contact separate PIN change service, then generate new <otps-wst:OTPToken> and make a new request
    • If additional OTP needed for resynchronization, can generate new <otps-wst:OTPToken> with next value and retry using <otps-wst:ContID>
    • Additional cases and recovery actions can be profiled separately
OTP-WSS-Token: OTPToken Schema

  <complexType name="OTPToken">
    <!-- annotation and sequence wrappers assumed; not preserved in the transcript -->
    <annotation>
      <documentation>Type definition for token-based authentication</documentation>
    </annotation>
    <sequence>
      <element name="TokTimestamp" type="dateTime" minOccurs="0"/>
      <element name="TokNonce" type="base64Binary" minOccurs="0"/>
      <element name="TokState" type="base64Binary" minOccurs="0"/>
      <element name="TokPIN" type="string" minOccurs="0"/>
      <element name="ServID" type="string" minOccurs="0"/>
      <element name="ContID" type="integer" minOccurs="0"/>
      <element name="OTP" type="string"/>
    </sequence>
    <attributeGroup ref="otps-wst:TokQual"/>
    <attribute name="TokID" type="ID" use="optional"/>
    <attribute name="TokAlg" type="anyURI" use="optional"/>
    <attribute name="TokOTPTransform" type="anyURI" use="optional"/>
  </complexType>

OTP-WSS-Token: Example OTPToken

  <otps-wst:OTPToken TokID="AnExampleToken" TokUser="J. Sample User">
    <otps-wst:TokTimestamp>2005-02-15T20:25:42Z</otps-wst:TokTimestamp>
    <otps-wst:TokNonce>VXUzoS1a4r7kQQ5c/Iua4LqKeq3ciFzEv/MbZhA==</otps-wst:TokNonce>
    <!-- the mandatory <otps-wst:OTP> element was not preserved in the transcript -->
  </otps-wst:OTPToken>

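As an added illustration (not code from the draft or from RSA), the following Python sketches the relying-party pre-checks that the element and attribute slides imply: TokQual must name the device, <otps-wst:OTP> is the one mandatory child, and TokTimestamp and TokNonce act as replay countermeasures. The otps-wst namespace URI, the OTP value and the nonce bytes are constructed assumptions; verifying the OTP value against the token algorithm is left out because the draft does not define it.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed namespace URI for the otps-wst prefix (the slides give only the prefix).
NS = "urn:example:otps-wst"

def q(local):
    """Clark-notation name for an otps-wst element."""
    return f"{{{NS}}}{local}"

# Constructed sample token modelled on the draft's example; OTP and nonce values are made up.
SAMPLE_TOKEN = f"""
<otps-wst:OTPToken xmlns:otps-wst="{NS}" TokID="AnExampleToken" TokUser="J. Sample User">
  <otps-wst:TokTimestamp>2005-02-15T20:25:42Z</otps-wst:TokTimestamp>
  <otps-wst:TokNonce>AAECAwQFBgcICQoLDA0ODw==</otps-wst:TokNonce>
  <otps-wst:OTP>492816</otps-wst:OTP>
</otps-wst:OTPToken>
"""

def check_token(xml_text, now, seen, window=timedelta(minutes=5)):
    """Relying-party pre-checks on an OTPToken: the structural rules from the draft,
    timestamp freshness, and (TokTimestamp, TokNonce) replay detection.
    'seen' is the verifier's replay cache (a set). Returns (ok, reason)."""
    tok = ET.fromstring(xml_text)
    if tok.tag != q("OTPToken"):
        return False, "root element is not otps-wst:OTPToken"
    # TokQual: at least one of TokUser / Serial must identify the device.
    if not (tok.get("TokUser") or tok.get("Serial")):
        return False, "TokQual requires TokUser or Serial"
    # <OTP> is the only mandatory child element.
    if not tok.findtext(q("OTP")):
        return False, "missing <otps-wst:OTP>"
    ts_text = tok.findtext(q("TokTimestamp"))
    if ts_text is not None:
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        if abs(now - ts) > window:
            return False, "TokTimestamp outside acceptance window"
    nonce_text = tok.findtext(q("TokNonce"))
    if nonce_text is not None:
        nonce = base64.b64decode(nonce_text, validate=True)  # reject malformed base64
        # The nonce distinguishes several OTPs within one timestamp quantum, so the
        # replay key is the (timestamp, nonce) pair rather than the nonce alone.
        if (ts_text, nonce) in seen:
            return False, "replayed (TokTimestamp, TokNonce) pair"
        seen.add((ts_text, nonce))
    return True, "pre-checks passed; verify <OTP> against the token algorithm next"
```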
OTP-WSS-Token: Next Steps
  • Consensus and stabilization on document content
  • Proceed towards contribution derived from content, likely to OASIS WSS TC?