Additional Portable Symmetric Key Container (PSKC) Algorithm Profiles

This document specifies a set of algorithm profiles for PKSC, namely OCRA (OATH Challenge Response Algorithm) TOTP (OATH Time based OTP) SecurID-AES SecurID-AES-Counter SecurID-ALGOR ActivIdentity-3DES ActivIdentity-AES ActivIdentity-DES ActivIdentity-EVENT [Editor's Note: The content of this document was created by moving a number of PSKC algorithm profiles from draft-ietf-keyprov-portable-symmetric-key-container-06.txt into this document. Since draft-ietf-keyprov-portable-symmetric-key-container-07.txt had experienced a number of changes the description and the examples in this document are likely to be out-of-sync. Re-alignment will be provided in a future version.]

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

OCRA OTP http://www.ietf.org/keyprov/pskc#OCRA-1:(ocra_suite_parameters) - e.g. http://www.ietf.org/keyprov/pskc#OCRA-1:HOTP-SHA512-8:C-QN08 http://www.ietf.org/internet-drafts/draft-mraihi-mutual-oath-hotp-variants-07.txt (this RFC) IESG For a <Key> of this algorithm, the <Usage> subelements MUST be present. The "CR" attribute of the <Usage> MUST be set "true" and it MUST be the only attribute set. The element <ChallengeFormat> and <ResponseFormat> of the <Usage> MUST be present. For the <Data> elements of a <Key> of this algorithm, the following subelements MUST be present in either the <Key> element itself or an commonly shared <KeyProperties> element. Counter Time If the element <Time> is present, the following elements MUST be also present. TimeInterval The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a lengthy of at least 16 octets (128 bits) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL", and the 'Length' attribute MUST be between 6 and 9. - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a <Key> of this algorithm is as follows.

TokenVendorAcme 987654322 Issuer MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 0 ]]>

TOTP OTP http://www.ietf.org/keyprov/pskc#totp http://www.ietf.org/internet-drafts/draft-mraihi-totp-timebased-00.txt (this RFC) IESG For a <Key> of this algorithm, the <Usage> subelements MUST be present. The "OTP" attribute of the <Usage> MUST be set "true" and it MUST be the only attribute set. The element <ResponseFormat> of the <Usage> MUST be used to indicate the OTP length and the value format. For the <Data> elements of a <Key> of this algorithm, the following subelements MUST be present in either the <Key> element itself or an commonly shared <KeyProperties> element. Time TimeInterval The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a lengthy of at least 16 octets (128 bits) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL", and the 'Length' attribute MUST be between 6 and 9. - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a <Key> of this algorithm is as follows.

TokenVendorAcme 987654323 Issuer MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 0 30 4 ]]>

SecurID-AES OTP http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-AES http://www.rsa.com/rsalabs/node.asp?id=2821 http://www.rsa.com/rsalabs/node.asp?id=2821 Andrea Doherty, RSA the Security Division of EMC, <andrea.doherty@rsa.com> For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and <Usage> sub-elements MUST be present. The "OTP" attribute of <Usage> MUST be set to "true" and it MUST be the only attribute set. The <ResponseFormat> sub-element of <Usage> MUST be used to indicate the OTP length and the value format. The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a lengthy of at least 16 octets (128 bits) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL", and the 'Length' attribute MUST be set to a minimum value of 6. - The <StartDate> and <ExpiryDate> elements MUST be of type <xs:dateTime>. - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a <Key> of this algorithm is as follows.

RSA, The Security Division of EMC 123456798 Issuer 2006-04-14T00:00:00Z 2010-09-30T00:00:00Z ]]>

SecurID-AES-Counter OTP http://www.rsa.com/names/2008/04/algorithms/SecurID/SecurID-AES128-Counter http://www.rsa.com/names/2008/04/algorithms/SecurID/SecurID-AES128-Counter http://www.rsa.com/names/2008/04/algorithms/SecurID/SecurID-AES128-Counter Andrea Doherty, RSA the Security Division of EMC, <andrea.doherty@rsa.com> For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and <Usage> sub-elements MUST be present. The "OTP" attribute of <Usage> MUST be set to "true" and it MUST be the only attribute set. The <ResponseFormat> sub-element of <Usage> MUST be used to indicate the OTP length and the value format. For the Data elements of a <Key> of this algorithm, the following subelements MUST be present in either the <Key> element itself or an commonly shared <KeyProperties> element. Counter The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a lengthy of at least 16 octets (128 bits) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL", and the 'Length' attribute MUST be set to a minimum value of 6. - The <StartDate> and <ExpiryDate> elements MUST be of type <xs:dateTime>. - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a <Key> of this algorithm is as follows.

RSA, The Security Division of EMC 123456798 Issuer 2006-04-14T00:00:00Z 2010-09-30T00:00:00Z MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 0 ]]>

SecurID-ALGOR OTP http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/otps-wst#SecurID-ALGOR http://www.rsa.com/rsalabs/node.asp?id=2821 http://www.rsa.com/rsalabs/node.asp?id=2821 Andrea Doherty, RSA the Security Division of EMC, <andrea.doherty@rsa.com> For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and <Usage> sub-elements MUST be present. The "OTP" attribute of <Usage> MUST be set to "true" and it MUST be the only attribute set. The <ResponseFormat> sub-element of <Usage> MUST be used to indicate the OTP length and the value format. The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a lengthy of at least 8 octets (64 bits) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL", and the 'Length' attribute MUST be set to a value of 6 through 8. - The <StartDate> and <ExpiryDate> elements MUST be of type <xs:dateTime>. - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a <Key> of this algorithm is as follows.

RSA, The Security Division of EMC 123456798 Issuer 2006-04-14T00:00:00Z 2010-09-30T00:00:00Z ]]>

ActivIdentity-3DES OTP http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-3DES http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-3DES http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-3DES Philip Hoyer, ActivIdentity Inc, <philip.hoyer@actividentity.com> For a <Key> of this algorithm, the <Usage> subelements MUST be present. This algorithm can be used for otp, challenge response, parameter based MACing (integrity) and to generate a device unlock code (n case of devices where there is local PIN management and the devce has been locked after a specific amount of wrong PIN entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock" attribute of the <Usage> can be set to "true", but at least one of the above MUST be set to true. The element <ResponseFormat> of the <Usage> MUST be used to indicate the OTP length, the value format and optionally if a check digit is being used. If the use is challenge-response then the <ChallengeFormat> of the <Usage> MUST be used to indicate the challenge minimum and maximum length, its format and optionally if a check digit is being used. For the <Data> elements of a <Key> of this algorithm, the following subelements MUST be present in either the <Key> element itself or an commonly shared <KeyProperties> element. Secret Counter Time TimeInterval The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a length of at least 16 octets (Double DES keys 128 bits including parity) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute MUST be between 6 and 16. - The <ChallengeFormat> element MUST have the 'Format' attribute set to "DECIMAL", and the 'Min' and 'Max' attributes be between 4 and 16 (The Min attribute MUST be equal or less than the Max). - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a Key of this algorithm is as follows.

ActivIdentity 34567890 Issuer MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 0 0 32 0 ]]>

ActivIdentity-AES OTP http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-AES http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-AES http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-AES Philip Hoyer, ActivIdentity Inc, <philip.hoyer@actividentity.com> For a <Key> of this algorithm, the <Usage> subelements MUST be present. This algorithm can be used for otp, challenge response, parameter based MACing (integrity) and to generate a device unlock code (n case of devices where there is local PIN management and the devce has been locked after a specific amount of wrong PIN entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock" attribute of the <Usage> can be set to "true", but at least one of the above MUST be set to true. The element <ResponseFormat> of the <Usage> MUST be used to indicate the OTP length, the value format and optionally if a check digit is being used. If the use is challenge-response then the <ChallengeFormat> of the <Usage> MUST be used to indicate the challenge minimum and maximum length, its format and optionally if a check digit is being used. For the <Data> elements of a key of this algorithm, the following subelements MUST be present in either the <Key> element itself or an commonly shared <KeyProperties> element. Secret Counter Time TimeInterval The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a length of at least 16 octets (128 bits) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute MUST be between 6 and 16. - The <ChallengeFormat> element MUST have the 'Format' attribute set to "DECIMAL", and the 'Min' and 'Max' attributes be between 4 and 16 (The Min attribute MUST be equal or less than the Max). - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a <Key> of this algorithm is as follows.

ActivIdentity 34567890 Issuer MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 0 0 32 0 ]]>

ActivIdentity-DES OTP http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-DES http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-DES http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-DES Philip Hoyer, ActivIdentity Inc, <philip.hoyer@actividentity.com> For a <Key> of this algorithm, the <Usage> subelements MUST be present. This algorithm can be used for otp, challenge response, parameter based MACing (integrity) and to generate a device unlock code (n case of devices where there is local PIN management and the devce has been locked after a specific amount of wrong PIN entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock" attribute of the <Usage> can be set to "true", but at least one of the above MUST be set to true. The element <ResponseFormat> of the <Usage> MUST be used to indicate the OTP length, the value format and optionally if a check digit is being used. If the use is challenge-response then the <ChallengeFormat> of the <Usage> MUST be used to indicate the challenge minimum and maximum length, its format and optionally if a check digit is being used. For the <Data> elements of a key of this algorithm, the following subelements MUST be present in either the <Key> element itself or an commonly shared <KeyProperties> element. Counter Time TimeInterval The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a length of at least 8 octets (56 bits + parity) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute MUST be between 6 and 16. - The <ChallengeFormat> element MUST have the 'Format' attribute set to "DECIMAL", and the 'Min' and 'Max' attributes be between 4 and 16 (The Min attribute MUST be equal or less than the Max). - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a <Key> of this algorithm is as follows.

ActivIdentity 34567890 Issuer MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 0 0 32 0 ]]>

ActivIdentity-EVENT OTP http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-EVENT http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-EVENT http://www.actividentity.com/2008/04/algorithms/algorithms#ActivIdentity-EVENT Philip Hoyer, ActivIdentity Inc, <philip.hoyer@actividentity.com> For a <Key> of this algorithm, the <Usage> subelements MUST be present. This algorithm can be used for otp, challenge response, parameter based MACing (integrity) and to generate a device unlock code (n case of devices where there is local PIN management and the device has been locked after a specific amount of wrong PIN entry attempts). Hence the "OTP", "CR","Integrity" and "Unlock" attribute of the <Usage> can be set to "true", but at least one of the above MUST be set to true. The element <ResponseFormat> of the <Usage> MUST be used to indicate the OTP length, the value format and optionally if a check digit is being used. If the use is challenge-response then the <ChallengeFormat> of the <Usage> MUST be used to indicate the challenge minimum and maximum length, its format and optionally if a check digit is being used. For the <Data> elements of a key of this algorithm, the following subelements MUST be present in either the <Key> element itself or an commonly shared <KeyProperties> element. Counter The following additional constraints apply: - The value of the <Secret> element MUST contain key material with a length of at least 8 octets (56 bits + parity) if it is present. - The <ResponseFormat> element MUST have the 'Format' attribute set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute MUST be between 6 and 16. - The <PINPolicy> element MAY be present but the <Format> child element of the <PINPolicy> element cannot be set to "Algorithmic". An example of a <Key> of this algorithm is as follows.

ActivIdentity 34567890 Issuer MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= 0 ]]>

[Editor's Note: Security considerations regarding the algorithms go in here.]

[Editor's Note: The registration of the algorithm profiles goes in here.]

Add your name here.