March 2006 IETF 65 - Dallas 1
The Cryptographic Token Key Initialization Protocol (CT-KIP)
Dave Mitton, RSA Security, for Magnus Nyström
IETF SAAG
CT-KIP Primer
A client-server protocol for initialization (and configuration) of cryptographic tokens with shared keys
Intended for general use within computer and communications systems employing connected cryptographic tokens
Objectives
To provide a secure and interoperable method of initializing cryptographic tokens with secret keys
To provide a solution that is easy to administer and scales well
To provide a solution which does not require private-key capabilities in tokens, nor the existence of a public-key infrastructure
Message flow (CT-KIP client <-> CT-KIP server)
Client Hello
Server Hello
Client Nonce
Server Finished
(Server Trigger)
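The four passes above as a toy Python model added here (not code from the slides or from RSA's CT-KIP implementation). It follows the shared-key variant and makes two labelled substitutions: HMAC-SHA256 stands in for the spec's CT-KIP-PRF, and a per-session keystream XOR stands in for the nonce encryption; the message field names, pre-shared key and key id are constructed. The optional Server Trigger is not modelled. Both sides end with the same token key, and the MAC on Server Finished lets the token refuse to install a key when that message is corrupted in transit.

```python
import hashlib
import hmac
import os

# Constructed pre-shared wrapping key (shared-key variant; a blank token needs the public-key variant)
PSK = bytes.fromhex("00112233445566778899aabbccddeeff")

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for CT-KIP-PRF (an assumption): HMAC-SHA256(key, label || data)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(key: bytes, r_s: bytes, r_c: bytes) -> bytes:
    """Stand-in nonce protection: XOR with a per-session keystream (self-inverse)."""
    return bytes(a ^ b for a, b in zip(r_c, prf(key, b"wrap", r_s)))

def derive_token_key(r_c: bytes, r_s: bytes, k: bytes) -> bytes:
    return prf(r_c, b"Key generation", k + r_s)  # both sides compute this from the two nonces and k

class Token:
    def client_hello(self) -> dict:  # pass 1: capabilities only, no secrets
        return {"mac_alg": ["HMAC-SHA256"]}
    def client_nonce(self, server_hello: dict) -> dict:  # pass 3
        self.r_s, self.r_c = server_hello["R_S"], os.urandom(16)
        return {"enc_R_C": wrap(PSK, self.r_s, self.r_c)}
    def finish(self, server_finished: dict) -> bytes:
        k_token = derive_token_key(self.r_c, self.r_s, PSK)
        expected = prf(k_token, b"MAC", server_finished["key_id"])
        if not hmac.compare_digest(expected, server_finished["mac"]):
            raise ValueError("Server Finished MAC mismatch: key not installed")
        return k_token  # the token would store this under key_id

class Server:
    def server_hello(self, client_hello: dict) -> dict:  # pass 2
        if "HMAC-SHA256" not in client_hello["mac_alg"]:
            raise ValueError("no common MAC algorithm")
        self.r_s = os.urandom(16)
        return {"mac_alg": "HMAC-SHA256", "R_S": self.r_s}
    def server_finished(self, client_nonce: dict) -> dict:  # pass 4
        r_c = wrap(PSK, self.r_s, client_nonce["enc_R_C"])  # unwrap
        self.k_token = derive_token_key(r_c, self.r_s, PSK)
        key_id = b"constructed-key-id-0001"
        return {"key_id": key_id, "mac": prf(self.k_token, b"MAC", key_id)}

def run_exchange(corrupt: bool = False):
    token, server = Token(), Server()
    sh = server.server_hello(token.client_hello())
    sf = server.server_finished(token.client_nonce(sh))
    if corrupt:  # simulate Server Finished being damaged in transit
        sf = {**sf, "key_id": b"constructed-key-id-9999"}
    return token.finish(sf), server.k_token
```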
Principle of Operation
Current status
Version 1.0 finalized in December 2005
Describes a 4-pass protocol for the initialization of cryptographic tokens with secret keys
Includes a public-key variant as well as a shared-key variant
Public-key variant assumes a completely “blank” token (i.e. totally un-initialized)
The One-Time Password Specifications (OTPS)
CT-KIP was developed as one of several OTPS documents
The OTPS effort was launched one year ago, to simplify the use and integration of OTP technology
Analogous to the PKCS process, documents developed through an open process (no membership required)
[Figure: OTPS Documents. Categories shown: Provisioning, Retrieval, Validation, Transport, Authentication Server. Documents shown: (EAP-POTP, OTP-TLS), (OTP-WSS-Token, OTP-Validation Service), (CT-KIP, CT-KIP-PKCS#11), (OTP-PKCS#11, OTP-CAPI)]
Future work
A 1- and 2-pass version of CT-KIP is available in draft form from the OTPS pages
Internet draft: draft-nystrom-ct-kip-00
Going forward, intent is to submit, and develop, this in IETF I-D form in parallel with the OTPS process
More information
Internet draft: http://www.ietf.org/internet-drafts/draft-nystrom-ct-kip-00.txt
OTPS documents: http://www.rsasecurity.com/rsalabs/otps
Mailing list (ordinary majordomo): mailto:[email protected]
Editors: mailto:[email protected]