OTP-PKCS #11
Magnus Nyström, RSA Security
23 May 2005
Objectives
• Describes general PKCS #11 objects, attributes, and procedures for retrieval and verification of OTPs
• Intended to meet the needs of applications wishing to access connected OTP tokens in an interoperable manner
— Eases the task for vendors of OTP-consuming applications
— Enables a better user experience
Principles of Operation
PKCS #11 OTP Objects
• OTP key type with a defined set of new, common attributes
— OTP Format (Hex, Decimal, …)
— OTP Length
— PIN-related: PIN Pad, Default PIN, …
— Challenge/Counter/Time-based
— Service Name (Identifier)
• Common OTP mechanism object attributes
— Minimum and Maximum OTP length
— Note: Added since initial draft, based on mailing list discussions
PKCS #11 OTP Functions
• Retains existing v2.20 function set
• General approach is to use C_Sign and C_Verify
— Follows PKCS #11 HMAC approach
PKCS #11 OTP Mechanisms
• Defines five OTP mechanisms based on the foregoing
— CKM_SECURID, CKM_SECURID_TRADITIONAL, CKM_SECURID_KEY_GEN, CKM_HOTP, CKM_HOTP_KEY_GEN
— HOTP mechanisms added since initial draft
• Defines additional key attributes for keys of type CKK_SECURID and CKK_HOTP
— CKA_ACCEPT_{TIME, COUNTER}
— CKA_TIME_INTERVAL/CKA_COUNTER_VALUE
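The C_Sign / C_Verify approach and the CKM_HOTP mechanism described above, modelled in Python as an added example; this is not code from the presentation or from the PKCS #11 specification. The HotpKey class, its look_ahead window, the MIN_OTP_LENGTH / MAX_OTP_LENGTH bounds and the attribute field names are assumptions chosen to mirror the slides' attribute list; the OTP computation itself is RFC 4226 HOTP, and the secret used in the demo is the RFC 4226 Appendix D test-vector key.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Assumed mechanism-level bounds, modelling the "minimum and maximum OTP length"
# attributes the slides place on the OTP mechanism object (constructed values).
MIN_OTP_LENGTH = 6
MAX_OTP_LENGTH = 8


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpKey:
    """Toy model of a CKK_HOTP key object and the CKM_HOTP sign/verify flow.

    Field names mirror the slides (OTP length, counter value, accept-counter);
    the look-ahead window and its default size are assumptions."""

    def __init__(self, secret: bytes, otp_length: int = 6,
                 counter_value: int = 0, accept_counter: bool = False,
                 look_ahead: int = 3):
        if not MIN_OTP_LENGTH <= otp_length <= MAX_OTP_LENGTH:
            raise ValueError("OTP length outside the mechanism's allowed range")
        self._secret = secret                  # key value: never leaves the token
        self.otp_length = otp_length           # OTP Length attribute
        self.counter_value = counter_value     # CKA_COUNTER_VALUE: next counter to use
        self.accept_counter = accept_counter   # CKA_ACCEPT_COUNTER: verifier may supply counter
        self.look_ahead = look_ahead           # resynchronisation window (assumption)

    def sign(self) -> str:
        """Models C_Sign with CKM_HOTP: emit the OTP for the current counter, then advance."""
        otp = hotp(self._secret, self.counter_value, self.otp_length)
        self.counter_value += 1
        return otp

    def verify(self, otp: str, counter: Optional[int] = None) -> bool:
        """Models C_Verify with CKM_HOTP.

        An explicit counter is honoured only when accept_counter is set; otherwise the
        token searches its look-ahead window. Any counter below the next expected one
        is rejected, so a captured OTP cannot be replayed, and a successful match moves
        the counter past the value that was used (resynchronisation)."""
        if counter is not None:
            if not self.accept_counter or counter < self.counter_value:
                return False
            candidates = [counter]
        else:
            candidates = range(self.counter_value,
                               self.counter_value + self.look_ahead + 1)
        for c in candidates:
            expected = hotp(self._secret, c, self.otp_length)
            if hmac.compare_digest(expected, otp):   # constant-time comparison
                self.counter_value = c + 1
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test-vector secret (ASCII "12345678901234567890").
    key = HotpKey(b"12345678901234567890")
    code = key.sign()                  # "755224" for counter 0
    print("OTP:", code, "verify:", HotpKey(b"12345678901234567890").verify(code))
```

The application never sees the key value: it asks the token to produce an OTP (C_Sign) or to check one (C_Verify), which is the interoperability point the slides make. The replay check and the bounded look-ahead are what keep a verify-capable token from becoming an oracle for previously used codes.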
Current status
• Agreement on mailing list on current design, content
— Document stable since 3rd draft (April 1st)
— Agreement also among workshop participants?
• Final Draft published on May 11
— 30-day review, ending on June 9
— Intent is to publish v1.0 shortly thereafter
• New mechanisms for other OTP algorithms can be added later on
— Similar to how new mechanisms can be added to PKCS #11 in general
— This document provides a framework, and defines some initial mechanisms using the framework