Transcript OTP-PKCS #11 - EMC : Global Site Selector

OTP-PKCS #11
Magnus Nyström, RSA Security
23 May 2005
Objectives
•
•
Describes general PKCS #11 objects, attributes,
procedures for retrieval and verification of OTPs
and
Intended to meet the needs of applications wishing to access
connected OTP tokens in an interoperable manner
— Eases the task for vendors of OTP-consuming applications
— Enables a better user experience
Principles of Operation
PKCS #11 OTP Objects
•
OTP key type with a defined set of new, common, attributes
— OTP Format (Hex, Decimal, …)
— OTP Length
— PIN related: PIN Pad, Default PIN, …
— Challenge/Counter/Time-based
— Service Name (Identifier)
•
Common OTP mechanism object attributes
— Minimum and Maximum OTP length
— Note: Added since initial draft, based on mailing list discussions
PKCS #11 OTP Functions
•
•
Retains existing v2.20 function set
General approach is to use C_Sign and C_Verify
— Follows PKCS #11 HMAC approach
PKCS #11 OTP Mechanisms
•
Defines five OTP mechanisms based on the foregoing
— CKM_SECURID, CKM_SECURID_TRADITIONAL,
CKM_SECURID_KEY_GEN, CKM_HOTP,
CKM_HOTP_KEY_GEN
— HOTP mechanisms added since initial draft
•
Defines additional key attributes for keys of type
CKK_SECURID and CKK_HOTP
— CKA_ACCEPT_{TIME, COUNTER}
— CKA_TIME_INTERVAL/CKA_COUNTER_VALUE
Current status
•
Agreement on mailing list on current design, content
— Document stable since 3rd draft (April 1st)
— Agreement also among workshop participants?
•
Final Draft published on May 11
— 30-day review, ending on June 9
— Intent is to publish v1.0 shortly thereafter
•
New mechanisms for other OTP algorithms can be added
later on
— Similar to how new mechanisms can be added to PKCS #11 in
general
— This document provides a framework – and defines some initial
mechanisms using the framework