OTP-WSS-Token


John Linn, RSA Laboratories DRAFT: 24 May 2005

OTP-WSS-Token

• Goal: support OTP-based authentication from claimants to relying parties (RPs) in web service environments
• XML-encoded object carries OTP-based authenticator data
• Functionally analogous to OASIS Web Services Security TC's UsernameToken Profile, but tailored to support OTP authentication methods
• Can be applied to support token devices operating in multiple modes, including time-based, challenge-response, counter-based
  — Challenges may be client-generated or obtained from verifier through out-of-band means

OTP-WSS-Token: Operational Context

• OTP authentication can be integrated with Web Services Security: SOAP Message Security (WSS:SMS) in different ways, such as:
  — Directly, using the OTPToken type proposed in this draft
  — Indirectly, using SAML message token with assertion based on OTP authentication
  — At a stream level, as by using OTP to authenticate WS-SecureConversation or SASL
• This draft's approach authenticates a single SOAP request, and is particularly suited for stand-alone actions like acquiring login credentials

OTP-WSS-Token: Recent and Potential Changes

• Technical changes in 1-0d2 draft, 8 April 2005
  — Namespace now "otps-wst"
  — No default algorithm identifier
• Potential changes to consider
  — Token identifier change from TokID (XML ID type) to WSS:SMS wsu:Id type to simplify WSS:SMS integration
  — Further treatment of OTPToken placement and referencing in WSS:SMS environment (see next slide)
    • To identify OTPToken(s) used for authentication
    • Possibly to identify OTPToken(s) used to provide key derivation inputs?

Proposals for Referencing OTPTokens in WSS:SMS

• Recommended placement: direct descendant of header, not Embedded
  — Working assumption: in the usual case, OTPTokens will be carried within the messages they authenticate, not referenced from external sources
  — Can reference using OTPToken's identifier value
• Can qualify reference with ValueType of #OTPToken
• Perhaps use KeyIdentifier reference to obtain OTPToken's OTP value as input for key derivation?
  — Q: Define a key derivation algorithm within the document?

OTP-WSS-Token: OTPToken Elements

• All optional except the element which carries the value being presented for OTP-based authentication
  — Use of other elements may vary for different algorithms and use cases
• [element] carries time for time-based OTP algorithms and/or acts as a replay countermeasure
• [element] carries a challenge, acts as a replay countermeasure, and/or enables use of multiple OTP results within a single time quantum
• [element] carries additional state elements as needed
  — e.g., counter for counter-based OTP algorithms
• [element] carries user's PIN data
• [element] identifies target service for OTP authentication
  — Q: priority for support within token vs. externally?
• [element] provides in-band linkage to continue multi-step authentication transactions
  — Q: priority for support within token vs. externally?

OTP-WSS-Token: OTPToken Attributes

• TokQual attribute group can identify user's device by user identity (TokUser) and/or serial number (Serial)
  — Must provide at least one form to construct valid OTPToken
• Optional TokID attribute supports linkage to data object from other message elements
• Optional TokAlg attribute identifies token device's OTP algorithm
  — Must provide value unless unambiguous from context
• Optional TokOTPTransform attribute identifies preprocessing performed on token device output before inclusion in

OTP-WSS-Token: Exception Cases

• In WSS:SMS context, can indicate authentication failures with SOAP fault and FailedAuthentication value with Fault/Detail entry
  — If New PIN needed, can contact separate PIN change service, then generate new and make a new request
  — If additional OTP needed for resynchronization, can generate new with next value and retry using
  — Additional cases and recovery actions can be profiled separately
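The placement, attribute and exception-case rules from the three slides above, worked through on the verifier side as an added example (this is not code from the draft or from RSA Laboratories). The names OTPToken, TokID, TokUser, Serial, TokAlg, the #OTPToken ValueType qualifier and the FailedAuthentication fault value come from the slides; the otps-wst namespace URI, the child element names Time, Challenge and OTP, and the acceptance policy (60-second time window, single-use challenges) are assumptions made for the example.

```python
"""Verifier-side handling of an OTPToken carried in a WSS:SMS Security header.

Added example, not code from the OTP-WSS-Token draft. Assumed (not on the slides):
the otps-wst namespace URI, the element names Time/Challenge/OTP, and the policy
of a 60-second time window with single-use challenges.
"""
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
OTPS = "urn:example:otps-wst"            # placeholder namespace URI (assumption)
OTPTOKEN_VALUETYPE = OTPS + "#OTPToken"  # assumed spelling of the #OTPToken qualifier
FAULT = "FailedAuthentication"           # WSS:SMS fault value named on the slides

# Constructed sample request: the token is a direct child of wsse:Security and is
# referenced from a SecurityTokenReference by its TokID. All values are made up.
SAMPLE = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:ot="{OTPS}">
  <S:Header>
    <wsse:Security>
      <ot:OTPToken TokID="tok1" TokUser="alice" TokAlg="urn:example:challenge-otp">
        <ot:Time>2005-05-24T10:00:00Z</ot:Time>
        <ot:Challenge>c2FtcGxlLWNoYWxsZW5nZQ==</ot:Challenge>
        <ot:OTP>123456</ot:OTP>
      </ot:OTPToken>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#tok1" ValueType="{OTPTOKEN_VALUETYPE}"/>
      </wsse:SecurityTokenReference>
    </wsse:Security>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def verify(envelope_xml, expected_otp, now, seen_challenges, window=timedelta(seconds=60)):
    """Check one SOAP request. Returns (True, None) on success or (False, FAULT)."""
    root = ET.fromstring(envelope_xml)
    security = root.find("%s/%s" % (_q(SOAP, "Header"), _q(WSSE, "Security")))
    if security is None:
        return False, FAULT
    # Resolve the STR; only a local reference qualified with #OTPToken is accepted.
    ref = security.find("%s/%s" % (_q(WSSE, "SecurityTokenReference"), _q(WSSE, "Reference")))
    uri = ref.get("URI", "") if ref is not None else ""
    if ref is None or ref.get("ValueType") != OTPTOKEN_VALUETYPE or not uri.startswith("#"):
        return False, FAULT
    # Recommended placement: the referenced token must be a direct child of Security.
    token = next((t for t in security.findall(_q(OTPS, "OTPToken")) if t.get("TokID") == uri[1:]), None)
    if token is None:
        return False, FAULT
    # TokQual: at least one of TokUser / Serial must be present.
    if not (token.get("TokUser") or token.get("Serial")):
        return False, FAULT
    # TokAlg is required unless unambiguous from context; this verifier treats it as required.
    if not token.get("TokAlg"):
        return False, FAULT
    # Time element as replay countermeasure: reject anything outside the acceptance window.
    time_el = token.find(_q(OTPS, "Time"))
    if time_el is None:
        return False, FAULT
    try:
        t = datetime.strptime(time_el.text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, FAULT
    if abs(now - t) > window:
        return False, FAULT
    # Challenge element: each challenge is accepted once, so a captured token is
    # useless even inside the time window.
    chal_el = token.find(_q(OTPS, "Challenge"))
    if chal_el is None or chal_el.text.strip() in seen_challenges:
        return False, FAULT
    # OTP element: constant-time comparison against the value the verifier computed itself.
    otp_el = token.find(_q(OTPS, "OTP"))
    if otp_el is None or not hmac.compare_digest(otp_el.text.strip(), expected_otp):
        return False, FAULT
    seen_challenges.add(chal_el.text.strip())  # consume the challenge only after success
    return True, None


def soap_fault(fault_value, detail="OTP verification failed"):
    """SOAP 1.1 fault as the slides describe: a FailedAuthentication code plus a Detail entry."""
    return (
        '<S:Envelope xmlns:S="%s" xmlns:wsse="%s"><S:Body><S:Fault>'
        "<faultcode>wsse:%s</faultcode><faultstring>The security token could not be "
        "authenticated</faultstring><detail>%s</detail></S:Fault></S:Body></S:Envelope>"
        % (SOAP, WSSE, fault_value, detail)
    )


def demo():
    """Run the sample through the verifier under several conditions; returns the outcomes."""
    now = datetime(2005, 5, 24, 10, 0, 30, tzinfo=timezone.utc)
    seen = set()
    return {
        "valid": verify(SAMPLE, "123456", now, seen),
        "replayed_challenge": verify(SAMPLE, "123456", now, seen),
        "wrong_otp": verify(SAMPLE, "000000", now, set()),
        "stale_time": verify(SAMPLE, "123456", now + timedelta(minutes=5), set()),
        "no_tokqual": verify(SAMPLE.replace(' TokUser="alice"', ""), "123456", now, set()),
        "dangling_reference": verify(SAMPLE.replace('TokID="tok1"', 'TokID="tok9"'), "123456", now, set()),
    }


if __name__ == "__main__":
    for name, (ok, fault) in demo().items():
        print(name, "accepted" if ok else soap_fault(fault))
```

The verifier resolves the SecurityTokenReference first and then looks for the token only among the direct children of the Security header, which is the placement the slides recommend; a token embedded elsewhere in the message is not considered. The expected OTP is passed in rather than computed, since the OTP algorithm itself is identified by TokAlg and lies outside the token format.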

OTP-WSS-Token: OTPToken Schema

Type definition for token-based authentication

OTP-WSS-Token: Example OTPToken

2005-02-15T20:25:42Z
VXUzoS1a4r7kQQ5c/Iua4LqKeq3ciFzEv/MbZhA==
876123
142857

OTP-WSS-Token: Next Steps

• Consensus and stabilization on document content
• Proceed towards contribution derived from content, likely to OASIS WSS TC?