The Cryptographic Token Key Initialization Protocol (CT-KIP) Dave Mitton, RSA Security Magnus Nyström


The Cryptographic Token Key Initialization Protocol (CT-KIP)

Dave Mitton, RSA Security for Magnus Nyström IETF SAAG March 2006 IETF 65 - Dallas 1

CT-KIP Primer

- A client-server protocol for initialization (and configuration) of cryptographic tokens with shared keys
- Intended for general use within computer and communications systems employing connected cryptographic tokens

Objectives

- To provide a secure and interoperable method of initializing cryptographic tokens with secret keys
- To provide a solution that is easy to administer and scales well
- To provide a solution which does not require private-key capabilities in tokens, nor the existence of a public-key infrastructure

Message flow

CT-KIP client                              CT-KIP server
      |<------ (Server Trigger) ---------------|
      |-------- Client Hello ----------------->|
      |<------- Server Hello ------------------|
      |-------- Client Nonce ----------------->|
      |<------- Server Finished ---------------|
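The four-pass exchange above, shared-key variant, worked through as an added illustration that is not part of the original slides or of RSA's CT-KIP implementation. The HMAC-SHA256 derivation, the XOR wrapping of the client nonce, and the dict message fields are stand-ins assumed for this example, not the CT-KIP-PRF or message syntax of the specification; what it shows is that both sides end up with the same token key without that key ever being sent, and that the token installs nothing unless the server proves it derived the same key.

```python
import hmac, hashlib, secrets

# Constructed illustration of the 4-pass CT-KIP message flow (shared-key variant).
# prf() is an HMAC-SHA256 stand-in, not the specification's CT-KIP-PRF, and the
# dicts stand in for the real message syntax.

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Token:
    """CT-KIP client: holds a pre-shared key only, no private-key capability."""
    def __init__(self, shared_key: bytes, token_id: bytes):
        self.k, self.token_id, self.key = shared_key, token_id, None
    def client_hello(self) -> dict:
        return {"msg": "ClientHello", "token_id": self.token_id}
    def client_nonce(self, server_hello: dict) -> dict:
        self.r_s = server_hello["r_s"]
        self.r_c = secrets.token_bytes(16)
        # R_C travels wrapped under the pre-shared key, so only the server can read it
        mask = prf(self.k, b"wrap", self.r_s)[:16]
        return {"msg": "ClientNonce", "wrapped_r_c": xor(self.r_c, mask)}
    def finish(self, server_finished: dict) -> bool:
        key = prf(self.k, b"keygen", self.r_c, self.r_s)
        expected = prf(key, b"mac", self.r_c)
        if not hmac.compare_digest(expected, server_finished["mac"]):
            return False  # server never proved it holds the same key: install nothing
        self.key = key
        return True

class Server:
    def __init__(self, keys: dict):
        self.keys, self.issued = keys, {}
    def server_hello(self, client_hello: dict) -> dict:
        self.token_id, self.r_s = client_hello["token_id"], secrets.token_bytes(16)
        return {"msg": "ServerHello", "r_s": self.r_s}
    def server_finished(self, client_nonce: dict) -> dict:
        k = self.keys[self.token_id]
        r_c = xor(client_nonce["wrapped_r_c"], prf(k, b"wrap", self.r_s)[:16])
        key = prf(k, b"keygen", r_c, self.r_s)
        self.issued[self.token_id] = key  # the key the server will validate OTPs against
        return {"msg": "ServerFinished", "mac": prf(key, b"mac", r_c)}

def run_ct_kip(token: Token, server: Server) -> bool:
    # drive the four passes in order; True means the token accepted the derived key
    hello = server.server_hello(token.client_hello())
    return token.finish(server.server_finished(token.client_nonce(hello)))
```

A server that does not hold the token's pre-shared key unwraps a different nonce, derives a different key, and fails the token's MAC check, so no key is installed.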

Principle of Operation


Current status

- Version 1.0 finalized in December 2005
- Describes a 4-pass protocol for the initialization of cryptographic tokens with secret keys
  - Includes a public-key variant as well as a shared-key variant
  - Public-key variant assumes completely “blank” token (i.e. totally un-initialized)

The One-Time Password Specifications (OTPS)

- CT-KIP was developed as one of several OTPS documents
- The OTPS effort was launched one year ago, to simplify the use and integration of OTP technology
- Analogous to the PKCS process, documents developed through an open process (no membership required)

OTPS Documents

- Transport: EAP-POTP, OTP-TLS
- Retrieval: OTP-PKCS#11, OTP-CAPI
- Provisioning: CT-KIP, CT-KIP-PKCS#11
- Validation: OTP-WSS-Token, OTP-Validation Service
- Authentication Server (component shown in the slide diagram)

Future work

- A 1- and 2-pass version of CT-KIP is available in draft form from the OTPS pages
- Internet draft: draft-nystrom-ct-kip-00
- Going forward, intent is to submit, and develop, this in IETF I-D form in parallel with the OTPS process

More information

Internet draft: http://www.ietf.org/internet-drafts/draft-nystrom-ct-kip-00.txt

OTPS documents: http://www.rsasecurity.com/rsalabs/otps

Mailing list (ordinary majordomo): mailto:[email protected]

Editors: mailto:[email protected]
