1 / 5

Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Dynamic Symmetric Key Provisioning Protocol (DSKPP). Mingliang Pei Salah Machani IETF68 KeyProv WG Prague. Overview. Joint effort from OATH community A protocol to dynamically issue a symmetric key to a device Specify use cases and requirements

austin
Download Presentation

Dynamic Symmetric Key Provisioning Protocol (DSKPP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague

  2. Overview • Joint effort from OATH community • A protocol to dynamically issue a symmetric key to a device • Specify use cases and requirements • Explicitly use PSKC as the default key container • Support web service • Keep it simple and extensible • RFC Draft submitted to KeyProv WG • http://www.ietf.org/internet-drafts/draft-pei-keyprov-dynamic-symkey-prov-protocol-00.txt

  3. Protocol Overview • XML message based • HTTP / SOAP binding • One request and response over a secure channel • GetSharedSecret • GetSharedSecretResponse • Two round trips for a client to use non-secure channel • Acquire a server nonce • GetAuthNonce • GetAuthNonceResponse • Acquire shared secret • GetSharedSecret • GetSharedSecretResponse

  4. Protocol Feature • Client authentication • Either a shared secret (called activation code) or device certificate • Authentication Data = HASH (activation code) • Acquire a random server nonce to send keyed authentication data • Authentication Data = HMAC(activation code, serverNonce) • Used over a non-secure channel to achieve data confidentiality • Server authentication • Server certificate or shared secret • Client capabilities in request • Requested key type • Requested algorithm type • Crypto-algorithm negotiation (Supported encryption algorithm) • Response delivery method (HTTP/S or SMS) • Device Information • Supported logo types • Supported delivery user interface attributes • Extensible to support future new attributes

  5. Protocol Feature • Credential container in server response • Portable Symmetric Key Container (PSKC) as the default • Allow others such as PKCS#12, PKCS#5 XML format • Opaque structure is used for other formats • Service provider documents its format profile for a client to consume • Encryption key for credential data • Shared secret (activation code derived key) that the user has had • Server pre-loaded shared secret with a device (Smart Card) • Public key of device certificate • Encryption methods • List of PBE • List of symmetric key encryption methods (e.g, 3DES) • Asymmetric keys • Extensions fields • allowing additional parameters needed by future key types or organization specific extension

More Related