
OTP-WSS-Token

OTP-WSS-Token. John Linn, RSA Laboratories. DRAFT: 24 May 2005.
Goal: support OTP-based authentication from claimants to relying parties (RPs) in web service environments. An XML-encoded <otps-wst:OTPToken> object carries OTP-based authenticator data.


Presentation Transcript


  1. OTP-WSS-Token John Linn, RSA Laboratories DRAFT: 24 May 2005

  2. OTP-WSS-Token
  • Goal: support OTP-based authentication from claimants to relying parties (RPs) in web service environments
  • XML-encoded <otps-wst:OTPToken> object carries OTP-based authenticator data
  • Functionally analogous to OASIS Web Services Security TC's UsernameToken Profile, but tailored to support OTP authentication methods
  • Can be applied to support token devices operating in multiple modes, including time-based, challenge-response, counter-based
  • Challenges may be client-generated or obtained from verifier through out-of-band means

  3. OTP-WSS-Token: Operational Context
  • OTP authentication can be integrated with Web Services Security: SOAP Message Security (WSS:SMS) in different ways, such as:
      • Directly, using the OTPToken type proposed in this draft
      • Indirectly, using SAML message token with assertion based on OTP authentication
      • At a stream level, as by using OTP to authenticate WS-SecureConversation or SASL
  • This draft's approach authenticates a single SOAP request, and is particularly suited for stand-alone actions like acquiring login credentials

  4. OTP-WSS-Token: Recent and Potential Changes
  • Technical changes in 1-0d2 draft, 8 April 2005
      • Namespace now "otps-wst"
      • No default algorithm identifier
  • Potential changes to consider
      • Token identifier change from TokID (XML ID type) to WSS:SMS wsu:Id type to simplify WSS:SMS integration
      • Further treatment of OTPToken placement and referencing in WSS:SMS environment (see next slide)
          • To identify OTPToken(s) used for authentication
          • Possibly to identify OTPToken(s) used to provide key derivation inputs?

  5. Proposals for Referencing OTPTokens in WSS:SMS
  • Recommended placement: direct descendant of <wsse:Security> header, not Embedded
  • Working assumption: in the usual case, OTPTokens will be carried within the messages they authenticate, not referenced from external sources
  • Can reference using OTPToken's identifier value
  • Can qualify reference with ValueType of #OTPToken
  • Perhaps use KeyIdentifier reference to obtain OTPToken's OTP value as input for key derivation?
  • Q: Define a key derivation algorithm within the document?

  6. OTP-WSS-Token: OTPToken Elements
  • All optional except <otps-wst:OTP>, which carries the value being presented for OTP-based authentication
  • Use of other elements may vary for different algorithms and use cases
  • <otps-wst:TokTimestamp> carries time for time-based OTP algorithms and/or acts as a replay countermeasure
  • <otps-wst:TokNonce> carries a challenge, acts as a replay countermeasure, and/or enables use of multiple OTP results within a single <otps-wst:TokTimestamp> time quantum
  • <otps-wst:TokState> carries additional state elements as needed
      • e.g., counter for counter-based OTP algorithms
  • <otps-wst:TokPIN> carries user's PIN data
  • <otps-wst:ServID> identifies target service for OTP authentication
      • Q: priority for support within token vs. externally?
  • <otps-wst:ContID> provides in-band linkage to continue multi-step authentication transactions
      • Q: priority for support within token vs. externally?

  7. OTP-WSS-Token: OTPToken Attributes
  • TokQual attribute group can identify user's device by user identity (TokUser) and/or serial number (Serial)
      • Must provide at least one form to construct valid OTPToken
  • Optional TokID attribute supports linkage to <otps-wst:OTPToken> data object from other message elements
  • Optional TokAlg attribute identifies token device's OTP algorithm
      • Must provide value unless unambiguous from context
  • Optional TokOTPTransform attribute identifies preprocessing performed on token device output before inclusion in <otps-wst:OTP>

  8. OTP-WSS-Token: Exception Cases
  • In WSS:SMS context, can indicate authentication failures with SOAP fault and FailedAuthentication value with Fault/Detail entry
  • If New PIN needed, can contact separate PIN change service, then generate new <otps-wst:OTPToken> and make a new request
  • If additional OTP needed for resynchronization, can generate new <otps-wst:OTPToken> with next value and retry using <otps-wst:ContID>
  • Additional cases and recovery actions can be profiled separately

  9. OTP-WSS-Token: OTPToken Schema

  <complexType name="OTPToken">
    <annotation>
      <documentation>
        Type definition for token-based authentication
      </documentation>
    </annotation>
    <sequence>
      <element name="TokTimestamp" type="dateTime" minOccurs="0"/>
      <element name="TokNonce" type="base64Binary" minOccurs="0"/>
      <element name="TokState" type="base64Binary" minOccurs="0"/>
      <element name="TokPIN" type="string" minOccurs="0"/>
      <element name="ServID" type="string" minOccurs="0"/>
      <element name="ContID" type="integer" minOccurs="0"/>
      <element name="OTP" type="string"/>
    </sequence>
    <attributeGroup ref="otps-wst:TokQual"/>
    <attribute name="TokID" type="ID" use="optional"/>
    <attribute name="TokAlg" type="anyURI" use="optional"/>
    <attribute name="TokOTPTransform" type="anyURI" use="optional"/>
  </complexType>

  10. OTP-WSS-Token: Example OTPToken

  <otps-wst:OTPToken TokID="AnExampleToken" TokUser="J. Sample User">
    <otps-wst:TokTimestamp>2005-02-15T20:25:42Z</otps-wst:TokTimestamp>
    <otps-wst:TokNonce>VXUzoS1a4r7kQQ5c/Iua4LqKeq3ciFzEv/MbZhA==</otps-wst:TokNonce>
    <otps-wst:TokPIN>876123</otps-wst:TokPIN>
    <otps-wst:OTP>142857</otps-wst:OTP>
  </otps-wst:OTPToken>

  (The closing tags in the slide as presented still carried the older "rsawst" prefix; they are shown here with the "otps-wst" prefix adopted in the 1-0d2 draft so that the element is well-formed.)
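As an added illustration of slides 6, 7, 9 and 10 (this is example code, not part of the draft or of any RSA implementation): a relying-party-side parser that enforces the schema's presence rules (OTP mandatory, TokQual needing TokUser and/or Serial) and a replay guard that uses TokTimestamp for freshness and TokNonce/TokState to tell apart tokens presented within one time quantum. The namespace URI is an assumed placeholder, since the draft fixes only the "otps-wst" prefix, and the sample token is constructed to match slide 10.

```python
# Added example, not from the draft: relying-party parsing and replay checking
# of an <otps-wst:OTPToken>. The namespace URI below is an ASSUMED placeholder.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = "urn:example:otps-wst"                 # ASSUMED placeholder namespace URI
T = "{%s}" % NS
TOKQUAL = ("TokUser", "Serial")             # at least one is required (slide 7)
def utc(stamp):
    """Parse an xsd:dateTime in the UTC 'Z' form used on slide 10."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def parse_otptoken(xml_text):
    """Return the token's fields, enforcing the schema's presence rules."""
    root = ET.fromstring(xml_text)
    if root.tag != T + "OTPToken":
        raise ValueError("not an otps-wst:OTPToken")
    otp = root.find(T + "OTP")
    if otp is None or not (otp.text or "").strip():
        raise ValueError("<otps-wst:OTP> is the one mandatory element")
    if not any(root.get(a) for a in TOKQUAL):
        raise ValueError("TokQual: TokUser and/or Serial must be present")
    fields = {a: root.get(a) for a in TOKQUAL + ("TokID", "TokAlg", "TokOTPTransform")}
    for name in ("TokTimestamp", "TokNonce", "TokState", "TokPIN", "ServID", "ContID", "OTP"):
        el = root.find(T + name)
        fields[name] = (el.text or "").strip() if el is not None else None
    return fields
class ReplayGuard:
    """TokTimestamp bounds freshness; TokNonce/TokState distinguish tokens
    presented within the same time quantum (slide 6)."""
    def __init__(self, window=timedelta(minutes=2)):
        self.window = window               # accepted clock skew, a policy choice
        self.seen = set()                  # identity of every token already accepted
    def check(self, fields, now):
        ts = fields["TokTimestamp"]
        if ts is not None and abs(now - utc(ts)) > self.window:
            return False                   # stale or future-dated token
        key = (fields["TokUser"], fields["Serial"], ts, fields["TokNonce"], fields["TokState"])
        if key in self.seen:
            return False                   # exact resubmission: replay
        self.seen.add(key)
        return True
# Constructed sample token, matching the draft's slide-10 example
SAMPLE = f"""<otps-wst:OTPToken xmlns:otps-wst="{NS}" TokID="AnExampleToken" TokUser="J. Sample User">
  <otps-wst:TokTimestamp>2005-02-15T20:25:42Z</otps-wst:TokTimestamp>
  <otps-wst:TokNonce>VXUzoS1a4r7kQQ5c/Iua4LqKeq3ciFzEv/MbZhA==</otps-wst:TokNonce>
  <otps-wst:TokPIN>876123</otps-wst:TokPIN>
  <otps-wst:OTP>142857</otps-wst:OTP>
</otps-wst:OTPToken>"""
```

Verifying the OTP value itself against the token device's algorithm (TokAlg) is out of scope here; the guard only ensures a token is fresh and is not presented twice.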

  11. OTP-WSS-Token: Next Steps
  • Consensus and stabilization on document content
  • Proceed towards contribution derived from content, likely to OASIS WSS TC?
