The Cryptographic Token Key Initialization Protocol (CT-KIP)

A client-server protocol for initializing cryptographic tokens with shared keys, providing a secure method that is easy to administer and scales well.


Presentation Transcript


  1. The Cryptographic Token Key Initialization Protocol (CT-KIP) • Dave Mitton, RSA Security (presenting for Magnus Nyström) • IETF SAAG, IETF 65 - Dallas

  2. CT-KIP Primer • A client-server protocol for initialization (and configuration) of cryptographic tokens with shared keys • Intended for general use within computer and communications systems employing connected cryptographic tokens

  3. Objectives • To provide a secure and interoperable method of initializing cryptographic tokens with secret keys • To provide a solution that is easy to administer and scales well • To provide a solution which does not require private-key capabilities in tokens, nor the existence of a public-key infrastructure

  4. Message flow between CT-KIP client and CT-KIP server • (Server Trigger, optional, precedes the exchange) • Client Hello: client to server • Server Hello: server to client • Client Nonce: client to server • Server Finished: server to client

  5. Principle of Operation

  6. Current status • Version 1.0 finalized in December 2005 • Describes a 4-pass protocol for the initialization of cryptographic tokens with secret keys • Includes a public-key variant as well as a shared-key variant • Public-key variant assumes completely “blank” token (i.e. totally un-initialized)
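The four passes listed on slides 4 to 6, worked through as an added example in Python (this is not code from the presentation, from RSA Laboratories or from the CT-KIP specification, which was later published as RFC 4758 and defines its own PRFs and message encoding). It models the shared-key variant: the token already holds a pre-shared key K_SHARED, the server nonce travels in the clear in Server Hello, the client nonce travels encrypted in Client Nonce, both sides derive the token key from the two nonces and K_SHARED, and Server Finished carries a key-confirmation MAC that the client checks before accepting the key. The message field names, the HMAC-SHA256 counter-mode PRF, the XOR-pad encryption of the client nonce and the exact key-derivation inputs are this example's assumptions, chosen to illustrate the design, not the specification's wire format.

```python
"""Simplified model of the CT-KIP 4-pass flow, shared-key variant (example only).

Assumptions of this example, not the CT-KIP specification: message layout,
HMAC-SHA256 as the PRF, XOR-pad nonce encryption, and key-derivation inputs.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16   # nonce size chosen for the example
KEY_LEN = 32     # length of the derived token key


def ct_kip_prf(key: bytes, label: bytes, data: bytes, ds_len: int = KEY_LEN) -> bytes:
    """Counter-mode HMAC-SHA256 standing in for CT-KIP-PRF. The label gives
    domain separation between key generation, nonce encryption and MACs."""
    out, counter = b"", 1
    while len(out) < ds_len:
        msg = counter.to_bytes(4, "big") + bytes([len(label)]) + label + data
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:ds_len]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_token_key(k_shared: bytes, r_c: bytes, r_s: bytes) -> bytes:
    """K_TOKEN: client nonce as PRF key, pre-shared key and server nonce as data
    (this example's derivation; the specification defines its own)."""
    return ct_kip_prf(r_c, b"Key generation", k_shared + r_s, KEY_LEN)


class TokenClient:
    """CT-KIP client: a token (or its host) that already holds K_SHARED."""

    def __init__(self, shared_key: bytes, token_id: str):
        self.k_shared, self.token_id = shared_key, token_id
        self.r_c = self.r_s = self.k_token = None

    def client_hello(self) -> dict:
        return {"msg": "ClientHello", "token_id": self.token_id,
                "key_types": ["OTP-seed"], "mac_algs": ["HMAC-SHA256"]}

    def client_nonce(self, server_hello: dict) -> dict:
        assert server_hello["msg"] == "ServerHello"
        self.r_s = server_hello["server_nonce"]
        self.r_c = os.urandom(NONCE_LEN)
        # Hide R_C under a one-time pad bound to K_SHARED and the fresh R_S.
        pad = ct_kip_prf(self.k_shared, b"Nonce encryption", self.r_s, NONCE_LEN)
        return {"msg": "ClientNonce", "enc_client_nonce": xor_bytes(self.r_c, pad)}

    def server_finished(self, msg: dict) -> bytes:
        assert msg["msg"] == "ServerFinished"
        k_token = derive_token_key(self.k_shared, self.r_c, self.r_s)
        expected = ct_kip_prf(k_token, b"Key confirmation", msg["key_id"].encode())
        if not hmac.compare_digest(expected, msg["mac"]):
            raise ValueError("key confirmation failed; token key not installed")
        self.k_token = k_token
        return k_token


class ProvisioningServer:
    """CT-KIP server holding the per-token pre-shared keys."""

    def __init__(self, key_db: dict):
        self.key_db, self.sessions = key_db, {}

    def server_hello(self, client_hello: dict) -> dict:
        assert client_hello["msg"] == "ClientHello"
        token_id = client_hello["token_id"]
        if token_id not in self.key_db:
            raise KeyError(f"unknown token {token_id}")
        r_s = os.urandom(NONCE_LEN)
        self.sessions[token_id] = {"r_s": r_s}
        return {"msg": "ServerHello", "token_id": token_id, "key_type": "OTP-seed",
                "mac_alg": "HMAC-SHA256", "server_nonce": r_s}

    def server_finished(self, token_id: str, client_nonce: dict):
        assert client_nonce["msg"] == "ClientNonce"
        sess, k_shared = self.sessions[token_id], self.key_db[token_id]
        pad = ct_kip_prf(k_shared, b"Nonce encryption", sess["r_s"], NONCE_LEN)
        r_c = xor_bytes(client_nonce["enc_client_nonce"], pad)
        k_token = derive_token_key(k_shared, r_c, sess["r_s"])
        key_id = f"{token_id}-key-1"
        mac = ct_kip_prf(k_token, b"Key confirmation", key_id.encode())
        return {"msg": "ServerFinished", "key_id": key_id, "mac": mac}, k_token


def run_exchange(client: TokenClient, server: ProvisioningServer):
    """Drive the four passes; return (client_key, server_key, wire transcript)."""
    m1 = client.client_hello()
    m2 = server.server_hello(m1)
    m3 = client.client_nonce(m2)
    m4, server_key = server.server_finished(m1["token_id"], m3)
    client_key = client.server_finished(m4)
    return client_key, server_key, [m1, m2, m3, m4]


if __name__ == "__main__":
    k_shared = bytes(range(32))   # constructed pre-shared key for the demo
    server = ProvisioningServer({"tok-1": k_shared})
    ck, sk, transcript = run_exchange(TokenClient(k_shared, "tok-1"), server)
    print("keys agree:", ck == sk, "client nonce on wire:", transcript[2]["enc_client_nonce"].hex())
```

The transcript shows what a passive observer gets: the cleartext server nonce, the encrypted client nonce, a key ID and a MAC, none of which yields K_TOKEN without K_SHARED. A token provisioned with the wrong pre-shared key fails the Server Finished check rather than silently installing a key the server does not share, which is the property the key-confirmation step exists to give.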

  7. The One-Time Password Specifications (OTPS) • CT-KIP was developed as one of several OTPS documents • The OTPS effort was launched one year ago, to simplify the use and integration of OTP technology • Analogous to the PKCS process, documents developed through an open process (no membership required)

  8. OTPS Documents (grouped around the Authentication Server) • Transport: EAP-POTP, OTP-TLS • Validation: OTP-WSS-Token, OTP-Validation Service • Retrieval: OTP-PKCS#11, OTP-CAPI • Provisioning: CT-KIP, CT-KIP-PKCS#11

  9. Future work • A 1- and 2-pass version of CT-KIP is available in draft form from the OTPS pages • Internet draft: draft-nystrom-ct-kip-00 • Going forward, intent is to submit, and develop, this in IETF I-D form in parallel with the OTPS process

  10. More information • Internet draft: http://www.ietf.org/internet-drafts/draft-nystrom-ct-kip-00.txt • OTPS documents: http://www.rsasecurity.com/rsalabs/otps • Mailing list (ordinary majordomo): mailto:majordomo@majordomo.rsasecurity.com • Editors: mailto:otps-editor@rsasecurity.com
