Published by Cory Underwood. Modified over 8 years ago.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP)
KEYPROV WG, IETF-68, Prague, March 2007
Andrea Doherty
2 CT-KIP Primer
A client-server protocol for initialization and configuration of cryptographic tokens with shared keys
Intended for general use within computer and communications systems employing connected cryptographic tokens
Objectives are to provide a:
–Secure and interoperable method of initializing cryptographic tokens with secret keys
–Solution that is easy to administer and scales well
–Solution which does not require private-key capabilities in tokens, nor the existence of a public-key infrastructure
3 Current Status
RFC 4758 approved by IESG November 2006
–Describes a 4-pass protocol for the initialization of cryptographic tokens with secret keys. Includes a public-key variant as well as a shared-key variant.
3rd draft of CT-KIP Extensions for 1-, 2-pass variant published as KEYPROV IETF I-D:
–draft-nyström-keyprov-ct-kip-two-pass-00.txt
–Relatively stable; broad review solicited
CT-KIP SOAP binding recently resubmitted as KEYPROV IETF I-D:
–draft-doherty-keyprov-ct-kip-ws-00.txt
4 CT-KIP 1, 2, 4-pass Comparison
[Figure: message exchange. Labels: CT-KIP client, CT-KIP server, Smart Device. Messages: Client Hello (2, 4-pass); Server Hello (4-pass); Client Nonce (4-pass); Server Finished (1, 2, 4-pass)]
5 CT-KIP 1- and 2-pass
New variants introduced to meet the needs of deployment scenarios with constraints, e.g.,
–No direct communication possible between cryptographic token and CT-KIP server
–Network latency
–Design limited to existing seeds from legacy systems
1-, 2-pass CT-KIP are essentially a transport of key material from CT-KIP server to CT-KIP client
These variants maintain the property that no other entity than the token and the server will have access to generated / distributed keys
6 CT-KIP 1- and 2-pass Profiles
Profile: Key Transport
–Key transport and derivation: Using a public key, K_CLIENT, whose private key part resides in the token
–Usage: Ideal for PKI-capable devices
Profile: Key Wrap
–Key transport and derivation: Using a symmetric key-wrapping key, K_SHARED, known in advance by both the token and the CT-KIP server
–Usage: Ideal for pre-keyed devices, e.g., SIM cards
Profile: Passphrase-based Key Wrap
–Key transport and derivation: Using a passphrase-derived key-wrapping key, K_DERIVED, known in advance by both the token user and the CT-KIP server
–Usage: Ideal for constrained devices with keypads, e.g., mobile phones
7 Cryptographic properties (2- and 1-pass)
Key confirmation
–In both variants via MAC on exchanged data (and counter in 1-pass)
Replay protection
–In 2-pass through inclusion of client-provided data in MAC
–Suggested method for 1-pass based on counter
Server authentication
–In both variants through MAC in ServerFinished message when replacing existing key
Protection against MITM
–In both variants through use of shared keys, client certificates, or server public key usage
User authentication
–Enabled in both variants through trigger message
–Alternative methods rely on draft-doherty-keyprov-ct-kip-ws-00
Device authentication
–In both variants if based on shared secret key
–In 2-pass if device sends a client certificate
–Alternative methods rely on draft-doherty-keyprov-ct-kip-ws-00
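The key-confirmation and replay-protection checks above, sketched from the token's side as an added example (not code from the presentation, RFC 4758, or the drafts). Assumptions: HMAC-SHA256 stands in for the MAC the drafts specify, the MAC is keyed with the newly delivered key after the token has recovered it via one of the profiles, and the field layout and all names (Token, key_id, the "2-pass"/"1-pass" labels) are hypothetical.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (stand-in for the drafts' MAC)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

# Server side (hypothetical layout): the tag carried in Server Finished.
def server_finished_two_pass(new_key: bytes, key_id: bytes, client_nonce: bytes) -> bytes:
    return mac(new_key, b"2-pass", client_nonce, key_id)

def server_finished_one_pass(new_key: bytes, key_id: bytes, counter: int) -> bytes:
    return mac(new_key, b"1-pass", counter.to_bytes(8, "big"), key_id)

class Token:
    """Client-side acceptance checks for a delivered key."""
    def __init__(self) -> None:
        self.pending_nonce = None  # 2-pass: data sent in Client Hello
        self.last_counter = -1     # 1-pass: highest counter accepted so far

    def client_hello(self) -> bytes:
        self.pending_nonce = os.urandom(16)
        return self.pending_nonce

    def accept_two_pass(self, new_key: bytes, key_id: bytes, tag: bytes) -> bool:
        # The nonce is single use: consume it whether or not the tag verifies.
        nonce, self.pending_nonce = self.pending_nonce, None
        if nonce is None:
            return False
        expected = mac(new_key, b"2-pass", nonce, key_id)
        return hmac.compare_digest(tag, expected)

    def accept_one_pass(self, new_key: bytes, key_id: bytes,
                        counter: int, tag: bytes) -> bool:
        expected = mac(new_key, b"1-pass", counter.to_bytes(8, "big"), key_id)
        if not hmac.compare_digest(tag, expected):
            return False           # key confirmation failed
        if counter <= self.last_counter:
            return False           # valid MAC, but an old message: replay
        self.last_counter = counter
        return True
```

In 2-pass a captured Server Finished fails against any later Client Hello because the MAC covers that session's nonce; in 1-pass the token has nothing of its own in the MAC, so it must persist the last accepted counter.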
8 Bindings (2- and 1-pass)
SOAP Binding
–Present in both variants
–WS interface defined in draft-doherty-keyprov-ct-kip-ws-00
HTTP Binding
–Present in both variants
–Examples provided
Security Binding
–Transport level encryption (e.g., TLS) is not required for seed protection in both variants
–TLS/SSL is required if other parameters/attributes must be protected in transit
9 Next steps
Broader review of IETF Internet Drafts
Discuss CT-KIP/DSKPP convergence plan wherein CT-KIP constitutes the basis for a KEYPROV spec
–Rationale: Implementation experience and maturity