The Cryptographic Token Key Initialization Protocol (CT-KIP)

Slides: 10
Provided by: Magnus74
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
The Cryptographic Token Key Initialization Protocol (CT-KIP)
  • KEYPROV WG
  • IETF-68 Prague
  • March 2007
  • Andrea Doherty

2
CT-KIP Primer
  • A client-server protocol for initialization and
    configuration of cryptographic tokens with shared
    keys
  • Intended for general use within computer and
    communications systems employing connected
    cryptographic tokens
  • Objectives are to provide a
      • Secure and interoperable method of initializing
        cryptographic tokens with secret keys
      • Solution that is easy to administer and scales
        well
      • Solution which does not require private-key
        capabilities in tokens, nor the existence of a
        public-key infrastructure

3
Current Status
  • RFC 4758 approved by IESG November 2006
      • Describes a 4-pass protocol for the
        initialization of cryptographic tokens with
        secret keys. Includes a public-key variant as
        well as a shared-key variant.
  • 3rd draft of CT-KIP Extensions for 1-, 2-pass
    variant published as KEYPROV IETF I-D
      • draft-nyström-keyprov-ct-kip-two-pass-00.txt
      • Relatively stable; broad review solicited
  • CT-KIP SOAP binding recently resubmitted as
    KEYPROV IETF I-D
      • draft-doherty-keyprov-ct-kip-ws-00.txt

4
CT-KIP 1, 2, 4-pass Comparison
[Figure: comparison diagram with parties labelled CT-KIP server, CT-KIP client and Smart Device]

5
CT-KIP 1- and 2-pass
  • New variants introduced to meet the needs of
    deployment scenarios with constraints, e.g.,
      • No direct communication possible between
        cryptographic token and CT-KIP server
      • Network latency
      • Design limited to existing seeds from legacy
        systems
  • 1-, 2-pass CT-KIP are essentially a transport of
    key material from CT-KIP server to CT-KIP client
  • These variants maintain the property that no
    other entity than the token and the server will
    have access to generated / distributed keys

6
CT-KIP 1- and 2-pass Profiles
| Profile | Key transport and derivation | Usage |
|---|---|---|
| Key Transport | Using a public key, K_CLIENT, whose private key part resides in the token | Ideal for PKI-capable devices |
| Key Wrap | Using a symmetric key-wrapping key, K_SHARED, known in advance by both the token and the CT-KIP server | Ideal for pre-keyed devices, e.g., SIM cards |
| Passphrase-based Key Wrap | Using a passphrase-derived key-wrapping key, K_DERIVED, known in advance by both the token user and the CT-KIP server | Ideal for constrained devices with key-pads, e.g., mobile phones |

7
Cryptographic properties (2- and 1-pass)
  • Key confirmation
      • In both variants via MAC on exchanged data (and
        counter in 1-pass)
  • Replay protection
      • In 2-pass through inclusion of client-provided
        data in MAC
      • Suggested method for 1-pass based on counter
  • Server authentication
      • In both variants through MAC in ServerFinished
        message when replacing existing key
  • Protection against MITM
      • In both variants through use of shared keys,
        client certificates, or server public key usage
  • User authentication
      • Enabled in both variants through trigger message
      • Alternative methods rely on
        draft-doherty-keyprov-ct-kip-ws-00
  • Device authentication
      • In both variants if based on shared secret key
      • In 2-pass if device sends a client certificate
      • Alternative methods rely on
        draft-doherty-keyprov-ct-kip-ws-00
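
Added example, not taken from the slides or from the CT-KIP drafts: a Python illustration of the two replay-protection approaches listed above, a MAC that covers client-provided data (2-pass) and a MAC that covers a counter (1-pass). Assumptions: HMAC-SHA256 stands in for the protocol's MAC, the message layout and all names (`mac`, `server_message`, `Token`) are hypothetical, and the payload is treated as opaque wrapped key bytes.

```python
import hashlib
import hmac
import os
import struct

def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields (assumed stand-in MAC)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(struct.pack(">I", len(f)) + f)  # prefix avoids field ambiguity
    return h.digest()

def server_message(key: bytes, payload: bytes, *, nonce: bytes = b"",
                   counter: int = 0) -> dict:
    """Server side: 2-pass binds the client's nonce, 1-pass binds a counter."""
    tag = mac(key, nonce, struct.pack(">Q", counter), payload)
    return {"payload": payload, "counter": counter, "mac": tag}

class Token:
    """Client/token side; field names are hypothetical."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0     # highest counter accepted so far (1-pass)
        self.pending_nonce = b""  # nonce of the outstanding request (2-pass)

    def new_request(self) -> bytes:
        self.pending_nonce = os.urandom(16)
        return self.pending_nonce

    def accept(self, msg: dict, two_pass: bool) -> str:
        nonce = self.pending_nonce if two_pass else b""
        if two_pass and not nonce:
            return "no-request"   # response without an outstanding request
        want = mac(self.key, nonce, struct.pack(">Q", msg["counter"]),
                   msg["payload"])
        if not hmac.compare_digest(want, msg["mac"]):
            return "bad-mac"      # wrong key, tampering, or stale nonce
        if two_pass:
            self.pending_nonce = b""  # one response per request
        elif msg["counter"] <= self.last_counter:
            return "replay"       # valid MAC, but counter did not advance
        else:
            self.last_counter = msg["counter"]
        return "accepted"
```

In the 1-pass case the token has to persist `last_counter` across power cycles, otherwise a captured message with a valid MAC is accepted again after a reset.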

8
Bindings (2- and 1-pass)
  • SOAP Binding
      • Present in both variants
      • WS interface defined in
        draft-doherty-keyprov-ct-kip-ws-00
  • HTTP Binding
      • Present in both variants
      • Examples provided
  • Security Binding
      • Transport level encryption (e.g., TLS) is not
        required for seed protection in both variants
      • TLS/SSL is required if other parameters/attributes
        must be protected in transit

9
Next steps
  • Broader review of IETF Internet Drafts
  • Discuss CT-KIP/DSKPP convergence plan wherein
    CT-KIP constitutes the basis for a KEYPROV spec
      • Rationale: implementation experience and maturity