1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty


Page 1:

The Cryptographic Token Key Initialization Protocol (CT-KIP)

KEYPROV WG, IETF-68 Prague

March 2007, Andrea Doherty

Page 2:

CT-KIP Primer

• A client-server protocol for initialization and configuration of cryptographic tokens with shared keys

• Intended for general use within computer and communications systems employing connected cryptographic tokens

• Objectives are to provide a:

– Secure and interoperable method of initializing cryptographic tokens with secret keys

– Solution that is easy to administer and scales well

– Solution which does not require private-key capabilities in tokens, nor the existence of a public-key infrastructure

Page 3:

Current Status

• RFC 4758 approved by IESG November 2006

– Describes a 4-pass protocol for the initialization of cryptographic tokens with secret keys. Includes a public-key variant as well as a shared-key variant.

• 3rd draft of CT-KIP Extensions for 1-, 2-pass variant published as KEYPROV IETF I-D:

– draft-nystrom-keyprov-ct-kip-two-pass-00.txt

– Relatively stable; broad review solicited

• CT-KIP SOAP binding recently resubmitted as KEYPROV IETF I-D:

– draft-doherty-keyprov-ct-kip-ws-00.txt

Page 4:

CT-KIP 1, 2, 4-pass Comparison

[Message-flow diagram between the CT-KIP client (smart device) and the CT-KIP server. Messages in protocol order, with the variants that carry each:]

1. Client Hello, client to server (2, 4-pass)

2. Server Hello, server to client (4-pass)

3. Client Nonce, client to server (4-pass)

4. Server Finished, server to client (1, 2, 4-pass)

Page 5:

CT-KIP 1- and 2-pass

• New variants introduced to meet the needs of deployment scenarios with constraints, e.g.,

– No direct communication possible between cryptographic token and CT-KIP server

– Network latency

– Design limited to existing seeds from legacy systems

• 1-, 2-pass CT-KIP are essentially a transport of key material from CT-KIP server to CT-KIP client

• These variants maintain the property that no entity other than the token and the server will have access to generated / distributed keys

Page 6:

CT-KIP 1- and 2-pass Profiles

Profile | Key transport and derivation | Usage

Key Transport | Using a public key, K_CLIENT, whose private key part resides in the token | Ideal for PKI-capable devices

Key Wrap | Using a symmetric key-wrapping key, K_SHARED, known in advance by both the token and the CT-KIP server | Ideal for pre-keyed devices, e.g., SIM cards

Passphrase-based Key Wrap | Using a passphrase-derived key-wrapping key, K_DERIVED, known in advance by both the token user and the CT-KIP server | Ideal for constrained devices with key-pads, e.g., mobile phones

Page 7:

Cryptographic properties (2- and 1-pass)

• Key confirmation

– In both variants via MAC on exchanged data (and counter in 1-pass)

• Replay protection

– In 2-pass through inclusion of client-provided data in MAC

– Suggested method for 1-pass based on counter

• Server authentication

– In both variants through MAC in ServerFinished message when replacing existing key

• Protection against MITM

– In both variants through use of shared keys, client certificates, or server public key usage

• User authentication

– Enabled in both variants through trigger message

– Alternative methods rely on draft-doherty-keyprov-ct-kip-ws-00

• Device authentication

– In both variants if based on shared secret key

– In 2-pass if device sends a client certificate

– Alternative methods rely on draft-doherty-keyprov-ct-kip-ws-00
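The Key Wrap profile from the previous slide and the key-confirmation, replay-protection and server-authentication properties listed above, modelled as one 2-pass ClientHello / ServerFinished exchange with both sides' processing. This is an added example, not code from the slides, from RFC 4758 or from the two-pass draft. It uses only the Python standard library, so several stand-ins are this example's own assumptions: an HMAC-SHA256 keystream XOR replaces the AES key wrap a real Key Wrap profile would use, HMAC-SHA256 and PBKDF2 are assumed as the derivation functions (the latter for the passphrase profile's K_DERIVED), and the message field names, KDF labels, nonce and seed lengths are chosen here.

```python
"""2-pass CT-KIP-style key transport (Key Wrap profile) with MAC-based key confirmation.

Added example, not code from the slides or any CT-KIP implementation. Stand-ins used
so it runs on the standard library alone (all assumptions of this example):
  - keystream_xor() replaces the AES key wrap the profile would really use;
  - kdf() / k_derived() fix HMAC-SHA256 and PBKDF2 as the derivation functions;
  - message field names, KDF labels, nonce and seed lengths are chosen here.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16   # client nonce R_C (assumed length)
SEED_LEN = 20    # token key K_TOKEN, e.g. a 160-bit OTP seed (assumed length)


def kdf(key: bytes, label: bytes) -> bytes:
    """Purpose-separated sub-key of `key` (assumed KDF: HMAC-SHA256 over a label)."""
    return hmac.new(key, b"ct-kip-example:" + label, hashlib.sha256).digest()


def k_derived(passphrase: bytes, salt: bytes) -> bytes:
    """Passphrase-based Key Wrap profile: K_DERIVED from a user passphrase (assumed:
    PBKDF2-HMAC-SHA256). The result is used exactly like K_SHARED below."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000, 32)


def keystream_xor(k_wrap: bytes, data: bytes) -> bytes:
    """Stand-in key wrap: XOR `data` with an HMAC-SHA256 counter keystream. It is its own
    inverse and gives confidentiality only; integrity comes from the key-confirmation MAC."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(k_wrap, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def confirm_mac(k_token: bytes, key_id: bytes, r_c: bytes, wrapped: bytes) -> bytes:
    """Key confirmation: MAC keyed from the *new* token key over the exchanged data.
    Including the client nonce R_C is what gives the 2-pass variant replay protection."""
    return hmac.new(kdf(k_token, b"key-confirmation"), key_id + r_c + wrapped,
                    hashlib.sha256).digest()


def server_auth_mac(k_old: bytes, key_id: bytes, r_c: bytes, wrapped: bytes) -> bytes:
    """Server authentication when replacing an existing key: MAC keyed from the *old* key."""
    return hmac.new(kdf(k_old, b"server-auth"), key_id + r_c + wrapped,
                    hashlib.sha256).digest()


def client_hello() -> dict:
    """Pass 1 (ClientHello): the token contributes a fresh nonce R_C and remembers it."""
    return {"r_c": os.urandom(NONCE_LEN)}


def server_finished(k_shared: bytes, hello: dict, key_id: bytes, k_old: bytes = None):
    """Pass 2 (ServerFinished): generate K_TOKEN, wrap it under K_SHARED, MAC the exchange.
    Returns (K_TOKEN as the server stores it, message sent to the token)."""
    k_token = os.urandom(SEED_LEN)
    wrapped = keystream_xor(kdf(k_shared, b"wrap"), k_token)
    msg = {"key_id": key_id, "wrapped": wrapped,
           "mac": confirm_mac(k_token, key_id, hello["r_c"], wrapped)}
    if k_old is not None:
        msg["auth_mac"] = server_auth_mac(k_old, key_id, hello["r_c"], wrapped)
    return k_token, msg


def client_process(k_shared: bytes, hello: dict, msg: dict, k_old: bytes = None) -> bytes:
    """Token side of pass 2: install K_TOKEN only if the MACs verify for *this* run's R_C."""
    r_c, key_id, wrapped = hello["r_c"], msg["key_id"], msg["wrapped"]
    if k_old is not None:  # replacing a key: the server must prove it knows the old one
        if not hmac.compare_digest(server_auth_mac(k_old, key_id, r_c, wrapped),
                                   msg.get("auth_mac", b"")):
            raise ValueError("server authentication failed")
    k_token = keystream_xor(kdf(k_shared, b"wrap"), wrapped)
    if not hmac.compare_digest(confirm_mac(k_token, key_id, r_c, wrapped), msg["mac"]):
        raise ValueError("key confirmation failed: wrong K_SHARED, tampered blob, or replay")
    return k_token


def accepts(k_shared: bytes, hello: dict, msg: dict, k_old: bytes = None) -> bool:
    """True if the token would install the key from `msg` in the run identified by `hello`."""
    try:
        client_process(k_shared, hello, msg, k_old)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    k_shared = os.urandom(32)                     # pre-shared with the token, e.g. on a SIM
    hello = client_hello()
    k_token, msg = server_finished(k_shared, hello, b"token-0001")
    assert client_process(k_shared, hello, msg) == k_token
    assert not accepts(k_shared, client_hello(), msg)  # ServerFinished replayed into another run
    print("key installed; replay rejected")
```

Two things to notice when reading it against the slides: the seed never leaves the server except under K_SHARED, which is why the next slide can say transport-level encryption is not required for seed protection, and the key-confirmation MAC is keyed from the freshly transported key, so a blob that was tampered with in transit, unwrapped under the wrong K_SHARED, or replayed into a run with a different R_C all fail the same check.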

Page 8:

Bindings (2- and 1-pass)

• SOAP Binding

– Present in both variants

– WS interface defined in draft-doherty-keyprov-ct-kip-ws-00

• HTTP Binding

– Present in both variants

– Examples provided

• Security Binding

– Transport level encryption (e.g., TLS) is not required for seed protection in both variants

– TLS/SSL is required if other parameters/attributes must be protected in transit

Page 9:

Next steps

• Broader review of IETF Internet Drafts

• Discuss CT-KIP/DSKPP convergence plan wherein CT-KIP constitutes the basis for a KEYPROV spec

– Rationale: Implementation experience and maturity