Subject: RE: [wss] WSS One Time Password


Following Jamie's note and the discussion on today's call, I think the
specific tasking steps would be follow-on questions to consider if and
only if the TC chooses to pursue the work item.  As input to this
decision, I think it's important to get a sense of the extent of
constituency within the TC that would have active interest in discussion
of the OTP topic, so as to assess whether a motivating level of
"critical mass" exists.  

Pending that determination, I'd like to offer some thoughts on Hal's
technical points:

Re (1), many OTPs are designed to fit in similar "form and function" to
passwords, in the sense of being easily entered by users.  This limits
their size, and hence their entropy; as such, it's often desirable to
incorporate some computational measures (e.g., iterated hashing) and/or
added randomness when deriving keys from OTPs instead of using the OTP
values directly for keying purposes.  

Re (2), it should be possible for a claimant and verifier sharing an OTP
value to apply it (via derivation as above) to protect the integrity of
an associated message; this form of secret-key protection based on a
shared OTP secret would not, however, provide signing (and associated
non-repudiation support) in the sense of public-key signatures.  Since
OTPs are commonly generated and processed on a single-use basis, it may
not always be straightforward to apply this method for post-facto
validation outside the realm of real-time interactions, but this isn't a
universal requirement. 

Re (3), I think most aspects are independent of particular OTP method
characteristics; one possible exception concerns challenge-response
methods where a challenge must be obtained from a verifier before an OTP
value can be generated.  

Re (4), I'd be surprised if a scheme layered over an OTP method
introduced otherwise-absent vulnerabilities into that method (vs.
demonstrating possible flaws at the scheme layer itself), but this is an
interesting question; did you have possible examples in mind here?

--jl
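As an added illustration of the HMAC and key-derivation approach raised in Hal's point (1) and addressed in the replies to (1) and (2) above (example code, not from the thread or from any WSS profile): a short OTP is stretched with iterated hashing over a fresh random salt, the result keys an HMAC over the message, and the verifier re-derives the key, checks the tag, and refuses a second use of the same OTP value. The iteration count, salt size and context label are assumptions; the OTP digits and message are constructed sample input.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the thread): PBKDF2 work factor, key size.
ITERATIONS = 50_000
KEY_LEN = 32
CONTEXT = b"wss-otp-integrity"  # assumed label separating this use from others


def derive_key(otp: str, salt: bytes) -> bytes:
    """Stretch a short, low-entropy OTP into an HMAC key using iterated
    hashing plus added randomness (the salt), instead of using the OTP
    digits directly as the secret."""
    return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt + CONTEXT,
                               ITERATIONS, KEY_LEN)


def protect(otp: str, message: bytes) -> tuple[bytes, bytes]:
    """Claimant side: choose a salt, derive the key, MAC the message.
    Returns (salt, tag); both travel with the message in the clear."""
    salt = os.urandom(16)
    tag = hmac.new(derive_key(otp, salt), message, hashlib.sha256).digest()
    return salt, tag


def verify(otp: str, message: bytes, salt: bytes, tag: bytes) -> bool:
    """Verifier side: re-derive the same key from the shared OTP value and
    compare tags in constant time. Because the verifier holds the same
    secret, it could have produced this tag itself, so the check gives
    integrity but not the non-repudiation of a public-key signature."""
    expected = hmac.new(derive_key(otp, salt), message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


class Verifier:
    """Tracks consumed OTP values so each protects at most one message;
    a real verifier would key this on the OTP counter or time step."""

    def __init__(self) -> None:
        self._used: set[str] = set()

    def accept(self, otp: str, message: bytes, salt: bytes, tag: bytes) -> bool:
        if otp in self._used or not verify(otp, message, salt, tag):
            return False
        self._used.add(otp)
        return True
```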

-----Original Message-----
From: Hal Lockhart [mailto:hlockhar@bea.com] 
Sent: Monday, January 23, 2006 11:07 AM
To: Granqvist, Hans; wss@lists.oasis-open.org
Subject: RE: [wss] WSS One Time Password

The way to get this going is for one or two people to volunteer to be
editor. The first task is to produce a consolidated document based on
the submissions using the OASIS template. This will require a little
work to decide what material to use from each submission. How to do this
is not completely clear to me.

It seems to me that this work would be significantly more valuable if it
could be used for integrity protection at least and perhaps
confidentiality as well.

1. Is it technologically feasible, for example, to use an OTP as the
secret in an HMAC? Or could some key derivation scheme be applied?

2. Is it even feasible to support signing and verification securely by
two parties using an OTP?

3. Can a single scheme be used for all the types of OTP cited, or do we
need a scheme per type or even per OTP algorithm?

4. Would the use of such a scheme weaken the OTP in some way?

Hal

> -----Original Message-----
> From: Granqvist, Hans [mailto:hgranqvist@verisign.com]
> Sent: Tuesday, November 08, 2005 4:29 PM
> To: wss@lists.oasis-open.org
> Subject: [wss] WSS One Time Password
> 
> We voted on doing it so we should track it.
> 
> I'd like to get started on this work. What's holding
> us up?
> 
> Hans
> 
> > -----Original Message-----
> > From: Linn, John [mailto:jlinn@rsasecurity.com]
> > Sent: Wednesday, November 02, 2005 10:41 AM
> > To: mgudgin@microsoft.com; wss@lists.oasis-open.org
> > Subject: RE: [wss] Groups - OASIS WSS Issues List 81 (OASIS
> > Web Services Security Issues List 81.htm) uploaded
> >
> > Per the TC vote on 4 October supporting work on an OTP
> > profile, and subsequent submission of input documents, would
> > it now be appropriate to add an item to the issues list to
> > begin tracking this activity,
> > comparable to entry #338?
> >
> > --jl
> >
> > -----Original Message-----
> > From: mgudgin@microsoft.com [mailto:mgudgin@microsoft.com]
> > Sent: Tuesday, November 01, 2005 5:24 PM
> > To: wss@lists.oasis-open.org
> > Subject: [wss] Groups - OASIS WSS Issues List 81 (OASIS Web
> > Services Security Issues List 81.htm) uploaded
> >
> > The document named OASIS WSS Issues List 81 (OASIS Web
> > Services Security Issues List 81.htm) has been submitted by
> > Mr Martin Gudgin to the OASIS Web Services Security (WSS) TC
> > document repository.
> >
> > Document Description:
> > Covers decisions made during 2005-11-01 meeting.
> >
> > View Document Details:
> > http://www.oasis-open.org/apps/org/workgroup/wss/document.php?document_id=15151
> >
> > Download Document:
> > http://www.oasis-open.org/apps/org/workgroup/wss/download.php/15151/OASIS%20Web%20Services%20Security%20Issues%20List%2081.htm
> >
> >
> > PLEASE NOTE:  If the above links do not work for you, your
> > email application may be breaking the link into two pieces.
> > You may be able to copy and paste the entire link address
> > into the address field of your web browser.
> >
> > -OASIS Open Administration
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS
> > TC that generates this mail.  You may a link to this group
> > and all your TCs in OASIS
> > at:
> > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> >
> >
> >