Addressing the New Complexities in Key Management Interoperability: KMIP V.Next
Slide transcript of a PowerPoint presentation published at www.oasis-open.org.
Slide 1
Addressing the New Complexities in Key
Management Interoperability
KMIP V.Next
www.oasis-open.org
Slide 2
Presenters
John Leiseboer, CTO, Quintessence Labs
Nathan Turajski, Senior Product Manager, Thales e-Security
Robert Griffin, Chief Security Architect, RSA/EMC
Saikat Saha, Senior Product Manager, Data Encryption & Control, SafeNet
Tony Cox, Technical Director, Cryptsoft
Slide 3
Agenda
What KMIP has accomplished
New challenges in key management
Addressing the challenges
Slide 4
KMIP V1.0 / V1.1
Slide 5
Prior to KMIP, each application had to support each vendor's protocol.
Slide 6
With KMIP, each application only requires support for one protocol.
Slide 7
Prior to KMIP, each application had to integrate each vendor's SDK.
Slide 8
With KMIP, each application only requires one vendor SDK integration.
Slide 9
KMIP Request / Response Model
Diagram: an Encrypting Storage host exchanges KMIP messages with an Enterprise Key Manager.
Request: Request Header, Get, Unique Identifier
Response: Response Header, Symmetric Key (Unique Identifier, Key Value)
Unencrypted data on the host: Name: XYZ, SSN: 1234567890, Acct No: 45YT-658, Status: Gold
Encrypted data in storage: @!$%!%!%!%%^&*&^%$#&%$#$%*!^@*%$*^^^^%$@*)%#*@(*$%%%%#@
Slide 10
Protocol Operations
Create
Create Key Pair
Register
Re-key
Derive Key
Certify
Re-certify
Locate
Check
Get
Get Attributes
Get Attribute List
Add Attribute
Modify Attribute
Delete Attribute
Obtain Lease
Get Usage Allocation
Activate
Revoke
Destroy
Archive
Recover
Validate
Query
Cancel
Poll
Notify
Put
Object Attributes
Unique Identifier
Name
Object Type
Cryptographic Algorithm
Cryptographic Length
Cryptographic Parameters
Cryptographic Domain Parameters
Certificate Type
Certificate Identifier
Certificate Issuer
Certificate Subject
Digest
Operation Policy Name
Cryptographic Usage Mask
Lease Time
Usage Limits
State
Initial Date
Activation Date
Process Start Date
Protect Stop Date
Deactivation Date
Destroy Date
Compromise Occurrence Date
Compromise Date
Revocation Reason
Archive Date
Object Group
Link
Application Specific ID
Contact Information
Last Change Date
Custom Attribute
Managed Objects
Certificate
Symmetric Key
Public Key
Private Key
Split Key
Template
Policy Template
Secret Data
Opaque Object
The cryptographic material of a Managed Object is a Key Block (for keys) or a Value (for certificates).
KMIP defines a set of Operations that apply to Managed Objects, which consist of Attributes and possibly cryptographic material.
Slide 11
Transport-Level Encoding
Key Client: API -> Internal representation -> KMIP Encode -> Transport
Key Server: Transport -> KMIP Decode -> Internal representation -> API
(The response travels the reverse path: KMIP Encode on the server, KMIP Decode on the client.)
KMIP TTLV encoding: a message is a sequence of items, each carried as Tag, Type, Length, Value:
... | Tag | Type | Len | Value | Tag | Type | Len | Value | ...
Slide 12
Message Encoding
In a TTLV-encoded message, Attributes are identified either by tag value or by their name, depending on the context:
• When the operation lists the attribute name among the objects that are part of the request/response (such as Unique Identifier), its tag is used in the encoded message.
• When the operation does not list the attribute name explicitly but instead includes Template-Attribute (as in the Create operation) or Attribute (as in Add Attribute) objects as part of the request/response, its name is used in the encoded message.
Example: Get with Unique Identifier
tag                type  length  value
...
Operation          04    4       0000000A
Unique Identifier  06    24      1f165d65-cbbd-4bd6-9867-80e0b390acf9
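Slides 9 and 12 together describe the Get exchange and its TTLV wire format. The Python below is an added example, not code from the presentation or from OASIS: it encodes the Get request for the Unique Identifier shown on slide 12 as TTLV items (3-byte Tag, 1-byte Type, 4-byte big-endian Length, Value padded to 8 bytes) and decodes it back. The tag codes in the TAG table and the item-type constants are the values I take from the KMIP 1.0 specification, not from the slide, and should be checked against the specification text you implement. The decoder validates every Length against the remaining buffer before slicing, which is the check a practitioner wants in any parser of TTLV that arrives over the network.

```python
import struct
from typing import Any, List, Optional, Tuple

# Tag and item-type codes per the KMIP 1.0 specification (assumption: from the spec, not the slide).
TAG = {
    "Request Message": 0x420078,
    "Request Header": 0x420077,
    "Protocol Version": 0x420069,
    "Protocol Version Major": 0x42006A,
    "Protocol Version Minor": 0x42006B,
    "Batch Count": 0x42000D,
    "Batch Item": 0x42000F,
    "Operation": 0x42005C,
    "Request Payload": 0x420079,
    "Unique Identifier": 0x420094,
}
TAG_NAME = {code: name for name, code in TAG.items()}
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
OPERATION_GET = 0x0000000A  # enumeration value for Get, as shown on slide 12

def _pad8(data: bytes) -> bytes:
    """TTLV pads every Value field to a multiple of 8 bytes."""
    return data + b"\x00" * (-len(data) % 8)

def encode(tag: int, typ: int, value: Any) -> bytes:
    """One item: Tag (3 bytes) | Type (1) | Length (4, big-endian) | padded Value."""
    if typ == STRUCTURE:  # a Structure's value is a list of (tag, type, value) children
        body = b"".join(encode(*child) for child in value)
    elif typ in (INTEGER, ENUMERATION):  # 4-byte values, padded to 8 below
        body = struct.pack(">i" if typ == INTEGER else ">I", value)
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported item type 0x{typ:02x}")
    return tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body)) + _pad8(body)

def decode(buf: bytes) -> List[Tuple[str, int, Any]]:
    """Decode a run of items; every Length is bounds-checked before slicing."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        padded = length + (-length % 8)
        if pos + 8 + padded > len(buf):  # a forged or truncated Length is rejected here
            raise ValueError(f"item length {length} exceeds remaining buffer")
        raw = buf[pos + 8:pos + 8 + length]
        if typ == STRUCTURE:
            value = decode(raw)
        elif typ in (INTEGER, ENUMERATION):
            if length != 4:
                raise ValueError("Integer/Enumeration values must be 4 bytes")
            value = struct.unpack(">i" if typ == INTEGER else ">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw  # unknown types are kept as opaque bytes
        items.append((TAG_NAME.get(tag, f"0x{tag:06x}"), typ, value))
        pos += 8 + padded
    return items

def get_request(unique_identifier: str, major: int = 1, minor: int = 1) -> bytes:
    """The Get request of slides 9 and 12: header plus one Batch Item naming the key by tag."""
    return encode(TAG["Request Message"], STRUCTURE, [
        (TAG["Request Header"], STRUCTURE, [
            (TAG["Protocol Version"], STRUCTURE, [
                (TAG["Protocol Version Major"], INTEGER, major),
                (TAG["Protocol Version Minor"], INTEGER, minor),
            ]),
            (TAG["Batch Count"], INTEGER, 1),
        ]),
        (TAG["Batch Item"], STRUCTURE, [
            (TAG["Operation"], ENUMERATION, OPERATION_GET),
            (TAG["Request Payload"], STRUCTURE, [
                (TAG["Unique Identifier"], TEXT_STRING, unique_identifier),
            ]),
        ]),
    ])

def find(items: List[Tuple[str, int, Any]], name: str) -> Optional[Any]:
    """Value of the first decoded item called `name`, searching nested Structures."""
    for n, t, v in items:
        hit = v if n == name else (find(v, name) if t == STRUCTURE else None)
        if hit is not None:
            return hit
    return None

def is_rejected(buf: bytes) -> bool:
    """True when the decoder refuses the buffer (truncated or forged Length)."""
    try:
        decode(buf)
        return False
    except ValueError:
        return True
```

Encoding the Operation item alone gives `42005c05 00000004 0000000a 00000000`: the tag, the Enumeration type, a Length of 4 and the 4-byte value padded to 8. The Unique Identifier string is 36 bytes (0x24, the length shown on the slide) and is padded to 40. Truncating the message or rewriting a Length field to a large value makes `decode` raise rather than read past the buffer.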
Slide 13
Authentication
Authentication is external to the protocol.
All servers should support at least TLS V1.0.
The Authentication message field contains the Credential Base Object: the client or server certificate in the case of TLS.
Diagram: Host (identity certificate) and Enterprise Key Manager (identity certificate) connected over SSL/TLS.
Slide 14
KMIP Interop at RSAC 2012
Diagram: an Interop Network joining participating vendor servers (single and "2 x Server" nodes) and clients (single and "3 x Client" nodes).
Slide 15
KMIP Test Cases
Purpose: provide examples of message exchanges for common key management requirements
• basic functionality (create, get, register, delete of symmetric keys and templates)
• life-cycle support (key states)
• auditing and reporting
• key exchange
• asymmetric keys
• key roll-over
• archival
• vendor-specific message extensions
Details of the message composition and TTLV encoding
Slide 16
KMIP Profiles
Purpose: define what any implementation of the specification must adhere to in order to claim conformance to the specification
1. Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction.
2. Define a set of normative constraints for employing KMIP within a particular environment or context of use.
3. Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors.
Examples of KMIP profiles: Secret data; Symmetric key store; Symmetric key foundry
Profiles are further qualified by authentication suite: TLS V1.0 / V1.1; TLS V1.2
Slide 17
KMIP Usage Guide
Purpose: provide detailed guidance on how to implement KMIP functionality
• Using Notify and Put operations
• Key states and times
• Using KMIP templates
• Using vendor-specific extensions
• Using batch for multiple operations
• Canceling asynchronous operations
Slide 18
New Challenges in Key Management
Slide 19
Business & IT are evolving rapidly…
Slide 20
Cloud Key Management
Diagram: Cloud Service Provider side: Application, App Data, Users, CSP Administrators. Enterprise IT side: Enterprise App, Key Server, Key DB, HSM, vSphere, Enterprise Administrators.
Slide 21
Complex Enterprise Security Requirements
Diagram: an Enterprise Key Manager (EKM, administered through a web browser) connected to an HSM with multiple partitions, a backup HSM and key archive, an audit log, Key Secure, an Application + HSM with EKM client and a Database + HSM with EKM client (initialization and activation flows).
EKM
• Centrally see all keys created and used by HSM
• Stores and manages key attributes
• Centralized audit for compliance
Slide 22
PGP Key Management
Slide 23
Quantum Key Distribution
QKD diagram. Raw key: true random. Final key: secure, secret, replicated, synchronised true random.
Slide 24
Changes in the Threat Landscape
Nation state actors: targets include PII, government, defense industrial base, IP-rich organizations
Criminals: petty criminals (unsophisticated) and organized crime (organized, sophisticated supply chains targeting PII, financial services, retail)
Non-state actors: terrorists, anti-establishment vigilantes, “Hacktivists”; targets of opportunity such as PII, government, critical infrastructure
Slide 25
Addressing the New Challenges in Key Management
Slide 26
KMIP V.Next
Use Cases
• Define user stories and sequence for both existing and new areas of functionality
Enhanced Protocol
• Provide objects, attributes and/or operations as needed for in-scope use cases
Testing Program
• Establish a formal and on-going program for KMIP interoperability testing
Test Cases
• Enhanced suite of test cases to support interoperability testing as well as protocol validation
Profiles
• Establish a simpler model for conformance, supported by profile-specific test cases
Slide 27
Use Cases for Hybrid Cloud
Diagram: Cloud Service Provider side: Application, App Data, Users, CSP Administrators. Enterprise IT side: Enterprise App, Key Server, Key DB, HSM, vSphere, Enterprise Administrators.
Use Cases
• Tenant administration
• Key migration
• Policy distribution
Implications
• Tenant granularity
• Key export/import
• Policy distribution
• Client registration
Slide 28
Use Cases for Hardware Security Modules
Diagram: Divisional Applications side: Application, Divisional App, App Data, vSphere, Users, Application Administrators. Enterprise IT side: HSM, Key Server, Key DB, HSM Administrators.
Use Case
• Trust establishment
• Protection of keys in transit
Implications
• Device types
• Vendor extensions
Slide 29
Use Cases for PGP Keys
Use Cases
• User registration
• Key lookup
• Key signing
• Trust validation
Implications
• Key structures
• User identifiers
• Signature sets
Slide 30
Use Cases for Quantum Key Distribution
Server: replicated, synchronised keys across domain boundaries. Client: KMIP operations with the key server in the same domain.
Use Case
• QKD trust establishment
Implications
• Stream objects, operations and attributes
Slide 31
KMIP Interoperability Program
KMIP conformance testing program: design, implementation, management, measurement, and reporting
Test Specification: mentoring and review; revision tracking; test environment architecture; test case specifics
Test Harness Development: mentoring and review; revision tracking; delivery mechanisms; peer review and sign-off; website for access (per OASIS requirements) to test results
Slide 32
New members welcome
• Interoperability: drive KMIP adoption
• Be heard: a) business requirements b) use cases
• Grow global markets: bigger pie = BIGGER SLICE
• Tap into the KMIP brain trust
• You belong here
• Contribute to KMIP test cases and profiles
Slide 33
Thank You!
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip