the trusted security provider to your trusted … · • kmip rkm/dpm c client sdk • kmip c...

R

THE TRUSTED SECURITY PROVIDER TO YOUR TRUSTED SECURITY PROVIDER CRYPTSOFT is a privately held Australian company that operates worldwide in the enterprise key management security market. Cryptsoft’s Key Management Interoperability Protocol (KMIP) and PKCS#11 software development kits (SDKs) are the market’s preferred OEM solutions.

Cryptsoft’s solutions have been selected by prominent global companies for interoperable enterprise key management and encryption technology in their storage, infrastructure & security and cloud products. Cryptsoft is committed to the development of standards based security software and is an OASIS Foundational Sponsor, SNIA and SSIF Voting Member.

STANDARDS AND ASSOCIATIONS

The Cryptsoft Quality Management System is certified to ISO 9001:2015

Cryptsoft is an OASIS Foundational Sponsor and an active member and contributor to the KMIP and PKCS#11 technical committees

KMIP STANDARD PKCS#11 STANDARD

Cryptsoft is a voting member of the Storage Networking Industry Association (SNIA) and the Storage Security Industry Forum (SSIF)

R

KMIP ADOPTION – KMIP EMBEDDED IN MAJOR ENTERPRISE PRODUCTS

“I DIDN’T KNOW YOU DID THAT?”

STORAGE INFRASTRUCTURE AND SECURITY

CLOUD

• Disk Arrays, Flash Storage Arrays

• NAS Appliances

• Tape Libraries, Virtual Tape Libraries

• Encrypting Switches

• Storage Key Managers

• Storage Controllers

• Storage Operating Systems

• Key Managers

• Hardware Security �odules

• Encryption Gateways

• Virtualization Managers

• Virtual Storage Controllers

• Network Computing Appliances

• Secure Application Development

• Key Managers

• Compliance Platforms

• Information Managers

• Enterprise Gateways and Security

• Enterprise Authentication

• Endpoint Security

• Financial Services Applications

• Banking Applications

R

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4˖

• Guaranteed interoperability With all released KMIP products

• Cross-Language Support ▫ Clients in C, C++, C#, Java

and Python ▫ Servers in C and Java

KEY FEATURESKEY MANAGEMENT SDKSCOMPLETE VENDOR-INDEPENDENT KEY MANAGEMENT SOLUTION Cryptsoft’s Key Management SDKs enable rapid addition of interoperable key management functionality to your existing products.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.

As the security market’s preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential.

Using the Cryptsoft SDKs in ANSI C, C++, C#, Java and Python, you cansupport KMIP key management protocols with a single, consistentinterface and provide your customers with a complete vendor independent key management solution to manage all of the points of encryption within your enterprise.

POINTS OF ENCRYPTION

1 1 3

3

3

2

4

4

1

1 2

1 Application Level

2 Filesystem Level

LEGEND

3 Network Level

4 Device LevelSource: ISO/IEC 27040 - Information technology- Security techniques - Storage securityPCPC Server

File ServerServer Network NASStorage ArrayTape LibraryApplianceApplianceAppliance

R

Features• Comprehensive example code• Source licence option• Supports KMIP v1.0, v1.1, v1.2, v1.3, 1.4˖

• Supports proprietary key management protocols (optional plugins to C SDK)

Supported Databases• Oracle MySQL• Oracle Database• Microsoft SQL Server• SQLite

• IBM DB2• PostgreSQL• Embedded (lightweight) • HSQLDB java

Supported Hardware Security Modules and Random Number Generators• SafeNet - Luna PCI (RNG/HSM) [PKCS#11]• SafeNet - Protect Server (RNG/HSM) [PKCS#11]• Thales e-Security - nShield Connect (RNG/HSM) [PKCS#11]• Thales e-Security - nShield Edge (RNG/HSM) [PKCS#11]• Thales e-Security - nShield Solo (RNG/HSM) [PKCS#11] • Utimaco CryptoServer CSe10 PCIe/LAN (RNG/HSM) [PKCS#11] • Utimaco CryptoServer CSe100 PCIe/LAN (RNG/HSM) [PKCS#11]• Whitewood EntropyEngine (RNG)

• ID Quantique - Quantis USB (RNG) [Vendor]• ID Quantique - Quantis PCI (RNG) [Vendor]• ID Quantique - Quantis PCIe (RNG) [Vendor]• Feitian - ePass [PKCS#11]• Oracle - SCA6000 [PKCS#11]• SafeNet - Luna SA4/SA5 (RNG/HSM) [PKCS#11] • SafeNet - Luna CA (RNG/HSM) [PKCS#11]

• Android [OATH-TOTP] [Soft Token]• Cryptsoft [OATH-TOTP]• Feitian [OATH-HOTP/TOTP] • Apple [OATH-TOTP] [Soft Token]

Supported One Time Password Devices• Mi-Token [OATH-TOTP] [Soft Token]• RSA Security SecurID [SecurID]• Litheware Tombé [OATH-HOTP] [YubiKey]• Yubico [OATH-HOTP/TOTP] [YubiKey]

Client SDK Products Server SDK Products• KMIP C Client SDK• KMIP C++ Client SDK• KMIP C# Client SDK • KMIP KMIP Java Client SDK• KMIP Python Client SDK• KMIP C Client Layered Protocol SDKs for Proprietary Protocols• KMIP C Client PKCS11 Adapter • KMIP RKM/DPM C Client SDK• KMIP C Client Oracle TDE & Microsoft BitLocker • KMIP C Client Layered Protocol SDK• KMIP C Interoperability Test Suite• KMIP Java Interoperability Test Suite• Online Test Service (XML/JSON)

• KMIP C Server SDK• KMIP Java Server SDK• KMIP Alert Server SDK• KMIP Server VM Subscription (Annual - C or Java)• KMIP Server Administration Interface (for C or Java Server SDK)• KMIP C Proxy Servers for Proprietary Protocols• KMIP C Server Integration Modules (PKCS11, HSM, RNG) • KMIP C Server Integration Module (RKM/DPM)• KMIP C Server Integration Module

(Audit/Analytics/Compliance)• KMIP C Server OTP Server Module

KEY MANAGEMENT SDKSCOMPLETE VENDOR-INDEPENDENT KEY MANAGEMENT SOLUTION

R


• Guaranteed interoperability With all released KMIP server

products

• Extensive range of supported platforms ▫ Custom platform ports on request

• Available as a binary SDK ▫ Source license option

• Comprehensive example code ▫ Custom examples available -

rapid integration

• Supported on over 35 different platforms ▫ Including Linux, Windows, Embedded ▫ https://www.cryptsoft.com

/platforms/

KEY FEATURESKMIP CLIENT SDKSC, C++, C#, JAVA, PYTHONA complete range of vendor-independent key management solutions

Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications.

Reduce time to market, KMIP-enable your solution within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.

From specialised embedded systems through to scalable, whole of enterprise solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.

KMIP Server SDK javac

java pythonc++ #ccKMIP Client SDK

KMIPHSM

R

KMIP CLIENT SDKSC, C++, C#, JAVA, PYTHON

KMIP Client Examples

KMIP Object Types Supported Cryptographic Providers• Certificate• Opaque Object• PGP Key

• OpenSSL 1.0.x • OpenSSL FIPS 2.0 • OpenSSL 0.9.8 (option) • Sun/Oracle JCE • IBM JCE

• RSA BSAFE MES 3.x, 4.x (option) • RSA BSAFE Share-C (option) • RSA BSAFE Crypto-J • Bouncy Castle JCE • wolfSSL

• Private Key• Public Key • Secret Key

• Split Key • Symmetric Key• Template

Supported KMIP Operations• Activate• Add Attribute• Archive• Cancel• Certify• Check• Create

• Create Key Pair• Create Split Key1.2

• Decrypt1.2

• Delete Attribute• Derive Key• Destroy• Discover Versions1.1

• Encrypt1.2

• Get• Get Attribute List• Get Attributes• Get Usage Allocation• Hash1.2

• Join Split Key1.2

• Locate• MAC1.2

• MAC Verify1.2

• Modify Attribute• Notify• Obtain Lease• Poll

• Put • Register• Register Query• Re-certify• Recover• Re-key• Re-key Key Pair1.1

• Revoke • RNG Retrieve1.2

• RNG Seed1.2

• Sign1.2

• Signature Verify1.2

• Validate

• Simple Protocol Format Parsing TTLV, HEX, BIN, JSON, XML• Simple Servers Query, Notify, Put• Simple Clients Locate Objects, Create and Return Objects • Locating Managed Objects Simple, Extended, IBM TKLM/SKLM, XML• KMIP Standard Operations Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-key, Re-key Key Pair1.1, Archive, Recover, Activate, Derive Key• Creating Keys Simple, Advanced, Extensions

• Managing Attributes Add, Modify, Delete Attribute• Linear Tape Open (LTO) LTO-4 Key Management, LTO-5/6 Key Management, KAD, AKAD, UKAD naming, Generic LTO-4• Random Number Generator (RNG)1.2

Retrieve Server RNG, Seed Server RNG• Server Cryptographic Operations1.2

Encrypt, Decrypt, Sign, Signature Verify MAC, MAC Verify, Hash• Determine Capabilities Server SDK Version, Discover Protocol Versions1.1, Query Server Basic , Query Server Extensions1.1, Query Advanced Capabilities1.3

• Split Key (Multi-Party Controls)1.2

Create Split Key, Join Split Key• Cryptsoft Vendor Extensions SQL Insert, SQL Update, SQL Delete• Generic Multi-protocol Key Handling c Get Key, Put Key, Del Key• Request/Response Handling Recording, Replaying, Batching,

Bulk Data Loading• Client Credential Handling Password-protected TLS Credentials Device Credentials, IBM TKLM/SKLM

Supported KMIP Profiles• Advanced Cryptographic Client1.2

• Advanced Symmetric Key Foundry Client • Asymmetric Key Lifecycle Client• Baseline Client Basic• Baseline Client TLS v1.2• Basic Cryptographic Client1.2

• Basic Symmetric Key Foundry Client• HTTPS Client• Intermediate Symmetric Key Foundry Client• JSON Client• Opaque Managed Object Store Client• RNG Cryptographic Client1.2

• Storage Array With SED Client• Suite-B MinLOS_128 Client• Suite-B MinLOS_192 Client• Symmetric Key Lifecycle Client• Tape Library Client• XML Client

Supported Encodings

• TTLV• HTTPS/TTLV

• HTTPS/JSON• HTTPS/XML

Supported KMIP Servers

• IBM• RSA• MarkLogic• Thales• Trend Micro• Vormetric

• Cryptsoft • Dell• Fornetix• Hewlett Packard

Enterprise• HyTrust

R

• Full OASIS KMIP complianceversions: 1.0, 1.1, 1.2, 1.3, 1.4˖

• Guaranteed interoperability With all released KMIP serverproducts

• Extensive range of supportedplatforms▫ Custom platform ports on request

• Available as a binary SDK▫ Source license option

• Comprehensive example code▫ Custom examples available -

rapid integration

• Supported on over 35 differentplatforms▫ Including Linux, Windows,

Embedded▫ https://www.cryptsoft.com

/platforms/

KEY FEATURESKMIP SERVER SDKSC, JAVAA complete range of vendor-independent key management solutions

Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications.

Reduce time to market, KMIP-enable your solution within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.

From specialised embedded systems through to scalable, whole of enterprise solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.

KMIP Server SDK javac

java pythonc++ #ccKMIP Client SDK

KMIPHSM

R

KMIP SERVER SDKSC, JAVA

KMIP Server Examples• Simple Protocol Format Parsing

TTLV, HEX, BIN, JSON, XML• Simple Clients Operations

Locate Objects, Create and Return Objects• Locating Managed Objects

Simple, Extended, IBM TKLM/SKLM,XML

• KMIP Standard Operations Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-key, Re-key Key Pair1.1, Archive, Recover, Activate, Derive Key

• Server Cryptographic Operations1.2

Encrypt, Decrypt, Sign, Signature Verify,MAC, MAC Verify, Hash

Supported Databases Supported Cryptographic Providers Supported Encodings• HSQLDB• SQLite3• MySQL 5.x• Oracle 11.x, 12.x

• OpenSSL 1.0.x• OpenSSL 0.9.8 (option)• OpenSSL FIPS 2.0• Sun/Oracle JCE• IBM JCE• RSA BSAFE Crypto-J• Bouncy Castle JCE

• SQL Server 2003+• IBM DB2 9 & 10• PostgreSQL 8 & 9

• TTLV• HTTPS/TTLV

• HTTPS/JSON• HTTPS/XML

Supported KMIP Operations• Activate• Add Attribute• Archive• Cancel• Certify• Check• Create

• Create Key Pair• Create Split Key1.2

• Decrypt1.2

• Delete Attribute• Derive Key• Destroy• Discover Versions1.1

• Encrypt1.2

• Get• Get Attribute List• Get Attributes• Get Usage Allocation• Hash1.2

• Join Split Key1.2

• Locate

• MAC1.2

• MAC Verify1.2

• Modify Attribute• Notify• Obtain Lease• Poll• Put

• Register• Register Query• Re-certify• Recover• Re-Key• Re-key Key Pair1.1

• Revoke

• RNG Retrieve1.2

• RNG Seed1.2

• Sign1.2

• Signature Verify1.2

• Validate

• Managing AttributesAdd, Modify, Delete Attribute

• Random Number Generator (RNG)1.2

Retrieve Server RNG, Seed Server RNG• Split Key (Multi-Party Controls)1.2

Create Split Key, Join Split Key• Creating Keys

Simple, Advanced, Extensions• Determine Capabilities

Server SDK Version, Discover ProtocolVersions1.1, Query Server Basic, Query Server Extensions1.1, Query Advanced Capabilities1.3

• Cryptsoft Vendor ExtensionsSQL Insert, SQL Update, SQL Delete

• Request/Response Handling Recording, Replaying, Batching,Bulk Data Loading

• Administration Create, Modify, Delete Users, Partitions,Groups, Manage Group Privileges, Serialize, Deserialize Managed Objects

• Database Schema Management and Migration Fixture Loading, SQL Replay

• Simple ServersQuery, Notify, Put

• JCE ExamplesKey Store Provider

Supported KMIP Profiles• Advanced Cryptographic Server1.2

• Advanced Symmetric Key Foundry Server• Asymmetric Key Lifecycle Server• Baseline Server Basic• Baseline Server TLS v1.2• Basic Cryptographic Server1.2

• Basic Symmetric Key Foundry Server• HTTPS Server• Intermediate Symmetric Key Foundry Server• JSON Server• Opaque Managed Object Store Server• RNG Cryptographic Server1.2

• Storage Array With SED Server• Suite-B MinLOS_128 Server• Suite-B MinLOS_192 Server• Symmetric Key Lifecycle Server• Tape Library Server• XML Server

Supported KMIP Clients

• Dell• ETI-NET• Fornetix• Hewlett Packard

Enterprise

• Hitachi DataSystems

• IBM• IR• Iskraemeco

• MarkLogic• NetApp• Netskope• Panzura• Quantum

• RSD• Sepaton• Spectra Logic• Trend Micro

• BDT• Brocade• Cryptsoft• DataStax

R

Cryptsoft’s Key Management Interoperability Protocol (KMIP) Test Suites let you rapidly confirm the interoperability status of your product. Designed to support the different test cases and profiles in the KMIP standard you can ensure that your application’s design can be thoroughly tested to deliver interoperability with a range of other KMIP clients and servers.

The Cryptsoft KMIP Test Suites provide full coverage for each version of KMIP (1.0, 1.1. 1.2. 1.3 and 1.4) that can be configured to support the level of KMIP required for your application. In addition if your application is based on one of the 15 KMIP profiles then you can apply only the relevant profiles to fully support your requirements.

Reduce time to market and release with the confidence provided by data driven testing.

Backed by a global support network, Cryptsoft’s KMIP SDKs offer a total key management solution.

• Full OASIS KMIP compliance Versions: 1.0, 1.1, 1.2, 1.3, 1.4˖

• Available as a binary SDK or as a service ▫ Source license option

• Comprehensive test cases ▫ KMIP Test Cases ▫ KMIP Profile Test Cases

KEY FEATURES

KMIP INTEROPERABILITY TEST SUITECOMPLETE VERIFICATION SOLUTION

Test Report

SKFF-M-1-101

SKFF-M-2-10

SKFF-M-3-10

SKFF-M-4-10

SKFF-M-5-10

SKFF-M-6-10

SKFF-M-7-10

SKFF-M-8-10

SKFF-M-9-10

SKFF-M-10-10

2

3

4

5

6

7

8

9

10

15%

25%

5%

12%

15%

20%

18%

5%

20%

10%

--

--

--

--

--

--

--

--

--

--

Test ID %&#

DefineTransform

ExecuteAnalyse

R

ProfileTestCases

AsymmetricKeyLifecycle

CryptographicServices(AdvancedCryptographic)

CryptographicServices(Advanced-OAEP)

CryptographicServices(BasicCryptographic)

CryptographicServices(RNG)

HTTPS(MessageEncoding)

JSON(MessageEncoding)

XML(MessageEncoding)

OpaqueManagedObjectStore

StorageArraywithSelfEncryptingDrive

SymmetricKeyFoundryforFIPS140

SymmetricKeyLifecycle

SuiteBminLOS_128Authentication

SuiteBminLOS_192Authentication

TapeLibrary

KMIP 1.0AKLC-M-1-10 SKFF-M-11-10 SKFF-O-5-10 TC-313-10 TC-94-10AKLC-M-2-10 SKFF-M-12-10 SKFF-O-6-10 TC-314-10 TC-95-10AKLC-M-3-10 SKFF-M-2-10 SKLC-M-1-10 TC-315-10 TC-ECC-1-10AKLC-O-1-10 SKFF-M-3-10 SKLC-M-2-10 TC-32-10 TC-ECC-2-10MSGENC-HTTPS-1-10 SKFF-M-4-10 SKLC-M-3-10 TC-41-10 TC-ECC-3-10MSGENC-JSON-1-10 SKFF-M-5-10 SKLC-O-1-10 TC-51-10 TC-NP-1-10MSGENC-XML-1-10 SKFF-M-6-10 TC-101-10 TC-61-10 TC-NP-2-10OMOS-M-1-10 SKFF-M-7-10 TC-111-10 TC-71-10 TL-M-1-10OMOS-O-1-10 SKFF-M-8-10 TC-121-10 TC-72-10 TL-M-2-10SASED-M-1-10 SKFF-M-9-10 TC-131-10 TC-81-10 TL-M-3-10SASED-M-2-10 SKFF-O-1-10 TC-132-10 TC-82-10SASED-M-3-10 SKFF-O-2-10 TC-134-10 TC-91-10SKFF-M-1-10 SKFF-O-3-10 TC-311-10 TC-92-10SKFF-M-10-10 SKFF-O-4-10 TC-312-10 TC-93-10

KMIP 1.1AKLC-M-1-11 SKFF-M-2-11 SKLC-M-3-11 TC-152-11 TC-72-11AKLC-M-2-11 SKFF-M-3-11 SKLC-O-1-11 TC-153-11 TC-81-11AKLC-M-3-11 SKFF-M-4-11 SUITEB-128-M-1-11 TC-161-11 TC-82-11AKLC-O-1-11 SKFF-M-5-11 SUITEB-192-M-1-11 TC-171-11 TC-91-11MSGENC-HTTPS-1-11 SKFF-M-6-11 TC-101-11 TC-181-11 TC-92-11MSGENC-JSON-1-11 SKFF-M-7-11 TC-111-11 TC-182-11 TC-93-11MSGENC-XML-1-11 SKFF-M-8-11 TC-112-11 TC-311-11 TC-94-11OMOS-M-1-11 SKFF-M-9-11 TC-121-11 TC-312-11 TC-95-11OMOS-O-1-11 SKFF-O-1-11 TC-122-11 TC-313-11 TC-ECC-1-11SASED-M-1-11 SKFF-O-2-11 TC-131-11 TC-314-11 TC-ECC-2-11SASED-M-2-11 SKFF-O-3-11 TC-132-11 TC-315-11 TC-ECC-3-11SASED-M-3-11 SKFF-O-4-11 TC-133-11 TC-32-11 TC-NP-1-11SKFF-M-1-11 SKFF-O-5-11 TC-134-11 TC-41-11 TC-NP-2-11SKFF-M-10-11 SKFF-O-6-11 TC-141-11 TC-51-11 TL-M-1-11SKFF-M-11-11 SKLC-M-1-11 TC-142-11 TC-61-11 TL-M-2-11SKFF-M-12-11 SKLC-M-2-11 TC-151-11 TC-71-11 TL-M-3-11

KMIP 1.2AKLC-M-1-12 CS-RNG-M-1-12 SKFF-M-8-12 TC-142-12 TC-AESXTS-1-12AKLC-M-2-12 CS-RNG-O-1-12 SKFF-M-9-12 TC-151-12 TC-DERIVEKEY-1-12AKLC-M-3-12 CS-RNG-O-2-12 SKFF-O-1-12 TC-152-12 TC-DERIVEKEY-2-12AKLC-O-1-12 CS-RNG-O-3-12 SKFF-O-2-12 TC-153-12 TC-DERIVEKEY-3-12CS-AC-M-1-12 CS-RNG-O-4-12 SKFF-O-3-12 TC-161-12 TC-DERIVEKEY-4-12CS-AC-M-2-12 MSGENC-HTTPS-1-12 SKFF-O-4-12 TC-171-12 TC-DERIVEKEY-5-12CS-AC-M-3-12 MSGENC-HTTPS-M-1-12 SKFF-O-5-12 TC-181-12 TC-ECC-1-12CS-AC-M-4-12 MSGENC-JSON-1-12 SKFF-O-6-12 TC-182-12 TC-ECC-2-12CS-AC-M-5-12 MSGENC-JSON-M-1-12 SKLC-M-1-12 TC-311-12 TC-ECC-3-12CS-AC-M-6-12 MSGENC-XML-1-12 SKLC-M-2-12 TC-312-12 TC-I18N-1-12CS-AC-M-7-12 MSGENC-XML-M-1-12 SKLC-M-3-12 TC-313-12 TC-I18N-2-12CS-AC-M-8-12 OMOS-M-1-12 SKLC-O-1-12 TC-314-12 TC-I18N-3-12CS-BC-M-1-12 OMOS-O-1-12 SUITEB_128-M-1-12 TC-315-12 TC-MDO-1-12CS-BC-M-10-12 SASED-M-1-12 SUITEB_192-M-1-12 TC-32-12 TC-MDO-2-12CS-BC-M-11-12 SASED-M-2-12 SUITEB-128-M-1-12 TC-41-12 TC-MDO-3-12CS-BC-M-12-12 SASED-M-3-12 SUITEB-192-M-1-12 TC-51-12 TC-NP-1-12CS-BC-M-13-12 SKFF-M-1-12 TC-101-12 TC-61-12 TC-NP-2-12CS-BC-M-14-12 SKFF-M-10-12 TC-111-12 TC-71-12 TC-PGP-1-12CS-BC-M-2-12 SKFF-M-11-12 TC-112-12 TC-72-12 TC-REKEY-1-12CS-BC-M-3-12 SKFF-M-12-12 TC-121-12 TC-81-12 TC-SJ-1-12CS-BC-M-4-12 SKFF-M-2-12 TC-122-12 TC-82-12 TC-SJ-2-12CS-BC-M-5-12 SKFF-M-3-12 TC-131-12 TC-91-12 TC-SJ-3-12CS-BC-M-6-12 SKFF-M-4-12 TC-132-12 TC-92-12 TC-SJ-4-12CS-BC-M-7-12 SKFF-M-5-12 TC-133-12 TC-93-12 TL-M-1-12CS-BC-M-8-12 SKFF-M-6-12 TC-134-12 TC-94-12 TL-M-2-12CS-BC-M-9-12 SKFF-M-7-12 TC-141-12 TC-95-12 TL-M-3-12

KMIP 1.3AKLC-M-1-13 CS-BC-M-8-13 SKFF-M-7-13 TC-MDO-1-13 TC-Q-RNGS-6-13AKLC-M-2-13 CS-BC-M-9-13 SKFF-M-8-13 TC-MDO-2-13 TC-Q-S2C-1-13AKLC-M-3-13 CS-RNG-M-1-13 SKFF-M-9-13 TC-MDO-3-13 TC-Q-S2C-2-13AKLC-O-1-13 CS-RNG-O-1-13 SKLC-M-1-13 TC-NP-1-13 TC-Q-S2C-PROF-1-13CS-AC-M-1-13 CS-RNG-O-2-13 SKLC-M-2-13 TC-NP-2-13 TC-Q-S2C-PROF-2-13CS-AC-M-2-13 CS-RNG-O-3-13 SKLC-M-3-13 TC-OFFSET-1-13 TC-Q-VAL-1-13CS-AC-M-3-13 CS-RNG-O-4-13 SKLC-O-1-13 TC-OFFSET-2-13 TC-Q-VAL-2-13CS-AC-M-4-13 MSGENC-HTTPS-M-1-13 SUITEB_128-M-1-13 TC-OTP-1-13 TC-REKEY-1-13CS-AC-M-5-13 MSGENC-JSON-M-1-13 SUITEB_192-M-1-13 TC-OTP-2-13 TC-RNG-ATTR-1-13CS-AC-M-6-13 MSGENC-XML-M-1-13 TC-AESXTS-1-13 TC-OTP-3-13 TC-RNG-ATTR-2-13CS-AC-M-7-13 OMOS-M-1-13 TC-CREG-1-13 TC-OTP-4-13 TC-SJ-1-13CS-AC-M-8-13 OMOS-O-1-13 TC-CREG-2-13 TC-OTP-5-13 TC-SJ-2-13CS-BC-M-1-13 SASED-M-1-13 TC-CREG-3-13 TC-PGP-1-13 TC-SJ-3-13CS-BC-M-10-13 SASED-M-2-13 TC-DERIVEKEY-1-13 TC-Q-CAP-1-13 TC-SJ-4-13CS-BC-M-11-13 SASED-M-3-13 TC-DERIVEKEY-2-13 TC-Q-CAP-2-13 TC-STREAM-ENC-1-13CS-BC-M-12-13 SKFF-M-1-13 TC-DERIVEKEY-3-13 TC-Q-CREG-1-13 TC-STREAM-ENC-2-13CS-BC-M-13-13 SKFF-M-10-13 TC-DERIVEKEY-4-13 TC-Q-PROF-1-13 TC-STREAM-ENCDEC-1-13CS-BC-M-14-13 SKFF-M-11-13 TC-DERIVEKEY-5-13 TC-Q-PROF-2-13 TC-STREAM-ENCDEC-13CS-BC-M-2-13 SKFF-M-12-13 TC-ECC-1-13 TC-Q-PROF-3-13 TC-STREAM-HASH-1-13CS-BC-M-3-13 SKFF-M-2-13 TC-ECC-2-13 TC-Q-RNGS-1-13 TC-STREAM-HASH-2-13CS-BC-M-4-13 SKFF-M-3-13 TC-ECC-3-13 TC-Q-RNGS-2-13 TC-STREAM-HASH-3-13CS-BC-M-5-13 SKFF-M-4-13 TC-I18N-1-13 TC-Q-RNGS-3-13 TL-M-1-13CS-BC-M-6-13 SKFF-M-5-13 TC-I18N-2-13 TC-Q-RNGS-4-13 TL-M-2-13CS-BC-M-7-13 SKFF-M-6-13 TC-I18N-3-13 TC-Q-RNGS-5-13 TL-M-3-13

KMIP 1.4AKLC-M-1-14 CS-BC-M-3-14 SKFF-M-8-14 TC-MDO-1-14 TC-Q-S2C-1-14AKLC-M-2-14 CS-BC-M-4-14 SKFF-M-9-14 TC-MDO-2-14 TC-Q-S2C-2-14AKLC-M-3-14 CS-BC-M-5-14 SKLC-M-1-14 TC-MDO-3-14 TC-Q-S2C-PROF-1-14CS-AC-M-1-14 CS-BC-M-6-14 SKLC-M-2-14 TC-NP-1-14 TC-Q-S2C-PROF-2-14CS-AC-M-2-14 CS-BC-M-7-14 SKLC-M-3-14 TC-NP-2-14 TC-Q-VAL-1-14CS-AC-M-3-14 CS-BC-M-8-14 SUITEB_128-M-1-14 TC-OFFSET-1-14 TC-Q-VAL-2-14CS-AC-M-4-14 CS-BC-M-9-14 SUITEB_192-M-1-14 TC-OFFSET-2-14 TC-REKEY-1-14CS-AC-M-5-14 CS-BC-M-GCM-1-14 TC-AESXTS-1-14 TC-OTP-1-14 TC-RNG-ATTR-1-14CS-AC-M-6-14 CS-BC-M-GCM-2-14 TC-CERTATTR-1-14 TC-OTP-2-14 TC-RNG-ATTR-2-14CS-AC-M-7-14 CS-BC-M-GCM-3-14 TC-CREATE-SD-1-14 TC-OTP-3-14 TC-RSA-SIGN-DIGESTEDDATA-1-14CS-AC-M-8-14 CS-RNG-M-1-14 TC-CREG-1-14 TC-OTP-4-14 TC-SJ-1-14CS-AC-OAEP-1-14 MSGENC-HTTPS-M-1-14 TC-CREG-2-14 TC-OTP-5-14 TC-SJ-2-14CS-AC-OAEP-10-14 MSGENC-JSON-M-1-14 TC-CREG-3-14 TC-PGP-1-14 TC-SJ-3-14CS-AC-OAEP-2-14 MSGENC-XML-M-1-14 TC-CS-CORVAL-1-14 TC-PKCS12-1-14 TC-SJ-4-14CS-AC-OAEP-3-14 OMOS-M-1-14 TC-DERIVEKEY-1-14 TC-PKCS12-2-14 TC-STREAM-ENC-1-14CS-AC-OAEP-4-14 SASED-M-1-14 TC-DERIVEKEY-2-14 TC-Q-CAP-1-14 TC-STREAM-ENC-2-14CS-AC-OAEP-5-14 SASED-M-2-14 TC-DERIVEKEY-3-14 TC-Q-CAP-2-14 TC-STREAM-ENCDEC-1-14CS-AC-OAEP-6-14 SASED-M-3-14 TC-DERIVEKEY-4-14 TC-Q-CAP-3-14 TC-STREAM-HASH-1-14CS-AC-OAEP-7-14 SKFF-M-1-14 TC-DERIVEKEY-5-14 TC-Q-CREG-1-14 TC-STREAM-HASH-2-14CS-AC-OAEP-8-14 SKFF-M-10-14 TC-DERIVEKEY-6-14 TC-Q-PROF-1-14 TC-STREAM-HASH-3-14CS-AC-OAEP-9-14 SKFF-M-11-14 TC-ECC-1-14 TC-Q-PROF-2-14 TC-STREAM-SIGN-1-14CS-BC-M-1-14 SKFF-M-12-14 TC-ECC-2-14 TC-Q-PROF-3-14 TC-STREAM-SIGNVFY-1-14CS-BC-M-10-14 SKFF-M-2-14 TC-ECC-3-14 TC-Q-RNGS-1-14 TC-WRAP-1-14CS-BC-M-11-14 SKFF-M-3-14 TC-ECDSA-SIGN-14 TC-Q-RNGS-2-14 TC-WRAP-2-14CS-BC-M-12-14 SKFF-M-4-14 TC-ECDSA-SIGN-DIGESTEDDATA-1-14 TC-Q-RNGS-3-14 TC-WRAP-3-14CS-BC-M-13-14 SKFF-M-5-14 TC-I18N-1-14 TC-Q-RNGS-4-14 TL-M-1-14CS-BC-M-14-14 SKFF-M-6-14 TC-I18N-2-14 TC-Q-RNGS-5-14 TL-M-2-14CS-BC-M-2-14 SKFF-M-7-14 TC-I18N-3-14 TC-Q-RNGS-6-14 TL-M-3-14

KMIP v1.0 KMIP v1.1 KMIP v1.2 KMIP v1.3 KMIP v1.4

The Cryptsoft KMIP Test Suites provide full coverage of the various versions of KMIP as well as all of the currently defined profiles as defined in each of the available versions of the KMIP Standard as used in OASIS KMIP Interoperability testing. Ensure that your application has full coverage and interoperability by using the Cryptsoft KMIP Test Suite today.

Profile Test Cases

KMIP INTEROPERABILITY TEST SUITECOMPLETE VERIFICATION SOLUTION

R

KEY FEATURES

KEY BENEFITS

SOLUTION: STORAGEModern enterprises can have a wide array of storage technologies distributed throughout their organizations, this may be because of adoption of new technology or the many acquisitions and mergers of business units that have taken place over time. The one common requirement that most modern enterprises all have is storage.

The obvious solution to managing a secure storage solution is to ensure that all data is encrypted at rest or in transmission. For many organizations this may be a regulatory requirement or based on sound business and risk management reasons. With increasing volumes of data that an organization stores, the need to encrypt that data with a similarly increasing volume of encryption keys introduces a new problem. For these data assets to be used, those keys need to be available. In many large enterprises, this means millions of keys under management with many thousands of keys in use at any given time.

With no common standard for key management a large enterprise can have a range of disparate key stores with varying levels of support for different types of equipment leading to incompatibilities and differing management and audit requirements.

OASIS KMIP provides an industry supported standards compliant interoperability protocol for key management. This allows operators of storage solutions to integrate products from multiple vendors which can make use of an interoperable way to generate, store, manage and retrieve encryption keys across all the elements in their storage solution. In addition this allows for products from different vendors to interoperate. This means that organizations are no longer locked in to storage solutions from a single vendor or may also provide a reduction in risk in their storage solution as they can grow, reduce, or update their implementation in a more flexible manner.


• Guaranteed interoperability With all released KMIP products



• Supports wide range of security objects: ▫ Symmetric keys ▫ Asymmetric keys ▫ Certificates ▫ Authentication ▫ Authorization ▫ Tokens

• Extensive example code provided

• Low risk

• Easy to use

• Extensively deployed

• Proven technology for security object management

• Public Interoperability test results

• Reduce your time to market

• Gain access to an extensive KMIP ecosystem

Figure 1 - Multiple Key Stores

PC

Server Tape Library

Network

Flash Array Key Store

Key Store

Key Store

Storage Array

R

RELATED PRODUCTSCryptsoft’s range of KMIP SDKs have been used to enable a wide

range of storage and storage infrastructure solutions with encryption and enterprise key management capability. From tape libraries to hyper-converged flash arrays, deployment of KMIP technology ensures a deployment of data at rest security solutions within a multi-vendor enterprise.

Cryptsoft’s range of SDKs ensure this can be realized in your products such that your customers can deploy them straight into their enterprises without the need to conduct multiple rounds of point to point testing – we’ve done the hard part for you.

From deployment into brand new products lines, to integration into well respected products for feature parity of compliance, our customers benefit from millions of multi-vendor test runs and a deep understanding of relevant standards. With decades of experience of implementing encryption and key management systems from embedded hardware through to software and virtualized systems, we enable our customers’ products to hit market parity for data at rest security within weeks.

• KMIP C Server SDK

• KMIP C Server Administration Interface

• KMIP C Server Integration Module (HSM)

• KMIP C Interoperability Test Suite

• KMIP Java Server SDK

• KMIP Java Server Administration Interface

• KMIP Java Interoperability Test Suite


• KMIP C Client SDK

• KMIP C++ Client SDK

• KMIP C# Client SDK

• KMIP Java Client SDK

• KMIP Python Client

PC

Server Tape Library

Network

Flash Array

Key Store

Storage Array

KMIP

Figure 2 - Oasis KMIP Key Store

SOLUTION: STORAGE (CONT)

R

SOLUTION: INTERNET OF THINGSWithout having security that guarantees the integrity and privacy of personal data created, used, modified and retained by an IoT ecosystem, IoT device manufacturers are not going to be able to build and maintain the trust in their brand that IoT purchasers will demand. Put simply, ‘Security = Privacy = Sales’.

Securing personal data will require manufacturers of IoT devices to apply suitable protection to all device relevant and user specific data (‘IoT Data’), at all times and places within the data lifecycle, whether at rest or in motion, while still maintaining accessibility and interoperability. This data will need to be secured both at-rest and in-motion. This will mean complex security in storage and over network transmission.

Securing IoT devices will entail securing IoT Data in an ever-increasing number of locations within an ever-increasing ecosystem – a problem Cryptsoft can help solve.

Cryptsoft’s KMIP SDKs and associated technologies are already in use with global vendors securing data at-rest and data in-motion; securing data on premises, in private cloud; and in public cloud; securing data on-device and data off-device.

KEY FEATURES• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4˖

• Guaranteed interoperability



• Supports wide range of security objects: ▫ Symmetric keys ▫ Asymmetric keys ▫ Certificates ▫ Authentication ▫ Authorization ▫ Tokens

• Available on a wide range of operating systems

• Extensive example code provided

KEY BENEFITS• Low risk

• Easy to use

• Extensively deployed

• Proven technology for security object management

• Public Interoperability test results

• Reduce your time to market

• Gain access to an extensive KMIP ecosystem

R

SOLUTION: INTERNET OF THINGS (CONT)

Cryptsoft’s expertise also extends beyond commercial solutions to bespoke engineering for specific solution requirements, think satellite; automotive; health devices; surveillance Implementations include integrating embedded mobile devices in industrial or automotive use, head-end units for smart meters in the utilities supply market; management and control of keys and security in a mixed enterprise market for securing industrial and medical devices as well as devices controlling network accessible devices in homes, schools and other locations.

Cryptsoft can also scale solutions up or down depending on specific requirements, with the increasing power of IoT device and sensor compute resources providing viable platforms for security solutions.

Cryptsoft can help you to secure IoT Data throughout the full data lifecycle, while maintaining accessibility and interoperability.

RELATED PRODUCTS• KMIP C Server SDK



• KMIP C Server OTP Server Module

• KMIP C Interoperability Test Suite


• KMIP Java Server Administration Interface

• KMIP Java Interoperability Test Suite


• KMIP C Client SDK

• KMIP C++ Client SDK

• KMIP C# Client SDK

• KMIP Java Client SDK


Figure 2 - Cryptsoft KMIP SDKs provide a common security framework for IOT

R

SOLUTION:AUTHENTICATIONCryptsoft has worked with a number of standards bodies to provide additional security options for developers building key management solutions into their products.

Options are available for Fast IDentity Online (FIDO) Universal Second Factor (U2F) and OATH compliant One Time Password (OTP) which allows developers to include this functionality in their operations as well as increase the security of the key management solution itself.

OTP SUPPORT Cryptsoft’s OTP solution is based on open standards and allows the developer to create enterprise solutions to manage the full lifecycle of the seed records that underpin the security in an OTP solution. This ensures that only the enterprise has access to the seed records, and the enterprise has full control over the provisioning, usage, and de-provisioning of tokens.

Time based One Time Password (TOTP) tokens provide users with a secure and reliable hardware device to integrate standards-based hardware two-factor authentication.

Two-factor authentication with TOTP combines something you know (your password) withsomething you have (a unique number sequence generated by a hardware device). Both of these factors are required to authenticate – which substantially improves the security properties when compared to a single factor authentication solution.

The non-predictable variable length digit token output is derived from both the secret seed record and the on-board real time clock (RTC). A single hardware token can be programmed for variable output and variable time intervals (30 or 60 seconds) ensuring a solution is easily tailored to the enterprise security context that the developer is building.

Two (or more) tokens initialised with the same seed value can be used for person-to-person two-factor authentication solutions, entirely independent of any server infrastructure.

The same seed record can also be loaded into software based TOTP solutions allowing for a mixed hardware and software deployment context that can be managed by the same infrastructure.

• Strong two-factor authentication

• Support for OATH compliant time-based TOTP devices

• Support for multiple OTP hardware tokens

• Support for variable length OTP hardware tokens

• Integrated with OASIS KMIP for client authentication and seed provisioning

• Configurable seed management

• Capability for Multi-Device seeds

• OASIS KMIP Compliant

• Easy to use

• Provides configurable control of authentication

KEY FEATURES

KEY BENEFITS

945483

R

• KMIP C Server SDK


• KMIP C Server OTP Server Module



• KMIP C SDK

• KMIP C++ SDK

• KMIP C# SDK

• KMIP Java SDK


RELATED PRODUCTS

U2F SUPPORTCryptsoft’s OASIS KMIP products support the Fast IDentity Online (FIDO) Universal Second Factor (U2F) types of tokens. Cryptsoft’s Server and Client SDKS provide developers with the tools to provision and manage keys which can be used by these commonly available hardware tokens.

The FIDO U2F protocol uses standard public key cryptography techniques to provide stronger authentication. • During registration with an online service, the user’s client device

creates a new key pair. It retains the private key and registers the public key with the online service.

• Authentication is done by the client device proving possession of the private key to the service by signing a challenge.

• The client’s private keys can be used only after they are unlocked locally on the device by the user.

• The local unlock is accomplished by a user–friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.

• The FIDO protocols are designed from the ground up to protect user privacy.

• The protocols do not provide information that can be used by different online services to collaborate and track a user across the services.

Cryptsoft’s KMIP SDKs allow the developer to fully integrate U2F tokens into their managed security solution.

SOLUTION:

R

KMIP FUNDAMENTALS

KMIP KEY MANAGEMENTINTEROPERABILITY PROTOCOL

ESTABLISH

RETRIEVE

ROTATE

SERVER

CLIENT

OTHER

CRYPTOGRAPHIC

CreateRegister Create Key Pair

Derive Key Certify

RNG Retrieve1.2

RNG Seed1.2

Encrypt1.2

Decrypt1.2

Sign1.2

Signature Verify1.2

Hash1.2

Mac1.2

MacVerify1.2

ActivateArchiveRecover

RevokeDestroy

LocateGet Attribute

Get Attribute List Get

CheckObtain Lease

Get Usage Allocation

Add AttributeModify Attribute

Delete Attribute

Re-key Re-Certify

Re-key Key Pair

QueryPoll

Cancel

NotifyPut

Discover Versions1.1

Validate

USAGE

STATE

INFO

MANAGE

OASIS KMIP is a widely accepted open standard for the management of a range of security objects including symmetric and asymmetric keys, certificates, and user or vendor defined objects. Based on a communications protocol which defines message formats for the full lifecycle of keys stored on a key management server.

Clients can request a server to perform the full key management lifecycle for key operations. These operations are grouped together in the table below in functional groups allowing for maximum flexibility for key operations. The KMIP open standard for key management allows application programmers to develop the logic of their applications for their business purpose free from the complexities of key management and to rest assured that their application can be developed once and will interoperate with key managers from a range of vendors.

R

• Storage solutions and appliances

• Network infrastructure

• Security applications

• Database management

• Embedded solutions

• Security hardware management

• Gateways and endpoints

• Financial Services and banking applications

• Auditing and compliance

TYPICAL USESCryptsoft’s Key Management SDKs have been incorporated into a wide range of products that are leading the market in interoperable key management.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.

As the security market’s preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential and can interoperate with a wide range of KMIP based products from a range of vendors allowing easy adoption of your product.

CLIENTS AND SERVERS

KMIP KEY MANAGEMENTINTEROPERABILITY PROTOCOL

CLIENTS

SERVERS

R

[email protected] WWW.CRYPTSOFT.COM+61 7 3103 0321 | US +1 650 918 4362

@CRYPTSOFT CRYPTSOFT-SECURITY-SPECIALISTS@CRYPTSOFT

Copyright © 2017 Cryptsoft Pty Ltd. All rights reserved. All trademarks, service marks, trade names, product names and logos are property of their respective owners.

the trusted security provider to your trusted … · • kmip rkm/dpm c client sdk • kmip c...

Documents