
Key Wrapping in KMIP
Mark Joseph, P6R Inc, 2/27/2015





Slide 2: Current Situation
Steps to wrap a key in KMIP version 1.0 to 1.3:
1) Key to wrap exists on server
2) Wrapping key exists on server
3) Perform a GET operation with a Key Wrapping Specification
4) Wrapped key returned in GET operation is not stored on server (it is not a managed object)

Slide 3: Current Situation
Steps to unwrap a key in KMIP version 1.0 to 1.3:
1) Wrapping key stored on server
2) Perform a REGISTER operation with the wrapped key and a Key Wrapping Data structure
3) The server may unwrap the key on the REGISTER operation. However, the server will not inform the client either way.
4) Perform a GET operation to get the registered key, which may still be wrapped or may be unwrapped.
5) The KMIP 1.3 Query operation lets the client discover whether the KMIP server will unwrap a key.
6) If the key stays wrapped, it cannot be used for on-server encryption operations.

Slide 4: Proposed Wrapping Approach
- Add two new KMIP operations: Wrap and Unwrap
- Use a PKCS #11-like model for what these operations mean
- Goal: allow unwrapped keys to be used in on-server encryption operations

Slide 5: Wrap Operation
- The wrapping key must be on the server.
- This operation requests the server to create a new managed object by wrapping an existing key pointed to by a unique identifier.
- The new wrapped object's unique identifier is returned in the operation's response. No object value is returned by this operation.
- To get the wrapped key, a GET operation with the unique identifier returned from the WRAP operation must be performed.
- An error is returned to the client if the WRAP operation failed.

Slide 6: Unwrap Operation
- The wrapping key must be on the server.
- This operation requests the server to create a new managed object by unwrapping an existing key pointed to by the unique identifier in the request.
- The new unwrapped key's unique identifier is returned in the operation's response. No object value is returned by this operation.
- To get the unwrapped key, a GET operation with the unique identifier returned from the UNWRAP operation must be performed.
- Each server defines a policy determining whether an unwrapped key can be returned by a GET operation.

Slide 7: Unwrap Operation (continued)
- The key can now be used for on-server encryption operations.
- An error is returned if the UNWRAP operation failed or is not allowed.
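The model proposed in slides 4 to 7, written out as an added example (not code from the presentation or from P6R): Wrap and Unwrap each create a new managed object and return only its identifier, GET releases a value subject to the server's policy, and an integrity failure on unwrap creates nothing. It assumes the `cryptography` package's AES Key Wrap (RFC 3394) as the wrapping mechanism and a simple uid-N identifier scheme; both are choices made here, not part of the proposal.

```python
from dataclasses import dataclass
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap


@dataclass
class ManagedObject:  # a key value held by the server, and whether it is still wrapped
    value: bytes
    wrapped: bool


class KmipServer:
    """Models only the proposed Wrap/Unwrap/Get behaviour; not a KMIP implementation."""
    def __init__(self, allow_get_unwrapped: bool):
        self.objects: dict[str, ManagedObject] = {}
        # Slide 6: each server decides whether GET may return an unwrapped key.
        self.allow_get_unwrapped = allow_get_unwrapped

    def register(self, value: bytes, wrapped: bool = False) -> str:
        """Store a key and return its unique identifier (assumed uid-N scheme)."""
        uid = f"uid-{len(self.objects) + 1}"
        self.objects[uid] = ManagedObject(value, wrapped)
        return uid

    def _wrapping_key(self, uid: str) -> bytes:
        wk = self.objects.get(uid)
        if wk is None or wk.wrapped:  # a still-wrapped key is unusable on the server
            raise LookupError("wrapping key must exist on the server in unwrapped form")
        return wk.value

    def wrap(self, key_uid: str, wrapping_key_uid: str) -> str:
        """Create a new wrapped managed object and return only its identifier."""
        kek = self._wrapping_key(wrapping_key_uid)
        return self.register(aes_key_wrap(kek, self.objects[key_uid].value), wrapped=True)

    def unwrap(self, wrapped_uid: str, wrapping_key_uid: str) -> str:
        """Create a new unwrapped managed object and return only its identifier."""
        kek = self._wrapping_key(wrapping_key_uid)
        obj = self.objects[wrapped_uid]
        if not obj.wrapped:
            raise ValueError("object is not a wrapped key")
        try:
            plain = aes_key_unwrap(kek, obj.value)
        except InvalidUnwrap as exc:  # wrong KEK or tampered blob: no object is created
            raise ValueError("UNWRAP failed: integrity check") from exc
        return self.register(plain, wrapped=False)

    def get(self, uid: str) -> bytes:
        obj = self.objects[uid]  # the value is released only after the policy check
        if not obj.wrapped and not self.allow_get_unwrapped:
            raise PermissionError("policy forbids returning unwrapped key material")
        return obj.value
```

The on-server encryption use of the unwrapped key (slide 7) is not modelled; the unwrapped object simply exists on the server with `wrapped=False`.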

