Presentation transcript: "Key Wrapping in KMIP", Mark Joseph, P6R Inc, 2/27/2015
Slide 1: Key Wrapping in KMIP
Mark Joseph, P6R Inc
2/27/2015
Slide 2: Current Situation
Steps to wrap a key in KMIP version 1.0 to 1.3:
- The key to wrap exists on the server
- The wrapping key exists on the server
- Perform a GET operation with a Key Wrapping Specification
- The wrapped key returned by the GET operation is not stored on the server (it is not a managed object)
Slide 3: Current Situation
Steps to unwrap a key in KMIP version 1.0 to 1.3:
- The wrapping key is stored on the server
- Perform a REGISTER operation with the wrapped key and a Key Wrapping Data structure
- The server may unwrap the key on the REGISTER operation. However, the server will not inform the client either way.
- Perform a GET operation to get the registered key, which may still be wrapped or may be unwrapped.
- The KMIP 1.3 Query operation lets the client discover whether the KMIP server will unwrap a key.
- If the key stays wrapped, it cannot be used for on-server encryption operations.
Slide 4: Proposed Wrapping Approach
- Add two new KMIP operations: Wrap and Unwrap
- Use a PKCS 11-like model for what these operations mean
- Goal: allow unwrapped keys to be used in on-server encryption operations
Slide 5: Wrap Operation
- The wrapping key must be on the server.
- This operation requests the server to create a new managed object by wrapping an existing key pointed to by a unique identifier. The new wrapped object's unique identifier will be returned in the operation's response.
- No object value is returned by this operation. To get the wrapped key, a GET operation with the unique identifier returned from the WRAP operation must be performed.
- An error is returned to the client if the WRAP operation failed.
Slide 6: Unwrap Operation
- The wrapping key must be on the server.
- This operation requests the server to create a new managed object by unwrapping an existing key pointed to by the unique identifier in the request. The new unwrapped key's unique identifier is returned in the operation's response.
- No object value is returned by this operation. To get the unwrapped key, a GET operation with the unique identifier returned from the UNWRAP operation must be performed.
- Each server defines a policy determining whether an unwrapped key can be returned by a GET operation.
Slide 7: Unwrap Operation (continued)
- The key can now be used for on-server encryption operations.
- An error is returned if the UNWRAP operation failed or is not allowed.
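The Wrap/Unwrap model of slides 5 to 7, as an added example in Go (not P6R's code and not taken from the KMIP specification): a toy server keeps managed objects by unique identifier; Wrap and Unwrap each create a new managed object and return only its identifier, never a value; GET applies a per-server policy to keys that Unwrap produced; and a still-wrapped blob is not usable for on-server encryption. Assumptions: the ManagedObject fields, the obj-N identifier format and the Server policy flag are invented for this model, and AES-GCM under the KEK (random nonce prefixed to the blob, the wrapping key's identifier as associated data) stands in for a KMIP wrapping method such as RFC 3394 AES key wrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ManagedObject is a toy KMIP managed object with only the fields this model needs (assumed).
type ManagedObject struct {
	Value      []byte
	Wrapped    bool // created by Wrap: an opaque blob, not usable by on-server encryption
	FromUnwrap bool // created by Unwrap: subject to the server's GET policy
}

// Server keeps managed objects by unique identifier; returnUnwrapped is its GET policy.
type Server struct {
	objects         map[string]*ManagedObject
	returnUnwrapped bool
}

func NewServer(returnUnwrapped bool) *Server { return &Server{map[string]*ManagedObject{}, returnUnwrapped} }

// store assigns a constructed identifier (not KMIP's format) and returns it, never the value.
func (s *Server) store(obj *ManagedObject) string {
	id := fmt.Sprintf("obj-%d", len(s.objects)+1)
	s.objects[id] = obj
	return id
}

// Register stores plain key material, e.g. the KEK or the key to be wrapped.
func (s *Server) Register(value []byte) string { return s.store(&ManagedObject{Value: append([]byte(nil), value...)}) }

// aead is the wrapping primitive; AES-GCM under the KEK stands in for a KMIP wrapping method (assumption).
func aead(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap: look up both keys by identifier, create a new wrapped managed object, return only its id.
func (s *Server) Wrap(keyID, kekID string) (string, error) {
	key, kek := s.objects[keyID], s.objects[kekID]
	if key == nil || kek == nil {
		return "", errors.New("WRAP failed: unknown identifier")
	}
	g, err := aead(kek.Value)
	if err != nil {
		return "", fmt.Errorf("WRAP failed: %w", err)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	blob := g.Seal(nonce, nonce, key.Value, []byte(kekID)) // associated data binds the blob to its KEK's id
	return s.store(&ManagedObject{Value: blob, Wrapped: true}), nil
}

// Unwrap: the result is a new plain managed object usable on the server; only its id is returned.
func (s *Server) Unwrap(wrappedID, kekID string) (string, error) {
	obj, kek := s.objects[wrappedID], s.objects[kekID]
	if obj == nil || kek == nil || !obj.Wrapped {
		return "", errors.New("UNWRAP not allowed: unknown identifier or object is not wrapped")
	}
	g, err := aead(kek.Value)
	if err != nil || len(obj.Value) < g.NonceSize() {
		return "", errors.New("UNWRAP failed: bad KEK or malformed blob")
	}
	n := g.NonceSize()
	plain, err := g.Open(nil, obj.Value[:n], obj.Value[n:], []byte(kekID)) // wrong KEK or tampering fails here
	if err != nil {
		return "", fmt.Errorf("UNWRAP failed: %w", err)
	}
	return s.store(&ManagedObject{Value: plain, FromUnwrap: true}), nil
}

// Get returns a copy of the value, applying the server's policy on keys that Unwrap produced.
func (s *Server) Get(id string) ([]byte, error) {
	obj := s.objects[id]
	if obj == nil {
		return nil, fmt.Errorf("no managed object %q", id)
	}
	if obj.FromUnwrap && !s.returnUnwrapped {
		return nil, errors.New("policy: keys produced by UNWRAP are not returned by GET")
	}
	return append([]byte(nil), obj.Value...), nil
}

// UsableOnServer reports whether on-server encryption operations could use the object.
func (s *Server) UsableOnServer(id string) bool { return s.objects[id] != nil && !s.objects[id].Wrapped }
```

Two details follow the slides directly: a client learns the outcome of each operation from the response (WRAP failure, UNWRAP failure under the wrong KEK or on a tampered blob, UNWRAP refused for an object that was never wrapped) instead of having to GET the object and inspect it, and a server built with NewServer(false) keeps keys produced by UNWRAP usable on the server while refusing to hand their material back through GET.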