KMIP Notes 1.3 – Security Attribute Security 15 May 2014 Chuck White – 1.

Slides:

Advertisements

Similar presentations

PKCS-11 Protocol for Enterprise Key Management

Advertisements

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects.

Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.

KMIP 1.3 SP Issues Joseph Brand / Chuck White / Tim Hudson December 12th,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.

Tenace FRAMEWORK and NIST Cybersecurity Framework Block IDENTIFY.

©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 10 September, 2010 Encoding Options for Key Wrap.

Crypto Agility and Key Wrap Attributes for RADIUS Glen Zorn Joe Salowey Hao Zhou Dan Harkins.

Key Wrapping in KMIP Mark Joseph, P6R Inc 2/27/2015.

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Introduction Cloud characteristics Security and Privacy aspects Principal parties in the cloud Trust in the cloud 1. Trust-based privacy protection 2.Subjective.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Fundamentals, Design, and Implementation, 9/e Chapter 11 Managing Databases with SQL Server 2000.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

CCNA 5.0 Planning Guide Chapter 7: Securing Site-to-Site Connectivity

Archival Prototypes and Lessons Learned Mike Smorul UMIACS.

KMIP Use Cases Update on the process. Agenda Goals Process Flow, Atomics, Batch, Composites, and Not KMIP Evaluating the Document in light of the Goals.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

SAML Conformance Sub-Group Report Face-to-face meeting August 29, 2001 Bob Griffin.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse.

Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

By: Surapheal Belay ITEC ABSTRACT According to NIST SP : “ Mail servers are often the most targeted and attacked servers on an organization’s.

CSCI Research Project and Seminar Team #1 10/02/2007.

Symmetric Key Management Books Development Plan Daniel Fischer (ESA) Ignacio Aguilar Sanchez (ESA) CCSDS Spring Meeting 2010 | Portsmouth, VA.

Designing Active Directory for Security

KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.

Special Publication : Interfaces for Personal Identity Verification Jim Dray NIST NPIVP Workshop March 3, 2006.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.

HSM Management Use-case Summary KMIP F2F Sep 2012 Denis Pochuev

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

© Synergetics Portfolio Security Aspecten.

Group Kiran Thota, VMware Saikat Saha, Oracle. What is Group? Group can be defined as a logical collection or container of objects – Managed Objects –

KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob.

12 Developing a Web Site Section 12.1 Discuss the functions of a Web site Compare and contrast style sheets Apply cascading style sheets (CSS) to a Web.

Section 12.1 Discuss the functions of a Web site Create a feedback form Compare and contrast option buttons and check boxes Section 12.2 Explain the use.

1 1 Oslo Group Ottawa 2-6 February, 2009 Official Energy Statistics IRES Olav Ljones.

Security Planning and Administrative Delegation Lesson 6.

1 NIST Key State Models SP Part 1SP (Draft)

Security Administration. Links to Text Chapter 8 Parts of Chapter 5 Parts of Chapter 1.

Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.

IBM TS7700 User Day Herbst 2015 GUI – Pablo Acevedo

Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.

Remodelling Frida From institutional registration to common registration and responsibility across member institutions Grete Christina Lingjærde Andora.

Overview-TPV Service Delivery

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.

KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.

©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 23 September, 2010 Encoding Options for Key Wrap.

MudiamPCI provide the solution for SAP credit card processing, payment card and card tokenization with aes 256 encryption.

Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.

©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 26 October, 2010 Encoding Options for Key Wrap of.

M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date:

KMIP PKCS#12 February 2014 Tim Hudson – 1.

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

Locate By Value Anthony Berglas. Basic Idea To extend Locate so that it queries managed object’s values (KeyBlock) in the same way that it can now be.

KMIP Compliance Redefining Server and Client requirements to claim compliance Presented by: Bob Lockhart.

Securing Access to Data Using IPsec Josh Jones Cosc352.

Let's build a VMM service template from A to Z in one hour Damien Caro Technical Evangelist Microsoft Central & Eastern Europe

Gabor Fari April 26, 2007.

Information Security, Theory and Practice.

Enabling Encryption for Data at Rest

Enabling Encryption for Data at Rest

Organization for the Advancement of Structured Information Standards

Access Control in KMIPv1.1/v2

Server Side Wrap Operations

Metadata The metadata contains

Chapter 11 Managing Databases with SQL Server 2000

GOPAS TechEd 2012 Kerberos Delegation

Presentation transcript:

KMIP Notes 1.3 – Security Attribute Security 15 May 2014 Chuck White – 1

Thoughts on NIST SP , Client needs to be able to wrap/unwrap attributes Server needs to be able to wrap/unwrap attributes Needs Link to a wrapping key Need to know the difference between Sensitive and Non-Sensitive attributes Same key for key material wrapping and sensitive attributes must be possible Separate key for key material wrapping and sensitive attributes must be possible Need a digest across both the key material and the sensitive attributes (one of the NIST requirements) Today’s focus in on discussing options to designate and secure security attributes

Where to start on Security Attributes Given the need for protecting security attributes, how do we go about implementing security metadata? (NIST SP Framework Topics and Requirements) – What is a method to designate what metadata needs to be secure – What method should be used to associate wrapping keys with metadata.

What is a method to designate what metadata needs to be secure: Introducing the “z” Custom Attribute Current Custom attributes denote either client or server information z attribute is a custom security attribute z–”CustomSecurityAttribute” – could be client, server, or neither – z-x for Client – z-y for Server – z for generic or key specific security attribute

z-Attributes continued Note that have the “z” in front is to be able to quickly differentiate a custom security attribute from custom client and server attributes. Also require an association wrapping keys associated with encrypting the security attributes – Wrapping keys is a smart move and provides traceability with the Framework requirement for SP (FR: 2.4) – Should work within the current Key Wrap specification This is a slight twist from Tim Hudson’s Recommendation at the F2F, main difference is that z becomes a custom attribute type of its own. – Mainly because some security attributes will be independent of the current client and server nomenclature. – For example, attributes associated with the security classification of the key

What Method should be used to associate wrapping keys with metadata: Security Attribute Security Options Wrapping is a good strategy and is an accepted form of security information in transit – so it’s a good starting point. Currently the Key Wrapping Specification can cover securing all the attributes associated with a Wrapped Key (KMIP ) – This provides a means of moving to a NIST compliant approach with no additional effort – its already there

Additional Commands for Wrapped Attributes Need to account for registering Wrapped Attributes – Unwrap on register? – Unwrap on command after register? – Never Unwrap? What to do on Get and Get Attributes? – Do we need a wrap key attribute for Get Attributes?

KMIP 1.3 and NIST What is next? Defining the “mostly complete” set of z-attributes – Think along the lines classifications, authorized users, source information, security levels, etc. – With this model we could create a security attribute construct and work with profiles for implementation – Are there existing attributes that need to be considered sensitive: ie Cryptographic Algorithm, Cryptographic Length Defining commands to register keys with wrapped attributes Defining Commands for getting wrapped attributes Determining use cases and profiles – Hint: KMIP isn’t just for storage anymore.