Presentation is loading. Please wait.

Presentation is loading. Please wait.

KMIP Notes 1.3 – Security Attribute Security 15 May 2014 Chuck White – 1.

Published byMark Nelson Modified over 8 years ago

Similar presentations

Presentation on theme: "KMIP Notes 1.3 – Security Attribute Security 15 May 2014 Chuck White – 1."— Presentation transcript:

1 KMIP Notes 1.3 – Security Attribute Security 15 May 2014 Chuck White – cwhite@semper-fortis.com 1

2 Thoughts on NIST SP 800-130, 800-152 2 Client needs to be able to wrap/unwrap attributes Server needs to be able to wrap/unwrap attributes Needs Link to a wrapping key Need to know the difference between Sensitive and Non-Sensitive attributes Same key for key material wrapping and sensitive attributes must be possible Separate key for key material wrapping and sensitive attributes must be possible Need a digest across both the key material and the sensitive attributes (one of the NIST requirements) Today’s focus in on discussing options to designate and secure security attributes

3 Where to start on Security Attributes Given the need for protecting security attributes, how do we go about implementing security metadata? (NIST SP 800-130 2.4 Framework Topics and Requirements) – What is a method to designate what metadata needs to be secure – What method should be used to associate wrapping keys with metadata.

4 What is a method to designate what metadata needs to be secure: Introducing the “z” Custom Attribute Current Custom attributes denote either client or server information z attribute is a custom security attribute z–”CustomSecurityAttribute” – could be client, server, or neither – z-x for Client – z-y for Server – z for generic or key specific security attribute

5 z-Attributes continued Note that have the “z” in front is to be able to quickly differentiate a custom security attribute from custom client and server attributes. Also require an association wrapping keys associated with encrypting the security attributes – Wrapping keys is a smart move and provides traceability with the Framework requirement for SP 800-130 (FR: 2.4) – Should work within the current Key Wrap specification This is a slight twist from Tim Hudson’s Recommendation at the F2F, main difference is that z becomes a custom attribute type of its own. – Mainly because some security attributes will be independent of the current client and server nomenclature. – For example, attributes associated with the security classification of the key

6 What Method should be used to associate wrapping keys with metadata: Security Attribute Security Options Wrapping is a good strategy and is an accepted form of security information in transit – so it’s a good starting point. Currently the Key Wrapping Specification can cover securing all the attributes associated with a Wrapped Key (KMIP 1.2 2.1.6) – This provides a means of moving to a NIST compliant approach with no additional effort – its already there

7 Additional Commands for Wrapped Attributes Need to account for registering Wrapped Attributes – Unwrap on register? – Unwrap on command after register? – Never Unwrap? What to do on Get and Get Attributes? – Do we need a wrap key attribute for Get Attributes?

8 KMIP 1.3 and NIST What is next? Defining the “mostly complete” set of z-attributes – Think along the lines classifications, authorized users, source information, security levels, etc. – With this model we could create a security attribute construct and work with profiles for implementation – Are there existing attributes that need to be considered sensitive: ie Cryptographic Algorithm, Cryptographic Length Defining commands to register keys with wrapped attributes Defining Commands for getting wrapped attributes Determining use cases and profiles – Hint: KMIP isn’t just for storage anymore.

Download ppt "KMIP Notes 1.3 – Security Attribute Security 15 May 2014 Chuck White – 1."

Similar presentations

PKCS-11 Protocol for Enterprise Key Management

PKCS-11 Protocol for Enterprise Key Management
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Www.thales-esecurity.com Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects.

Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects.
Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.

Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.
KMIP 1.3 SP800-130 Issues Joseph Brand / Chuck White / Tim Hudson December 12th, 2013 1.

KMIP 1.3 SP Issues Joseph Brand / Chuck White / Tim Hudson December 12th,
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.
Tenace FRAMEWORK and NIST Cybersecurity Framework Block IDENTIFY.

Tenace FRAMEWORK and NIST Cybersecurity Framework Block IDENTIFY.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 10 September, 2010 Encoding Options for Key Wrap.

©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 10 September, 2010 Encoding Options for Key Wrap.
Crypto Agility and Key Wrap Attributes for RADIUS Glen Zorn Joe Salowey Hao Zhou Dan Harkins.

Crypto Agility and Key Wrap Attributes for RADIUS Glen Zorn Joe Salowey Hao Zhou Dan Harkins.
Key Wrapping in KMIP Mark Joseph, P6R Inc 2/27/2015.

Key Wrapping in KMIP Mark Joseph, P6R Inc 2/27/2015.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Introduction Cloud characteristics Security and Privacy aspects Principal parties in the cloud Trust in the cloud 1. Trust-based privacy protection 2.Subjective.

Introduction Cloud characteristics Security and Privacy aspects Principal parties in the cloud Trust in the cloud 1. Trust-based privacy protection 2.Subjective.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
Fundamentals, Design, and Implementation, 9/e Chapter 11 Managing Databases with SQL Server 2000.

Fundamentals, Design, and Implementation, 9/e Chapter 11 Managing Databases with SQL Server 2000.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
CCNA 5.0 Planning Guide Chapter 7: Securing Site-to-Site Connectivity

CCNA 5.0 Planning Guide Chapter 7: Securing Site-to-Site Connectivity
Archival Prototypes and Lessons Learned Mike Smorul UMIACS.

Archival Prototypes and Lessons Learned Mike Smorul UMIACS.
KMIP Use Cases Update on the process. Agenda Goals Process Flow, Atomics, Batch, Composites, and Not KMIP Evaluating the Document in light of the Goals.

KMIP Use Cases Update on the process. Agenda Goals Process Flow, Atomics, Batch, Composites, and Not KMIP Evaluating the Document in light of the Goals.
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Similar presentations

Ads by Google