
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.


Slide 1: KMIP - Hardware Security Modules: Meta-Data-Only (MDO) Keys
Saikat Saha (Saikat.saha@safenet-inc.com) and Denis Pochuev (denis.pochuev@safenet-inc.com)
Feb 2012

Slide 2: Purpose of an HSM (Hardware Security Module)
- Hardware-based key storage device
- Provides high assurance: CC EAL 4+; FIPS 140-2 Level 2 and Level 3
- Protects the full lifecycle of critical cryptographic keys: symmetric keys, asymmetric keys, certificates
- Provides crypto acceleration and a root of trust (trust anchor)
- Available in multiple form factors: network appliance, PCI Express card, USB-attached module
- NIST (FIPS 140-2) does not permit plaintext key material to leave the module's cryptographic boundary
- Lifecycle diagram, every stage in hardware: HW-based creation, HW-enforced key policies, HW-based usage, HW-based backup storage, HW-based deletion

Slide 3: General idea behind MDO keys
- Core server functionality = key management + key usage
- Where does key usage happen? At the server, or at the client (the HSM case)
- Cryptographic objects = key material + meta-data
- If key usage can be restricted to the clients, why not keep the key material there and transfer only the meta-data to the server?
- Diagram: Application, HSM and Server, with a "key material perimeter" marking where the key material is allowed to exist

Slide 4: Enterprise Key Management (EKM) for HSMs
- Centralized key management; remote sites handle only IT-related activities
- EKM server functions: key archive, backup/archive, initialization, activation, audit log
- KMIP (Key Management Interoperability Protocol) allows interoperability between (1) differing device types and (2) devices from different vendors
- Diagram: an EKM Management Console and an Application + HSM and a stand-alone HSM, each running an EKM client, all connected to the EKM server over KMIP

Slide 5: Centralized administration of HSMs with EKM
- Diagram: backup HSM and key archive; HSM with multiple partitions; audit log; Key Secure (the EKM server); Application + HSM with EKM client; Database + HSM with EKM client; EKM web browser console; initialization and activation flowing from EKM to the HSMs over KMIP
- Centrally see all keys created and used by the HSMs
- Stores and manages key attributes
- Centralized audit for compliance

Slide 6: KMIP commands and MDO keys
- Supported KMIP commands: Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query
- MDO KMIP commands: the same set, unchanged: Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query

Slide 7: Registered object meta-data: a regular KMIP Register request in detail
Columns: Tag (name and hex) | Type | Length | Value. TTLV types: 0x01 Structure, 0x02 Integer, 0x05 Enumeration, 0x07 Text String, 0x08 Byte String. Structure lengths are shown as "0000000000" placeholders on the slide; the meaning of each enumerated value is given in parentheses.

Request Message (0x420078) | 0x01 | 0000000000 |
  Request Header (0x420077) | 0x01 | …
  Batch Item (0x42000f) | 0x01 | 0000000000 |
    Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003 (Register)
    Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 39
    Request Payload (0x420079) | 0x01 | 0000000000 |
      Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002 (Symmetric Key)
      Template-Attribute (0x420091) | 0x01 | 0000000000 |
        Attribute (0x420008) | 0x01 | 0000000000 |
          Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
          Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007 (Sign | Verify | Encrypt)
        Attribute (0x420008) | 0x01 | 0000000000 |
          Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
          Attribute Value (0x42000b) | 0x01 | 0000000000 |
            Name Value (0x420055) | 0x07 | 0x00000005 | mykey
            Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001 (Uninterpreted Text String)
      Symmetric Key (0x42008f) | 0x01 | 0000000000 |
        Key Block (0x420040) | 0x01 | 0000000000 |
          Key Format Type (0x420042) | 0x05 | 0x00000004 | 0x00000001 (Raw)
          Key Value (0x420045) | 0x01 | 0000000000 |
            Key Material (0x420043) | 0x08 | 0x00000010 | 01 23 45 67 89 ab cd ef 01 23 45 67…
          Cryptographic Algorithm (0x420028) | 0x05 | 0x00000004 | 0x00000003 (AES)
          Cryptographic Length (0x42002a) | 0x02 | 0x00000004 | 0x00000080 (128 bits)

The Key Material item is the raw 128-bit AES key itself. In a regular Register it leaves the HSM and crosses the network to the key management server, which is exactly what the FIPS boundary requirement on slide 2 argues against.

Slide 8: Regular vs. MDO KMIP Register request
The left-hand column of the slide repeats the regular request from slide 7. The right-hand column is the MDO request for the same object, now with real structure lengths:

Request Message (0x420078) | 0x01 | 0x00000180 |
  Request Header (0x420077) | 0x01 | …
  Batch Item (0x42000f) | 0x01 | 0x00000128 |
    Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003 (Register)
    Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 30
    Request Payload (0x420079) | 0x01 | 0x00000100 |
      Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002 (Symmetric Key)
      Template-Attribute (0x420091) | 0x01 | 0x000000e8 |
        Attribute (0x420008) | 0x01 | 0x00000030 |
          Attribute Name (0x42000a) | 0x07 | 0x00000017 | Cryptographic Algorithm
          Attribute Value (0x42000b) | 0x05 | 0x00000004 | 0x00000003 (AES)
        Attribute (0x420008) | 0x01 | 0x00000030 |
          Attribute Name (0x42000a) | 0x07 | 0x00000014 | Cryptographic Length
          Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000080 (128 bits)
        Attribute (0x420008) | 0x01 | 0x00000030 |
          Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
          Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007 (Sign | Verify | Encrypt)
        Attribute (0x420008) | 0x01 | 0x00000038 |
          Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
          Attribute Value (0x42000b) | 0x01 | 0x00000020 |
            Name Value (0x420055) | 0x07 | 0x00000005 | mykey
            Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001 (Uninterpreted Text String)

Differences from the regular request: there is no Symmetric Key / Key Block structure, so neither Key Material nor Key Format Type crosses the wire. Cryptographic Algorithm and Cryptographic Length, which the regular request carries inside the Key Block, are registered as ordinary attributes in the Template-Attribute. The server still receives everything it needs for Locate, Get Attributes, policy and audit; the key bytes stay in the HSM.

Slide 9: New key format
- What happened to the Key Format in the previous request?
- Key Format is not a full-fledged attribute, so it cannot simply be moved into the Template-Attribute
- Absence of the key object (Symmetric Key / Key Block) in the request implies the custom MDO key format
- Key Format is therefore purely internal to the server
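Worked example for slides 7 to 9 (added here; not code from the presentation or its authors): a minimal KMIP TTLV encoder that builds the two Register batch items shown above, and a walker that parses them back, checks the structure lengths against the ones printed on slide 8, and reports whether a request carries Key Material, which is the property slide 9 relies on (no key object in the request means the MDO format). It assumes the KMIP 1.x TTLV rules (3-byte tag, 1-byte type, 4-byte big-endian length, values padded to a multiple of 8 bytes) and takes tag numbers and enumeration values from the slides. The Request Header is left out because the slides elide it, the 16 sample key bytes are constructed rather than the slide's, and the `carries_key_material` check is a suggested control for an MDO client or proxy, not something the presentation describes.

```python
# Added example, not code from the slides or their authors: a minimal KMIP TTLV
# encoder and walker for the Register requests on slides 7 and 8. Assumes the
# KMIP 1.x TTLV rules (3-byte tag, 1-byte type, 4-byte big-endian length, value
# padded to a multiple of 8 bytes); tags and enum values are as printed on the slides.
import struct

STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08

T = {"BatchItem": 0x42000F, "Operation": 0x42005C, "UniqueBatchItemID": 0x420093,
     "RequestPayload": 0x420079, "ObjectType": 0x420057, "TemplateAttribute": 0x420091,
     "Attribute": 0x420008, "AttributeName": 0x42000A, "AttributeValue": 0x42000B,
     "NameValue": 0x420055, "NameType": 0x420054, "SymmetricKey": 0x42008F,
     "KeyBlock": 0x420040, "KeyFormatType": 0x420042, "KeyValue": 0x420045,
     "KeyMaterial": 0x420043, "CryptographicAlgorithm": 0x420028,
     "CryptographicLength": 0x42002A}

def ttlv(tag, typ, value):
    """Encode one item; for STRUCTURE, value is a list of already-encoded children."""
    if typ == STRUCTURE:
        body = b"".join(value)
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">I", value)             # 4 data bytes, padded to 8 below
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    elif typ == BYTE_STRING:
        body = bytes(value)
    else:
        raise ValueError("unsupported TTLV type 0x%02x" % typ)
    header = struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * ((-len(body)) % 8)

def attribute(name, typ, value):
    return ttlv(T["Attribute"], STRUCTURE, [ttlv(T["AttributeName"], TEXT_STRING, name),
                                            ttlv(T["AttributeValue"], typ, value)])

def name_attribute(name):
    """The Name attribute's value is itself a structure: Name Value + Name Type."""
    return attribute("Name", STRUCTURE, [ttlv(T["NameValue"], TEXT_STRING, name),
                                         ttlv(T["NameType"], ENUMERATION, 0x01)])  # Uninterpreted Text String

def register_batch_item(payload, batch_id):
    return ttlv(T["BatchItem"], STRUCTURE, [
        ttlv(T["Operation"], ENUMERATION, 0x03),            # Register
        ttlv(T["UniqueBatchItemID"], BYTE_STRING, batch_id),
        ttlv(T["RequestPayload"], STRUCTURE, payload)])

def regular_register(key_material):
    """Slide 7: the raw AES-128 key travels inside Symmetric Key / Key Block / Key Value."""
    return register_batch_item([
        ttlv(T["ObjectType"], ENUMERATION, 0x02),           # Symmetric Key
        ttlv(T["TemplateAttribute"], STRUCTURE, [
            attribute("Cryptographic Usage Mask", INTEGER, 0x07),
            name_attribute("mykey")]),
        ttlv(T["SymmetricKey"], STRUCTURE, [ttlv(T["KeyBlock"], STRUCTURE, [
            ttlv(T["KeyFormatType"], ENUMERATION, 0x01),    # Raw
            ttlv(T["KeyValue"], STRUCTURE, [ttlv(T["KeyMaterial"], BYTE_STRING, key_material)]),
            ttlv(T["CryptographicAlgorithm"], ENUMERATION, 0x03),  # AES
            ttlv(T["CryptographicLength"], INTEGER, 128)])])],
        bytes([0x39]))

def mdo_register():
    """Slide 8: same object, meta-data only. Algorithm and length move into the
    Template-Attribute and there is no Key Block, so no key bytes are encoded at all."""
    return register_batch_item([
        ttlv(T["ObjectType"], ENUMERATION, 0x02),
        ttlv(T["TemplateAttribute"], STRUCTURE, [
            attribute("Cryptographic Algorithm", ENUMERATION, 0x03),
            attribute("Cryptographic Length", INTEGER, 128),
            attribute("Cryptographic Usage Mask", INTEGER, 0x07),
            name_attribute("mykey")])],
        bytes([0x30]))

def walk(buf, depth=0):
    """Yield (depth, tag, type, length, value) for every item, descending into
    structures. A declared length that overruns the buffer is rejected, not read."""
    off = 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated TTLV header at offset %d" % off)
        tag = int.from_bytes(buf[off:off + 3], "big")
        typ, length = buf[off + 3], int.from_bytes(buf[off + 4:off + 8], "big")
        value = buf[off + 8:off + 8 + length]
        if len(value) != length:
            raise ValueError("truncated TTLV value at offset %d" % off)
        yield depth, tag, typ, length, value
        if typ == STRUCTURE:
            yield from walk(value, depth + 1)
        off += 8 + length + ((-length) % 8)

def carries_key_material(batch_item):
    """Suggested boundary check for an MDO client or proxy (not from the slides):
    a Register that contains Key Material would carry key bytes out of the HSM."""
    return any(tag == T["KeyMaterial"] for _, tag, _, _, _ in walk(batch_item))

def length_of(batch_item, tag):
    """Declared length of the first item with this tag, for comparison with slide 8."""
    return next((ln for _, t, _, ln, _ in walk(batch_item) if t == tag), None)

if __name__ == "__main__":
    for depth, tag, typ, length, _ in walk(mdo_register()):
        print("  " * depth + "tag 0x%06x | type 0x%02x | len 0x%08x" % (tag, typ, length))
```

Running the module prints the MDO batch item in the slide's indentation, and the encoded lengths come out as 0x128 for the Batch Item, 0x100 for the Request Payload and 0xe8 for the Template-Attribute, matching slide 8; the regular request with a 16-byte key is the only one of the two for which `carries_key_material` returns True. The walker refuses a truncated buffer instead of reading past it, which is the first thing to get right in any TTLV parser exposed to the network.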

Slide 10: KMIP updates needed for MDO keys
- Cryptographic Domain Parameters: need to be part of the Register command, not only Create Key Pair
- ECC enumeration: need a broader set of supported curves

Slide 11: Questions? Thank you.

