Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Key Management Interoperability Protocol (KMIP) www.oasis-open.org.

Published byNancy Hensley Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Key Management Interoperability Protocol (KMIP) www.oasis-open.org."— Presentation transcript:

1 1 Key Management Interoperability Protocol (KMIP) www.oasis-open.org

2 2 Agenda n The Need for Interoperable Key Management n KMIP Overview n KMIP Specification n KMIP Use Cases n KMIP Interoperability Demonstration

3 3 The Need for Interoperable Key Management n Today’s enterprises operate in increasingly complex, multi- vendor environments. n Enterprises need to deploy better encryption across the enterprise. n A key hurdle in IT managers deploying encryption is their ability to recover the encrypted data. n Today, many companies deploy separate encryption systems for different business uses – laptops, storage, databases and applications – resulting in: l Cumbersome, often manual efforts to manage encryption keys l Increased costs for IT l Challenges meeting audit and compliance requirements l Lost data

4 4 Enterprise Cryptographic Environments Key Management System Disk Arrays Backup Disk Backup Tape Backup System Collaboration & Content Mgmt Systems File Server Portals Production Database ReplicaStaging Enterprise Applications eCommerce Applications Business Analytics Dev/Test Obfuscation WANLANVPN Key Management System CRM Often, Each Cryptographic Environment Has Its Own Key Management System Email

5 5 Enterprise Cryptographic Environments Key Management System Disk Arrays Backup Disk Backup Tape Backup System Collaboration & Content Mgmt Systems File Server Portals Production Database ReplicaStaging Enterprise Applications eCommerce Applications Business Analytics Dev/Test Obfuscation WANLANVPN Key Management System CRM Often, Each Cryptographic Environment Has Its Own Protocol Email Disparate, Often Proprietary Protocols

6 6 KMIP Overview

7 7 What is KMIP The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new encryption applications, supporting symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications. KMIP defines the protocol for encryption client and key- management server communication. Key lifecycle operations supported include generation, submission, retrieval, and deletion of cryptographic keys. Vendors will deliver KMIP-enabled encryption applications that support communication with compatible KMIP key-management servers.

8 8 Enterprise Cryptographic Environments Enterprise Key Management Disk Arrays Backup Disk Backup Tape Backup System Collaboration & Content Mgmt Systems File Server Portals Production Database Replica Staging Key Management Interoperability Protocol Enterprise Applications Email eCommerce Applications Business Analytics Dev/Test Obfuscation WAN LAN VPN CRM KMIP: Single Protocol Supporting Enterprise Cryptographic Environments

9 9 Storage Array Tape Library SAN Application Server Application KMIP: Symmetric Encryption Keys Key Management Interoperability Protocol Enterprise Key Manager

10 10 KMIP: Asymmetric Keys Public Key KMIP

11 11 KMIP to Commercial Meter Utility KMIP: Digital Certificates KMIP to low-end Residential Meter KMIP to Industrial Meter

12 12 Encrypting Storage Host Enterprise Key Manager @!$%!%!%!%^& *&^%$#&%$#$%*!^ @*%$*^^^^%$@*) %#*@(*$%%#@ Request Header Get Unique Identifier Symmetric Key Response Header Unique Identifier Key Value KMIP Request / Response Model Unencrypted data Encrypted data Name: XYZ SSN: 1234567890 Acct No: 45YT-658 Status: Gold

13 13 Encrypting Storage Host Enterprise Key Manager @!$%!%!%!%^& *&^%$#&%$#$%*!^ @*%$*^^^^%$@*) %#*@(*$%%#@ Supporting Multiple Operations per Request Unencrypted data Encrypted data Name: XYZ SSN: 1234567890 Acct No: 45YT-658 Status: Gold Request Header LocateNameGet ID Placeholder Symmetric Key Response Header Unique Identifier Key Value

14 14 … TagLenValueTagLenValue … TagLenValueTagLenValue Messages in TTLV Format Type

15 15 Transport-Level Encoding Key Client Key Server API Internal representation Transport Internal representation Transport KMIP Encode KMIP Decode API KMIP

16 16 OASIS KMIP Technical Committee n OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. n KMIP Technical Committee chartered in March 2009 l “The KMIP TC will develop specification(s) for the interoperability of Enterprise Key Management (EKM) services with EKM clients. The specifications will address anticipated customer requirements for key lifecycle management (generation, refresh, distribution, tracking of use, life-cycle policies including states, archive, and destruction), key sharing, and long-term availability of cryptographic objects of all types (public/private keys and certificates, symmetric keys, and other forms of “shared secrets”) and related areas.” KMIP TC IPR mode is Royalty Free on RAND

17 17 KMIP status n KMIP Technical Committee was established in OASIS in April 2009 l Submissions included at the time of TC creation included draft specification, usage guide and use cases l Initial membership included most significant vendors in cryptographic solutions and key management and has continued to grow. n KMIP V1.0 standard approved end-September 2010 l Revision of initial submissions April-October 2009 l First public review Nov/Dec 2009 l Revision of documents Jan-April 2010 l Second public review May/June 2010. l Approval of KMIP V1.0 docs as OASIS standard Sept 2010

18 18 KMIP V2.0 n Work currently underway for KMIP V2.0 l Committee Draft targeted for Q2 2011 l Public review anticipated to start in Q3 2011 l Final KMIP V2.0 standard expected early Q4 2011 l Additions to protocol include additional attributes (permissions and groups) and operations (client registration) l May include enhancements related to server-to-server use cases. l Additions to profiles include asymmetric key use cases. l Additions to authentication methods under discussion, l Enhanced interoperability testing through cooperation with SNIA.

19 19 OASIS KMIP l Reading material: n http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf n http://docs.oasis-open.org/kmip/ug/v1.0/ http://docs.oasis-open.org/kmip/ug/v1.0/

20 20 KMIP Specification http://docs.oasis-open.org/kmip/spec/v1.0/

21 21 Create Create Key Pair Register Re-key Derive Key Certify Re-certify Locate Check Get Get Attributes Get Attribute List Add Attribute Modify Attribute Delete Attribute Obtain Lease Get Usage Allocation Activate Revoke Destroy Archive Recover Validate Query Cancel Poll Notify Put Unique Identifier Name Object Type Cryptographic Algorithm Cryptographic Length Cryptographic Parameters Cryptographic Domain Parameters Certificate Type Certificate Identifier Certificate Issuer Certificate Subject Digest Operation Policy Name Cryptographic Usage Mask Lease Time Usage Limits State Initial Date Activation Date Process Start Date Protect Stop Date Deactivation Date Destroy Date Compromise Occurrence Date Compromise Date Revocation Reason Archive Date Object Group Link Application Specific ID Contact Information Last Change Date Custom Attribute Certificate Symmetric Key Public Key Private Key Split Key Template Policy Template Secret Data Opaque Object Managed ObjectsProtocol OperationsObject Attributes Key Block (for keys) or Value (for certificates) KMIP defines a set of Operations that apply to Managed Objects that consist of Attributes and possibly cryptographic material

22 22 KMIP Base Objects n Base Objects are: l Components of Managed Objects: n Attribute, identified by its Attribute Name n Key Block, containing the Key Value, either in the clear, either in raw format, or as a transparent structure or “wrapped” using Encrypt, MAC/Sign, or combinations thereof possibly together with some attribute values l Elements of protocol messages: n Credential, used in protocol messages l Parameters of operations: n Template-Attribute, containing template names and/or attribute values, used in operations

23 23 KMIP Managed Objects n Managed Cryptographic Objects l Certificate, with type and value l Symmetric Key, with Key Block l Public Key, with Key Block l Private Key, with Key Block l Split Key, with parts and Key Block l Secret Data, with type and Key Block n Managed Objects l Template and Policy Template: n Template has a subset of Attributes that indicate what an object created from such a template is n Policy Template has a subset of Attributes that indicate how an object created from such a template can be used n Note that (Policy) Templates have nothing except Attributes: for convenience these Attributes are included in the (Policy) Template structure too. l Opaque Object, without Key Block Certificate Symmetric Key Public Key Private Key Split Key Template Policy Template Secret Data Opaque Object Managed Objects Key Block (for keys) or value (for certificates)

24 24 KMIP Attributes n Attributes contain the “meta data” of a Managed Object l Its Unique Identifier, State, etc l Attributes can be searched with the Locate operation, as opposed to the content of the Managed Object n Setting/modifying/deleting Attributes l Only some of the Attributes are set with specific values at object creation, depending on the object type n For instance, the Certificate Type Attribute only exists for Certificate objects l Some Attributes are implicitly set by certain operations n Certificate Type is implicitly set by Register, Certify, and Re-certify l Client can set explicitly some of the Attributes n Certificate Type cannot be set by the client l Not all Attributes can be added, or subsequently modified or deleted once set n Certificate Type cannot added, modified or deleted l Some Attributes can have multiple values (or instances) organized with indices n For instance, a Symmetric Key object may belong to multiple groups, hence its Object Group Attribute will have multiple values

25 25 KMIP Attributes cont’d n 33 Attributes defined Unique Identifier Name Object Type Cryptographic Algorithm Cryptographic Length Cryptographic Parameters Cryptographic Domain Parameters Certificate Type Certificate Identifier Certificate Issuer Certificate Subject Digest Operation Policy Name Cryptographic Usage Mask Lease Time Usage Limits State Initial Date Activation Date Process Start Date Protect Stop Date Deactivation Date Destroy Date Compromise Occurrence Date Compromise Date Revocation Reason Archive Date Object Group Link Application Specific ID Contact Information Last Change Date Custom Attribute Describes what “is” the object Describes how to “use” the object Describes other features of the object

26 26 Key Lifecycle States and Transitions

27 27 Symmetric key: Activation Date Deactivation Date Protect Stop Date Process Start Date Protect Process Asymmetric key pair: Activation Date Deactivation Date Protect Stop Date = Protect Activation Date Deactivation Date Process Start Date = Process Public key for encryption Private key for digital signature Illustration of the Lifecycle Dates Private key for decryption Public key for digital signature

28 28 Symmetric Key 2 Symmetric Key 1 Symmetric Key 3 Secret Data Object 1Object 2 Derivation: Re-key or re-certify: Private Key Public Key Certificate 1 Certificate 3 Public/Private/Cert: Certificate 2 Object 3 Derived Key Base Object Replaced Object Replacement Object Public Key Private Key Certificate Public Key Certificate Illustrations of the Link Attribute

29 29 Client-to-server Operations n Operation consists of a request from client followed by server response n Multiple operations can be batched in a single request-response pair l ID Placeholder can be used to propagate the value of the object’s Unique Identifier among operations in the same batch l Can be used to implement atomicity n Requests may contain Template-Attribute structures with the desired values of certain attributes n Responses contain the attribute values that have been set differently than as requested by the client

30 30 Client-to-server Operations cont’d n 26 client-to-server operations defined Create Create Key Pair Register Re-key Derive Key Certify Re-certify Locate Check Get Get Attributes Get Attribute List Add Attribute Modify Attribute Delete Attribute Obtain Lease Get Usage Allocation Activate Revoke Destroy Archive Recover Validate (optional) Query Cancel (optional) Poll (optional) Notify (optional) Put (optional) Generate objects Set/get attributes Use the objects Support for asynchronous responses Support of optional operations Search and obtain objects Server-to-client operations

31 31 Server-to-client Operations n Unsolicited messages from the server to the client with the following operations: l Notify operation, used by server to inform client about attribute-value changes l Push operation, used by server to provide an object and attributes to client, indicating whether the new object is replacing an existing object or not l Batching can be used l Support is optional

32 32 Message Contents and Format n Protocol messages consist of requests and responses, each with a header and one or more batch items with operation payloads and message extensions n Header: l Protocol version l Maximum response size (optional, in request) l Time Stamp (optional in request, required in response) l Authentication (optional) l Asynchronous Indicator (optional, in request, no support for asynchronous response is default) l Asynchronous Correlation Value (optional, in response). Used later on for asynchronous polling l Result Status: Success, Pending, Undone, Failure (required, in response) l Result Reason (required in response if Failure, optional otherwise) l Result Message (optional, in response) l Batch Order Option (optional, in request, in-order processing is default). Support at server is optional l Batch Error Continuation Option: Undo, Stop, Continue. Stop (optional, in request, Stop is default). Support at server is optional l Batch Count n Batch Item: l Operation (enumeration) l Unique Message ID (required if more than one batch item in message) l Payload (the actual operation request or response) l Message Extension (optional, for vendor-specific extensions)

33 33 Message Encoding n Example of TTLV encoding of the Application Specific ID Attribute l Attribute identified by its name “Application Specific ID” l Shows value at index 2 TagTypeLengthValue AttributeStructure TagTypeLengthValue Attribute Name String “Application Specific ID” Attribute Index Integer42 Attribute Value Structure TagTypeLengthValue App. Name String “ssl” App. ID String “www.example.com”

34 34 Message Encoding cont’d n In a TTLV-encoded message, Attributes are identified either by tag value or by their name (see previous slide), depending on the context: l When the operation lists the attribute name among the objects part of the request/response (such as Unique Identifier), its tag is used in the encoded message l When the operation does not list the attribute name explicitly, but instead includes Template-Attribute (such as in the Create operation) or Attribute (such as in Add Attribute) objects as part of the request/response, its name is used in the encoded message tag … typelengthvalue operation0440000000A tagtypelengthvalue Unique Identifier 0624 1f165d65-cbbd-4bd6-9867-80e0b390acf9 Get Unique identifier

35 35 Authentication n Authentication is external to the protocol n All servers should support at least l SSL/TLS n Authentication message field contains the Credential Base Object l Client or server certificate in the case of SSL/TLS Host @!$%!%!%!%^& *&^%$#&%$#$%*!^ @*%$*^^^^%$@*) %#*@(*$%%#@ @!$%!%!%!%^& *&^%$#&%$#$%*!^ @*%$*^^^^%$@*) %#*@(*$%%#@ Enterprise Key Manager Identity certificate SSL/TLS

36 36 KMIP Use Cases http://docs.oasis-open.org/kmip/usecases/v1.0/

37 37 KMIP Use Cases n Purpose: provide examples of message exchanges for common use cases n Categories l basic functionality (create, get, register, delete of sym. keys and templates) l life-cycle support (key states) l auditing and reporting l key exchange l asymmetric keys l key roll-over l archival l vendor-specific message extensions n Details of the message composition and TTLV encoding (encoded bytes included)

38 38 KMIP Use Cases: Example n Request containing a Get payload The operation (object type) and payload parameter Get (symmetric key) In: uuidKey Fields and structure of the message (length not shown) Tag: Request Message (0x42000073), Type: Structure (0x80), Data: Tag: Request Header (0x42000072), Type: Structure (0x80), Data: Tag: Protocol Version (0x42000065), Type: Structure (0x80), Data: Tag: Protocol Version Major (0x42000066), Type: Integer (0x01), Data: 0x00000000 (0) Tag: Protocol Version Minor (0x42000067), Type: Integer (0x01), Data: 0x00000062 (98) Tag: Batch Count (0x4200000D), Type: Integer (0x01), Data: 0x00000001 (1) Tag: Batch Item (0x4200000F), Type: Structure (0x80), Data: Tag: Operation (0x42000057), Type: Enumeration (0x04), Data: 0x0000000A (Get) Tag: Request Payload (0x42000074), Type: Structure (0x80), Data: Tag: Unique Identifier (0x4200008F), Type: Text String (0x06), Data: 96789141-62bf-4352-b1c4-9d48dac4b77d TTLV byte encoding of the message 42000073800000008542000072800000003042000065800000001A4200006601000000040000000042000067010000000400000062 4200000D0100000004000000014200000F80000000434200005704000000040000000A42000074800000002D4200008F0600000024 39363738393134312D363262662D343335322D623163342D396434386461633462373764

39 39 KMIP Interoperability Demonstration

40 40 KMIP Interop Demo n Demonstrate protocol functionality using multiple independent implementations n Scenarios from the KMIP Use Cases document n Scenarios from Vendor Products

41 41 KMIP Interoperability Demo Interop Network Server hdd High Density Devices Client Server Client

42 42 KMIP Interop Demo http://docs.oasis-open.org/kmip/usecases/v1.0/ 3.1.1 - Create / Destroy 3.1.2 - Register / Create / Get attributes / Destroy 3.1.3 - Create / Locate / Get / Destroy 3.1.4 - Dual client use-case, ID Placeholder linked Locate & Get batch 3.1.5 - Register / Destroy Secret Data 3.2 - Asynchronous Locate 4.1 - Revoke scenario 5.1 - Get usage allocation scenario 6.1 - Import of a Third-party Key 7.1 - Unrecognized Message Extension with Criticality Indicator false 7.2 - Unrecognized Message Extension with Criticality Indicator true 8.1 - Create a Key Pair 8.2 - Register Both Halves of a Key Pair

43 43 KMIP Interop Demo 9.1 - Create a Key, Re-key 9.2 - Existing Key Expired, Re-key with Same lifecycle 9.3 - Existing Key Compromised, Re-key with same lifecycle 9.4 - Create key, Re-key with new lifecycle 9.5 - Obtain Lease for Expired Key 10.1 - Create a Key, Archive and Recover it 11.1 - Credential, Operation Policy, Destroy Date 12.1 - Query, Maximum Response Size Additional Use Cases 13.1 - Asymmetric Register PKCS#1 13.2 - Asymmetric Register Certificate 13.3 - Asymmetric Create / Re-Key 13.4 - Asymmetric Register / Certify3.1.1 - Create / Destroy

44 44 Use Case 3.1.1 (1/3) n The client asks the server to create a 128-bit symmetric key, using the AES algorithm, to be used for encryption and decryption n After the key has been created, the client asks the server to destroy the created key

45 45 Use Case 3.1.1 (2/3) n Create-request, Attributes: { Algorithm=AES, Length=128, Usage Mask=encrypt&decrypt } n Create-response: Success, Unique Identifier of created key Client Server

46 46 Use Case 3.1.1 (3/3) n Destroy-request, Unique Identifier of previously created key n Destroy-response: Success, Unique Identifier of destroyed key

47 47 Use Case 3.1.2 (1/4) n The client registers a template with attributes n The client asks the server to create a symmetric key with the attributes specified in the previously registered template n The client retrieves a subset of the attributes of the key to verify they were set according to the template n Note: Operations already shown previous are not illustrated

48 48 Use Case 3.1.2 (2/4) n Register-request, ObjectType=Template, Attributes (e.g.): { Name=Template1, ObjectGroup=Group1 } n Register-response: Success, Unique Identifier of registered template

49 49 Use Case 3.1.2 (3/4) n Create-request, TemplateName=Template1 n Create-response: Success, Unique Identifier of created key

50 50 Use Case 3.1.2 (4/4) n Get Attributes-request, Attribute Names: { ObjectGroup, AppSpecificInfo, ContactInfo, x-Purpose } n Get Attributes-response: Success, Attributes { ObjectGroup=Group1 etc. } ?

51 51 Use Case 3.1.3 (1/3) n The client asks the server to create a key and specifies a Name attribute value n The client then performs a Locate operation, supplying the Name, to which the server responds with the Unique Identifier of the created key n The client retrieves the created key using its Unique Identifier

52 52 Use Case 3.1.3 (2/3) n Locate-request, Attribute: { Name=Key1 } n Locate-response: Success, Unique Identifier of created key Previously created Key with Name attribute set

53 53 Use Case 3.1.3 (3/3) n Get-request, Unique Identifier of previously created key n Get-response: Success, key material of the previously created key

54 54 Use Case 3.1.4 n This use-case has two clients performing operations on the same key. n The first client registers a template and creates a symmetric key using that template. n The second client then does a batched Locate and Get using the ID Placeholder to retrieve the key.

55 55 Use Case 3.1.4 (cont) n The second client thereafter performs a number of operations on the key before the first client finally destroys the key and the template. n The first client also tries to Get the key and the template after they have been destroyed, but the Get operation fails in both cases.

56 56 Use Case 3.1.5 n In this use-case the client issues a Register request containing a Secret Data object, whereby the server registers the object and returns the Unique Identifier. n To clean up, the client then performs a Destroy operation to destroy the object.

57 57 Use Case 3.2 n This use-case tests the asynchronous capabilities of KMIP using the Locate operation. n A key is created and then a Locate request is sent containing the Name of the created key and with the message header Asynchronous Indicator-field set to True.

58 58 Use Case 3.2 (cont) n If the server returns an asynchronous response to the Locate, the client then polls the server until the operation is ready. n If the server responded asynchronously, a subsequent Locate operation that is also handled asynchronously is then Cancelled, before the key is finally destroyed.

59 59 Use Case 4.1 (1/4) n The client asks the server to create a key n The client gets the State attribute to confirm that the key is initially in the Pre- Active state n The client performs an Activate operation to change the state to Active n The client performs a Revoke operation to change the state to Compromised

60 60 Use Case 4.1 (2/4) n Get Attributes-request: Unique Identifier of key, Attribute Name: { State } n Get Attributes-response: Success, Unique Identifier of key, State=Pre-Active ? Previously created key in the Pre-Active state

61 61 Use Case 4.1 (3/4) n Activate-request: Unique Identifier of key n Activate-response: Success, Unique Identifier of activated key

62 62 Use Case 4.1 (4/4) n Revoke-request: Unique Identifier of key, Revocation Reason=Compromised n Revoke-response: Success, Unique Identifier of revoked key

63 63 Use Case 5.1 (1/4) n The client asks the server to create a key, activates it and sets a certain amount of Usage Allocation (1000 MB) n The client gets some Usage Allocation so that it can use the key e.g. for encrypting data n Once it has been used up, the client requests some more usage allocation n When the usage allocation has been used up, the key cannot be used for encryption anymore

64 64 Use Case 5.1 (2/4) n Get Usage Allocation-request: Unique Identifier of key, ByteCount=500 n Get Usage Allocation-response: Success, Unique Identifier of key Usage allocation

65 65 Use Case 5.1 (3/4) n Get Usage Allocation-request: Unique Identifier of key, ByteCount=500 n Get Usage Allocation-response: Success, Unique Identifier of key Usage allocation (usage allocation is used up)

66 66 Use Case 5.1 (4/4) n Get Usage Allocation-request: Unique Identifier of key, ByteCount=500 n Get Usage Allocation-response: Operation Failed, Usage Allocation requested could not be granted Usage allocation (usage allocation is used up)

67 67 Use Case 6.1 n This use-case tests the import of a foreign key using the Register operation. n To validate that the registered key is treated the same as a locally created key, an attribute is added to the key and then modified. n Finally, the key is destroyed.

68 68 Use Case 7.1 n A create request is issued and the request contains a Message Extension with the Criticality Indicator set to false. n The server does not understand the extension, but since it is non-critical, the create request is processed normally. n Subsequently, the created key is deleted.

69 69 Use Case 7.2 n A create request is issued and the request contains a Message Extension with the Criticality Indicator set to true. n The server does not understand the extension, and since it is critical, the create request fails and an error is returned.

70 70 Use Case 8.1 n Create a new private/public key pair. n Make sure they are linked correctly by issuing Locate commands with the assigned Unique Identifiers. n Finally delete both key halves.

71 71 Use Case 8.2 n Register a private key and a public key and set the Link attribute to point to each other. n Verify the links were set correctly by locating the keys based on the link attributes n Delete both objects.

72 72 Use Case 9.1 n Create a symmetric key with a specific name, and then use Locate to find the key. n After using Re-key to create a new key, verify that the name was removed from the existing key and copied to the new key. Also verify that the key material for the old key is still retrievable. n To clean up, both keys are deleted.

73 73 Use Case 9.2 n Create a new symmetric key. Then add the Activation Date and Deactivation Date attributes based on the timestamp in the response to the Create request. n The Activation Date is set to a time in the past and the Deactivation Date to a time in the near future.

74 74 Use Case 9.2 (cont) n Repeated Get Attribute calls are performed to verify that the state is first “Active”, then subsequently “Deactivated”. n Then issue a Re-key request, including an Activation Date attribute with the value set to the previously specified Deactivation Date of the existing key.

75 75 Use Case 9.2 (cont) n Verify from the response that the Activation Date and Deactivation Date attributes were set correctly (if they are not returned, issue a Get Attribute request). n Do a Get Attribute operation to verify that the state of the new key is “Active”. n To clean up, both keys are deleted.

76 76 Use Case 9.3 n Create a new symmetric key with the Activation Date in the past. n Do a Get Attribute operation on the State attribute to verify the key is “Active”. n Then revoke the key as compromised, verify that the state has changed to “Compromised”.

77 77 Use Case 9.3 (cont) n Create a replacement key using Re- key with the offset set to ‘0’ to indicate that the times are to be copied from the existing key. n Do a Get Attribute operation to verify that the state of the new key is “Active”. n To clean up, both keys are deleted.

78 78 Use Case 9.4 n Create a symmetric key with a specific name, then use Locate to find the key. n After using Re-key to create a new key, verify that the name was removed from the existing key and copied to the new key. n To clean up, both keys are deleted.

79 79 Use Case 9.5 n Create a symmetric key with a specific name and obtain a lease. Revoke the key with state “Compromised” and re-key the key. n Try to obtain a lease on the old key which fails. n Locate the new key with the original name. n Get the new key and obtain a lease.

80 80 Use Case 10.1 n Create a symmetric key with a specified name, then use Locate to find the key and get the key. n Archive the key (asynchronous operation, use Poll until it completes) and use Get and Locate on it, but both fail.

81 81 Use Case 10.1 (cont) n Add the Storage Status Mask to the Locate-command, indicating to the server to search in both online and archived storage. n The Locate finds the key. n Recover the key from the archive (also asynchronous), both Locate and Get succeed.

82 82 Use Case 11.1 n Pass a Credential object in the message header in all requests for identification purposes n Create a symmetric key and set the Operation Policy Name attribute to “default”.

83 83 Use Case 11.1 (cont) n Using another Credential, attempt to perform a Get operation batched with a Get Attribute List on the created symmetric key - both these request SHALL fail, as Batch Error Continuation Option set to “Continue”, the client gets both response payloads. n Using the initially used Credential, destroy the object and get the Destroy Date attribute.

84 84 Use Case 12.1 n Perform a Query operation, querying the Operations and Objects supported by the server, with a restriction on the Maximum Response Size set in the request header. n Since the resulting Query response is too big, an error is returned.

85 85 Use Case 12.1 n Increase the Maximum Response Size, resubmit the Query request, and get a successful response.

86 86 Use Case 13.1 n Register a public/private RSA key pair n Otherwise the same as 8.2, but with PKCS #1 format and additional Get operations to verify keys were registered correctly

87 87 Use Case 13.2 n Register a public/private RSA key pair and associated X.509 certificate n Set links between key pair and certificate n Verify certificate attributes are set correctly

88 88 Use Case 13.3 n Create a public/private RSA key pair, get the keys in PKCS #1 format n Re-key key pair (proposed v2.0 operation) n Locate on name to make sure Name attribute was transferred to new keys n Get new keys in Transparent RSA key format n Get link attributes

89 89 Use Case 13.4 n Register a public/private RSA key pair in PKCS #1 format n Set links n Certify the public key using PKCS #10 CSR n Get certificate (X.509 format), n Get certificate attributes n Get links

90 90 Conclusion

91 91 Enterprise Cryptographic Environments Enterprise Key Management System Disk Arrays Backup Disk Backup Tape Backup System Collaboration & Content Mgmt Systems File Server Portals Production Database ReplicaStaging Key Management Interoperability Protocol Enterprise Applications eCommerce Applications Business Analytics Dev/Test Obfuscation WAN LAN VPN CRM Email KMIP: enabling enterprise key management through standard protocol

92 92 Q&A

Download ppt "1 Key Management Interoperability Protocol (KMIP) www.oasis-open.org."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
KMIP Vendor Extension Management KMIP supports ‘extensions’ but provides no mechanism for coordination of values between clients and servers or between.

KMIP Vendor Extension Management KMIP supports ‘extensions’ but provides no mechanism for coordination of values between clients and servers or between.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.

Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Similar presentations

Ads by Google