Key Management Interoperability Protocol (KMIP)
description
Transcript of Key Management Interoperability Protocol (KMIP)
1
Key Management Interoperability
Protocol (KMIP)
www.oasis-open.org
2
Agenda
The Need for Interoperable Key Management
KMIP Overview KMIP Specification KMIP Use Cases KMIP Interoperability Demonstration
3
The Need for Interoperable Key Management
Today’s enterprises operate in increasingly complex, multi-vendor environments.
Enterprises need to deploy better encryption across the enterprise.
A key hurdle in IT managers deploying encryption is their ability to recover the encrypted data.
Today, many companies deploy separate encryption systems for different business uses – laptops, storage, databases and applications – resulting in:
Cumbersome, often manual efforts to manage encryption keys Increased costs for IT Challenges meeting audit and compliance requirements Lost data
4
Enterprise Cryptographic Environments
Key Management
System
DiskArrays
BackupDisk
BackupTape
BackupSystem
Collaboration &Content Mgmt
Systems
File ServerPortals
ProductionDatabase
Replica
Staging
EnterpriseApplications
eCommerceApplications
Business Analytics
Dev/Test Obfuscation
WANLANVPN
Key Management
System
Key Management
System
Key Management
System
Key Management
System
Key Management
System
Key Management
System
Key Management
System
CRM
Often, Each Cryptographic Environment Has Its Own Key Management System
5
Enterprise Cryptographic Environments
Key Management
System
DiskArrays
BackupDisk
BackupTape
BackupSystem
Collaboration &Content Mgmt
Systems
File ServerPortals
ProductionDatabase
Replica
Staging
EnterpriseApplications
eCommerceApplications
Business Analytics
Dev/Test Obfuscation
WANLANVPN
Key Management
System
Key Management
System
Key Management
System
Key Management
System
Key Management
System
Key Management
System
Key Management
System
CRM
Often, Each Cryptographic Environment Has Its Own Protocol
Disparate, Often Proprietary Protocols
6
KMIPOverview
7
What is KMIP The Key Management Interoperability Protocol (KMIP)
enables key lifecycle management. KMIP supports legacy and new encryption applications, supporting symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
KMIP defines the protocol for encryption client and key-management server communication. Key lifecycle operations supported include generation, submission, retrieval, and deletion of cryptographic keys. Vendors will deliver KMIP-enabled encryption applications that support communication with compatible KMIP key-management servers.
8
Enterprise Cryptographic Environments
Enterprise Key Management
DiskArrays
BackupDisk
BackupTape
BackupSystem
Collaboration &Content Mgmt
Systems
File ServerPortals
ProductionDatabase
Replica
Staging
Key Management Interoperability Protocol
EnterpriseApplications
eCommerceApplications
Business Analytics
Dev/Test Obfuscation
WANLANVPN
CRM
KMIP: Single Protocol Supporting Enterprise Cryptographic Environments
9
Storage Array
TapeLibrary
SANApplication
Server
Application
Application
Application
KMIP: Symmetric Encryption Keys
Key Management Interoperability Protocol
Enterprise Key Manager
10
KMIP: Asymmetric Keys
Public Key
Public Key
Public Key
Public Key
Public Key
KMIP
11
KMIP to Commercial Meter
Utility
KMIP: Digital Certificates
KMIP to low-end Residential Meter
KMIP to Industrial Meter
12
Encrypting Storage
Host
Enterprise Key Manager
@!$%!%!%!%%^&*&^%$#&%$#$%*!^@*%$*^^^^%$@*)%#*@(*$%%%%#@
Request Header
Get Unique Identifier
Symmetric Key
Response Header
Unique Identifier
Key Value
KMIP Request / Response Model
Unencrypted data Encrypted data
Name: XYZSSN: 1234567890Acct No: 45YT-658Status: Gold
13
Encrypting Storage
Host
Enterprise Key Manager
@!$%!%!%!%%^&*&^%$#&%$#$%*!^@*%$*^^^^%$@*)%#*@(*$%%%%#@
Supporting Multiple Operations per Request
Unencrypted data Encrypted data
Name: XYZSSN: 1234567890Acct No: 45YT-658Status: Gold
Request Header
Locate Name Get ID Placeholder
Symmetric Key
Response Header
Unique Identifier
Key Value
14
…Tag Len Value Tag Len Value
… TagLenValueTagLenValue
Messages in TTLV Format
Type Type
TypeType
15
Transport-Level EncodingKey Client Key Server
API
Internal representation
Transport
Internal representation
Transport
KMIP Encode
KMIP Encode
KMIP Decode
KMIP Decode
API
KMIP
16
OASIS KMIP Technical Committee OASIS (Organization for the Advancement of Structured
Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society.
KMIP Technical Committee chartered in March 2009 “The KMIP TC will develop specification(s) for the interoperability
of Enterprise Key Management (EKM) services with EKM clients. The specifications will address anticipated customer requirements for key lifecycle management (generation, refresh, distribution, tracking of use, life-cycle policies including states, archive, and destruction), key sharing, and long-term availability of cryptographic objects of all types (public/private keys and certificates, symmetric keys, and other forms of “shared secrets”) and related areas.”
KMIP TC IPR mode is Royalty Free on RAND
17
KMIP status KMIP Technical Committee was established in OASIS in
April 2009 Submissions included at the time of TC creation included draft
specification, usage guide and use cases Initial membership included most significant vendors in
cryptographic solutions and key management and has continued to grow.
KMIP V1.0 standard approved end-September 2010 Revision of initial submissions April-October 2009 First public review Nov/Dec 2009 Revision of documents Jan-April 2010 Second public review May/June 2010. Approval of KMIP V1.0 docs as OASIS standard Sept 2010
18
KMIP V2.0 Work currently underway for KMIP V2.0
Committee Draft targeted for Q2 2011 Public review anticipated to start in Q3 2011 Final KMIP V1.1 standard expected early Q4 2011 Additions to protocol include additional attributes
(permissions and groups) and operations (client registration)
May include enhancements related to server-to-server use cases.
Additions to profiles include asymmetric key use cases.
Additions to authentication methods under discussion, Enhanced interoperability testing through cooperation
with SNIA.
19
OASIS KMIP
Reading material: http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf http://docs.oasis-open.org/kmip/ug/v1.0/
20
KMIPSpecification
http://docs.oasis-open.org/kmip/spec/v1.0/
21
CreateCreate Key PairRegisterRe-keyDerive KeyCertifyRe-certifyLocateCheckGetGet AttributesGet Attribute ListAdd AttributeModify AttributeDelete AttributeObtain LeaseGet Usage AllocationActivateRevokeDestroyArchiveRecoverValidateQueryCancelPollNotifyPut
Unique IdentifierNameObject TypeCryptographic AlgorithmCryptographic LengthCryptographic ParametersCryptographic Domain ParametersCertificate TypeCertificate IdentifierCertificate IssuerCertificate SubjectDigestOperation Policy NameCryptographic Usage MaskLease TimeUsage LimitsStateInitial DateActivation DateProcess Start DateProtect Stop DateDeactivation DateDestroy DateCompromise Occurrence DateCompromise DateRevocation ReasonArchive DateObject GroupLinkApplication Specific IDContact InformationLast Change DateCustom Attribute
CertificateSymmetric KeyPublic KeyPrivate KeySplit KeyTemplatePolicy TemplateSecret DataOpaque Object
Managed ObjectsProtocol Operations Object Attributes
orValue (for certificates)
KMIP defines a set of Operations that apply to Managed Objects that consist of Attributes and possibly cryptographic material
22
KMIP Base Objects Base Objects are:
Components of Managed Objects: Attribute, identified by its Attribute Name Key Block, containing the Key Value, either
• in the clear, either in raw format, or as a transparent structure • or “wrapped” using Encrypt, MAC/Sign, or combinations
thereof• possibly together with some attribute values
Elements of protocol messages: Credential, used in protocol messages
Parameters of operations: Template-Attribute, containing template names and/or
attribute values, used in operations
23
KMIP Managed Objects Managed Cryptographic Objects
Certificate, with type and value Symmetric Key, with Key Block Public Key, with Key Block Private Key, with Key Block Split Key, with parts and Key Block Secret Data, with type and Key Block
Managed Objects Template and Policy Template:
Template has a subset of Attributes that indicate what an object created from such a template is
Policy Template has a subset of Attributes that indicate how an object created from such a template can be used
Note that (Policy) Templates have nothing except Attributes: for convenience these Attributes are included in the (Policy) Template structure too.
Opaque Object, without Key Block
CertificateSymmetric KeyPublic KeyPrivate KeySplit KeyTemplatePolicy TemplateSecret DataOpaque Object
Managed Objects
Key Block (for keys)orvalue (for certificates)
24
KMIP Attributes Attributes contain the “meta data” of a Managed Object
Its Unique Identifier, State, etc Attributes can be searched with the Locate operation, as opposed to the
content of the Managed Object
Setting/modifying/deleting Attributes Only some of the Attributes are set with specific values at object creation,
depending on the object type For instance, the Certificate Type Attribute only exists for Certificate objects
Some Attributes are implicitly set by certain operations Certificate Type is implicitly set by Register, Certify, and Re-certify
Client can set explicitly some of the Attributes Certificate Type cannot be set by the client
Not all Attributes can be added, or subsequently modified or deleted once set Certificate Type cannot added, modified or deleted
Some Attributes can have multiple values (or instances) organized with indices
For instance, a Symmetric Key object may belong to multiple groups, hence its Object Group Attribute will have multiple values
25
KMIP Attributes cont’d
33 Attributes defined Unique IdentifierNameObject TypeCryptographic AlgorithmCryptographic LengthCryptographic ParametersCryptographic Domain ParametersCertificate TypeCertificate IdentifierCertificate IssuerCertificate SubjectDigestOperation Policy NameCryptographic Usage MaskLease TimeUsage LimitsStateInitial DateActivation DateProcess Start DateProtect Stop DateDeactivation DateDestroy DateCompromise Occurrence DateCompromise DateRevocation ReasonArchive DateObject GroupLinkApplication Specific IDContact InformationLast Change DateCustom Attribute
Describes what “is” the object
Describes how to “use” the object
Describes other features of the object
26
Key Lifecycle States and Transitions
27
Symmetric key:
ActivationDate
DeactivationDate
Protect StopDate
Process StartDate
Protect
Process
Asymmetric key pair:
ActivationDate
DeactivationDate
Protect StopDate =
Protect
ActivationDate
DeactivationDate
Process StartDate =
Process
Public key for encryptionPrivate key for digital signature
Illustration of the Lifecycle Dates
Private key for decryptionPublic key for digital signature
28
SymmetricKey 2
SymmetricKey 1
SymmetricKey 3
SecretData
Object 1 Object 2
Derivation:
Re-key or re-certify:
Privat
e
Key
PublicKey
Certificate 1
Certificate 3
Public/Private/Cert:
Certificate 2
Object 3
Derived Key
Derived Key
Base Object
Base Object
Replaced ObjectReplaced Object
Replacement Object Replacement Object
PublicKey
PrivateKey
Certificate
Certificate
PublicKey
Certificate
Illustrations of the Link Attribute
29
Client-to-server Operations Operation consists of a request from client followed
by server response Multiple operations can be batched in a single
request-response pair ID Placeholder can be used to propagate the value of the
object’s Unique Identifier among operations in the same batch
Can be used to implement atomicity Requests may contain Template-Attribute structures
with the desired values of certain attributes Responses contain the attribute values that have
been set differently than as requested by the client
30
Client-to-server Operations cont’d
26 client-to-server operations defined
CreateCreate Key PairRegisterRe-keyDerive KeyCertifyRe-certifyLocateCheckGetGet AttributesGet Attribute ListAdd AttributeModify AttributeDelete AttributeObtain LeaseGet Usage AllocationActivateRevokeDestroyArchiveRecoverValidate (optional)QueryCancel (optional)Poll (optional)Notify (optional)Put (optional)
Generate objects
Set/get attributes
Use the objects
Support for asynchronous responses
Support of optional operations
Search and obtain objects
Server-to-clientoperations
31
Server-to-client Operations Unsolicited messages from the server to
the client with the following operations: Notify operation, used by server to inform
client about attribute-value changes Push operation, used by server to provide an
object and attributes to client, indicating whether the new object is replacing an existing object or not
Batching can be used Support is optional
32
Message Contents and Format Protocol messages consist of requests and responses, each with a
header and one or more batch items with operation payloads and message extensions
Header: Protocol version Maximum response size (optional, in request) Time Stamp (optional in request, required in response) Authentication (optional) Asynchronous Indicator (optional, in request, no support for asynchronous response is
default) Asynchronous Correlation Value (optional, in response). Used later on for asynchronous
polling Result Status: Success, Pending, Undone, Failure (required, in response) Result Reason (required in response if Failure, optional otherwise) Result Message (optional, in response) Batch Order Option (optional, in request, in-order processing is default). Support at server is
optional Batch Error Continuation Option: Undo, Stop, Continue. Stop (optional, in request, Stop is
default). Support at server is optional Batch Count
Batch Item: Operation (enumeration) Unique Message ID (required if more than one batch item in message) Payload (the actual operation request or response) Message Extension (optional, for vendor-specific extensions)
33
Message Encoding Example of TTLV encoding of the Application Specific ID
Attribute Attribute identified by its name “Application Specific ID” Shows value at index 2
Tag Type Length Value
Attribute Structure <varies>Tag Type Length Value
Attribute Name
String <varies> “Application Specific ID”
Attribute Index
Integer 4 2
Attribute Value
Structure <varies>Tag Type Length Value
App. Name
String <varies> “ssl”
App. ID
String <varies> “www.example.com”
34
Message Encoding cont’d
In a TTLV-encoded message, Attributes are identified either by tag value or by their name (see previous slide), depending on the context:
When the operation lists the attribute name among the objects part of the request/response (such as Unique Identifier), its tag is used in the encoded message
When the operation does not list the attribute name explicitly, but instead includes Template-Attribute (such as in the Create operation) or Attribute (such as in Add Attribute) objects as part of the request/response, its name is used in the encoded message
tag
…
type length value
operation 04 4 0000000A
tag type length value
Unique Identifier
06 24 1f165d65-cbbd-4bd6-9867-80e0b390acf9
Get Unique identifier
35
Authentication Authentication is external to the protocol All servers should support at least
SSL/TLS Authentication message field contains the
Credential Base Object Client or server certificate in the case of SSL/TLS
Host
@!$%!%!%!%%^&*&^%$#&%$#$%*!^@*%$*^^^^%$@*)%#*@(*$%%%%#@
@!$%!%!%!%%^&*&^%$#&%$#$%*!^@*%$*^^^^%$@*)%#*@(*$%%%%#@
Enterprise Key Manager
Identity certificate
Identity certificate
SSL/TLS
36
KMIPUse Cases
http://docs.oasis-open.org/kmip/usecases/v1.0/
37
KMIP Use Cases
Purpose: provide examples of message exchanges for common use cases
Categories basic functionality (create, get, register, delete of sym. keys and
templates) life-cycle support (key states) auditing and reporting key exchange asymmetric keys key roll-over archival vendor-specific message extensions
Details of the message composition and TTLV encoding (encoded bytes included)
38
KMIP Use Cases: Example Request containing a Get payload
The operation (object type) and payload parameterGet (symmetric key) In: uuidKey
Fields and structure of the message (length not shown)Tag: Request Message (0x42000073), Type: Structure (0x80), Data: Tag: Request Header (0x42000072), Type: Structure (0x80), Data: Tag: Protocol Version (0x42000065), Type: Structure (0x80), Data: Tag: Protocol Version Major (0x42000066), Type: Integer (0x01), Data: 0x00000000 (0) Tag: Protocol Version Minor (0x42000067), Type: Integer (0x01), Data: 0x00000062 (98) Tag: Batch Count (0x4200000D), Type: Integer (0x01), Data: 0x00000001 (1) Tag: Batch Item (0x4200000F), Type: Structure (0x80), Data: Tag: Operation (0x42000057), Type: Enumeration (0x04), Data: 0x0000000A (Get) Tag: Request Payload (0x42000074), Type: Structure (0x80), Data: Tag: Unique Identifier (0x4200008F), Type: Text String (0x06), Data:
96789141-62bf-4352-b1c4-9d48dac4b77d
TTLV byte encoding of the message42000073800000008542000072800000003042000065800000001A42000066010000000400000000420000670100000004000000624200000D0100000004000000014200000F80000000434200005704000000040000000A42000074800000002D4200008F060000002439363738393134312D363262662D343335322D623163342D396434386461633462373764
39
KMIP InteroperabilityDemonstration
40
KMIP Interop Demo
Demonstrate protocol functionality using multiple independent implementations
Scenarios from the KMIP Use Cases document
Includes e.g. creating, deleting, searching and retrieving of symmetric keys
41
KMIP Interoperability Demo
Servers
Clients
42
Use Case 3.1.1 (1/3)
The client asks the server to create a 128-bit symmetric key, using the AES algorithm, to be used for encryption and decryption
After the key has been created, the client asks the server to destroy the created key
43
Use Case 3.1.1 (2/3)
Create-request, Attributes: { Algorithm=AES, Length=128, Usage Mask=encrypt&decrypt }
Create-response: Success, Unique Identifier of created key
Client
Server
44
Use Case 3.1.1 (3/3)
Destroy-request, Unique Identifier of previously created key
Destroy-response: Success, Unique Identifier of destroyed key
45
Use Case 3.1.2 (1/4) The client registers a template with
attributes The client asks the server to create a
symmetric key with the attributes specified in the previously registered template
The client retrieves some attributes of the key to verify they were set according to the template
Note: Only operations not shown until now are illustrated
46
Use Case 3.1.2 (2/4)
Register-request, ObjectType=Template, Attributes (e.g.): { Name=Template1, ObjectGroup=Group1 }
Register-response: Success, Unique Identifier of registered template
47
Use Case 3.1.2 (3/4)
Create-request, TemplateName=Template1
Create-response: Success, Unique Identifier of created key
48
Use Case 3.1.2 (4/4)
Get Attributes-request, Attribute Names: { ObjectGroup, AppSpecificInfo, ContactInfo, x-Purpose }
Get Attributes-response: Success, Attributes { ObjectGroup=Group1 etc. }
?
49
Use Case 3.1.3 (1/3)
The client asks the server to create a key and specifies a Name attribute value
The client then performs a Locate operation, supplying the Name, to which the server responds with the Unique Identifier of the created key
The client retrieves the created key using its Unique Identifier
50
Use Case 3.1.3 (2/3)
Locate-request, Attribute: { Name=Key1 } Locate-response: Success, Unique
Identifier of created key
Previously created Keywith Name attribute set
51
Use Case 3.1.3 (3/3)
Get-request, Unique Identifier of previously created key
Get-response: Success, key material of the previously created key
52
Use Case 4.1 (1/4)
The client asks the server to create a key The client gets the State attribute to
confirm that the key is initially in the Pre-Active state
The client performs an Activate operation to change the state to Active
The client performs a Revoke operation to change the state to Compromised
53
Use Case 4.1 (2/4)
Get Attributes-request: Unique Identifier of key, Attribute Name: { State }
Get Attributes-response: Success, Unique Identifier of key, State=Pre-Active
?
Previously created keyin the Pre-Active state
54
Use Case 4.1 (3/4)
Activate-request: Unique Identifier of key Activate-response: Success, Unique
Identifier of activated key
55
Use Case 4.1 (4/4)
Revoke-request: Unique Identifier of key, Revocation Reason=Compromised
Revoke-response: Success, Unique Identifier of revoked key
56
Use Case 5.1 (1/4) The client asks the server to create a key,
activates it and sets a certain amount of Usage Allocation (1000 MB)
The client gets some Usage Allocation so that it can use the key e.g. for encrypting data
Once it has been used up, the client requests some more usage allocation
When the usage allocation has been used up, the key cannot be used for encryption anymore
57
Use Case 5.1 (2/4)
Get Usage Allocation-request: Unique Identifier of key, ByteCount=500
Get Usage Allocation-response: Success, Unique Identifier of key
Usage allocation
Usage allocation
58
Use Case 5.1 (3/4)
Get Usage Allocation-request: Unique Identifier of key, ByteCount=500
Get Usage Allocation-response: Success, Unique Identifier of key
Usage allocation
Usage allocation
(usage allocation is used up)
59
Use Case 5.1 (4/4)
Get Usage Allocation-request: Unique Identifier of key, ByteCount=500
Get Usage Allocation-response: Operation Failed, Usage Allocation requested could not be granted
Usage allocation
Usage allocation
(usage allocation is used up)
60
Conclusion
61
Enterprise Cryptographic Environments
Enterprise Key Management System
DiskArrays
BackupDisk
BackupTape
BackupSystem
Collaboration &Content Mgmt
Systems
File ServerPortals
ProductionDatabase
Replica
Staging
Key Management Interoperability Protocol
EnterpriseApplications
eCommerceApplications
Business Analytics
Dev/Test Obfuscation
WANLANVPN
CRM
KMIP: enabling enterprise key management through standard protocol
62
Q&A