KMIP - Hardware Security Modules: Meta-Data-Only (MDO) Keys

Saikat Saha & Denis Pochuev

Saikat.saha@safenet-inc.com, denis.pochuev@safenet-inc.com

Feb 2012


Purpose of HSM (Hardware Security Module)

- Hardware-based Key Storage Device

- Provides High Assurance – FIPS 140-2 Level 2 & 3

- Creates, Stores and manages various cryptographic objects
  - Symmetric Keys
  - Asymmetric Keys
  - Certificates

- Provides Crypto Acceleration and root of trust (trust anchor)

- Available in PCI as well as Network Appliance versions with multiple partitions

- NIST disapproves of key material leaving the FIPS boundary


Enterprise Key Management for HSMs

[Diagram: EKM management console providing Centralized Key Management (Key Archive, Backup/Archive, Initialization/Activation, Audit Log); remote sites handle only IT related activities; Applications with HSM + EKM Client connect to EKM over KMIP]

KMIP

• Key Management Interoperability Protocol

• Allows for interoperability between

  1. differing device types

  2. devices from different vendors


Centralized Administration of HSMs with EKM

[Diagram: EKM (Key Secure) administered from an EKM Web Browser, with Backup HSM and Key Archive, HSM With Multiple Partitions, Audit Log, Initialization/Activation; Application + HSM with EKM Client and Database + HSM with EKM Client connected over KMIP]

EKM

• Centrally see all keys created and used by HSM

• Stores and manages key attributes

• Centralized audit for compliance


General idea behind MDO keys

Core Server Functionality = Key Mgmt + Key Usage

Where does the key usage happen?
- at the server
- at the client (HSM case)

Cryptographic Objects = Key Material + Meta Data

If key usage can be restricted only to clients, why not keep the key material there and only transfer Meta Data?

[Diagram: Application, HSM, Server; key material perimeter]


KMIP commands and MDO keys

Supported KMIP Commands: Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query

MDO KMIP Commands: Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query


KMIP Register operation in detail

[Diagram: Registered Object, Meta-Data]

Regular KMIP Request (Tag | Type | Length | Value)

Request Message (0x420078) | 0x01 | 0000000000 |
  Request Header (0x420077) | 0x01 | …
  Batch Item (0x42000f) | 0x01 | 0000000000 |
    Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003
    Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 39
    Request Payload (0x420079) | 0x01 | 0000000000 |
      Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002
      Template-Attribute (0x420091) | 0x01 | 0000000000 |
        Attribute (0x420008) | 0x01 | 0000000000 |
          Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
          Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007
        Attribute (0x420008) | 0x01 | 0000000000 |
          Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
          Attribute Value (0x42000b) | 0x01 | 0000000000 |
            Name Value (0x420055) | 0x07 | 0x00000005 | mykey
            Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001
      Symmetric Key (0x42008f) | 0x01 | 0000000000 |
        Key Block (0x420040) | 0x01 | 0000000000 |
          Key Format Type (0x420042) | 0x05 | 0x00000004 | 0x00000001
          Key Value (0x420045) | 0x01 | 0000000000 |
            Key Material (0x420043) | 0x08 | 0x00000010 | 01 23 45 67 89 ab cd ef 01 23 45 67…
          Cryptographic Algorithm (0x420028) | 0x05 | 0x00000004 | 0x00000003
          Cryptographic Length (0x42002a) | 0x02 | 0x00000004 | 0x00000080


KMIP Register operation in detail (continued)

MDO KMIP Request (Tag | Type | Length | Value)

Request Message (0x420078) | 0x01 | 0x00000180 |
  Request Header (0x420077) | 0x01 | …
  Batch Item (0x42000f) | 0x01 | 0x00000128 |
    Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003
    Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 30
    Request Payload (0x420079) | 0x01 | 0x00000100 |
      Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002
      Template-Attribute (0x420091) | 0x01 | 0x000000e8 |
        Attribute (0x420008) | 0x01 | 0x00000030 |
          Attribute Name (0x42000a) | 0x07 | 0x00000017 | Cryptographic Algorithm
          Attribute Value (0x42000b) | 0x05 | 0x00000004 | 0x00000003
        Attribute (0x420008) | 0x01 | 0x00000030 |
          Attribute Name (0x42000a) | 0x07 | 0x00000014 | Cryptographic Length
          Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000080
        Attribute (0x420008) | 0x01 | 0x00000030 |
          Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
          Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007
        Attribute (0x420008) | 0x01 | 0x00000038 |
          Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
          Attribute Value (0x42000b) | 0x01 | 0x00000020 |
            Name Value (0x420055) | 0x07 | 0x00000005 | mykey
            Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001
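As an added example (not code from the slides or from SafeNet), the Python below encodes both Register payloads shown on the slides as KMIP TTLV, reproduces the lengths the MDO request carries (0x100, 0xe8, 0x30, 0x38), and walks a buffer recursively so that a server or gateway can verify that an inbound Register stays on the meta-data side of the key material perimeter. Tag and type codes are the ones on the slides; the function names and the policy check `crosses_key_perimeter` are my own.

```python
import struct

# KMIP TTLV item types (KMIP 1.0 encoding) and the tags that appear on slides 7 and 8
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08
ATTRIBUTE, ATTR_NAME, ATTR_VALUE, OBJECT_TYPE = 0x420008, 0x42000a, 0x42000b, 0x420057
CRYPTO_ALG, CRYPTO_LEN, KEY_BLOCK, KEY_FORMAT = 0x420028, 0x42002a, 0x420040, 0x420042
KEY_MATERIAL, KEY_VALUE, NAME_TYPE, NAME_VALUE = 0x420043, 0x420045, 0x420054, 0x420055
REQ_PAYLOAD, SYMMETRIC_KEY, TEMPLATE_ATTR = 0x420079, 0x42008f, 0x420091

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to a multiple of 8."""
    if typ == STRUCTURE: body = b"".join(value)                          # nested items, already encoded
    elif typ in (INTEGER, ENUMERATION): body = struct.pack(">I", value)  # 4 bytes, padded to 8 below
    elif typ == TEXT_STRING: body = value.encode("utf-8")
    else: body = value                                                   # Byte String
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\0" * (-len(body) % 8)

def attr(name, typ, value):
    """Template-Attribute entry: Attribute { Attribute Name, Attribute Value }."""
    return ttlv(ATTRIBUTE, STRUCTURE, [ttlv(ATTR_NAME, TEXT_STRING, name), ttlv(ATTR_VALUE, typ, value)])
NAME = attr("Name", STRUCTURE, [ttlv(NAME_VALUE, TEXT_STRING, "mykey"), ttlv(NAME_TYPE, ENUMERATION, 1)])
USAGE = attr("Cryptographic Usage Mask", INTEGER, 7)  # value 7, as on the slides

def mdo_register_payload():
    """MDO Register payload (slide 8): algorithm and length travel as attributes and there is no Key Block."""
    return ttlv(REQ_PAYLOAD, STRUCTURE, [
        ttlv(OBJECT_TYPE, ENUMERATION, 2),  # Symmetric Key
        ttlv(TEMPLATE_ATTR, STRUCTURE, [attr("Cryptographic Algorithm", ENUMERATION, 3),
                                        attr("Cryptographic Length", INTEGER, 128), USAGE, NAME])])

def regular_register_payload(key_material):
    """Regular Register payload (slide 7): the Key Block carries the raw key bytes out to the server."""
    return ttlv(REQ_PAYLOAD, STRUCTURE, [
        ttlv(OBJECT_TYPE, ENUMERATION, 2), ttlv(TEMPLATE_ATTR, STRUCTURE, [USAGE, NAME]),
        ttlv(SYMMETRIC_KEY, STRUCTURE, [ttlv(KEY_BLOCK, STRUCTURE, [
            ttlv(KEY_FORMAT, ENUMERATION, 1), ttlv(KEY_VALUE, STRUCTURE, [ttlv(KEY_MATERIAL, BYTE_STRING, key_material)]),
            ttlv(CRYPTO_ALG, ENUMERATION, 3), ttlv(CRYPTO_LEN, INTEGER, 128)])])])

def tags_in(buf):
    """Walk a TTLV buffer recursively and return the set of tags it contains."""
    found, pos = set(), 0
    while pos + 8 <= len(buf):
        tag, typ, length = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3], int.from_bytes(buf[pos + 4:pos + 8], "big")
        found |= {tag} | (tags_in(buf[pos + 8:pos + 8 + length]) if typ == STRUCTURE else set())
        pos += 8 + length + (-length % 8)  # values are padded to 8-byte boundaries
    return found

def crosses_key_perimeter(buf):  # policy check for a server or gateway: reject a Register that carries Key Material
    return KEY_MATERIAL in tags_in(buf)
```

The sample key bytes passed to `regular_register_payload` in a test are constructed; with real deployments the point of MDO is that no such bytes ever reach the KMIP server.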


New key format

What happened to Key Format in previous request?

- Key Format is not a full-fledged attribute

- Absence of the object => custom key format

- Key Format is purely internal


KMIP Updates for MDO keys

Crypto Domain Parameters
  o Crypto parameters need to be a part of the Register command, not only Create Key Pair

ECC Enumeration
  o Need a broader set of supported curves


Questions?

Thank you.