KMIP - Hardware Security Modules: Meta-Data-Only (MDO) Keys
Saikat Saha & Denis Pochuev
[email protected]@safenet-inc.com
Feb 2012
2
Purpose of HSM (Hardware Security Module)
- Hardware based Key Storage Device
- Provides High Assurance – FIPS 140-2 Level 2 & 3
- Creates, Stores and manages various cryptographic objects
Symmetric Keys
Asymmetric Keys
Certificates
- Provides Crypto Acceleration and root of trust (trust anchor)
- Available in PCI as well as Network Appliance versions with multiple partitions
- NIST disapproves key material leaving the FIPS boundary
3
Enterprise Key Management for HSMs
- Centralized Key Management
- Remote sites handle only IT related activities
Diagram: EKM Management Console (Key Archive, Backup/Archive, Initialization/Activation, Audit Log) connected over KMIP to Application + HSM with EKM Client nodes.
KMIP
• Key Management Interoperability Protocol
• Allows for interoperability between
1. differing device types
2. devices from different vendors
4
Centralized Administration of HSMs with EKM
Diagram: Backup HSM and Key Archive, HSM With Multiple Partitions, Audit Log, KeySecure, Application + HSM with EKM Client, Database + HSM with EKM Client, Initialization/Activation, EKM Web Browser; each node talks to EKM over KMIP.
EKM
• Centrally see all keys created and used by HSM
• Stores and manages key attributes
• Centralized audit for compliance
5
General idea behind MDO keys
Core Server Functionality = Key Mgmt + Key Usage
Where does the key usage happen?
- at the server
- at the client (HSM case)
Cryptographic Objects = Key Material + Meta Data
If key usage can be restricted only to clients, why not keep the key material there and only transfer Meta Data?
Diagram: Application, HSM and Server, with a key material perimeter marked between the HSM and the Server.
6
KMIP commands and MDO keys
Supported KMIP Commands: Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query
MDO KMIP Commands: Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query
7
(Slide labels: Registered Object; Meta-Data)
Regular KMIP Request
Request Message (0x420078) | 0x01 | 0000000000 |
Request Header (0x420077) | 0x01 | …
Batch Item (0x42000f) | 0x01 | 0000000000 |
Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003
Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 39
Request Payload (0x420079) | 0x01 | 0000000000 |
Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002
Template-Attribute (0x420091) | 0x01 | 0000000000 |
Attribute (0x420008) | 0x01 | 0000000000 |
Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007
Attribute (0x420008) | 0x01 | 0000000000 |
Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
Attribute Value (0x42000b) | 0x01 | 0000000000 |
Name Value (0x420055) | 0x07 | 0x00000005 | mykey
Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001
Symmetric Key (0x42008f) | 0x01 | 0000000000 |
Key Block (0x420040) | 0x01 | 0000000000 |
Key Format Type (0x420042) | 0x05 | 0x00000004 | 0x00000001
Key Value (0x420045) | 0x01 | 0000000000 |
Key Material (0x420043) | 0x08 | 0x00000010 | 01 23 45 67 89 ab cd ef 01 23 45 67…
Cryptographic Algorithm (0x420028) | 0x05 | 0x00000004 | 0x00000003
Cryptographic Length (0x42002a) | 0x02 | 0x00000004 | 0x00000080
KMIP Register operation in detail
8
KMIP Register operation in detail (continued)
MDO KMIP Request
Request Message (0x420078) | 0x01 | 0x00000180 |
Request Header (0x420077) | 0x01 | …
Batch Item (0x42000f) | 0x01 | 0x00000128 |
Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003
Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 30
Request Payload (0x420079) | 0x01 | 0x00000100 |
Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002
Template-Attribute (0x420091) | 0x01 | 0x000000e8 |
Attribute (0x420008) | 0x01 | 0x00000030 |
Attribute Name (0x42000a) | 0x07 | 0x00000017 | Cryptographic Algorithm
Attribute Value (0x42000b) | 0x05 | 0x00000004 | 0x00000003
Attribute (0x420008) | 0x01 | 0x00000030 |
Attribute Name (0x42000a) | 0x07 | 0x00000014 | Cryptographic Length
Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000080
Attribute (0x420008) | 0x01 | 0x00000030 |
Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007
Attribute (0x420008) | 0x01 | 0x00000038 |
Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
Attribute Value (0x42000b) | 0x01 | 0x00000020 |
Name Value (0x420055) | 0x07 | 0x00000005 | mykey
Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001
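As an added example (not code from the slides or from SafeNet), here is a small Python TTLV encoder that rebuilds the Batch Item of the MDO Register request above and reproduces the slide's length fields, plus a scanner that enforces the key material perimeter from the "General idea" slide by flagging any request carrying a Key Material (0x420043) item. Type codes and the enumeration values (AES = 3, Symmetric Key = 2, Register = 3) follow the KMIP 1.x specification; the function and constant names are this example's own.

```python
import struct
# KMIP 1.x TTLV item types and the tags that appear on the slide
STRUCTURE, INTEGER, ENUMERATION, TEXT, BYTES = 0x01, 0x02, 0x05, 0x07, 0x08
ATTRIBUTE, ATTR_NAME, ATTR_VALUE = 0x420008, 0x42000A, 0x42000B
BATCH_ITEM, OPERATION, BATCH_ID = 0x42000F, 0x42005C, 0x420093
PAYLOAD, OBJECT_TYPE, TEMPLATE_ATTR = 0x420079, 0x420057, 0x420091
NAME_VALUE, NAME_TYPE, KEY_MATERIAL = 0x420055, 0x420054, 0x420043

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8."""
    if typ in (INTEGER, ENUMERATION):            # 4-byte value, length field 4, 4 bytes of padding
        body, length = struct.pack(">I", value & 0xFFFFFFFF), 4
    elif typ in (TEXT, BYTES):                    # length field is the unpadded byte count
        body = value.encode() if typ == TEXT else bytes(value); length = len(body)
    else:                                         # STRUCTURE: value is a list of encoded children
        body = b"".join(value); length = len(body)
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", length)
    return header + body + b"\x00" * ((-len(body)) % 8)

def attribute(name, typ, value):                  # Attribute = Attribute Name + Attribute Value
    return ttlv(ATTRIBUTE, STRUCTURE, [ttlv(ATTR_NAME, TEXT, name), ttlv(ATTR_VALUE, typ, value)])

def mdo_register_batch_item():
    """Batch Item of the MDO Register request from the slide: meta-data only, no Key Block."""
    template = ttlv(TEMPLATE_ATTR, STRUCTURE, [
        attribute("Cryptographic Algorithm", ENUMERATION, 0x03),   # 3 = AES
        attribute("Cryptographic Length", INTEGER, 0x80),          # 128 bits
        attribute("Cryptographic Usage Mask", INTEGER, 0x07),      # Sign | Verify | Encrypt
        attribute("Name", STRUCTURE, [ttlv(NAME_VALUE, TEXT, "mykey"),
                                      ttlv(NAME_TYPE, ENUMERATION, 0x01)])])
    payload = ttlv(PAYLOAD, STRUCTURE, [ttlv(OBJECT_TYPE, ENUMERATION, 0x02), template])  # 2 = Symmetric Key
    return ttlv(BATCH_ITEM, STRUCTURE, [ttlv(OPERATION, ENUMERATION, 0x03),               # 3 = Register
                                        ttlv(BATCH_ID, BYTES, b"0"), payload])

def tags_in(buf):  # walk a TTLV buffer, descending into structures, and return every tag found
    found, pos = [], 0
    while pos + 8 <= len(buf):
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        found.append(tag)
        if typ == STRUCTURE:
            found += tags_in(buf[pos + 8:pos + 8 + length])
        pos += 8 + length + (-length) % 8
    return found

def length_field(buf):                            # length field of the outermost item
    return struct.unpack(">I", buf[4:8])[0]

def crosses_key_perimeter(buf):                   # MDO policy: no Key Material item at any depth
    return KEY_MATERIAL in tags_in(buf)
```

Running `length_field(mdo_register_batch_item())` gives 0x128 and the nested Template-Attribute encodes to 0xe8, matching the slide; a Register carrying a Key Block is rejected by `crosses_key_perimeter`.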
9
New key format
What happened to Key Format in previous request?
- Key Format is not a full-fledged attribute
- Absence of the object => custom key format
- Key Format is purely internal
10
KMIP Updates for MDO keys
Crypto Domain Parameters
- Crypto parameters need to be a part of the Register command, not only Create Key Pair
ECC Enumeration
- Need a broader set of supported curves
11
Questions?
Thank you.