KMIP 1.3 SP 800-130 Issues
Slides: 7

Slide 1: KMIP 1.3 SP 800-130 Issues
Joseph Brand / Chuck White / Tim Hudson
December 12th, 2013

Slide 2: Observations in Storage/Applications
Sensitive Data for Government/Proprietary Use
• US Government utilizations
  – Multi-level sensitivity can translate into classification (FOUO, S, TS, etc.)
  – Application of attributes with encryption keys for Data at Rest, COMSEC, and TRANSEC
  – Using classification, amongst other attributes, to associate with encryption keys based on the classification usage of the encrypted data
  – From a Server/Distribution perspective, attributes inform the workflow for key lifecycle activities, including distribution and management functions.
  – Attributes have security requirements, as does the data associated with the attributes
• Technology implementation
  – Examples include collaboration systems, reporting systems, data feeds for collected information, communications services, and data transport infrastructure.
  – Focuses on generating keys based on attributes and keeping the attributes associated with the key so the information can be decrypted for future use
  – Attributes inform the key distribution workflow
  – Attributes inform communications services how the key is used as a component of an End Cryptographic Unit (ECU) or similar communications/transmission security component.
• Note that this approach has implications for commercial use as well
  – Focus on Data at Rest, Communications, and Transmission Security for:
    • Proprietary information
    • Healthcare information
    • Personal information

Slide 3: SP 800-130 Requirements
6.7 Restricting Access to Key and Metadata Management Functions
This section describes how access to the key and metadata management functions may be controlled. The requesting entity may be authenticated, and human exposure to keys and other sensitive metadata may be prevented or severely restricted.
6.7.3 Controlling Human Input
If a key management function requires the human input of keys or sensitive metadata, then there is a dependence on the human for the accuracy and perhaps the security of the input.
6.8 Compromise Recovery
In an ideal situation, the CKMS would protect all keys and sensitive metadata so that they are never compromised or modified by unauthorized parties.

Slide 4: SP 800-130 Requirements
6.8.2 Metadata Compromise
Depending on the metadata element and how it is used, the compromise of a metadata element could result in the compromise of a key or the data protected by a key. For example, a metadata element of a symmetric encryption/decryption key could be a list of identities corresponding to the legitimate users of the key. The Access Control System verifies the authenticated identity of the user against the metadata element to determine whether the user is permitted to exercise the decrypt function and thus obtain plaintext data. If the metadata element could be modified to add an unauthorized user to the list of authorized users, then the encrypted data could be compromised. If different keys have common metadata elements, then the compromise of one metadata element could compromise the data protected by each of the keys. Metadata elements that are sensitive to unauthorized modification should be cryptographically bound to their associated keys so that the integrity of the metadata can be easily verified.
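The following is an added worked example, not code from the presentation, from SP 800-130, or from any KMIP implementation. It shows one way to realize the "cryptographically bound" requirement of 6.8.2: the key management server keeps an HMAC tag computed under a server-held binding key over the key identifier, the key material and a canonical serialization of the attributes, and the access-control check refuses to consult the authorized-user list until that tag verifies. The key material, the binding key, the identifier "key-0001" and the "x-" custom attribute names are all constructed sample values (the "x-" prefix mirrors KMIP custom attributes but the names themselves are invented here); HMAC-SHA256 is one binding mechanism among several (a wrapped key blob or AES-GCM with the attributes as associated data would serve the same purpose). Because the tag covers the key id and key material, a metadata element shared between keys cannot simply be carried from one key's record to another, which is the second concern 6.8.2 raises.

```python
import hashlib
import hmac
import json

# Constructed sample values (not from the presentation): a 256-bit symmetric
# key as the CKMS would hold it, and a separate server-side binding key used
# only to authenticate (key, metadata) pairs.
KEY_ID = "key-0001"
KEY_MATERIAL = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
BINDING_KEY = hashlib.sha256(b"constructed-sample-binding-key").digest()

# Metadata the access control system consults before releasing plaintext;
# the authorized-user list is the example given in SP 800-130 6.8.2.
# Attribute names are constructed for this example.
ATTRIBUTES = {
    "Cryptographic Algorithm": "AES",
    "Cryptographic Usage Mask": ["Encrypt", "Decrypt"],
    "x-Authorized-Users": ["alice", "bob"],
    "x-Classification": "FOUO",
}


def canonical(attrs):
    """Serialize attributes so that equal metadata always yields equal bytes."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode("utf-8")


def bind(key_id, key_material, attrs, binding_key=BINDING_KEY):
    """Return an HMAC-SHA256 tag binding the attributes to this key.

    Every field is length-prefixed so there is no ambiguity about where the
    key id ends and the key material or metadata begins.
    """
    mac = hmac.new(binding_key, digestmod=hashlib.sha256)
    for field in (key_id.encode("utf-8"), key_material, canonical(attrs)):
        mac.update(len(field).to_bytes(4, "big"))
        mac.update(field)
    return mac.digest()


def verify(key_id, key_material, attrs, tag, binding_key=BINDING_KEY):
    """Constant-time check that (key id, key material, attrs) match the tag."""
    expected = bind(key_id, key_material, attrs, binding_key)
    return hmac.compare_digest(expected, tag)


def decrypt_decision(user, key_id, key_material, attrs, tag):
    """Access-control check for the decrypt function.

    The binding is verified first; an authorized-user list that does not
    verify is never trusted, so a list edited without the binding key
    cannot grant access.
    """
    if not verify(key_id, key_material, attrs, tag):
        return "denied: metadata integrity failure"
    if user not in attrs.get("x-Authorized-Users", []):
        return "denied: unauthorized user"
    return "allowed"


def demo():
    """Run the legitimate case, the unauthorized case, and the tampered case."""
    tag = bind(KEY_ID, KEY_MATERIAL, ATTRIBUTES)
    results = {
        "alice": decrypt_decision("alice", KEY_ID, KEY_MATERIAL, ATTRIBUTES, tag),
        "mallory": decrypt_decision("mallory", KEY_ID, KEY_MATERIAL, ATTRIBUTES, tag),
    }
    # Unauthorized modification of the metadata element: an extra identity is
    # appended to the list without access to the binding key, so the stored
    # tag no longer verifies and the server refuses to act on the list.
    tampered = json.loads(json.dumps(ATTRIBUTES))
    tampered["x-Authorized-Users"].append("mallory")
    results["mallory-after-tamper"] = decrypt_decision(
        "mallory", KEY_ID, KEY_MATERIAL, tampered, tag
    )
    return results


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who}: {outcome}")
```

Running the block prints "allowed" for alice, "denied: unauthorized user" for mallory, and "denied: metadata integrity failure" once the list has been edited. The binding key is deliberately distinct from the managed key: it is the server's own secret for authenticating its records, so compromise of one managed key does not let its metadata be rewritten.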

Slide 5: Draft SP 800-152 Requirements Profile Table (row 4)
FRAMEWORK: Not covered in the Framework
TOPIC: Key and metadata sensitivity
BASE: Low, Moderate or High (Low)
AUGMENTED: Moderate or High
FUTURE: Multi-Level Security: Low, Moderate, and High (Moderate)

Slide 6: Observations
SP 800-130 implies that certain metadata can be as sensitive as the key material.
Draft SP 800-152 indicates multi-level sensitivity (low, moderate, high).
Deployed KMIP client usage indicates that clients are placing sensitive information in custom attributes.
Specification of attributes within a KeyValue that are "encapsulated with (and possibly wrapped with) the key material itself" is not well defined and not covered in any current test case or profile.
SP 800-130 notes "a metadata element of a symmetric encryption/decryption key could be a list of identities corresponding to the legitimate users of the key", encompassing access control within the general model.

Slide 7: Summary
KMIP 1.0, 1.1, and 1.2 do not explicitly address sensitive metadata (leaving it to the implementation to handle transparently from the user [client]).
KMIP 1.0, 1.1, and 1.2 address sensitive key material by allowing:
• Get specifying a wrapping key
• Register specifying a wrapped key (where the server may or may not have access to the wrapping key)
KMIP 1.3 should address sensitive metadata by allowing:
• GetAttributes specifying a wrapping key
• Register specifying wrapped attributes (where the server may or may not have access to the wrapping key)
• Note that the workflow associated with interpretation of attributes is outside the KMIP specification.