The OASIS KMIP Standard: Interoperability for the Cryptographic Ecosystem
Jon Geater, OASIS KMIP TC
With thanks to Bob Griffin, co-chair, OASIS KMIP TC
www.oasis-open.org
KMIP Overview
Often, Each Cryptographic Environment Has Its Own Key Management System
[Diagram: enterprise cryptographic environments (collaboration and content management systems, portals, production database, enterprise applications, CRM, disk arrays, WAN, LAN, VPN, replica, file server, backup system, backup disk, backup tape, e-commerce applications, business analytics, staging, dev/test, obfuscation, email), each served by its own key management system]

Often, Each Cryptographic Environment Has Its Own Protocol
[Diagram: the same environments, each reaching its key management system over disparate, often proprietary protocols]

KMIP: Single Protocol Supporting Enterprise Cryptographic Environments
[Diagram: the same environments all reaching enterprise key management over the single Key Management Interoperability Protocol]
What is KMIP
- The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new cryptographic-enabled applications, covering symmetric keys, asymmetric keys, digital certificates, and other "shared secrets."
- KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
- KMIP defines the protocol for communication between a cryptographic client and a key-management server. Key lifecycle operations supported include generation, submission, retrieval, and deletion of cryptographic objects.
- Vendors will deliver KMIP-enabled cryptographic applications that support communication with compatible KMIP key-management servers.
What is KMIP
[Diagram: a key client calls an API on its internal representation of a cryptographic object; the request is KMIP-encoded, carried over the KMIP transport, and KMIP-decoded by the key server, with the response decoded again on the client]
KMIP status
- KMIP Technical Committee was established in OASIS in April 2009
  - Submissions at the time of TC creation included a draft specification, usage guide and use cases
  - Initial membership included most significant vendors in cryptographic solutions and key management, and has continued to grow.
- KMIP V1.0 standard approved end-September 2010
  - Revision of initial submissions April-October 2009
  - First public review Nov/Dec 2009
  - Revision of documents Jan-April 2010
  - Second public review May/June 2010
  - Approval of KMIP V1.0 docs as OASIS standard Sept 2010
- 2 public interops completed
- KMIP V1.0 conformance defined in terms of server profiles, such as Symmetric Key Foundry
KMIP Profiles
- Purpose is to define what any implementation of the specification must adhere to in order to claim conformance to the specification
  - Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction.
  - Define a set of normative constraints for employing KMIP within a particular environment or context of use.
  - Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors.
- Three profiles defined in V1.0
  - Secret data
  - Symmetric key store
  - Symmetric key foundry
- Profiles are further qualified by authentication suite
  - TLS V1.0 / V1.1
  - TLS V1.2
KMIP Work Items for v.Next
- Next version of KMIP standard expected Q4 2011
- Additions to protocol under discussion
  - permissions and groups
  - client registration
  - expanded server-to-server use cases
  - authentication methods
- Additions to profiles include expanded certificate services and asymmetric key functionality.
- Enhanced interoperability testing
KMIP V1.0 Documents
- http://xml.coverpages.org/KMIP-FAQ.pdf
- http://docs.oasis-open.org/kmip/spec/v1.0/
- http://docs.oasis-open.org/kmip/ug/v1.0/
- http://docs.oasis-open.org/kmip/profiles/v1.0/
- http://docs.oasis-open.org/kmip/usecases/v1.0/
KMIP: Interoperability for the Cryptographic Ecosystem
[Diagram: the enterprise cryptographic environments from the earlier slides (portals, production database, collaboration and content management systems, LAN, VPN, file server, disk arrays, WAN, backup system, replica, CRM, enterprise applications, backup disk, e-commerce applications, business analytics, staging, backup tape, dev/test, obfuscation, email) all connected through the Key Management Interoperability Protocol to an enterprise key management system]
- Slides: 12