www.oasis-open.org
The OASIS KMIP Standard: Interoperability for the Cryptographic Ecosystem
Jon Geater, OASIS KMIP TC
With thanks to Bob Griffin, co-chair, OASIS KMIP TC
KMIP Overview
Often, Each Cryptographic Environment Has Its Own Key Management System
[Diagram: enterprise cryptographic environments (collaboration & content management systems, portals, production database, disk arrays, enterprise applications, CRM, backup system, WAN, LAN, VPN, replica, file server, backup disk, eCommerce applications, business analytics, staging, dev/test, obfuscation, email, backup tape), each attached to its own separate Key Management System]
Often, Each Cryptographic Environment Has Its Own Protocol
[Diagram: the same enterprise cryptographic environments, each talking to its own Key Management System over disparate, often proprietary protocols]
KMIP: Single Protocol Supporting Enterprise Cryptographic Environments
[Diagram: the same enterprise cryptographic environments, all connected to a single Enterprise Key Management system through one protocol, the Key Management Interoperability Protocol]
What is KMIP

The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new cryptographic-enabled applications, covering symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.

KMIP defines the protocol for communication between cryptographic clients and key-management servers. Supported key lifecycle operations include generation, submission, retrieval, and deletion of cryptographic objects. Vendors will deliver KMIP-enabled cryptographic applications that support communication with compatible KMIP key-management servers.
What is KMIP
[Diagram: a Key Client and a Key Server, each with its own API and internal representation. Each side runs a KMIP Encode step to turn its internal representation into a KMIP message for the transport, and a KMIP Decode step to turn received KMIP messages back into its internal representation.]
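Added example, not from the OASIS materials: a Python encoder/decoder for the KMIP wire format (TTLV: tag, type, length, value) that performs the KMIP Encode and KMIP Decode steps of this slide on a minimal Get request for one managed object; the decoder bounds-checks every length field against its enclosing item before slicing, which is the check a server parsing untrusted client input needs. Tag, type and Operation numbers are assumed to match the KMIP 1.0 specification tables and the identifier "constructed-uid-0001" is a constructed sample value; verify the constants against the specification linked under "KMIP V1.0 Documents".

```python
import struct
# KMIP 1.0 TTLV item types and the tag numbers this example needs. Values are assumed to
# match the KMIP 1.0 specification tables; verify them against the spec linked on slide 11.
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
TAG = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
       "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
       "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094}
TAG_NAME = {v: k for k, v in TAG.items()}
OPERATION_GET = 0x0A  # Operation enumeration value for Get

def encode(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if typ == STRUCTURE:
        body = b"".join(encode(*child) for child in value)
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if typ == INTEGER else ">I", value)  # 4 bytes, padded below
    else: body = value.encode("utf-8")  # TEXT_STRING
    head = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return head + body + b"\x00" * (-len(body) % 8)

def decode(buf, pos=0, end=None):
    """Parse buf[pos:end] into (tag_name, type, value) tuples, bounds-checking every length."""
    end, items = (len(buf) if end is None else end), []
    while pos < end:
        if end - pos < 8: raise ValueError("truncated TTLV header")
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        if typ not in (STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING):
            raise ValueError("unsupported item type %#x" % typ)
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        vstart, vend = pos + 8, pos + 8 + length
        if vend > end: raise ValueError("declared length exceeds enclosing item")  # untrusted wire length
        if typ == STRUCTURE:
            value = decode(buf, vstart, vend)
        elif typ in (INTEGER, ENUMERATION):
            value = struct.unpack(">i" if typ == INTEGER else ">I", buf[vstart:vend])[0]
        else:
            value = buf[vstart:vend].decode("utf-8")
        items.append((TAG_NAME.get(tag, tag), typ, value))
        pos = vstart + (length + 7) // 8 * 8  # step over the value and its padding
    return items

def get_request(uid):
    """Client side of slide 7: a Get request for one managed object, encoded for transport."""
    return encode(TAG["RequestMessage"], STRUCTURE, [
        (TAG["RequestHeader"], STRUCTURE, [
            (TAG["ProtocolVersion"], STRUCTURE, [(TAG["ProtocolVersionMajor"], INTEGER, 1),
                                                 (TAG["ProtocolVersionMinor"], INTEGER, 0)]),
            (TAG["BatchCount"], INTEGER, 1)]),
        (TAG["BatchItem"], STRUCTURE, [(TAG["Operation"], ENUMERATION, OPERATION_GET),
            (TAG["RequestPayload"], STRUCTURE, [(TAG["UniqueIdentifier"], TEXT_STRING, uid)])])])
```

Feeding `get_request("constructed-uid-0001")` to `decode` reproduces the nested request on the server side; truncating the message makes the decoder reject it instead of reading past the buffer.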
KMIP status
- KMIP Technical Committee was established in OASIS in April 2009
  - Submissions at the time of TC creation included a draft specification, usage guide and use cases
  - Initial membership included most significant vendors in cryptographic solutions and key management, and has continued to grow
  - Revision of initial submissions April-October 2009
  - First public review Nov/Dec 2009
  - Revision of documents Jan-April 2010
  - Second public review May/June 2010
  - Approval of KMIP V1.0 docs as OASIS standard Sept 2010
- KMIP V1.0 standard approved end-September 2010
  - 2 public interops completed
  - KMIP V1.0 conformance defined in terms of server profiles, such as Symmetric Key Foundry
KMIP Profiles
- Purpose is to define what any implementation of the specification must adhere to in order to claim conformance to the specification
  - Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction
  - Define a set of normative constraints for employing KMIP within a particular environment or context of use
  - Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors
- Three profiles defined in V1.0
  - Secret data
  - Symmetric key store
  - Symmetric key foundry
- Profiles are further qualified by authentication suite
  - TLS V1.0 / V1.1
  - TLS V1.2
KMIP Work Items for vNext
- Next version of KMIP standard expected Q4 2011
- Additions to protocol under discussion
  - permissions and groups
  - client registration
  - expanded server-to-server use cases
  - authentication methods
- Additions to profiles include expanded certificate services and asymmetric key functionality
- Enhanced interoperability testing
KMIP V1.0 Documents
- http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf
- http://docs.oasis-open.org/kmip/spec/v1.0/
- http://docs.oasis-open.org/kmip/ug/v1.0/
- http://docs.oasis-open.org/kmip/profiles/v1.0/
- http://docs.oasis-open.org/kmip/usecases/v1.0/
KMIP: Interoperability for the Cryptographic Ecosystem
[Diagram: the enterprise cryptographic environments from the earlier slides, all connected to a single Enterprise Key Management System through the Key Management Interoperability Protocol]