The OASIS KMIP Standard: Interoperability for the Cryptographic Ecosystem
Jon Geater, OASIS KMIP TC
With thanks to Bob Griffin, co-chair, OASIS KMIP TC
www.oasis-open.org

KMIP Overview

Often, Each Cryptographic Environment Has Its Own Key Management System
[Diagram: enterprise cryptographic environments (collaboration and content management systems, portals, production database, disk arrays, enterprise applications, CRM, backup system, WAN, LAN, VPN, replica, file server, backup disk, eCommerce applications, business analytics, staging, dev/test, obfuscation, email, backup tape), each tied to its own key management system.]

Often, Each Cryptographic Environment Has Its Own Protocol
[Diagram: the same environments, each reaching its own key management system over disparate, often proprietary protocols.]

KMIP: Single Protocol Supporting Enterprise Cryptographic Environments
[Diagram: the same environments all reaching a single enterprise key management system over the Key Management Interoperability Protocol.]

What is KMIP
- The Key Management Interoperability Protocol (KMIP) enables key lifecycle management.
- KMIP supports legacy and new cryptographic-enabled applications, supporting symmetric keys, asymmetric keys, digital certificates, and other "shared secrets."
- KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
- KMIP defines the protocol for communication between cryptographic clients and key-management servers.
- Key lifecycle operations supported include generation, submission, retrieval, and deletion of cryptographic objects.
- Vendors will deliver KMIP-enabled cryptographic applications that support communication with compatible KMIP key-management servers.

What is KMIP
[Diagram: on the key client, the application API works on an internal representation, which KMIP Encode turns into the wire form and KMIP Decode turns back; the key server mirrors this (KMIP Decode, internal representation, API, KMIP Encode); the two sides exchange KMIP messages over the transport.]

KMIP status
- KMIP Technical Committee was established in OASIS in April 2009
- KMIP V1.0 standard approved end-September 2010
- Submissions included at the time of TC creation: draft specification, usage guide and use cases
- Initial membership included most significant vendors in cryptographic solutions and key management and has continued to grow.
- Revision of initial submissions April-October 2009
- First public review Nov/Dec 2009
- Revision of documents Jan-April 2010
- Second public review May/June 2010
- Approval of KMIP V1.0 docs as OASIS standard Sept 2010
- 2 public interops completed
- KMIP V1.0 conformance defined in terms of server profiles, such as Symmetric Key Foundry

KMIP Profiles
- Purpose is to define what any implementation of the specification must adhere to in order to claim conformance to the specification
- Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction.
- Define a set of normative constraints for employing KMIP within a particular environment or context of use.
- Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors.
- Three profiles defined in V1.0:
  - Secret data
  - Symmetric key store
  - Symmetric key foundry
- Profiles are further qualified by authentication suite:
  - TLS V1.0 / V1.1
  - TLS V1.2

KMIP Work Items for vNext
- Next version of KMIP standard expected Q4 2011
- Additions to protocol under discussion:
  - permissions and groups
  - client registration
  - expanded server-to-server use cases
  - authentication methods
- Additions to profiles include expanded certificate services and asymmetric key functionality.
- Enhanced interoperability testing

KMIP V1.0 Documents
- http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf
- http://docs.oasis-open.org/kmip/spec/v1.0/
- http://docs.oasis-open.org/kmip/ug/v1.0/
- http://docs.oasis-open.org/kmip/profiles/v1.0/
- http://docs.oasis-open.org/kmip/usecases/v1.0/

KMIP: Interoperability for the Cryptographic Ecosystem
[Diagram: the enterprise cryptographic environments from the earlier slides, all reaching an enterprise key management system over the Key Management Interoperability Protocol.]
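As an added example that is not from the slides or from the OASIS TC, the encode / transport / decode path of the "What is KMIP" diagram in Python: the client builds a KMIP 1.0 Get request (the retrieval operation listed under key lifecycle operations) in KMIP's TTLV wire encoding, and the server decodes it back to its internal representation. The TTLV layout, tag and type values are taken from the KMIP 1.0 specification linked above, which the slides do not describe, and the unique identifier passed in is a constructed sample value.

```python
import struct
# TTLV type codes and tag values below come from the KMIP 1.0 spec (section 9.1), not the slides.
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
T = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
     "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
     "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079,
     "UniqueIdentifier": 0x420094}
OP_GET = 0x0A  # Operation enumeration value for Get

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length, value zero-padded to 8."""
    if typ == STRUCTURE:
        body = b"".join(value)         # children are already encoded and padded
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if typ == INTEGER else ">I", value)
    else:
        body = value.encode("utf-8")   # TEXT_STRING
    head = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return head + body + b"\x00" * ((-len(body)) % 8)

def parse(buf):
    """Decode a run of TTLV items into (tag, type, value) tuples, recursing into structures."""
    items, pos = [], 0
    while pos < len(buf):
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ, length = struct.unpack(">BI", buf[pos + 3:pos + 8])
        raw, pos = buf[pos + 8:pos + 8 + length], pos + 8 + length + (-length) % 8
        if len(raw) != length:         # a length field must never run past the buffer
            raise ValueError("truncated TTLV item")
        if typ == STRUCTURE:
            value = parse(raw)
        elif typ in (INTEGER, ENUMERATION):
            value = struct.unpack(">i" if typ == INTEGER else ">I", raw)[0]
        else:
            value = raw.decode("utf-8") if typ == TEXT_STRING else raw
        items.append((tag, typ, value))
    return items

def build_get_request(uid):    # client side: Get one managed object by Unique Identifier
    version = ttlv(T["ProtocolVersion"], STRUCTURE, [ttlv(T["ProtocolVersionMajor"], INTEGER, 1),
                                                      ttlv(T["ProtocolVersionMinor"], INTEGER, 0)])
    header = ttlv(T["RequestHeader"], STRUCTURE, [version, ttlv(T["BatchCount"], INTEGER, 1)])
    payload = ttlv(T["RequestPayload"], STRUCTURE, [ttlv(T["UniqueIdentifier"], TEXT_STRING, uid)])
    item = ttlv(T["BatchItem"], STRUCTURE, [ttlv(T["Operation"], ENUMERATION, OP_GET), payload])
    return ttlv(T["RequestMessage"], STRUCTURE, [header, item])

def decode_get_request(request_bytes):    # server side: returns (operation, unique identifier)
    f = lambda items, name: next(v for t, _, v in items if t == T[name])
    item = f(f(parse(request_bytes), "RequestMessage"), "BatchItem")
    return f(item, "Operation"), f(f(item, "RequestPayload"), "UniqueIdentifier")
```

Nothing here touches the transport: in a deployment the bytes from build_get_request travel inside the TLS session that the authentication suites above require, and a server decoder should treat every length field as untrusted input, as parse does.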