KMIP Use Cases: Update on the Process
Agenda
- Goals
- Process Flow, Atomics, Batch, Composites, and Not KMIP
- Evaluating the Document in light of the Goals
- Next Steps
- Example Process Flows

Goals
- Create a cookbook of applied KMIP operations
- Demonstrate how the specification today can be applied
- Make the document readable to non-OASIS / non-KMIP-TC readers
- Demonstrate specification maturity

Process Flow, Managed Objects, Atomics, Batch, Composites, and Not KMIP
- Process Flow: taken straight from the Use Case document; the steps needed to perform a use case.
- Managed Objects: given a process flow, which KMIP Managed Objects can be applied to the process.
- Atomics: single KMIP operations that can be applied to a process step (or that serve as the components of batch or composite operations).
- Batch Operations: single operations carried in serial within one request message, as per the specification.
- Composite Operations: a series of KMIP atomic operations that require server or client processing that tracks state or applies other logic across the individual operations.
  - Composite operations are where vendor interpretation is required to implement.
  - This is the point at which vendors can provide value in their unique implementations.
- Not KMIP: a process flow step that is best implemented outside the specification.
  - There is nothing wrong with KMIP not doing everything.
  - Brief reminder of one of the 12 truths: "In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away" (IETF RFC 1925).

Evaluating the Document
In light of the goals:
- Patterns of utilization: when applying atomic, batch, and composite KMIP commands, patterns of use start to become self-evident. This is a good thing.
- Process Flow: a means of evaluating which operations and managed objects can be applied.
- Many use cases were removed because they were not directly associated with the specification as it stands, specifically the Policy use cases. Policy is a very good thing, but until the TC comes to terms on what it looks like there is no value in adding it to a use case.
- Worth noting that a number of use cases were incomplete: either the information was not presented in the prescribed format in the document, or there was no information at all.
- For those use cases that had applicable process flows and were complete, we evaluated the use case for Managed Objects, Atomic, Batch, Composite, and Not KMIP operations. This is the previously mentioned chainsaw.

Next Steps
- Build out the applicable use cases that were not formatted correctly and apply Managed Objects, Atomics, Batch, Composite, and Not KMIP operations.
- Add some new use cases, focusing on KMIP 1.3 operations as well as new fields of use such as communications.
- Attempt to define use cases for each class of operation.
- Revise the prescribed format to make the Use Cases document more readable by non-TC members.

Example Process Flows

9.1 Use Case KSTUC-1: Storage Device Requests Key from KMS
Managed Objects: Symmetric Key
Process Flow
- Storage device requests key creation. (Not KMIP)
  - Storage device sends a key creation request to the KMC component. (Not KMIP)
  - KMC component in the enterprise securely sends a request to the KMS component. (Batch: KMIP Create, KMIP Get)
- Storage device receives the response from the system. (Batch Response: KMIP Create, KMIP Get)
  - KMS creates the key and the response message and securely sends the message to the KMC component. (Batch Response: KMIP Create, KMIP Get)
  - KMC component sends the response to the storage device component. (Not KMIP)

5.2 Use Case HM-2: Local Key Foundry with Key Wrapping
Managed Objects: Certificate, Symmetric Key, PGP Key, Public Key, Private Key, Secret Object, Opaque Object
Process Flow
- Xerxes logs into the KMS. (Not KMIP)
- Xerxes lists all Object Identifiers known to the KMS, which includes all keys residing on HSMs in the enterprise. (KMIP Locate)
- Xerxes creates an AES-256 symmetric key on the KMS using the KMS HSM Management UI; the key is subsequently imported to Partition B on HSM-1. (KMIP Create, KMIP Get (UUID), KMIP Register)
- Xerxes deactivates key KEY1 on the KMS; KEY1's state transition is replicated to Partition C of HSM-2. (KMIP Modify Attribute (State). Note that in KMIP 1.x the State attribute is modifiable only by the server, so the atomic a client actually sends for this transition is KMIP Revoke.)
- Using the KMS UI, Xerxes finds all DES keys associated with all registered HSMs and destroys them. All keys are destroyed on the corresponding partitions across all registered HSMs. (KMIP Locate (Cryptographic Algorithm = DES), KMIP Destroy. Keys still in the Active state must be deactivated before Destroy succeeds.)
- Xerxes clones the key material from an existing HSM partition (2A) to a new module using the KMS UI. (Composite: KMIP Locate, KMIP Get, KMIP Get Attributes, KMIP Register)
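The following toy model is an added example for this page; it is not material from the use-case document, the KMIP TC, or any vendor's KMS. It shows the three operation classes defined earlier on the flows above: the KSTUC-1 batch (Create then Get, with the Get taking the server-side ID Placeholder left by the Create), the DES clean-up (Locate then Destroy, including the failure when a key is still Active), and the HM-2 clone as a client-side composite (Locate, Get, Get Attributes, Register) in which the loop and the attribute rewrite are vendor logic rather than protocol. The class and function names (ToyKms, clone_partition), the in-memory store, the "Partition" custom attribute and the exact error strings are assumptions of this model; the state rules (State is not client-modifiable, Revoke deactivates, Destroy is refused on an Active object) follow KMIP 1.x but everything else is simplified.

```python
"""Toy in-memory model of KMIP atomics, a batch with the ID Placeholder,
and a client-side composite.  Hypothetical stand-in, not a real KMS."""
import os
import uuid
from dataclasses import dataclass, field


class KmipError(Exception):
    """Stands in for a batch item Result Status of Operation Failed."""


@dataclass
class ManagedObject:
    algorithm: str
    length: int          # Cryptographic Length in bits
    material: bytes      # Key Block value
    state: str = "Pre-Active"
    attributes: dict = field(default_factory=dict)   # e.g. a custom "Partition"


class ToyKms:
    """Server side.  Each public method is one atomic KMIP operation."""

    def __init__(self):
        self.objects = {}

    def _lookup(self, uid):
        if uid not in self.objects:
            raise KmipError("Item Not Found")
        return self.objects[uid]

    def create(self, algorithm, length, attributes=None):
        uid = str(uuid.uuid4())
        self.objects[uid] = ManagedObject(algorithm, length, os.urandom(length // 8),
                                          attributes=dict(attributes or {}))
        return uid

    def register(self, algorithm, length, material, attributes=None):
        uid = str(uuid.uuid4())
        self.objects[uid] = ManagedObject(algorithm, length, material,
                                          attributes=dict(attributes or {}))
        return uid

    def get(self, uid):
        obj = self._lookup(uid)
        if obj.state == "Destroyed":
            raise KmipError("Object Destroyed")
        return obj.material

    def get_attributes(self, uid):
        obj = self._lookup(uid)
        return {"Cryptographic Algorithm": obj.algorithm,
                "Cryptographic Length": obj.length, "State": obj.state,
                **obj.attributes}

    def locate(self, **criteria):
        # Attribute names with spaces are passed via **{"Cryptographic Algorithm": "DES"}
        return [uid for uid in self.objects
                if all(self.get_attributes(uid).get(k) == v for k, v in criteria.items())]

    def activate(self, uid):
        self._lookup(uid).state = "Active"
        return uid

    def revoke(self, uid):
        # Revoke, not Modify Attribute, moves Active -> Deactivated: State is
        # server-modifiable only in KMIP 1.x.
        self._lookup(uid).state = "Deactivated"
        return uid

    def destroy(self, uid):
        obj = self._lookup(uid)
        if obj.state == "Active":
            raise KmipError("Permission Denied: object is Active, revoke it first")
        obj.material, obj.state = b"", "Destroyed"
        return uid

    def batch(self, items, error_continuation="Stop"):
        """One request message carrying several Batch Items.  An item with
        uid=None takes the ID Placeholder set by the previous Create/Register,
        which is what lets KSTUC-1 send Create and Get as a single batch.
        error_continuation models the Batch Error Continuation Option."""
        placeholder, results = None, []
        for op, kwargs in items:
            kwargs = dict(kwargs)
            if kwargs.get("uid", "") is None:
                kwargs["uid"] = placeholder
            try:
                result = getattr(self, op)(**kwargs)
                if op in ("create", "register"):
                    placeholder = result
                results.append(("Success", result))
            except KmipError as err:
                results.append(("Operation Failed", str(err)))
                if error_continuation == "Stop":
                    break
        return results


def clone_partition(kms, src_partition, dst_partition):
    """Client-side composite for HM-2: Locate, then per key Get, Get Attributes
    and Register under the new partition.  Skipping destroyed keys and
    rewriting the Partition attribute is vendor logic, not protocol."""
    cloned = {}
    for uid in kms.locate(Partition=src_partition):
        attrs = kms.get_attributes(uid)
        if attrs["State"] == "Destroyed":
            continue
        material = kms.get(uid)
        extra = {k: v for k, v in attrs.items()
                 if k not in ("Cryptographic Algorithm", "Cryptographic Length", "State")}
        extra["Partition"] = dst_partition
        cloned[uid] = kms.register(attrs["Cryptographic Algorithm"],
                                   attrs["Cryptographic Length"], material, extra)
    return cloned
```

Running the KSTUC-1 batch as `kms.batch([("create", {"algorithm": "AES", "length": 256}), ("get", {"uid": None})])` returns two Success items, the second carrying the 32-byte key; running Destroy against an Active DES key returns Operation Failed and, with the Stop continuation option, no later item in the batch is executed, which is the check the DES clean-up step in HM-2 relies on.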