© 2010 IBM Corporation 23 September 2015 KMIP Server-to-server: use-cases and status Marko Vukolic Robert Haas

Slides:



Advertisements
Similar presentations
IPP Notification Subscriptions Event Notification.
Advertisements

Distributed Data Processing
Categories of I/O Devices
Chapter 10: Designing Databases
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
KMIP 1.3 SP Issues Joseph Brand / Chuck White / Tim Hudson December 12th,
Secure Socket Layer.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 10 September, 2010 Encoding Options for Key Wrap.
Key Wrapping in KMIP Mark Joseph, P6R Inc 2/27/2015.
CS 111 – Nov. 17 Enterprise databases –Goals –Examples –Many-to-many relationship –Restricting one’s view of entire database –Design considerations –Concurrency.
© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice KMIP Key Naming for Removable Media.
File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.
OSD Metadata Management
Data Sharing in OSD Environment Dingshan He September 30, 2002.
Distributed Systems Fall 2009 Replication Fall 20095DV0203 Outline Group communication Fault-tolerant services –Passive and active replication Highly.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Topics 1.Security options and settings 2.Layer 2 vs. Layer 3 connection types 3.Advanced network and routing options 4.Local connections 5.Offline mode.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.
Data Grid Web Services Chip Watson Jie Chen, Ying Chen, Bryan Hess, Walt Akers.
Inexpensive Scalable Information Access Many Internet applications need to access data for millions of concurrent users Relational DBMS technology cannot.
Why Interchange?. What is Interchange? Interchange Capabilities: Offers complete replacement of CommBridge point-to-point solution with a hub and spoke.
1 Networks, advantages & types of What is a network? Two or more computers that are interconnected so they can exchange data, information & resources.
Barracuda Load Balancer Server Availability and Scalability.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.
KMIP Cloud Use Case Kiran Thota – VMware Inc. Saikat Saha – Oracle Corp.
IMS 4212: Distributed Databases 1 Dr. Lawrence West, Management Dept., University of Central Florida Distributed Databases Business needs.
Irwin/McGraw-Hill Copyright © 2004 The McGraw-Hill Companies. All Rights reserved Whitten Bentley DittmanSYSTEMS ANALYSIS AND DESIGN METHODS6th Edition.
IP Ports and Protocols used by H.323 Devices Liane Tarouco.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.
Database Design – Lecture 16
Application-Layer Anycasting By Samarat Bhattacharjee et al. Presented by Matt Miller September 30, 2002.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
IEEE R lmap 23 Feb 2015.
Electronic Commerce & Marketing. What is E-Commerce? Business communications and transactions over networks and through computers, specifically –The buying.
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.
HSM Management Use-case Summary KMIP F2F Sep 2012 Denis Pochuev
Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice HP Library Encryption - LTO4 Key.
Application code Registry 1 Alignment of R-GMA with developments in the Open Grid Services Architecture (OGSA) is advancing. The existing Servlets and.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Internet Authentication Service.
Reconsidering Internet Mobility Alex C. Snoeren, Hari Balakrishnan, M. Frans Kaashoek MIT Laboratory for Computer Science.
Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.
Architecture Models. Readings r Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 m Note: All figures from this book.
Overview of analysis of existing SDO M2M architectures Group Name: REQ ARC#2 Source: Alcatel-Lucent.
Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.
Get Random Proposal John Leiseboer 11 October 2012.
© 1stworks Corp. The Connected Community 85% of US corporations have a PC 75% of these PCs have an Internet connection 50% of US households have a PC 80%
Linux Operations and Administration
1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 23 September, 2010 Encoding Options for Key Wrap.
Enterprise Computing with Jini Technology Mark Stang and Stephen Whinston Jan / Feb 2001, IT Pro presented by Alex Kotchnev.
Chapter 6 Discovering the Scope of the Incident Spring Incident Response & Computer Forensics.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 26 October, 2010 Encoding Options for Key Wrap of.
AFS/OSD Project R.Belloni, L.Giammarino, A.Maslennikov, G.Palumbo, H.Reuter, R.Toebbicke.
Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore
September, 2005What IHE Delivers 1 Patient Index and Demographic Implementation Strategies IHE Vendors Workshop 2006 IHE IT Infrastructure Education Rick.
1 Options Clearing Corporation Encore Data Distribution Services April 22, 2004.
1 Information Retrieval and Use De-normalisation and Distributed database systems Geoff Leese September 2008, revised October 2009.
DICOMwebTM 2015 Conference & Hands-on Workshop University of Pennsylvania, Philadelphia, PA September 10-11, 2015 DICOMweb Workflow API (UPS-RS) Jonathan.
© 2012 IBM Corporation IBM Linear Tape File System (LTFS) Overview and Demo.
Client-Server Interaction
KMIP Server-to-server: use-cases and status
EECS 498 Introduction to Distributed Systems Fall 2017
Access Control in KMIPv1.1/v2
Presentation transcript:

© 2010 IBM Corporation 23 September 2015 KMIP Server-to-server: use-cases and status Marko Vukolic Robert Haas contributors HP - Stan Feather (Dec 2,

© 2010 IBM Corporation IBM Research - Zurich 23 September Server to server (s2s): Focal use cases 1.Propagating key material closer to endpoints, e.g., –Example 1 (retail store) A retail store operation with each store relying on encrypted storage Network connectivity with the central key management server (CKMS) not reliable Small subset of the keys needed to be served locally, but the management is at CKMS Keys at local key-management servers could be read-only, with pre-allocated usage or lease time The local server needs to communicate with the CKMS –Example 2 (e-commerce websites) Multiple e-commerce websites centrally managed (CKMS) Some keys need to be pushed down from CKMS (readable locally), i.e., with CKMS exporting the keys 2.Propagating key material updates towards the central key manager –A large multinational bank needs the information about cryptographic material from distributed Location B in central Location A (but not vice versa) 3.Business-partner data exchange –Propagation of keys between KMIP servers to facilitate business partner data exchange -Example 3 (Collaborative development with offline key exchange) -Company A creates data to be processed by Company B. -Both companies have KMIP servers, behind separate firewalls -Company A stores the data (eg, encrypted tapes) and delivers the data to Company B -Company A transmits wrapped keys to Company B. -Exported attributes may be more restrictive than for the local keys -Company B registers the keys and attributes on their server. -Company B uses keys. -B’s server enforces restrictions set by Company A -Example 4 (Collaboration, with direct key exchange) -Similar to example 3, but servers have network access across firewalls (potentially temporary) -Rather than Company B registering the keys, Server A uses Put to transfer keys to Server B

© 2010 IBM Corporation IBM Research - Zurich 23 September Server to server (s2s): Focal use cases (continued) 5.Partitioning –A KMIP server needs to be partitioned into more servers 6.KMIP server acting as the gateway/proxy –A less capable KMIP server may need to proxy client’s request to the more capable KMIP server (e.g., to interact with a PKI)

© 2010 IBM Corporation IBM Research - Zurich 23 September Server to server (s2s): Deferred and excluded use cases Deferred use cases: –Replication (fault-tolerance) –Exchange of different server policies and their enforcement –M&A A company acquires another and cryptographic objects from different KMIP servers need to be merged Excluded use cases (to be handled via mechansims outside KMIP): –Backup, Data Loss Prevention –Load balancing/Delegation

© 2010 IBM Corporation IBM Research - Zurich 23 September KMIP Implications of s2s: Summary Useful operations are optional (Notify, Put) –KMIPv2: make Notify and Put mandatory for a s2s compliant KMIP server KMIPv2: More attributes are needed –e.g., Master, Slaves Other issues (KMIPv2) –UUID, Name collisions across different servers. –Locate does not return an indication to the client whether there are more objects matching the query, nor the means to “resume” such a Locate (KMIPv2) Bulk export/import can be only partially emulated (using batched operations) –support for “Get All Attributes” (fixed in KMIPv1.0) The behavior of Put when Replaced Unique Identifier ruuid is specified, but the object with ruuid does not exist on the remote end needs to be specified (fixed in KMIPv1.0) Notify does not support notification about deleted attributes (fixed in KMIPv1.0) Other issues (fixed in KMIPv1.0) –Cannot Locate all –Locate supports wildcards only for Name and Object group

© 2010 IBM Corporation IBM Research - Zurich 23 September Next steps summary Write up detailed scenarios around focal use-cases Address server representation/registration (cf. client registration) –“Entity” to represent servers as well, incl. contact info (IP address) to facilitate communication Define additional attributes –Master/Slave –Interact with AC (e.g., Slave permissions). Can a Slave perform read-only, or pre- allocated usage, or … Say something about UUID, Name collisions across servers Provide means to continue/resume a Locate

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.