KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.

Presentation transcript:

2 Purpose of HSM (Hardware Security Module)
- Hardware-based key storage device
- Provides high assurance: FIPS Level 2 & 3
- Creates, stores and manages various cryptographic objects:
   - Symmetric Keys
   - Asymmetric Keys
   - Certificates
- Provides crypto acceleration and root of trust (trust anchor)
- Available in PCI as well as network appliance versions with multiple partitions
- NIST disapproves of key material leaving the FIPS boundary

3 Enterprise Key Management for HSMs
[Diagram: EKM Management Console managing remote HSMs over KMIP. Labelled elements: Key Archive, Backup/Archive, Initialization, Activation, Audit Log, Application, HSM with EKM Client, HSM with EKM Client.]
- EKM (Enterprise Key Management): centralized key management; remote sites handle only IT-related activities
- KMIP (Key Management Interoperability Protocol): allows for interoperability between
   1. differing device types
   2. devices from different vendors

4 Centralized Administration of HSMs with EKM
[Diagram: Backup HSM and Key Archive, HSM with multiple partitions, Application + HSM with EKM Client, Database + HSM with EKM Client, EKM with Web Browser, Key Secure, Audit Log, Initialization, Activation, connected over KMIP.]
- Centrally see all keys created and used by HSMs
- Stores and manages key attributes
- Centralized audit for compliance

5 General idea behind MDO keys
- Core Server Functionality = Key Mgmt + Key Usage
- Where does the key usage happen?
   - at the server
   - at the client (HSM case)
- Cryptographic Objects = Key Material + Meta Data
- If key usage can be restricted only to clients, why not keep the key material there and only transfer Meta Data?
[Diagram labels: Application, HSM, Server, Key material perimeter.]

6 KMIP commands and MDO keys
- Supported KMIP Commands: Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query
- MDO KMIP Commands: Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query

7 Registered Object Meta-Data
KMIP Register operation in detail (columns: Tag (hex) | Type | Length | Value)

Regular KMIP Request
Request Message (0x420078) | 0x01 | |
  Request Header (0x420077) | 0x01 | …
  Batch Item (0x42000f) | 0x01 | |
    Operation (0x42005c) | 0x05 | 0x | 0x
    Unique Batch Item ID (0x420093) | 0x08 | 0x | 39
    Request Payload (0x420079) | 0x01 | |
      Object Type (0x420057) | 0x05 | 0x | 0x
      Template-Attribute (0x420091) | 0x01 | |
        Attribute (0x420008) | 0x01 | |
          Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Usage Mask
          Attribute Value (0x42000b) | 0x02 | 0x | 0x
        Attribute (0x420008) | 0x01 | |
          Attribute Name (0x42000a) | 0x07 | 0x | Name
          Attribute Value (0x42000b) | 0x01 | |
            Name Value (0x420055) | 0x07 | 0x | mykey
            Name Type (0x420054) | 0x05 | 0x | 0x
      Symmetric Key (0x42008f) | 0x01 | |
        Key Block (0x420040) | 0x01 | |
          Key Format Type (0x420042) | 0x05 | 0x | 0x
          Key Value (0x420045) | 0x01 | |
            Key Material (0x420043) | 0x08 | 0x | ab cd ef …
          Cryptographic Algorithm (0x420028) | 0x05 | 0x | 0x
          Cryptographic Length (0x42002a) | 0x02 | 0x | 0x

8 KMIP Register operation in detail

Regular KMIP Request: identical to the Register request shown on slide 7.

MDO KMIP Request
Request Message (0x420078) | 0x01 | 0x |
  Request Header (0x420077) | 0x01 | …
  Batch Item (0x42000f) | 0x01 | 0x | Re
    Operation (0x42005c) | 0x05 | 0x | 0x
    Unique Batch Item ID (0x420093) | 0x08 | 0x | 30
    Request Payload (0x420079) | 0x01 | 0x |
      Object Type (0x420057) | 0x05 | 0x | 0x
      Template-Attribute (0x420091) | 0x01 | 0x000000e8 |
        Attribute (0x420008) | 0x01 | 0x |
          Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Algorithm
          Attribute Value (0x42000b) | 0x05 | 0x | 0x
        Attribute (0x420008) | 0x01 | 0x |
          Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Length
          Attribute Value (0x42000b) | 0x02 | 0x | 0x
        Attribute (0x420008) | 0x01 | 0x |
          Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Usage Mask
          Attribute Value (0x42000b) | 0x02 | 0x | 0x
        Attribute (0x420008) | 0x01 | 0x |
          Attribute Name (0x42000a) | 0x07 | 0x | Name
          Attribute Value (0x42000b) | 0x01 | 0x |
            Name Value (0x420055) | 0x07 | 0x | mykey
            Name Type (0x420054) | 0x05 | 0x | 0x
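As an added example (not from the slides or from either vendor's code), the two Register payloads of slides 7 and 8 encoded as KMIP TTLV in Python, plus a walker that checks the slide-5 perimeter property: the MDO payload carries no Key Material item at all. Tag, type and enumeration values are the KMIP 1.x specification values; the 16-byte key bytes and the name "mykey" are constructed sample input.

```python
import struct
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08  # TTLV types
TAG = {"Request Payload": 0x420079, "Object Type": 0x420057, "Template-Attribute": 0x420091, "Attribute": 0x420008,
       "Attribute Name": 0x42000a, "Attribute Value": 0x42000b, "Name Value": 0x420055, "Name Type": 0x420054,
       "Symmetric Key": 0x42008f, "Key Block": 0x420040, "Key Format Type": 0x420042, "Key Value": 0x420045,
       "Key Material": 0x420043, "Cryptographic Algorithm": 0x420028, "Cryptographic Length": 0x42002a}

def ttlv(tag, typ, value):
    """One item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8 bytes."""
    if typ == STRUCTURE:
        body, length = b"".join(value), sum(len(v) for v in value)  # children are already aligned
    elif typ in (INTEGER, ENUMERATION):
        body, length = struct.pack(">i", value) + b"\x00" * 4, 4     # 4-byte value + 4 pad bytes
    else:                                                           # TEXT_STRING / BYTE_STRING
        raw = value.encode() if isinstance(value, str) else value
        body, length = raw + b"\x00" * (-len(raw) % 8), len(raw)
    return struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", length) + body
def attribute(name, typ, value):
    """Attribute structure = Attribute Name (text string) + Attribute Value (typed)."""
    return ttlv(TAG["Attribute"], STRUCTURE, [ttlv(TAG["Attribute Name"], TEXT_STRING, name),
                                             ttlv(TAG["Attribute Value"], typ, value)])
def register_payload(mdo, key_material=b"\xab\xcd\xef" + b"\x00" * 13):  # constructed sample key bytes
    """Register payload for a 128-bit AES key. mdo=True sends meta-data only: no Key Block."""
    name = [ttlv(TAG["Name Value"], TEXT_STRING, "mykey"), ttlv(TAG["Name Type"], ENUMERATION, 0x01)]
    attrs = [attribute("Cryptographic Usage Mask", INTEGER, 0x0C),       # Encrypt | Decrypt
             attribute("Name", STRUCTURE, name)]
    if mdo:  # algorithm and length become attributes because no Key Block carries them
        attrs = [attribute("Cryptographic Algorithm", ENUMERATION, 0x03),  # AES
                 attribute("Cryptographic Length", INTEGER, 128)] + attrs
    items = [ttlv(TAG["Object Type"], ENUMERATION, 0x02),                 # Symmetric Key
             ttlv(TAG["Template-Attribute"], STRUCTURE, attrs)]
    if not mdo:  # regular Register: the key bytes themselves ride inside the Key Block
        key_block = [ttlv(TAG["Key Format Type"], ENUMERATION, 0x01),     # Raw
                     ttlv(TAG["Key Value"], STRUCTURE, [ttlv(TAG["Key Material"], BYTE_STRING, key_material)]),
                     ttlv(TAG["Cryptographic Algorithm"], ENUMERATION, 0x03),
                     ttlv(TAG["Cryptographic Length"], INTEGER, 128)]
        items.append(ttlv(TAG["Symmetric Key"], STRUCTURE, [ttlv(TAG["Key Block"], STRUCTURE, key_block)]))
    return ttlv(TAG["Request Payload"], STRUCTURE, items)
def tags_in(blob):
    """Walk a TTLV blob and list every tag in it, recursing into structures and skipping padding."""
    tags, i = [], 0
    while i < len(blob):
        typ, length = blob[i + 3], struct.unpack(">I", blob[i + 4:i + 8])[0]
        tags.append(int.from_bytes(blob[i:i + 3], "big"))
        if typ == STRUCTURE:
            tags += tags_in(blob[i + 8:i + 8 + length])
        i += 8 + length + (-length % 8)
    return tags
```

With these attribute names the encoded MDO Template-Attribute comes out 232 bytes long, which matches the 0x000000e8 length visible on slide 8.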

9 New key format
- What happened to Key Format in the previous request?
   - Key Format is not a full-fledged attribute
   - Absence of the object => custom key format
   - Key Format is purely internal

10 KMIP Updates for MDO keys
- Crypto Domain Parameters
   - Crypto parameters need to be a part of the Register command, not only Create Key Pair
- ECC Enumeration
   - Need a broader set of supported curves

11 Questions?
Thank you.