Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.

Slides:



Advertisements
Similar presentations
PKCS-11 Protocol for Enterprise Key Management
Advertisements

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
KMIP 1.3 SP Issues Joseph Brand / Chuck White / Tim Hudson December 12th,
Cryptography and Network Security Chapter 14
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security Essentials Chapter 4
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
KMIP Use Cases Update on the process. Agenda Goals Process Flow, Atomics, Batch, Composites, and Not KMIP Evaluating the Document in light of the Goals.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
Chapter 10: Authentication Guide to Computer Network Security.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
70-411: Administering Windows Server 2012
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.
Bob: Hello and welcome to this webinar on the OASIS Key Management Interoperability Protocol., or KMIP. My name is Bob Griffin, Chief.
Practices in Security Bruhadeshwar Bezawada. Key Management Set of techniques and procedures supporting the establishment and maintenance of keying relationships.
SEC835 Practical aspects of security implementation Part 1.
1 The OASIS KMIP Standard: Interoperability for the Cryptographic Ecosystem Jon Geater OASIS KMIP TC With thanks to Bob Griffin, co-chair,
Configuring Directory Certificate Services Lesson 13.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Web Security : Secure Socket Layer Secure Electronic Transaction.
KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob.
Module 9: Fundamentals of Securing Network Communication.
Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.
Advanced Windows 8 Apps Using JavaScript Jump Start Exam Prep M5: Data, Files, and Encryption Michael Palermo Microsoft Technical Evangelist Jeremy.
1 Key Management Interoperability Protocol (KMIP)
SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
Creating and Managing Digital Certificates Chapter Eleven.
Get Random Proposal John Leiseboer 11 October 2012.
Bob: Hello and welcome to this webinar on the OASIS Key Management Interoperability Protocol., or KMIP. My name is Bob Griffin, Chief.
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.
© SafeNet Confidential and Proprietary KMIP Entity Object and Client Registration Alan Frindell Contributors: Robert Haas, Indra Fitzgerald SafeNet, Inc.
Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.
1 Key Management Interoperability Protocol (KMIP)
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
Cryptography and Network Security
Authentication Applications
CS691 M2009 Semester Project PHILIP HUYNH
KMIP Key Management with Vormetric Data Security Manager
Enterprise Key Management with OASIS KMIP
Enabling Encryption for Data at Rest
Enabling Encryption for Data at Rest
CS691 M2009 Semester Project PHILIP HUYNH
Organization for the Advancement of Structured Information Standards
Access Control in KMIPv1.1/v2
KMIP Entity Object and Client Registration
Digital Certificates and X.509
Presentation transcript:

Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle

Agenda Security and privacy for the Smart Grid Key management standards for the Smart Grid Authentication and authorization standards for the Smart Grid

Agenda Security and privacy for the Smart Grid Key management standards for the Smart Grid Authentication and authorization standards for the Smart Grid

Interoperable Key Management and the Smart Grid Smart Grid represents a complex, multi-vendor environments. Smart Grid will require a range of cryptographic technologies Deploying multiple key management systems results in: – Cumbersome, often manual efforts to manage keys – Increased costs and risks for the utility and consumer – Challenges meeting audit and compliance requirements - 4 -

Enterprise Cryptographic Environments Key Management System Disk Arrays Backup Disk Backup Tape Backup System Collaboration & Content Mgmt Systems File Server Portals Production Database Replica Staging Enterprise Applications eCommerce Applications Business Analytics Dev/Test Obfuscation WAN LAN VPN Key Management System CRM Often, Each Cryptographic Environment Has Its Own Key Management System - 5 -

Often, Each Cryptographic Environment Has Its Own Protocol Enterprise Cryptographic Environments Key Management System Disk Arrays Backup Disk Backup Tape Backup System Collaboration & Content Mgmt Systems File Server Portals Production Database Replica Staging Enterprise Applications eCommerce Applications Business Analytics Dev/Test Obfuscation WAN LAN VPN Key Management System CRM Disparate, Often Proprietary Protocols - 6 -

Enterprise Cryptographic Environments Enterprise Key Management Disk Arrays Backup Disk Backup Tape Backup System Collaboration & Content Mgmt Systems File Server Portals Production Database Replica Staging Key Management Interoperability Protocol Enterprise Applications eCommerce Applications Business Analytics Dev/Test Obfuscation WAN LAN VPN CRM KMIP: Single Protocol Supporting Enterprise Cryptographic Environments - 7 -

KMIP to Commercial Meter Utility Digital Certificate Use Case KMIP to low-end Residential Meter KMIP to Industrial Meter - 8 -

Storage Array Tape Library SAN Application Server Application Enterprise Key Manager Symmetric Encryption Use Case Key Management Interoperability Protocol - 9 -

Asymmetric Encryption Use Case Public Key KMIP

Enterprise Key Manager Request Header Get Unique Identifier Symmetric Key Response Header Unique Identifier Key Value KMIP Request / Response Model Encrypted data Unencrypted data Commercial Meter Utility Name: XYZ SSN: Acct No: 45YT-658 Status: *&^%$#&%$#$%*!^

Transport-Level Encoding Key Client Key Server API Internal representationTransportInternal representationTransport KMIP Encode KMIP Decode API KMIP

KMIP defines a set of standardized Operations that apply to Managed Objects that consist of Attributes and possibly cryptographic material Create Create Key Pair Register Re-key Derive Key Certify Re-certify Locate Check Get Get Attributes Get Attribute List Add Attribute Modify Attribute Delete Attribute Obtain Lease Get Usage Allocation Activate Revoke Destroy Archive Recover Validate Query Cancel Poll Notify Put Unique Identifier Name Object Type Cryptographic Algorithm Cryptographic Length Cryptographic Parameters Cryptographic Domain Parameters Certificate Type Certificate Identifier Certificate Issuer Certificate Subject Digest Operation Policy Name Cryptographic Usage Mask Lease Time Usage Limits State Initial Date Activation Date Process Start Date Protect Stop Date Deactivation Date Destroy Date Compromise Occurrence Date Compromise Date Revocation Reason Archive Date Object Group Link Application Specific Information Contact Information Last Change Date Custom Attribute Certificate Symmetric Key Public Key Private Key Split Key Template Secret Data Opaque Object Managed ObjectsProtocol OperationsObject Attributes Key Block (for keys) or Value (for certificates)

Base Objects Base Objects are: – Components of Managed Objects: Attribute, identified by its Attribute Name Key Block, containing the Key Value, either – in the clear, either in raw format, or as a transparent structure – or “wrapped” using Encrypt, MAC/Sign, or combinations thereof – possibly together with some attribute values – Elements of protocol messages: Credential, used in protocol messages – Parameters of operations: Template attribute, containing template names and/or attribute values, used in operations

Managed Objects Managed Cryptographic Objects – Certificate, with type and value – Symmetric Key, with Key Block – Public Key, with Key Block – Private Key, with Key Block – Split Key, with parts and Key Block – Secret Data, with type and Key Block Managed Objects – Template Template has a subset of Attributes that indicate what an object created from such a template is – Opaque Object, without Key Block Certificate Symmetric Key Public Key Private Key Split Key Template Secret Data Opaque Object Managed Objects Key Block (for keys) Or value (fo mcertificates)

Attributes Attributes contain the “metadata” of a Managed Object – Its Unique Identifier, State, etc – Attributes can be searched with the Locate operation, as opposed to the content of the Managed Object Setting/modifying/deleting Attributes – Only some of the Attributes are set with specific values at object creation, depending on the object type For instance, the Certificate Type Attribute only exists for Certificate objects – Some Attributes are implicitly set by certain operations Certificate Type is implicitly set by Register, Certify, and Re-certify – Client can set explicitly some of the Attributes Certificate Type cannot be set by the client – Not all Attributes can be added, or subsequently modified or deleted once set Certificate Type cannot added, modified or deleted – Some Attributes can have multiple values (or instances) organized with indices For instance, a Symmetric Key object may belong to multiple groups, hence its Object Group Attribute will have multiple values

Attributes Attributes defined Unique Identifier Name Object Type Cryptographic Algorithm Cryptographic Length Cryptographic Parameters Cryptographic Domain Parameters Certificate Type Certificate Identifier Certificate Issuer Certificate Subject Digest Operation Policy Name Cryptographic Usage Mask Lease Time Usage Limits State Initial Date Activation Date Process Start Date Protect Stop Date Deactivation Date Destroy Date Compromise Occurrence Date Compromise Date Revocation Reason Archive Date Object Group Link Application Specific Information Contact Information Last Change Date Custom Attribute Describes what “is” the object Describes how to “use” the object Describes other features of the object

Client-to-server Operations Operation consists of a request from client followed by server response Multiple operations can be batched in a single request-response pair – ID Placeholder can be used to propagate the value of the object’s Unique Identifier among operations in the same batch – Can be used to implement atomicity Requests may contain Template-Attribute structures with the desired values of certain attributes Responses contain the attribute values that have been set differently than as requested by the client

Client-to-server Operations client-to-server operations defined Create Create Key Pair Register Re-key Derive Key Certify Re-certify Locate Check Get Get Attributes Get Attribute List Add Attribute Modify Attribute Delete Attribute Obtain Lease Get Usage Allocation Activate Revoke Destroy Archive Recover Validate (optional) Query Cancel (optional) Poll (optional) Notify (optional) Put (optional) Generate objects Set/get attributes Use the objects Support for asynchronous responses Support of optional operations Search and obtain objects Server-to-client operations

Server-to-client Operations Unsolicited messages from the server to the client with the following operations: – Notify operation, used by server to inform client about attribute-value changes – Push operation, used by server to provide an object and attributes to client, indicating whether the new object is replacing an existing object or not – Batching can be used

LEN … TagLenValueTagLenValue LEN … TagLenValueTagLenValue KMIP Messages in TTLV Format Type

Authentication Authentication is external to the protocol All servers should support at least – TLS 1.2 Authentication message field contains the Credential Base Object – Allows inclusion of additional credential information *&^%$#&%$#$%*!^ @!$%!%!%!%^& *&^%$#&%$#$%*!^ Enterprise Key Manager Identity certificate TLS

Agenda Security and privacy for the Smart Grid Key management standards for the Smart Grid Authentication and authorization standards for the Smart Grid

Questions? Hal

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.