KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.

2 Purpose of HSM (Hardware Security Module)
- Hardware based Key Storage Device
- Provides High Assurance:
   CC EAL 4+
   FIPS Level 2 & 3
- Full Critical Crypto Key Lifecycle Protection
   Symmetric Keys
   Asymmetric Keys
   Certificates
- Provides Crypto Acceleration and root of trust (trust anchor)
- Available in Multiple Form Factors:
   Network Appliance
   PCI Express card
   USB attached module
- NIST disapproves of key material leaving the FIPS boundary
Lifecycle diagram labels: HW based Creation, HW enforced Key Policies, HW based Usage, HW based Backup Storage, HW based Deletion

3 General idea behind MDO keys
 Core Server Functionality = Key Mgmt + Key Usage
 Where does the key usage happen?
  - at the server
  - at the client (HSM case)
 Cryptographic Objects = Key Material + Meta Data
 If key usage can be restricted only to clients, why not keep the key material there and only transfer Meta Data?
Diagram labels: Application, HSM, Server, Key material perimeter

4 Enterprise Key Management for HSMs
EKM: Centralized Key Management; remote sites handle only IT related activities
Diagram labels: Key Archive, Backup/Archive, Initialization, Activation, Audit Log, EKM Management Console, Application, HSM, EKM Client
KMIP (Key Management Interoperability Protocol) allows for interoperability between
 1. differing device types
 2. devices from different vendors

5 Centralized Administration of HSMs with EKM
Diagram labels: Backup HSM and Key Archive, HSM With Multiple Partitions, Audit Log, KeySecure, Application + HSM with EKM Client, Database + HSM with EKM Client, Initialization, Activation, EKM Web Browser, KMIP
EKM:
 Centrally see all keys created and used by HSMs
 Stores and manages key attributes
 Centralized audit for compliance

6 KMIP commands and MDO keys
 Supported KMIP Commands
  Create
  Create Key Pair
  Register
  Locate
  Get
  Get Attributes
  Get Attribute List
  Add Attribute
  Modify Attribute
  Delete Attribute
  Destroy
  Query
 MDO KMIP Commands
  Create
  Create Key Pair
  Register
  Locate
  Get
  Get Attributes
  Get Attribute List
  Add Attribute
  Modify Attribute
  Delete Attribute
  Destroy
  Query

7 Registered Object Meta-Data (KMIP Register operation in detail)
Regular KMIP Request:
 Request Message (0x420078) | 0x01 | |
   Request Header (0x420077) | 0x01 | …
   Batch Item (0x42000f) | 0x01 | |
     Operation (0x42005c) | 0x05 | 0x | 0x
     Unique Batch Item ID (0x420093) | 0x08 | 0x | 39
     Request Payload (0x420079) | 0x01 | |
       Object Type (0x420057) | 0x05 | 0x | 0x
       Template-Attribute (0x420091) | 0x01 | |
         Attribute (0x420008) | 0x01 | |
           Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Usage Mask
           Attribute Value (0x42000b) | 0x02 | 0x | 0x
         Attribute (0x420008) | 0x01 | |
           Attribute Name (0x42000a) | 0x07 | 0x | Name
           Attribute Value (0x42000b) | 0x01 | |
             Name Value (0x420055) | 0x07 | 0x | mykey
             Name Type (0x420054) | 0x05 | 0x | 0x
       Symmetric Key (0x42008f) | 0x01 | |
         Key Block (0x420040) | 0x01 | |
           Key Format Type (0x420042) | 0x05 | 0x | 0x
           Key Value (0x420045) | 0x01 | |
             Key Material (0x420043) | 0x08 | 0x | ab cd ef …
           Cryptographic Algorithm (0x420028) | 0x05 | 0x | 0x
           Cryptographic Length (0x42002a) | 0x02 | 0x | 0x

8 KMIP Register operation in detail
Regular KMIP Request:
 Request Message (0x420078) | 0x01 | |
   Request Header (0x420077) | 0x01 | …
   Batch Item (0x42000f) | 0x01 | |
     Operation (0x42005c) | 0x05 | 0x | 0x
     Unique Batch Item ID (0x420093) | 0x08 | 0x | 39
     Request Payload (0x420079) | 0x01 | |
       Object Type (0x420057) | 0x05 | 0x | 0x
       Template-Attribute (0x420091) | 0x01 | |
         Attribute (0x420008) | 0x01 | |
           Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Usage Mask
           Attribute Value (0x42000b) | 0x02 | 0x | 0x
         Attribute (0x420008) | 0x01 | |
           Attribute Name (0x42000a) | 0x07 | 0x | Name
           Attribute Value (0x42000b) | 0x01 | |
             Name Value (0x420055) | 0x07 | 0x | mykey
             Name Type (0x420054) | 0x05 | 0x | 0x
       Symmetric Key (0x42008f) | 0x01 | |
         Key Block (0x420040) | 0x01 | |
           Key Format Type (0x420042) | 0x05 | 0x | 0x
           Key Value (0x420045) | 0x01 | |
             Key Material (0x420043) | 0x08 | 0x | ab cd ef …
           Cryptographic Algorithm (0x420028) | 0x05 | 0x | 0x
           Cryptographic Length (0x42002a) | 0x02 | 0x | 0x
MDO KMIP Request:
 Request Message (0x420078) | 0x01 | 0x |
   Request Header (0x420077) | 0x01 | …
   Batch Item (0x42000f) | 0x01 | 0x | Re
     Operation (0x42005c) | 0x05 | 0x | 0x
     Unique Batch Item ID (0x420093) | 0x08 | 0x | 30
     Request Payload (0x420079) | 0x01 | 0x |
       Object Type (0x420057) | 0x05 | 0x | 0x
       Template-Attribute (0x420091) | 0x01 | 0x000000e8 |
         Attribute (0x420008) | 0x01 | 0x |
           Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Algorithm
           Attribute Value (0x42000b) | 0x05 | 0x | 0x
         Attribute (0x420008) | 0x01 | 0x |
           Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Length
           Attribute Value (0x42000b) | 0x02 | 0x | 0x
         Attribute (0x420008) | 0x01 | 0x |
           Attribute Name (0x42000a) | 0x07 | 0x | Cryptographic Usage Mask
           Attribute Value (0x42000b) | 0x02 | 0x | 0x
         Attribute (0x420008) | 0x01 | 0x |
           Attribute Name (0x42000a) | 0x07 | 0x | Name
           Attribute Value (0x42000b) | 0x01 | 0x |
             Name Value (0x420055) | 0x07 | 0x | mykey
             Name Type (0x420054) | 0x05 | 0x | 0x

9 New key format
 What happened to Key Format in the previous request?
  - Key Format is not a full-fledged attribute
  - Absence of the object => custom key format
  - Key Format is purely internal
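The Register dumps on slides 7 and 8 and the missing Key Format Type on slide 9 are easier to reason about with the bytes in hand. The following is an added example, written for this transcript and not code from the presenters or from any KMIP product: a minimal TTLV encoder and decoder that builds both Register requests (the regular one carrying a Key Block with Key Material, the MDO one carrying attributes only, with Cryptographic Algorithm and Cryptographic Length moved into the Template-Attribute and no Key Format Type at all), plus the check a server or a perimeter monitor on the MDO path can apply: any Key Material item on the wire means key material has left the HSM. The tag numbers are the ones shown in the slide dumps; the enumeration values (Register = 3, Symmetric Key = 2, AES = 3, Raw = 1, Uninterpreted Text String = 1, Usage Mask Encrypt|Decrypt = 0x0C) are KMIP 1.x specification values that the dumps elide and are assumptions of this example, as is the empty Request Header and the constructed placeholder key bytes.

```python
"""Added example, not from the slides: minimal KMIP TTLV encode/decode to build the
regular vs Meta-Data-Only Register requests of slides 7-8 and check the MDO path.
Tags are from the slide dumps; enumeration values are KMIP 1.x spec values that the
dumps elide (Register=3, Symmetric Key=2, AES=3, Raw=1, Uninterpreted Text String=1,
Usage Mask Encrypt|Decrypt=0x0C) and are assumptions of this example."""
import struct

STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08
TAG = {  # tag numbers as shown in the slide dumps
    "Request Message": 0x420078, "Request Header": 0x420077, "Batch Item": 0x42000F,
    "Operation": 0x42005C, "Unique Batch Item ID": 0x420093, "Request Payload": 0x420079,
    "Object Type": 0x420057, "Template-Attribute": 0x420091, "Attribute": 0x420008,
    "Attribute Name": 0x42000A, "Attribute Value": 0x42000B, "Name Value": 0x420055,
    "Name Type": 0x420054, "Symmetric Key": 0x42008F, "Key Block": 0x420040,
    "Key Format Type": 0x420042, "Key Value": 0x420045, "Key Material": 0x420043,
    "Cryptographic Algorithm": 0x420028, "Cryptographic Length": 0x42002A}
OP_REGISTER, OBJ_SYMMETRIC_KEY, ALG_AES = 0x03, 0x02, 0x03        # assumed spec values
FMT_RAW, NAME_UNINTERPRETED, USAGE_ENCRYPT_DECRYPT = 0x01, 0x01, 0x0C
SAMPLE_KEY = bytes(range(32))  # constructed placeholder bytes, not a real key


def ttlv(tag, typ, value):
    """One item: 3-byte tag, 1-byte type, 4-byte BE length, value padded to 8 bytes."""
    if typ == STRUCTURE:
        body = b"".join(value)                      # children are already padded
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">I", value)             # length 4, occupies 8 on the wire
    else:
        body = value.encode("utf-8") if typ == TEXT_STRING else bytes(value)
    header = TAG[tag].to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)

def parse(buf):
    """Decode TTLV bytes into [(tag, type, value)]; structures recurse."""
    items, i = [], 0
    while i + 8 <= len(buf):
        tag, typ = int.from_bytes(buf[i:i + 3], "big"), buf[i + 3]
        length = struct.unpack(">I", buf[i + 4:i + 8])[0]
        raw = buf[i + 8:i + 8 + length]
        if typ == STRUCTURE:
            value = parse(raw)
        elif typ in (INTEGER, ENUMERATION):
            value = struct.unpack(">I", raw[:4])[0]
        else:
            value = raw.decode("utf-8") if typ == TEXT_STRING else raw
        items.append((tag, typ, value))
        i += 8 + length + (-length % 8)             # step over the padding too
    return items

def attribute(name, typ, value):
    """Attribute{Attribute Name, Attribute Value} inside a Template-Attribute."""
    return ttlv("Attribute", STRUCTURE, [ttlv("Attribute Name", TEXT_STRING, name),
                                         ttlv("Attribute Value", typ, value)])

def name_attribute(text):
    """Name's value is itself a structure: Name Value + Name Type."""
    return attribute("Name", STRUCTURE, [ttlv("Name Value", TEXT_STRING, text),
                                         ttlv("Name Type", ENUMERATION, NAME_UNINTERPRETED)])

def register_request(attrs, managed_object=None):
    """Register skeleton from slides 7-8; Request Header content is elided there, so empty here."""
    payload = [ttlv("Object Type", ENUMERATION, OBJ_SYMMETRIC_KEY),
               ttlv("Template-Attribute", STRUCTURE, attrs)] + ([managed_object] if managed_object else [])
    return ttlv("Request Message", STRUCTURE, [ttlv("Request Header", STRUCTURE, []), ttlv(
        "Batch Item", STRUCTURE, [ttlv("Operation", ENUMERATION, OP_REGISTER),
                                  ttlv("Unique Batch Item ID", BYTE_STRING, b"\x01"),
                                  ttlv("Request Payload", STRUCTURE, payload)])])

def regular_register():
    """Regular Register: algorithm/length ride inside the Key Block with the key bytes."""
    key_block = ttlv("Symmetric Key", STRUCTURE, [ttlv("Key Block", STRUCTURE, [
        ttlv("Key Format Type", ENUMERATION, FMT_RAW),
        ttlv("Key Value", STRUCTURE, [ttlv("Key Material", BYTE_STRING, SAMPLE_KEY)]),
        ttlv("Cryptographic Algorithm", ENUMERATION, ALG_AES),
        ttlv("Cryptographic Length", INTEGER, 256)])])
    return register_request([attribute("Cryptographic Usage Mask", INTEGER, USAGE_ENCRYPT_DECRYPT),
                             name_attribute("mykey")], key_block)

def mdo_register():
    """MDO Register: no Key Block (and so no Key Format Type); algorithm and length become attributes."""
    return register_request([attribute("Cryptographic Algorithm", ENUMERATION, ALG_AES),
                             attribute("Cryptographic Length", INTEGER, 256),
                             attribute("Cryptographic Usage Mask", INTEGER, USAGE_ENCRYPT_DECRYPT),
                             name_attribute("mykey")])

def find_tag(items, wanted):
    """Depth-first collection of every value carried under a tag."""
    hits = []
    for tag, typ, value in items:
        hits += [value] if tag == wanted else []
        hits += find_tag(value, wanted) if typ == STRUCTURE else []
    return hits

def carries_key_material(message):
    """Perimeter check for the MDO path: Key Material (0x420043) anywhere in the tree is a violation."""
    return bool(find_tag(parse(message), TAG["Key Material"]))

def attribute_names(message):
    """Template-Attribute names in wire order."""
    return find_tag(parse(message), TAG["Attribute Name"])
```

The check is deliberately structural rather than positional: `carries_key_material` walks the whole parsed tree, so a Key Material item tucked into an unexpected structure is caught just as well as one in the canonical Key Block. Running `attribute_names` on both requests shows the shift the slides describe, with Cryptographic Algorithm and Cryptographic Length appearing as attributes only in the MDO request.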

10 KMIP Updates for MDO keys
 Crypto Domain Parameters
  o Crypto parameters need to be a part of the Register command, not only Create Key Pair
 ECC Enumeration
  o Need a broader set of supported curves

11 Questions?
 Thank you.