KMIP Entity Object and Client Registration
Alan Frindell
Contributors: Robert Haas, Indra Fitzgerald
SafeNet, Inc.
© SafeNet Confidential and Proprietary

Slide 1: KMIP Entity Object and Client Registration
Alan Frindell (contributors: Robert Haas, Indra Fitzgerald), SafeNet, Inc., 11/17/2010

Slide 2: What can you do with an entity?
• Require subjects passed in TLS and/or Credential to be registered entities
• Register or generate data that can be used during authentication, possibly to a third-party system
• Restrict operations that create objects, including other entities
• Register Attributes that can be searched and retrieved
    • Possible policy-relevant attributes like FIPS Level, hardware capabilities, server-to-client operation support
• Register extended data that can be logged by the server
• Supply connection details for Server to Client messages
• Ask server to notify entity when one or more objects change

Slide 3: How are entities created?
• Manually entered by server administrator
• Imported from a third-party directory by a server administrator
• Explicitly registered by a KMIP client with appropriate permissions
    • Some server implementations may require administrator approval before the entity is registered
    • May require asynchronous polling by clients to be effective
• Implicitly registered by a KMIP client by sending a new Credential object in a request

Slide 4: Credential Redefinition (original proposal)
Username and Password Credential Value still supported for backwards compatibility

  Object                               Encoding       REQUIRED
  Credential                           Structure
    Credential Type                    Enumeration    Yes
    Authentication Information Type    Enumeration    No
    Credential Value                   Structure      Yes

  Object                                  Encoding                                               REQUIRED
  Credential Value                        Structure
    Subject Value                         Varies according to Credential Type                    Yes
    Subject Authentication Information    Varies according to Authentication Information Type    No

Slide 5: Credential Redefinition (new proposal)
Much cleaner; Username and Password Credential Value no longer supported

  Object                                        Encoding                            REQUIRED
  Credential                                    Structure
    Subject Type                                Enumeration                         Yes
    Subject Value                               Varies according to Subject Type    No
    Subject Authentication Information Type     Enumeration                         Yes
    Subject Authentication Information Value    Varies according to SAI type        No

Slide 6: Credential/Subject Types
Credential/Subject Type (Value):
    • Username and Password (KMIP v1)
    • Username
    • Device
    • World Wide Name
    • Distinguished Name
    • SAML Subject
    • Open ID
Authentication Information Type (Value):
    • Password
    • X.509 Certificate
    • Kerberos Ticket
    • Extensions: 8XXXXXXX
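A worked TTLV encoding of the slide 4 (original proposal) Credential, with the backwards-compatible Username and Password Credential Value, plus the parser a server would run on it before looking the subject up as an Entity. This is an added illustration, not code from the SafeNet deck or from any KMIP implementation: the tags for Credential, Credential Type, Credential Value, Username and Password are the KMIP 1.0 spec's own, while the Authentication Information Type tag and the Password value in the 8XXXXXXX extension range are assumed placeholders because the proposal assigns no numbers.

```python
import struct

# KMIP 1.0 TTLV item types
STRUCTURE, ENUMERATION, TEXT_STRING = 0x01, 0x05, 0x07

# KMIP 1.0 tags (assigned in the v1.0 spec)
TAG_CREDENTIAL, TAG_CREDENTIAL_TYPE, TAG_CREDENTIAL_VALUE = 0x420023, 0x420024, 0x420025
TAG_USERNAME, TAG_PASSWORD = 0x420099, 0x42009D
# Placeholder extension tag for the proposed Authentication Information Type field.
# KMIP reserves 0x540000-0x54FFFF for extensions; this number is assumed, not assigned.
TAG_AUTH_INFO_TYPE = 0x540001

CRED_TYPE_USERNAME_PASSWORD = 0x00000001  # KMIP 1.0 Credential Type enumeration
AUTH_INFO_PASSWORD = 0x80000001           # assumed placeholder in the 8XXXXXXX extension range

def ttlv(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8 bytes."""
    return (tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(value))
            + value + b"\x00" * ((-len(value)) % 8))

def enum(tag, v):        return ttlv(tag, ENUMERATION, struct.pack(">I", v))
def text(tag, s):        return ttlv(tag, TEXT_STRING, s.encode("utf-8"))
def structure(tag, *it): return ttlv(tag, STRUCTURE, b"".join(it))

def encode_credential(username, password, auth_info_type=None):
    """Credential per the original proposal: Credential Type, optional Authentication
    Information Type, and a v1-compatible Username/Password Credential Value."""
    items = [enum(TAG_CREDENTIAL_TYPE, CRED_TYPE_USERNAME_PASSWORD)]
    if auth_info_type is not None:
        items.append(enum(TAG_AUTH_INFO_TYPE, auth_info_type))
    items.append(structure(TAG_CREDENTIAL_VALUE,
                           text(TAG_USERNAME, username), text(TAG_PASSWORD, password)))
    return structure(TAG_CREDENTIAL, *items)

def decode(buf):
    """Parse a run of TTLV items into (tag, type, value) triples, recursing into structures.
    Length fields are checked against the buffer so a truncated Credential is rejected."""
    items, i = [], 0
    while i < len(buf):
        if i + 8 > len(buf):
            raise ValueError("truncated TTLV header")
        tag, typ = int.from_bytes(buf[i:i + 3], "big"), buf[i + 3]
        length = struct.unpack(">I", buf[i + 4:i + 8])[0]
        raw = buf[i + 8:i + 8 + length]
        if len(raw) != length:
            raise ValueError("truncated TTLV value")
        if typ == STRUCTURE:     val = decode(raw)
        elif typ == ENUMERATION: val = struct.unpack(">I", raw)[0]
        elif typ == TEXT_STRING: val = raw.decode("utf-8")
        else:                    val = raw            # other types left as raw bytes
        items.append((tag, typ, val))
        i += 8 + length + (-length) % 8              # skip the value and its padding
    return items
```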

Slide 7: Entity Definition
• Entity Attributes: UUID, Name, Object Type, Operation Policy, Initial Date, Destroy Date, App Specific Info, Contact Info, Last Change Date, Custom Attributes
    • New, up for discussion: Archive Date, Object Group, Entity Operation Policy
• Entity Operations: Register, Locate, Get, Get Attributes, Get Attributes List, Add Attribute, Modify Attribute, Delete Attribute, Destroy

  Object          Encoding     REQUIRED
  Entity          Structure
    Credential    Structure    Yes, may be repeated

Slide 8: New: Default Operation Policy for Entity Objects (for operations on the Entity object)

  Operation                Object Type    Policy
  Locate                   Entity         Allowed to all
  Get                      Entity         Allowed to owner only
  Get Attribute            Entity         Allowed to all
  Get Attribute List       Entity         Allowed to all
  Add/Mod/Del Attribute    Entity         Allowed to owner only
  Destroy                  Entity         Allowed to owner only

Operation Policy = what operations are allowed on the Entity

Slide 9: Default Entity Operation Policy

  Operation          Object Type                Policy
  Create             Symmetric Key              Allowed to all
  Create Key Pair    Public Key, Private Key    Allowed to all
  Register           All, except Entity         Allowed to all
  Certify            Public Key                 Allowed to all
  Re-certify         Certificate                Allowed to all
  Validate           Certificate                Allowed to all
  Query              N/A                        Allowed to all
  Cancel             N/A                        Allowed to all
  Poll               N/A                        Allowed to all

Entity Operation Policy = what operations the Entity is allowed to perform
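The two default policies of slides 8 and 9 combined into one default-deny authorization check: requests aimed at an existing Entity object fall under that object's Operation Policy, everything else under the requester's Entity Operation Policy. This is an added illustration and not SafeNet code; the request records, Entity UUIDs and the owner mapping are constructed, and "owner" is passed in by the caller because the deck leaves open whether that is the Entity itself or its Creator.

```python
# Policy tables transcribed from slides 8 and 9; request and owner data below are constructed.
ALL, OWNER_ONLY = "all", "owner only"

# Operation Policy: what may be done TO an Entity object (slide 8)
ENTITY_OBJECT_POLICY = {
    "Locate": ALL, "Get": OWNER_ONLY, "Get Attribute": ALL, "Get Attribute List": ALL,
    "Add Attribute": OWNER_ONLY, "Modify Attribute": OWNER_ONLY, "Delete Attribute": OWNER_ONLY,
    "Destroy": OWNER_ONLY,
}

# Entity Operation Policy: what an Entity may PERFORM, keyed by (operation, object type) (slide 9)
ENTITY_OPERATION_POLICY = {
    ("Create", "Symmetric Key"): ALL,
    ("Create Key Pair", "Public Key"): ALL, ("Create Key Pair", "Private Key"): ALL,
    ("Certify", "Public Key"): ALL, ("Re-certify", "Certificate"): ALL,
    ("Validate", "Certificate"): ALL,
    ("Query", None): ALL, ("Cancel", None): ALL, ("Poll", None): ALL,
}
# Register row reads "All, except Entity": creating Entities is not a default client right
REGISTER_DENIED_TYPES = {"Entity"}

def entity_may_perform(operation, object_type):
    """Entity Operation Policy: default deny, allow only rows present on slide 9."""
    if operation == "Register":
        return object_type not in REGISTER_DENIED_TYPES
    return ENTITY_OPERATION_POLICY.get((operation, object_type)) == ALL

def entity_object_access(operation, requester_uuid, owner_uuid):
    """Operation Policy on an Entity object (slide 8); unknown operations are denied."""
    rule = ENTITY_OBJECT_POLICY.get(operation)
    return rule == ALL or (rule == OWNER_ONLY and requester_uuid == owner_uuid)

def authorize(request, entity_owners):
    """request: {'operation', 'object_type', 'requester', optional 'target' UUID}.
    entity_owners: constructed map of Entity UUID -> owner UUID for existing Entity objects."""
    op, obj_type, target = request["operation"], request.get("object_type"), request.get("target")
    if obj_type == "Entity" and target is not None:
        # An existing Entity object: its own Operation Policy decides (unknown target -> no owner -> deny)
        return entity_object_access(op, request["requester"], entity_owners.get(target))
    # Creating, registering or otherwise acting as a client: the Entity Operation Policy decides
    return entity_may_perform(op, obj_type)
```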

Slide 10: Entity / Creator Relationship
• KMIP v1 loosely defines Creator as 'identity of the client'
• With Entity, it is possible to define Creator explicitly as:
    • The UUID of the Entity who created the object
    • The Subject of the Entity who created the object
        • In this case, a given Entity will have access to different objects depending on how it authenticated
• Creator of an Entity may be different from the Entity itself, which may be confusing
• Can an Entity have more than one Credential/Subject of a given type? Ex: more than one username?