Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS691 M2009 Semester Project PHILIP HUYNH

Published byJavier Salinas Reyes Modified over 6 years ago

Similar presentations

Presentation on theme: "CS691 M2009 Semester Project PHILIP HUYNH"— Presentation transcript:

1 CS691 M2009 Semester Project PHILIP HUYNH
KEY MANAGEMENT SYSTEM

2 Outline of the Talk Key Management System
IEEE P Standard Key Management Infrastructure for Cryptographic Protection of Stored Data Strongkey Symmetric Key Management System (SKMS) OASIS Key Management Interoperability Protocol (KMIP) 11/15/2018 PHILIP HUYNH / CS691

3 KEY MANAGEMENT SYSTEMS
Motivations Functionalities Security 11/15/2018 PHILIP HUYNH / CS691

4 Key Management System Motivations for Key Management
The keys must be kept secret. While the encryption algorithm should be public. Whoever has access to the key, can also access the information, assume someone else's identity, etc. 11/15/2018 PHILIP HUYNH / CS691

5 Key Management System Key Management Functionalities Generation
Distribution Storage Replacement / Exchange Usage Destruction 11/15/2018 PHILIP HUYNH / CS691

6 Key Management System Key Management System Security
Prevent intruder from obtaining a key Avoid unauthorized use of keys, deliberate modification and other forms of manipulation of keys Once the reliability of a key is impaired, its use must be terminated immediately 11/15/2018 PHILIP HUYNH / CS691

7 IEEE P1619.3 STANDARD Problems Solution 11/15/2018
PHILIP HUYNH / CS691

8 IEEE P1619.3 Standard Encrypting Storage Problems
We can’t always expect a tape drive to be able to get keys from an encryption appliance’s key server, or for an encryption appliance to be able to get keys from a tape drive’s key server because there is very little interoperability between vendors’ key management systems. We can’t expect a storage device to be able to get keys from a distant key server. If we encrypt a backup tape in New York data center and send the tape to an offsite backup facility we can’t always expect that the data can be decrypted at the backup facility because the storage device there may be unable to reach the key server that provide the decryption key. 11/15/2018 PHILIP HUYNH / CS691

9 IEEE P1619.3 Standard The goal
Eliminate all the key management problems Make interoperable key management possible. Abstracts the components of a cryptographic system into Key management server Key management client Cryptographic unit. The standard also defines operations between the key management servers. 11/15/2018 PHILIP HUYNH / CS691

10 IEEE P Standard The abstraction components roles and responsibilities Key management server creates and distributes keys as well as the policies covering their use. Key management clients get keys and policies from a key management server on behalf of a cryptographic unit. Cryptographic units perform the actual encryption and decryption operations with the keys the key management clients manage. 11/15/2018 PHILIP HUYNH / CS691

11 STRONGKEY SYMMETRIC KEY MANAGEMENT SYSTEM
Problems Solution 11/15/2018 PHILIP HUYNH / CS691

12 Strongkey Symmetric Key Management System (SKMS)
Why is symmetric key management a problem? Many encryption application Vendors provide different KM Systems. As a result, IT Operation Staffs have to manage many different KM Systems. The complexity of KMS management raises the TCO, and causes the potential danger of a vulnerability in the security strategy. Solution Client/Server KM System for encryption applications Symmetric Key Server – implements the KM functions that are abstracted from the applications Symmetric Key Client – provides API that can make requests for symmetric key services. 11/15/2018 PHILIP HUYNH / CS691

13 Strongkey SKMS Architecture
SKS server A server-class computer running an OS – Linux, UNIX, or Windows that has JVM available for it A relational database for storing the symmetric encryption keys. A J2EE compliant application server to response to the requests over the network A JCE-compliant cryptographic provider to perform the cryptographic operations of key generation, key protection, digital signing, verification,… An optional, Hardware security module (HSM) or Trusted Platform Module (TPM) for securely storing the cryptographic keys that protect the database’s content The SKS server software, consisting of an Enterprise Archive (EAR) and a Web archive (WAR) file for administration console SKCL Client A client computer running an OS – Linux, UNIX, Windows, and OS/400 that has JVM available for it 11/15/2018 PHILIP HUYNH / CS691

14 Strongkey SKMS Architecture
SKCL Client (continued) An optional, Trusted Platform Module (TPM), smartcard, or other USB-based cryptographic token for securely storing the cryptographic keys that protect client’s authentication credentials. The SKCL software, consisting of an API callable by Java applications for communicating with the SKS server and performing cryptographic functions. Non-Java applications have the option of either using a JNI library to call the SKCL, or communicating with the SKS server directly using the SKSML protocol. SKSML Protocol A call from the client to request a symmetric key – new o existing – from the SKS server. A call from the client to request key-caching policy information from the SKS server. A response from the SKS server containing the symmetric key and key’s use policy. A response from the SKS server containing the key-caching policy. A fault message from the SKS server, if either of the two calls doesn’t succeed. 11/15/2018 PHILIP HUYNH / CS691

15 OASIS KEY MANAGEMENT INTEROPERABILITY PROTOCOL
Problems Solution 11/15/2018 PHILIP HUYNH / CS691

16 OASIS Key Management Interoperability Protocol (KMIP)
Why is key management a problem? The proliferation of key management system result in higher operational and infrastructure costs of enterprise using encryption, certificates, asymmetric key pairs, and other encryption technologies 11/15/2018 PHILIP HUYNH / CS691

17 OASIS Key Management Interoperability Protocol (KMIP)
Why is key management a problem? The proliferation of protocols, even when supported by a single enterprise key manager, results in a higher costs for developing and supporting the key manager. 11/15/2018 PHILIP HUYNH / CS691

18 OASIS Key Management Interoperability Protocol (KMIP)
Solution Single protocol for communication between enterprise key management server and cryptographic clients. By defining a protocol that can be used any cryptographic clients, KMIP enables enterprise key management servers to communicate via a single protocol to all cryptographic clients supporting that protocol. Through vendor support KMIP, an enterprise will be able to consolidate key management in a single enterprise key management system, reducing operation and infrastructure costs while strengthening operational controls and governance of security policy. 11/15/2018 PHILIP HUYNH / CS691

19 References Basic Methods of Cryptography Jan C.A. VAN DER LUBBE, Cambridge University Press, 1999. Symmetric Key Management System Arshard Noor, ISSA Journal, 01/2007. Key Management Infrastructure for Protecting Storage Data Luther Martin, Computer, 07/2008. Key Management Interoperability Protocol version 1.0, OASIS, 05/2009. 11/15/2018 PHILIP HUYNH / CS691

Download ppt "CS691 M2009 Semester Project PHILIP HUYNH"

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Enterprise Key Management Infrastructures: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.

Enterprise Key Management Infrastructures: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Enterprise Key Management Infrastructure (EKMI) Arshad Noor CTO, StrongAuth, Inc. Chair, EKMI TC – OASIS

Enterprise Key Management Infrastructure (EKMI) Arshad Noor CTO, StrongAuth, Inc. Chair, EKMI TC – OASIS
Enterprise Key Management Infrastructure: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.

Enterprise Key Management Infrastructure: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Moscow, 2007 OKB SAPR Information Security Policy that Accords Protection OKB SAPR Special Design Bureau for Computer-Aided Design

Moscow, 2007 OKB SAPR Information Security Policy that Accords Protection OKB SAPR Special Design Bureau for Computer-Aided Design
Week #7 Objectives: Secure Windows 7 Desktop

Week #7 Objectives: Secure Windows 7 Desktop
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.

KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.
Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Unit 1: Protection and Security for Grid Computing Part 2

Unit 1: Protection and Security for Grid Computing Part 2

Similar presentations

Ads by Google