Presentation is loading. Please wait.

Presentation is loading. Please wait.

KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob.

Published byNicholas Robinson Modified over 9 years ago

Similar presentations

Presentation on theme: "KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob."— Presentation transcript:

1 KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob Lockhart

2 Defining the Problem A user wants to create and control the lifecycle of a key via an application that is responsible for the data being protected Primary use cases are for applications that manage data lifecycle A client needs to get the key to access the data but CANNOT create or control the key Data is encrypted or decrypted at its point of use and thus protected when in flight or at rest. If defined properly, profiles could be created to support any version of the KMIP specification (e.g. 1.0, 1.1, 1.2, etc…) Use the KMIP Profiles 1.3 document to define how it is done This keeps client development requirements lower Puts more work on server vendors (potentially)

3 Solving the Problem – Step 1 To date profiles have only defined object types and attributes There is no reason not to allow it to also define operations Limit the operations performed by a given client profile “Administrative” users could perform some or all operations with the exception of get key “Managed” users could perform get and other allowed operations NOTE:Defining two or more client types within one profile should be allowed to avoid confusion between different profiles

4 Example Different Clients in a Profile Administrative Client Operations Create Create Key Pair Register Re-Key Re-Key Key Pair Derive Key Certify Re-certify Locate Check Get Attributes Get Attribute List Managed Client Operations Locate Check Get Get Attributes Get Attribute List Add Attribute Modify Attribute Delete Attribute Activate Revoke Destroy Archive Recover Validate Query Discovery Versions Cancel Modify Attribute Obtain Lease Get Usage Allocation Validate Query Discovery Versions

5 Considerations What ifs… What if an “administrative” client needs to access a different set of keys? What if a managed client needs to fit into two profiles What if … There are a lot of different use cases but until someone finds one, these are vendor specific implementations we should stay away from We need to be flexible enough to allow server and client vendors to determine how best to differentiate themselves We need to stay just enough ahead of the market when defining how KMIP works This will require additional considerations for test cases by requiring two different clients or sets of credentials We haven’t really done this one before Focus on the messaging via Profiles in 1.x, tackle the tough stuff in 2.x and later

Download ppt "KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob."

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
KMIP 1.3 SP800-130 Issues Joseph Brand / Chuck White / Tim Hudson December 12th, 2013 1.

KMIP 1.3 SP Issues Joseph Brand / Chuck White / Tim Hudson December 12th,
Professor Hongbin Luo Beijing Jiaotong University Usage scenario for instant messages in ICN November 3, 2013.

Professor Hongbin Luo Beijing Jiaotong University Usage scenario for instant messages in ICN November 3, 2013.
E Bidding Log on Screen. Bid Details Search Criteria for Bid Details.

E Bidding Log on Screen. Bid Details Search Criteria for Bid Details.
Key Wrapping in KMIP Mark Joseph, P6R Inc 2/27/2015.

Key Wrapping in KMIP Mark Joseph, P6R Inc 2/27/2015.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Modifying Managed Objects Alan Frindell 3/29/2011.

Modifying Managed Objects Alan Frindell 3/29/2011.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
© 2006 ITT Educational Services Inc. Course Name: IT390 Business Database Administration Unit 10 Slide 1 IT390 Business Database Administration Unit 10:

© 2006 ITT Educational Services Inc. Course Name: IT390 Business Database Administration Unit 10 Slide 1 IT390 Business Database Administration Unit 10:
Lesson 13 PROTECTING AND SHARING DOCUMENTS

Lesson 13 PROTECTING AND SHARING DOCUMENTS
KMIP Vendor Extension Management KMIP supports ‘extensions’ but provides no mechanism for coordination of values between clients and servers or between.

KMIP Vendor Extension Management KMIP supports ‘extensions’ but provides no mechanism for coordination of values between clients and servers or between.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
ISMT221 Information Systems Analysis and Design Prototyping with MS Access Lab 6 Tony Tam.

ISMT221 Information Systems Analysis and Design Prototyping with MS Access Lab 6 Tony Tam.
Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.

Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.
MIS 431 Chapter 71 Ch. 7: Advanced File Management System MIS 431 Created Spring 2006.

MIS 431 Chapter 71 Ch. 7: Advanced File Management System MIS 431 Created Spring 2006.
1 of 7 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 7 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Similar presentations

Ads by Google