KMIP Entity Object and Client Registration
Alan Frindell
Contributors: Robert Haas, Indra Fitzgerald
SafeNet, Inc.
11/17/2010
© SafeNet Confidential and Proprietary

Presentation transcript:

Slide 2: What can you do with an entity?

- Require subjects passed in TLS and/or Credential to be registered entities
- Register or generate data that can be used during authentication, possibly to a third-party system
- Restrict operations that create objects, including other entities
- Register attributes that can be searched and retrieved
  - Possible policy-relevant attributes like FIPS Level, hardware capabilities, server-to-client operation support
- Register extended data that can be logged by the server
- Supply connection details for Server to Client messages
- Ask the server to notify the entity when one or more objects change

Slide 3: How are entities created?

- Manually entered by a server administrator
- Imported from a third-party directory by a server administrator
- Explicitly registered by a KMIP client with appropriate permissions
  - Some server implementations may require administrator approval before the entity is registered
  - May require asynchronous polling by clients to be effective
- Implicitly registered by a KMIP client by sending a new Credential object in a request

Slide 4: Credential Redefinition (original proposal)

Username and Password Credential Value still supported for backwards compatibility.

  Object                                | Encoding                                            | REQUIRED
  Credential                            | Structure                                           |
    Credential Type                     | Enumeration                                         | Yes
    Authentication Information Type     | Enumeration                                         | No
    Credential Value                    | Structure                                           | Yes

  Object                                | Encoding                                            | REQUIRED
  Credential Value                      | Structure                                           |
    Subject Value                       | Varies according to Credential Type                 | Yes
    Subject Authentication Information  | Varies according to Authentication Information Type | No

Slide 5: Credential Redefinition (new proposal)

Much cleaner. Username and Password Credential Value no longer supported.

  Object                                      | Encoding                         | REQUIRED
  Credential                                  | Structure                        |
    Subject Type                              | Enumeration                      | Yes
    Subject Value                             | Varies according to Subject Type | No
    Subject Authentication Information Type   | Enumeration                      | Yes
    Subject Authentication Information Value  | Varies according to SAI type     | No

Slide 6: Credential/Subject Types

  Credential/Subject Type          | Value
  Username and Password (KMIP v1)  | 00000001
  Username                         | 00000002
  Device                           | 00000003
  World Wide Name                  | 00000004
  Distinguished Name               | 00000005
  SAML Subject                     | 00000006
  Open ID                          | 00000007

  Authentication Information Type  | Value
  Password                         | 00000001
  X.509 Certificate                | 00000002
  Kerberos Ticket                  | 00000003

  Extensions                       | 8XXXXXXX
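As an added illustration (not code from the slides or from SafeNet), the following Python encodes and parses the new-proposal Credential of slides 5 and 6 in KMIP TTLV and enforces the REQUIRED column on the way back in. The tag numbers for the four new fields are placeholders drawn from the KMIP extension tag range, since the proposal assigns none; the Credential tag itself is the standard KMIP 1.0 value.

```python
import struct
# KMIP TTLV item: Tag (3 bytes), Type (1 byte), Length (4 bytes), Value padded to 8 bytes
STRUCTURE, ENUMERATION, TEXT_STRING = 0x01, 0x05, 0x07
TAG_CREDENTIAL = 0x420023   # standard KMIP 1.0 Credential tag
# The four new fields have no standardized tags; these placeholders from the KMIP
# extension tag range are an assumption of this example, not part of the proposal.
TAG_SUBJECT_TYPE, TAG_SUBJECT_VALUE, TAG_SAI_TYPE, TAG_SAI_VALUE = 0x540001, 0x540002, 0x540003, 0x540004
# Enumeration values from the Credential/Subject Types slide
SUBJECT_TYPE = {"Username": 2, "Device": 3, "World Wide Name": 4,
                "Distinguished Name": 5, "SAML Subject": 6, "Open ID": 7}
AUTH_INFO_TYPE = {"Password": 1, "X.509 Certificate": 2, "Kerberos Ticket": 3}

def _ttlv(tag, typ, value):
    """Emit one TTLV item; the value is zero-padded to an 8-byte boundary."""
    header = struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", len(value))
    return header + value + b"\x00" * (-len(value) % 8)

def encode_credential(subject_type, subject_value, sai_type, sai_value):
    """Build the new-proposal Credential: two required enums, two optional values."""
    body = _ttlv(TAG_SUBJECT_TYPE, ENUMERATION, struct.pack(">I", subject_type))
    if subject_value is not None:   # Subject Value is optional per the slide
        body += _ttlv(TAG_SUBJECT_VALUE, TEXT_STRING, subject_value.encode())
    body += _ttlv(TAG_SAI_TYPE, ENUMERATION, struct.pack(">I", sai_type))
    if sai_value is not None:       # so is the SAI Value
        body += _ttlv(TAG_SAI_VALUE, TEXT_STRING, sai_value.encode())
    return _ttlv(TAG_CREDENTIAL, STRUCTURE, body)

def decode(buf):
    """Parse TTLV bytes into a list of (tag, type, value); structures nest as lists."""
    items, i = [], 0
    while i < len(buf):
        tag, typ = int.from_bytes(buf[i:i + 3], "big"), buf[i + 3]
        length = int.from_bytes(buf[i + 4:i + 8], "big")
        raw = buf[i + 8:i + 8 + length]
        value = (decode(raw) if typ == STRUCTURE else
                 int.from_bytes(raw, "big") if typ == ENUMERATION else raw.decode())
        items.append((tag, typ, value))
        i += 8 + length + (-length % 8)   # skip the item and its padding
    return items

def parse_credential(buf):
    """Return the Credential fields keyed by tag, enforcing the slide's REQUIRED column."""
    (tag, typ, fields), = decode(buf)
    if tag != TAG_CREDENTIAL or typ != STRUCTURE:
        raise ValueError("not a Credential structure")
    cred = {t: v for t, _, v in fields}
    if TAG_SUBJECT_TYPE not in cred or TAG_SAI_TYPE not in cred:
        raise ValueError("Subject Type and Subject Authentication Information Type are required")
    return cred
```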

Slide 7: Entity Definition

- Entity Attributes: UUID, Name, Object Type, Operation Policy, Initial Date, Destroy Date, App Specific Info, Contact Info, Last Change Date, Custom Attributes
  - New, up for discussion: Archive Date, Object Group, Entity Operation Policy
- Entity Operations: Register, Locate, Get, Get Attributes, Get Attributes List, Add Attribute, Modify Attribute, Delete Attribute, Destroy

  Object        | Encoding   | REQUIRED
  Entity        | Structure  |
    Credential  | Structure  | Yes, may be repeated

Slide 8: New: Default Operation Policy for Entity Objects (for operations on the Entity object)

  Operation              | Object Type | Policy
  Locate                 | Entity      | Allowed to all
  Get                    | Entity      | Allowed to owner only
  Get Attribute          | Entity      | Allowed to all
  Get Attribute List     | Entity      | Allowed to all
  Add/Mod/Del Attribute  | Entity      | Allowed to owner only
  Destroy                | Entity      | Allowed to owner only

Operation Policy = what operations are allowed on the Entity

Slide 9: Default Entity Operation Policy

  Operation        | Object Type              | Policy
  Create           | Symmetric Key            | Allowed to all
  Create Key Pair  | Public Key, Private Key  | Allowed to all
  Register         | All, except Entity       | Allowed to all
  Certify          | Public Key               | Allowed to all
  Re-certify       | Certificate              | Allowed to all
  Validate         | Certificate              | Allowed to all
  Query            | N/A                      | Allowed to all
  Cancel           | N/A                      | Allowed to all
  Poll             | N/A                      | Allowed to all

Entity Operation Policy = what operations the Entity is allowed to perform
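The two default tables of slides 8 and 9 express different questions (what may be done to an Entity, and what an Entity may do); the following Python, added here and not code from the slides, encodes both as data and makes a default-deny decision so that anything the tables do not list is refused. The UUID strings and the non-Entity object types used in the checks are constructed sample values.

```python
# Slide 8: default policy for operations performed *on* an Entity object, keyed by operation
ENTITY_OBJECT_POLICY = {
    "Locate": "all", "Get": "owner", "Get Attribute": "all", "Get Attribute List": "all",
    "Add Attribute": "owner", "Modify Attribute": "owner", "Delete Attribute": "owner",
    "Destroy": "owner",
}

# Slide 9: default Entity Operation Policy, the operations an Entity may perform,
# keyed by (operation, object type); None stands for the slide's N/A object type
ENTITY_OPERATION_POLICY = {
    ("Create", "Symmetric Key"): "all",
    ("Create Key Pair", "Public Key"): "all", ("Create Key Pair", "Private Key"): "all",
    ("Certify", "Public Key"): "all", ("Re-certify", "Certificate"): "all",
    ("Validate", "Certificate"): "all",
    ("Query", None): "all", ("Cancel", None): "all", ("Poll", None): "all",
}
REGISTER_EXCLUDED = {"Entity"}   # the slide's "Register: All, except Entity"

def entity_may_perform(operation, object_type=None):
    """Slide 9 check: may an Entity issue this operation at all? Unlisted pairs are denied."""
    if operation == "Register":
        return object_type is not None and object_type not in REGISTER_EXCLUDED
    return ENTITY_OPERATION_POLICY.get((operation, object_type)) == "all"

def may_operate_on_entity(operation, requester_uuid, owner_uuid):
    """Slide 8 check: may the requester perform the operation on a target Entity?"""
    rule = ENTITY_OBJECT_POLICY.get(operation)
    if rule == "all":
        return True
    if rule == "owner":
        return requester_uuid == owner_uuid
    return False   # operation absent from the default policy: deny

def authorize(operation, object_type, requester_uuid, owner_uuid=None):
    """Combined decision: an Entity target is governed by slide 8, everything else by slide 9."""
    if object_type == "Entity":
        return may_operate_on_entity(operation, requester_uuid, owner_uuid)
    return entity_may_perform(operation, object_type)
```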

Slide 10: Entity / Creator Relationship

- KMIP v1 loosely defines Creator as 'identity of the client'
- With Entity, it is possible to define Creator explicitly as:
  - The UUID of the Entity who created the object
  - The Subject of the Entity who created the object
    - In this case, a given Entity will have access to different objects depending on how it authenticated
- The Creator of an Entity may be different from the Entity itself, which may be confusing
- Can an Entity have more than one Credential/Subject of a given type? Ex: more than one username?

