The OASIS KMIP Standard: Interoperability for the Cryptographic Ecosystem
www.oasis-open.org
Jon Geater, OASIS KMIP TC
With thanks to Bob Griffin, co-chair, OASIS KMIP TC
Often, Each Cryptographic Environment Has Its Own Key Management System
[Slide diagram: enterprise cryptographic environments (production database, eCommerce applications, disk arrays, LAN, WAN, VPN, backup tape, enterprise applications, business analytics, replica, backup system, file server, staging, portals, dev/test, obfuscation, backup disk, collaboration & content management systems, CRM, email), each attached to its own key management system.]

Often, Each Cryptographic Environment Has Its Own Protocol
[Slide diagram: the same enterprise cryptographic environments, each talking to its own key management system over disparate, often proprietary protocols.]

KMIP: Single Protocol Supporting Enterprise Cryptographic Environments
[Slide diagram: the same enterprise cryptographic environments connected through the Key Management Interoperability Protocol to a single enterprise key management system.]
What is KMIP
• The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new cryptographically enabled applications, covering symmetric keys, asymmetric keys, digital certificates, and other "shared secrets". KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
• KMIP defines the protocol for communication between cryptographic clients and key-management servers. Supported key lifecycle operations include generation, submission, retrieval, and deletion of cryptographic objects. Vendors will deliver KMIP-enabled cryptographic applications that communicate with compatible KMIP key-management servers.
What is KMIP
[Slide diagram: on the Key Client side, the client's internal representation passes through KMIP Encode, the API and the Transport layer; on the Key Server side, Transport, API and KMIP Decode turn the message back into the server's internal representation. KMIP is the wire protocol exchanged between the two.]
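As an added illustration of the KMIP Encode / KMIP Decode step in the diagram above (example code written for this page, not part of the original deck or of any OASIS artifact): KMIP's binary wire format is TTLV (Tag, Type, Length, Value), and the block below builds a minimal Get request for one key and decodes it with the length checks a server-side parser needs before trusting a length field. The tag, item-type and operation values are those of the KMIP 1.0 specification; the Unique Identifier "KEY-0001" is a constructed sample value.

```python
import struct
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07  # KMIP 1.0 item types
TAG = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
       "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B,
       "BatchCount": 0x42000D, "BatchItem": 0x42000F, "Operation": 0x42005C,
       "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094}  # KMIP 1.0 tags (spec 9.1.3.1)
OP_GET = 0x0000000A  # Operation enumeration value for Get

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    body = {STRUCTURE: lambda v: b"".join(v),  # child items are already padded
            INTEGER: lambda v: struct.pack(">i", v),
            ENUMERATION: lambda v: struct.pack(">I", v),
            TEXT_STRING: lambda v: v.encode("utf-8")}[typ](value)
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)

def get_request(uid, major=1, minor=0):
    """Build a KMIP Get request (protocol version 1.0) for the given Unique Identifier."""
    return ttlv(TAG["RequestMessage"], STRUCTURE, [
        ttlv(TAG["RequestHeader"], STRUCTURE, [
            ttlv(TAG["ProtocolVersion"], STRUCTURE, [
                ttlv(TAG["ProtocolVersionMajor"], INTEGER, major),
                ttlv(TAG["ProtocolVersionMinor"], INTEGER, minor)]),
            ttlv(TAG["BatchCount"], INTEGER, 1)]),
        ttlv(TAG["BatchItem"], STRUCTURE, [
            ttlv(TAG["Operation"], ENUMERATION, OP_GET),
            ttlv(TAG["RequestPayload"], STRUCTURE, [
                ttlv(TAG["UniqueIdentifier"], TEXT_STRING, uid)])])])

def decode(buf):
    """Decode TTLV bytes into (tag, type, value) tuples, nesting structures as lists.
    Every length field is checked against the buffer, so a truncated message or a
    length that overruns it raises instead of being read past the end."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated TTLV header at offset %d" % pos)
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ, length = buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        end = pos + 8 + length
        if end + (-length % 8) > len(buf):
            raise ValueError("TTLV length %d overruns message at offset %d" % (length, pos))
        raw = buf[pos + 8:end]
        value = (decode(raw) if typ == STRUCTURE else
                 struct.unpack(">i", raw)[0] if typ == INTEGER else
                 struct.unpack(">I", raw)[0] if typ == ENUMERATION else
                 raw.decode("utf-8") if typ == TEXT_STRING else bytes(raw))
        items.append((tag, typ, value))
        pos = end + (-length % 8)
    return items
```

The two `ttlv` encodings checked first in the test (Integer 8 and the text "Hello World" under tag 0x420020) match the worked encoding examples in the KMIP 1.0 specification.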
KMIP status
• KMIP Technical Committee was established in OASIS in April 2009
• Submissions at the time of TC creation included a draft specification, a usage guide and use cases
• Initial membership included most significant vendors in cryptographic solutions and key management, and has continued to grow
• KMIP V1.0 standard approved end of September 2010
  – Revision of initial submissions April-October 2009
  – First public review Nov/Dec 2009
  – Revision of documents Jan-April 2010
  – Second public review May/June 2010
  – Approval of KMIP V1.0 documents as OASIS standard Sept 2010
• 2 public interops completed
• KMIP V1.0 conformance defined in terms of server profiles, such as Symmetric Key Foundry
KMIP Profiles
• Purpose is to define what any implementation of the specification must adhere to in order to claim conformance to the specification
  – Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction
  – Define a set of normative constraints for employing KMIP within a particular environment or context of use
  – Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors
• Three profiles defined in V1.0
  – Secret data
  – Symmetric key store
  – Symmetric key foundry
• Profiles are further qualified by authentication suite
  – TLS V1.0 / V1.1
  – TLS V1.2
KMIP Work Items for vNext
• Next version of KMIP standard expected Q4 2011
• Additions to protocol under discussion
  – permissions and groups
  – client registration
  – expanded server-to-server use cases
  – authentication methods
• Additions to profiles include expanded certificate services and asymmetric key functionality
• Enhanced interoperability testing
KMIP V1.0 Documents
http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf
http://docs.oasis-open.org/kmip/spec/v1.0/
http://docs.oasis-open.org/kmip/ug/v1.0/
http://docs.oasis-open.org/kmip/profiles/v1.0/
http://docs.oasis-open.org/kmip/usecases/v1.0/
KMIP: Interoperability for the Cryptographic Ecosystem
[Closing slide diagram: the enterprise cryptographic environments from the earlier slides connected through the Key Management Interoperability Protocol to a single enterprise key management system.]