
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys

KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys. Saikat Saha & Denis Pochuev (Saikat.saha@safenet-inc.com, denis.pochuev@safenet-inc.com), Feb 2012. Purpose of HSM (Hardware Security Module): Hardware based Key Storage Device; Provides High Assurance: CC EAL 4+


Presentation Transcript


  1. KMIP - Hardware Security Modules: Meta-Data-Only (MDO) Keys
     Saikat Saha & Denis Pochuev
     Saikat.saha@safenet-inc.com, denis.pochuev@safenet-inc.com
     Feb 2012

  2. Purpose of HSM (Hardware Security Module)
     - Hardware based Key Storage Device
       • Provides High Assurance:
         • CC EAL 4+
         • FIPS 140-2 Level 2 & 3
     - Full Critical Crypto Key Lifecycle Protection
       • Symmetric Keys
       • Asymmetric Keys
       • Certificates
     - Provides Crypto Acceleration and root of trust (trust anchor)
       • Available in Multiple Form Factors:
         • Network Appliance
         • PCI Express card
         • USB attached module
     - NIST disapproves of key material leaving the FIPS boundary

  3. General idea behind MDO keys
     • Core Server Functionality = Key Mgmt + Key Usage
     • Where does the key usage happen?
       - at the server
       - at the client (HSM case)
     • Cryptographic Objects = Key Material + Meta Data
     • If key usage can be restricted only to clients, why not keep the key material there and only transfer Meta Data?
     [Diagram: key material perimeter drawn around the Application Server and the HSM]

  4. Enterprise Key Management for HSMs
     • KMIP
       • Key Management Interoperability Protocol
       • Allows for interoperability between
         • differing device types
         • devices from different vendors
     [Diagram: EKM (Initialization, Activation, Management Console, Audit Log, Key Archive, Backup/Archive) connected over KMIP to Applications with HSM EKM Clients; Centralized Key Management, remote sites handle only IT related activities]

  5. Centralized Administration of HSMs with EKM
     • EKM
       • Centrally see all keys created and used by HSM
       • Stores and manages key attributes
       • Centralized audit for compliance
     [Diagram: Database + HSM with EKM Client, HSM with Multiple Partitions, Application + HSM with EKM Client, Key Secure, Backup HSM and Key Archive, all connected over KMIP; EKM Initialization/Activation, Web Browser, Audit Log]

  6. KMIP commands and MDO keys
     • MDO KMIP Commands
       • Create
       • Create Key Pair
       • Register
       • Locate
       • Get
       • Get Attributes
       • Get Attribute List
       • Add Attribute
       • Modify Attribute
       • Delete Attribute
       • Destroy
       • Query
     • Supported KMIP Commands
       • Create
       • Create Key Pair
       • Register
       • Locate
       • Get
       • Get Attributes
       • Get Attribute List
       • Add Attribute
       • Modify Attribute
       • Delete Attribute
       • Destroy
       • Query

  7. KMIP Register operation in detail: Regular KMIP Request
     (each line is one TTLV item: Name (Tag) | Type | Length | Value; structure lengths are shown as 0000000000 on the slide)
     • Request Message (0x420078) | 0x01 | 0000000000 |
       • Request Header (0x420077) | 0x01 | …
       • Batch Item (0x42000f) | 0x01 | 0000000000 |
         • Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003
         • Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 39
         • Request Payload (0x420079) | 0x01 | 0000000000 |
           • Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002
           (Meta-Data)
           • Template-Attribute (0x420091) | 0x01 | 0000000000 |
             • Attribute (0x420008) | 0x01 | 0000000000 |
               • Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
               • Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007
             • Attribute (0x420008) | 0x01 | 0000000000 |
               • Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
               • Attribute Value (0x42000b) | 0x01 | 0000000000 |
                 • Name Value (0x420055) | 0x07 | 0x00000005 | mykey
                 • Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001
           (Registered Object)
           • Symmetric Key (0x42008f) | 0x01 | 0000000000 |
             • Key Block (0x420040) | 0x01 | 0000000000 |
               • Key Format Type (0x420042) | 0x05 | 0x00000004 | 0x00000001
               • Key Value (0x420045) | 0x01 | 0000000000 |
                 • Key Material (0x420043) | 0x08 | 0x00000010 | 01 23 45 67 89 ab cd ef 01 23 45 67…
               • Cryptographic Algorithm (0x420028) | 0x05 | 0x00000004 | 0x00000003
               • Cryptographic Length (0x42002a) | 0x02 | 0x00000004 | 0x00000080

  8. KMIP Register operation in detail: MDO KMIP Request
     (shown on the slide side by side with the Regular KMIP Request of slide 7; note that the Symmetric Key / Key Block / Key Material items are absent and the key's algorithm and length travel as attributes instead)
     • Request Message (0x420078) | 0x01 | 0x00000180 |
       • Request Header (0x420077) | 0x01 | …
       • Batch Item (0x42000f) | 0x01 | 0x00000128 |
         • Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003
         • Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 30
         • Request Payload (0x420079) | 0x01 | 0x00000100 |
           • Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002
           • Template-Attribute (0x420091) | 0x01 | 0x000000e8 |
             • Attribute (0x420008) | 0x01 | 0x00000030 |
               • Attribute Name (0x42000a) | 0x07 | 0x00000017 | Cryptographic Algorithm
               • Attribute Value (0x42000b) | 0x05 | 0x00000004 | 0x00000003
             • Attribute (0x420008) | 0x01 | 0x00000030 |
               • Attribute Name (0x42000a) | 0x07 | 0x00000014 | Cryptographic Length
               • Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000080
             • Attribute (0x420008) | 0x01 | 0x00000030 |
               • Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
               • Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007
             • Attribute (0x420008) | 0x01 | 0x00000038 |
               • Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
               • Attribute Value (0x42000b) | 0x01 | 0x00000020 |
                 • Name Value (0x420055) | 0x07 | 0x00000005 | mykey
                 • Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001

  9. New key format
     • What happened to Key Format in previous request?
       - Key Format is not a full-fledged attribute
       - Absence of the object => custom key format
       - Key Format is purely internal
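As an added example (not from the slides or from SafeNet), the Python below encodes the MDO Register request of slide 8 from its TTLV fields, reproducing the structure lengths printed there (0x180, 0x128, 0x100, 0xe8), and walks any KMIP message to check that no Key Material item crosses the key-material perimeter of slide 3; it also shows that the MDO request carries no Key Format Type, as slide 9 states. The Request Header contents (Protocol Version 1.0, Maximum Response Size, Batch Count) are assumed because the slide elides them, and the key bytes in the regular Key Block are constructed.

```python
import struct
# KMIP TTLV item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to a multiple of 8.
STRUCTURE, INTEGER, ENUMERATION, TEXT, BYTES = 0x01, 0x02, 0x05, 0x07, 0x08
KEY_MATERIAL = 0x420043  # the one tag a metadata-only message must never carry

def ttlv(tag, typ, value):
    """Encode one item: value is a list of encoded children for STRUCTURE, int, str or bytes otherwise."""
    body = (b"".join(value) if typ == STRUCTURE else struct.pack(">I", value) if typ in (INTEGER, ENUMERATION)
            else value.encode() if typ == TEXT else value)
    return struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", len(body)) + body + b"\0" * (-len(body) % 8)

def attribute(name, typ, value):
    return ttlv(0x420008, STRUCTURE, [ttlv(0x42000a, TEXT, name), ttlv(0x42000b, typ, value)])

def walk(buf):
    """Yield (tag, type, length) for every item in an encoded message, descending into structures."""
    pos = 0
    while pos + 8 <= len(buf):
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        length = int.from_bytes(buf[pos + 4:pos + 8], "big")
        yield tag, typ, length
        if typ == STRUCTURE:
            yield from walk(buf[pos + 8:pos + 8 + length])
        pos += 8 + length + (-length % 8)

def crosses_key_perimeter(buf):
    """Boundary check for an EKM client: True if the message carries raw Key Material."""
    return any(tag == KEY_MATERIAL for tag, _, _ in walk(buf))

def mdo_register_request():
    """The MDO Register request of slide 8; Request Header contents are assumed (the slide elides them)."""
    header = ttlv(0x420077, STRUCTURE, [
        ttlv(0x420069, STRUCTURE, [ttlv(0x42006a, INTEGER, 1), ttlv(0x42006b, INTEGER, 0)]),  # Protocol Version 1.0
        ttlv(0x420050, INTEGER, 4096), ttlv(0x42000d, INTEGER, 1)])  # Maximum Response Size, Batch Count
    attrs = ttlv(0x420091, STRUCTURE, [  # Template-Attribute: the metadata that replaces the Key Block
        attribute("Cryptographic Algorithm", ENUMERATION, 3),  # AES
        attribute("Cryptographic Length", INTEGER, 128),
        attribute("Cryptographic Usage Mask", INTEGER, 7),
        attribute("Name", STRUCTURE, [ttlv(0x420055, TEXT, "mykey"), ttlv(0x420054, ENUMERATION, 1)])])
    payload = ttlv(0x420079, STRUCTURE, [ttlv(0x420057, ENUMERATION, 2), attrs])  # Object Type: Symmetric Key
    item = ttlv(0x42000f, STRUCTURE, [ttlv(0x42005c, ENUMERATION, 3),  # Operation: Register
                                      ttlv(0x420093, BYTES, b"0"), payload])  # Unique Batch Item ID "0"
    return ttlv(0x420078, STRUCTURE, [header, item])

def regular_key_block():
    """Key Block from the regular request of slide 7, with constructed (non-secret) 16-byte key material."""
    return ttlv(0x420040, STRUCTURE, [ttlv(0x420042, ENUMERATION, 1),  # Key Format Type: Raw
        ttlv(0x420045, STRUCTURE, [ttlv(KEY_MATERIAL, BYTES, bytes(range(16)))]),  # Key Value / Key Material
        ttlv(0x420028, ENUMERATION, 3), ttlv(0x42002a, INTEGER, 128)])
```

Run `walk()` over any captured request at the EKM client to list the structures and their lengths; the check `crosses_key_perimeter()` is the policy an MDO deployment can enforce on every outbound message.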

  10. KMIP Updates for MDO keys
     • Crypto Domain Parameters
       • Crypto parameters need to be a part of the Register command, not only Create Key Pair
     • ECC Enumeration
       • Need a broader set of supported curves

  11. Questions?
     • Thank you.
