The OASIS KMIP Standard: Interoperability
for the Cryptographic Ecosystem
www.oasis-open.org
Jon Geater, OASIS KMIP TC
With thanks to Bob Griffin, co-chair, OASIS KMIP TC
KMIP Overview
Enterprise Cryptographic Environments
Figure: an enterprise with disk arrays, backup disk, backup tape and backup system, collaboration and content management systems, file server portals, a production database with replica and staging copies, enterprise applications, eCommerce applications, business analytics, dev/test obfuscation, WAN/LAN/VPN and CRM, each environment paired with its own Key Management System.
Often, Each Cryptographic Environment Has Its Own Key Management System
Enterprise Cryptographic Environments
Figure: the same enterprise environments (disk arrays, backup disk/tape/system, collaboration and content management systems, file server portals, production database with replica and staging, enterprise applications, eCommerce applications, business analytics, dev/test obfuscation, WAN/LAN/VPN, CRM), each talking to its own Key Management System over its own protocol.
Often, Each Cryptographic Environment Has Its Own Protocol
Disparate, Often Proprietary Protocols
Enterprise Cryptographic Environments
Figure: the same enterprise environments (disk arrays, backup disk/tape/system, collaboration and content management systems, file server portals, production database with replica and staging, enterprise applications, eCommerce applications, business analytics, dev/test obfuscation, WAN/LAN/VPN, CRM) all connected to a single Enterprise Key Management system through the Key Management Interoperability Protocol.
KMIP: Single Protocol Supporting Enterprise Cryptographic Environments
What is KMIP
The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new cryptographic-enabled applications, supporting symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
KMIP defines the protocol for cryptographic client and key-management server communication. Key lifecycle operations supported include generation, submission, retrieval, and deletion of cryptographic objects. Vendors will deliver KMIP-enabled cryptographic applications that support communication with compatible KMIP key-management servers.
What is KMIP
Figure: a Key Client and a Key Server, each with an API layer, an internal representation, KMIP Encode and KMIP Decode steps, and a Transport layer; KMIP is the protocol carried between the two transports.
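The encode/decode pipeline in the figure above, as an added example that is not part of this deck or of any KMIP product: a minimal TTLV (Tag-Type-Length-Value) encoder and a bounds-checking decoder in Python that build and parse a KMIP 1.0 Create request for a 256-bit AES symmetric key. TTLV is the binary encoding the KMIP 1.0 specification defines; the tag and enumeration values below are taken from that specification, the request itself is a constructed example, and only the four item types this request needs are implemented.

```python
import struct

# KMIP 1.0 TTLV item types and the tags this example uses (values from the KMIP 1.0 spec, section 9.1;
# every KMIP tag begins with 0x42). Only the item types needed for a Create request are implemented.
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
TAG = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
       "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
       "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079, "ObjectType": 0x420057,
       "TemplateAttribute": 0x420091, "Attribute": 0x420008, "AttributeName": 0x42000A, "AttributeValue": 0x42000B}
OP_CREATE, OBJ_SYMMETRIC_KEY, ALG_AES = 0x01, 0x02, 0x03  # Operation, Object Type, Cryptographic Algorithm enums

def encode(tag, itype, value):  # KMIP Encode: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8
    if itype == STRUCTURE:
        body = b"".join(encode(*child) for child in value)  # nested items, each already 8-byte aligned
    elif itype in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if itype == INTEGER else ">I", value)  # 4 bytes of value, 4 bytes of padding
    elif itype == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError("unsupported item type")
    return tag.to_bytes(3, "big") + bytes([itype]) + struct.pack(">I", len(body)) + body + b"\0" * ((-len(body)) % 8)

def decode(buf, pos=0, end=None):  # KMIP Decode: buf[pos:end] -> [(tag, type, value)], rejecting malformed lengths
    end = len(buf) if end is None else end
    items = []
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated TTLV header")
        tag, itype, length = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        total = 8 + length + (-length) % 8  # header + value + padding
        if pos + total > end:
            raise ValueError("TTLV length exceeds enclosing message")  # never read past the buffer we were given
        raw = buf[pos + 8:pos + 8 + length]
        if itype == STRUCTURE:
            value = decode(buf, pos + 8, pos + 8 + length)  # children must fit inside the parent's length
        elif itype in (INTEGER, ENUMERATION) and length == 4:
            value = struct.unpack(">i" if itype == INTEGER else ">I", raw)[0]
        elif itype == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            raise ValueError("unsupported or malformed item")
        items.append((tag, itype, value))
        pos += total
    return items

def create_aes_key_request():  # internal representation of a KMIP 1.0 Create request for a 256-bit AES key (constructed)
    attr = lambda name, t, v: (TAG["Attribute"], STRUCTURE, [(TAG["AttributeName"], TEXT_STRING, name), (TAG["AttributeValue"], t, v)])
    hdr = (TAG["RequestHeader"], STRUCTURE, [(TAG["ProtocolVersion"], STRUCTURE, [(TAG["ProtocolVersionMajor"], INTEGER, 1),
           (TAG["ProtocolVersionMinor"], INTEGER, 0)]), (TAG["BatchCount"], INTEGER, 1)])
    payload = (TAG["RequestPayload"], STRUCTURE, [(TAG["ObjectType"], ENUMERATION, OBJ_SYMMETRIC_KEY),
               (TAG["TemplateAttribute"], STRUCTURE, [attr("Cryptographic Algorithm", ENUMERATION, ALG_AES),
                                                      attr("Cryptographic Length", INTEGER, 256)])])
    return (TAG["RequestMessage"], STRUCTURE, [hdr, (TAG["BatchItem"], STRUCTURE, [(TAG["Operation"], ENUMERATION, OP_CREATE), payload])])
```

`encode(*create_aes_key_request())` yields the 240-byte wire message a client's Transport layer would send; feeding a truncated copy to `decode` raises `ValueError` instead of over-reading, which is the check a server-side decoder needs before it trusts any length field from the network.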
KMIP status
- KMIP Technical Committee was established in OASIS in April 2009
- Submissions at the time of TC creation included a draft specification, usage guide and use cases
- Initial membership included most significant vendors in cryptographic solutions and key management, and has continued to grow
- KMIP V1.0 standard approved end-September 2010
  - Revision of initial submissions April-October 2009
  - First public review Nov/Dec 2009
  - Revision of documents Jan-April 2010
  - Second public review May/June 2010
  - Approval of KMIP V1.0 docs as OASIS standard Sept 2010
- 2 public interops completed
- KMIP V1.0 conformance defined in terms of server profiles, such as Symmetric Key Foundry
KMIP Profiles
- Purpose is to define what any implementation of the specification must adhere to in order to claim conformance to the specification
  - Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction.
  - Define a set of normative constraints for employing KMIP within a particular environment or context of use.
  - Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors.
- Three profiles defined in V1.0:
  - Secret data
  - Symmetric key store
  - Symmetric key foundry
- Profiles are further qualified by authentication suite:
  - TLS V1.0 / V1.1
  - TLS V1.2
KMIP Work Items for vNext
- Next version of KMIP standard expected Q4 2011
- Additions to protocol under discussion:
  - permissions and groups
  - client registration
  - expanded server-to-server use cases
  - authentication methods
- Additions to profiles include expanded certificate services and asymmetric key functionality.
- Enhanced interoperability testing
KMIP V1.0 Documents
http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf
http://docs.oasis-open.org/kmip/spec/v1.0/
http://docs.oasis-open.org/kmip/ug/v1.0/
http://docs.oasis-open.org/kmip/profiles/v1.0/
http://docs.oasis-open.org/kmip/usecases/v1.0/
Enterprise Cryptographic Environments
Figure: the enterprise environments (disk arrays, backup disk/tape/system, collaboration and content management systems, file server portals, production database with replica and staging, enterprise applications, eCommerce applications, business analytics, dev/test obfuscation, WAN/LAN/VPN, CRM) connected to a single Enterprise Key Management System through the Key Management Interoperability Protocol.
KMIP: Interoperability for the Cryptographic Ecosystem