KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys

Saikat Saha & Denis Pochuev

[email protected]

[email protected]

Feb 2012


Purpose of HSM (Hardware Security Module)

- Hardware based Key Storage Device
- Provides High Assurance – FIPS 140-2 Level 2 & 3
- Creates, Stores and manages various cryptographic objects
  • Symmetric Keys
  • Asymmetric Keys
  • Certificates
- Provides Crypto Acceleration and root of trust (trust anchor)
- Available in PCI as well as Network Appliance versions with multiple partitions
- NIST disapproves of key material leaving the FIPS boundary


Enterprise Key Management for HSMs

[Diagram: EKM (EKM Management Console, Key Archive, Audit Log, Backup/Archive) connected over KMIP to HSM EKM Clients and their Applications at remote sites; lifecycle arrows labelled Initialization and Activation]

  • KMIP
  • Key Management Interoperability Protocol
  • Allows for interoperability between
    • differing device types
    • devices from different vendors

Centralized Key Management

Remote sites handle only IT related activities


Centralized Administration of HSMs with EKM

[Diagram: components linked by KMIP: Database + HSM with EKM Client; HSM With Multiple Partitions; Application + HSM with EKM Client; Key Secure; Backup HSM and Key Archive; lifecycle arrows labelled Initialization and Activation; EKM Web Browser; Audit Log]

  • EKM
  • Centrally see all keys created and used by HSM
  • Stores and manages key attributes
  • Centralized audit for compliance


General idea behind MDO keys

  • Core Server Functionality = Key Mgmt + Key Usage
  • Where does the key usage happen?
    - at the server
    - at the client (HSM case)
  • Cryptographic Objects = Key Material + Meta Data
  • If key usage can be restricted only to clients, why not keep the key material there and only transfer Meta Data?

[Diagram: Key material perimeter, showing Application, Server and HSM]


KMIP commands and MDO keys

  • MDO KMIP Commands
    • Create
    • Create Key Pair
    • Register
    • Locate
    • Get
    • Get Attributes
    • Get Attribute List
    • Add Attribute
    • Modify Attribute
    • Delete Attribute
    • Destroy
    • Query
  • Supported KMIP Commands
    • Create
    • Create Key Pair
    • Register
    • Locate
    • Get
    • Get Attributes
    • Get Attribute List
    • Add Attribute
    • Modify Attribute
    • Delete Attribute
    • Destroy
    • Query


KMIP Register operation in detail

Regular KMIP Request (each line is one TTLV item: Tag | Type | Length | Value; the structure lengths are shown as 0000000000 on this slide)

  • Request Message (0x420078) | 0x01 | 0000000000 |

  • Request Header (0x420077) | 0x01 | …

  • Batch Item (0x42000f) | 0x01 | 0000000000 |

  • Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003

  • Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 39

  • Request Payload (0x420079) | 0x01 | 0000000000 |

  • Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002

  • Template-Attribute (0x420091) | 0x01 | 0000000000 |

  • Attribute (0x420008) | 0x01 | 0000000000 |

  • Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask

  • Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007

  • Attribute (0x420008) | 0x01 | 0000000000 |

  • Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name

  • Attribute Value (0x42000b) | 0x01 | 0000000000 |

  • Name Value (0x420055) | 0x07 | 0x00000005 | mykey

  • Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001

  • Symmetric Key (0x42008f) | 0x01 | 0000000000 |

  • Key Block (0x420040) | 0x01 | 0000000000 |

  • Key Format Type (0x420042) | 0x05 | 0x00000004 | 0x00000001

  • Key Value (0x420045) | 0x01 | 0000000000 |

  • Key Material (0x420043) | 0x08 | 0x00000010 | 01 23 45 67 89 abcdef 01 23 45 67…

  • Cryptographic Algorithm (0x420028) | 0x05 | 0x00000004 | 0x00000003

  • Cryptographic Length (0x42002a) | 0x02 | 0x00000004 | 0x00000080

Slide labels: "Meta-Data" (the Template-Attribute part of the request) and "Registered Object" (the Symmetric Key part)


KMIP Register operation in detail (continued)

MDO KMIP Request (compare with the Regular KMIP Request above: the Symmetric Key / Key Block / Key Material items are gone, and Cryptographic Algorithm and Cryptographic Length travel as ordinary attributes instead)

  • Request Message (0x420078) | 0x01 | 0x00000180 |

  • Request Header (0x420077) | 0x01 | …

  • Batch Item (0x42000f) | 0x01 | 0x00000128 | Re

  • Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003

  • Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 30

  • Request Payload (0x420079) | 0x01 | 0x00000100 |

  • Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002

  • Template-Attribute (0x420091) | 0x01 | 0x000000e8 |

  • Attribute (0x420008) | 0x01 | 0x00000030 |

  • Attribute Name (0x42000a) | 0x07 | 0x00000017 | Cryptographic Algorithm

  • Attribute Value (0x42000b) | 0x05 | 0x00000004 | 0x00000003

  • Attribute (0x420008) | 0x01 | 0x00000030 |

  • Attribute Name (0x42000a) | 0x07 | 0x00000014 | Cryptographic Length

  • Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000080

  • Attribute (0x420008) | 0x01 | 0x00000030 |

  • Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask

  • Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007

  • Attribute (0x420008) | 0x01 | 0x00000038 |

  • Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name

  • Attribute Value (0x42000b) | 0x01 | 0x00000020 |

  • Name Value (0x420055) | 0x07 | 0x00000005 | mykey

  • Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001
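
The difference between the two requests can be checked byte for byte. The following is an added Python example, not code from the presentation: it encodes the MDO Register Batch Item shown above as TTLV with a small encoder of my own, reproduces the declared lengths printed on the slide (0x30 per Attribute, 0xe8 for the Template-Attribute, 0x100 for the Request Payload, 0x128 for the Batch Item), and walks a request to confirm that no Key Material item (0x420043) is present anywhere, which is the property an MDO-aware server should enforce. The type codes come from KMIP 1.x; the one-byte Unique Batch Item ID 0x30 is taken from the slide.

```python
import struct

# KMIP TTLV item types (KMIP 1.x) and the tag that carries raw key bytes
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08
KEY_MATERIAL_TAG = 0x420043

def ttlv(tag, typ, value):
    # One item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to a multiple of 8
    if typ == STRUCTURE:
        body = b"".join(value)
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">I", value)
    else:
        body = value.encode("utf-8") if typ == TEXT_STRING else bytes(value)
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * ((-len(body)) % 8)

def attribute(name, typ, value):
    # Attribute (0x420008) = Attribute Name (0x42000a) + Attribute Value (0x42000b)
    return ttlv(0x420008, STRUCTURE, [ttlv(0x42000a, TEXT_STRING, name), ttlv(0x42000b, typ, value)])

def mdo_batch_item():
    # Batch Item (0x42000f) of the slide's MDO Register request: Register (0x03) on a Symmetric Key
    # (0x02), AES (0x03), 128 bits, usage mask 0x07, named "mykey"; no Symmetric Key / Key Block at all
    name_value = [ttlv(0x420055, TEXT_STRING, "mykey"), ttlv(0x420054, ENUMERATION, 0x01)]
    template = ttlv(0x420091, STRUCTURE, [
        attribute("Cryptographic Algorithm", ENUMERATION, 0x03),
        attribute("Cryptographic Length", INTEGER, 0x80),
        attribute("Cryptographic Usage Mask", INTEGER, 0x07),
        attribute("Name", STRUCTURE, name_value),
    ])
    payload = ttlv(0x420079, STRUCTURE, [ttlv(0x420057, ENUMERATION, 0x02), template])
    unique_id = ttlv(0x420093, BYTE_STRING, b"\x30")  # the one-byte ID 0x30 shown on the slide
    return ttlv(0x42000f, STRUCTURE, [ttlv(0x42005c, ENUMERATION, 0x03), unique_id, payload])

def walk(buf):
    # Yield (tag, type, length) for every item, descending into Structures
    off = 0
    while off + 8 <= len(buf):
        tag, typ = int.from_bytes(buf[off:off + 3], "big"), buf[off + 3]
        length = struct.unpack(">I", buf[off + 4:off + 8])[0]
        yield tag, typ, length
        if typ == STRUCTURE:
            yield from walk(buf[off + 8:off + 8 + length])
        off += 8 + length + (-length) % 8

def leaks_key_material(buf):
    # The check an MDO-aware server should apply: no Key Material item anywhere in the request
    return any(t == KEY_MATERIAL_TAG for t, _, _ in walk(buf))
```

Feeding the regular request's Key Value structure (with its Key Material item) to leaks_key_material returns True, while the MDO Batch Item returns False.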


New key format

  • What happened to the Key Format in the previous request?
    - Key Format Type is not a full-fledged attribute
    - Absence of the Key Block object in the request implies a custom key format
    - The Key Format is purely internal


KMIP Updates for MDO keys

  • Crypto Domain Parameters

    • Crypto parameters need to be a part of the Register command, not only Create Key Pair

  • ECC Enumeration

    • Need a broader set of supported curves


Questions?

  • Thank you.
