Page 1
KMIP - Hardware Security Modules
Meta-Data-Only (MDO) Keys
Saikat Saha & Denis Pochuev
Saikat.saha@safenet-inc.com, denis.pochuev@safenet-inc.com
Feb 2012
Page 2
Purpose of HSM (Hardware Security Module)
- Hardware-based key storage device
- Provides high assurance: FIPS 140-2 Level 2 and Level 3
- Creates, stores and manages various cryptographic objects:
  - Symmetric keys
  - Asymmetric keys
  - Certificates
- Provides crypto acceleration and a root of trust (trust anchor)
- Available as a PCI card as well as a network appliance with multiple partitions
- NIST disapproves of key material leaving the FIPS 140-2 cryptographic boundary
Page 3
Enterprise Key Management for HSMs

[Diagram: an EKM (Enterprise Key Management) server providing centralized key management, with a Key Archive (Backup/Archive), Initialization/Activation, an Audit Log and an EKM Management Console. Remote sites handle only IT-related activities. Each Application with its HSM and EKM Client talks to the EKM server over KMIP.]

KMIP
• Key Management Interoperability Protocol
• Allows for interoperability between
  1. differing device types
  2. devices from different vendors
Page 4
Centralized Administration of HSMs with EKM

[Diagram: HSMs with multiple partitions, a Backup HSM and Key Archive, an Audit Log, and a Key Secure appliance administered through an EKM Web Browser (Initialization/Activation). "Application + HSM with EKM Client" and "Database + HSM with EKM Client" each connect to the EKM server over KMIP.]

EKM
• Centrally see all keys created and used by HSMs
• Stores and manages key attributes
• Centralized audit for compliance
Page 5
General idea behind MDO keys

Core Server Functionality = Key Mgmt + Key Usage
Where does the key usage happen?
- at the server
- at the client (HSM case)

Cryptographic Objects = Key Material + Meta Data
If key usage can be restricted to clients only, why not keep the key material there and transfer only the Meta Data?

[Diagram: Application, HSM and Server, with a boundary labelled "Key material perimeter".]
Page 6
KMIP commands and MDO keys

Supported KMIP Commands:
Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query

MDO KMIP Commands:
Create, Create Key Pair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy, Query
Page 7
KMIP Register operation in detail

[Diagram labels: Registered Object, Meta-Data]

Regular KMIP Request
Request Message (0x420078) | 0x01 | 0000000000 |
Request Header (0x420077) | 0x01 | …
Batch Item (0x42000f) | 0x01 | 0000000000 |
Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003
Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 39
Request Payload (0x420079) | 0x01 | 0000000000 |
Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002
Template-Attribute (0x420091) | 0x01 | 0000000000 |
Attribute (0x420008) | 0x01 | 0000000000 |
Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007
Attribute (0x420008) | 0x01 | 0000000000 |
Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
Attribute Value (0x42000b) | 0x01 | 0000000000 |
Name Value (0x420055) | 0x07 | 0x00000005 | mykey
Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001
Symmetric Key (0x42008f) | 0x01 | 0000000000 |
Key Block (0x420040) | 0x01 | 0000000000 |
Key Format Type (0x420042) | 0x05 | 0x00000004 | 0x00000001
Key Value (0x420045) | 0x01 | 0000000000 |
Key Material (0x420043) | 0x08 | 0x00000010 | 01 23 45 67 89 ab cd ef 01 23 45 67…
Cryptographic Algorithm (0x420028) | 0x05 | 0x00000004 | 0x00000003
Cryptographic Length (0x42002a) | 0x02 | 0x00000004 | 0x00000080
Page 8
KMIP Register operation in detail

MDO KMIP Request
Request Message (0x420078) | 0x01 | 0x00000180 |
Request Header (0x420077) | 0x01 | …
Batch Item (0x42000f) | 0x01 | 0x00000128 |
Operation (0x42005c) | 0x05 | 0x00000004 | 0x00000003
Unique Batch Item ID (0x420093) | 0x08 | 0x00000001 | 30
Request Payload (0x420079) | 0x01 | 0x00000100 |
Object Type (0x420057) | 0x05 | 0x00000004 | 0x00000002
Template-Attribute (0x420091) | 0x01 | 0x000000e8 |
Attribute (0x420008) | 0x01 | 0x00000030 |
Attribute Name (0x42000a) | 0x07 | 0x00000017 | Cryptographic Algorithm
Attribute Value (0x42000b) | 0x05 | 0x00000004 | 0x00000003
Attribute (0x420008) | 0x01 | 0x00000030 |
Attribute Name (0x42000a) | 0x07 | 0x00000014 | Cryptographic Length
Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000080
Attribute (0x420008) | 0x01 | 0x00000030 |
Attribute Name (0x42000a) | 0x07 | 0x00000018 | Cryptographic Usage Mask
Attribute Value (0x42000b) | 0x02 | 0x00000004 | 0x00000007
Attribute (0x420008) | 0x01 | 0x00000038 |
Attribute Name (0x42000a) | 0x07 | 0x00000004 | Name
Attribute Value (0x42000b) | 0x01 | 0x00000020 |
Name Value (0x420055) | 0x07 | 0x00000005 | mykey
Name Type (0x420054) | 0x05 | 0x00000004 | 0x00000001
Page 9
New key format

What happened to Key Format Type in the previous (MDO) request?
- Key Format Type is not a full-fledged attribute: it lives inside the Key Block, not in the Template-Attribute
- Absence of the key object (no Key Block in the Register payload) => custom MDO key format
- The key format is purely internal to the client holding the key material
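The two Register requests on pages 7 and 8, and the missing Key Format Type discussed on page 9, as a worked example added here (not code from the slides, from SafeNet or from any KMIP library): a small TTLV codec in Python that builds both requests, decodes them back, and runs the one check that matters for MDO, namely whether the Key Material tag (0x420043) appears anywhere on the wire. Tag numbers and enumeration values are the KMIP 1.0 ones; the Request Header contents (Protocol Version 1.0 and Batch Count only), the batch item ID and the 16-byte sample key are assumptions, so the outer Request Message length differs from the slide, while the Template-Attribute, Request Payload and Batch Item lengths reproduce the 0xe8, 0x100 and 0x128 shown in the page 8 dump.

```python
import struct

# KMIP 1.0 tag values (spec section 9.1.3.1); only those the two Register requests use.
TAG = {
    "Request Message": 0x420078, "Request Header": 0x420077, "Protocol Version": 0x420069,
    "Protocol Version Major": 0x42006A, "Protocol Version Minor": 0x42006B, "Batch Count": 0x42000D,
    "Batch Item": 0x42000F, "Operation": 0x42005C, "Unique Batch Item ID": 0x420093,
    "Request Payload": 0x420079, "Object Type": 0x420057, "Template-Attribute": 0x420091,
    "Attribute": 0x420008, "Attribute Name": 0x42000A, "Attribute Value": 0x42000B,
    "Name Value": 0x420055, "Name Type": 0x420054, "Symmetric Key": 0x42008F,
    "Key Block": 0x420040, "Key Format Type": 0x420042, "Key Value": 0x420045,
    "Key Material": 0x420043, "Cryptographic Algorithm": 0x420028, "Cryptographic Length": 0x42002A,
}
STRUCTURE, INTEGER, ENUMERATION, TEXT, BYTES = 0x01, 0x02, 0x05, 0x07, 0x08  # TTLV item types

def ttlv(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte length, then the value padded to 8 bytes."""
    if typ == STRUCTURE:
        body = b"".join(value)                       # children are already encoded
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if typ == INTEGER else ">I", value)
    elif typ == TEXT:
        body = value.encode("utf-8")
    else:                                            # BYTES
        body = bytes(value)
    header = struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)  # length field excludes the padding

def attribute(name, typ, value):
    """Template-Attribute entry: Attribute Name plus a typed Attribute Value."""
    return ttlv(TAG["Attribute"], STRUCTURE, [ttlv(TAG["Attribute Name"], TEXT, name),
                                              ttlv(TAG["Attribute Value"], typ, value)])

def name_attribute(text):
    """Name attribute; Name Type 1 = Uninterpreted Text String."""
    return attribute("Name", STRUCTURE, [ttlv(TAG["Name Value"], TEXT, text),
                                         ttlv(TAG["Name Type"], ENUMERATION, 1)])

def register_request(payload_items):
    """One-item Register batch. Assumed header: only the mandatory Protocol Version (1.0) and
    Batch Count, so the outer message is 0x170 bytes, not the 0x180 of the page 8 dump."""
    header = ttlv(TAG["Request Header"], STRUCTURE, [
        ttlv(TAG["Protocol Version"], STRUCTURE, [ttlv(TAG["Protocol Version Major"], INTEGER, 1),
                                                  ttlv(TAG["Protocol Version Minor"], INTEGER, 0)]),
        ttlv(TAG["Batch Count"], INTEGER, 1)])
    item = ttlv(TAG["Batch Item"], STRUCTURE, [
        ttlv(TAG["Operation"], ENUMERATION, 3),                    # 3 = Register
        ttlv(TAG["Unique Batch Item ID"], BYTES, b"0"),            # assumed batch item id
        ttlv(TAG["Request Payload"], STRUCTURE, payload_items)])
    return ttlv(TAG["Request Message"], STRUCTURE, [header, item])

def regular_register(key):
    """Page 7 request: the Symmetric Key's Key Block carries the raw key bytes, so the
    secret itself crosses the wire to the server."""
    return register_request([
        ttlv(TAG["Object Type"], ENUMERATION, 2),                  # 2 = Symmetric Key
        ttlv(TAG["Template-Attribute"], STRUCTURE, [
            attribute("Cryptographic Usage Mask", INTEGER, 0x07), name_attribute("mykey")]),
        ttlv(TAG["Symmetric Key"], STRUCTURE, [ttlv(TAG["Key Block"], STRUCTURE, [
            ttlv(TAG["Key Format Type"], ENUMERATION, 1),          # 1 = Raw
            ttlv(TAG["Key Value"], STRUCTURE, [ttlv(TAG["Key Material"], BYTES, key)]),
            ttlv(TAG["Cryptographic Algorithm"], ENUMERATION, 3),  # 3 = AES
            ttlv(TAG["Cryptographic Length"], INTEGER, 8 * len(key))])])])

def mdo_register():
    """Page 8 request: no Symmetric Key or Key Block at all. Algorithm and length travel as
    ordinary attributes, and Key Format Type has nowhere to appear (page 9)."""
    return register_request([
        ttlv(TAG["Object Type"], ENUMERATION, 2),
        ttlv(TAG["Template-Attribute"], STRUCTURE, [
            attribute("Cryptographic Algorithm", ENUMERATION, 3),
            attribute("Cryptographic Length", INTEGER, 128),
            attribute("Cryptographic Usage Mask", INTEGER, 0x07),
            name_attribute("mykey")])])

def walk(buf, depth=0):
    """Decode TTLV into (tag, type, length, depth) tuples, recursing into structures."""
    items, off = [], 0
    while off + 8 <= len(buf):
        tag = int.from_bytes(buf[off:off + 3], "big")
        typ, length = buf[off + 3], int.from_bytes(buf[off + 4:off + 8], "big")
        items.append((tag, typ, length, depth))
        if typ == STRUCTURE:
            items.extend(walk(buf[off + 8:off + 8 + length], depth + 1))
        off += 8 + length + (-length % 8)                 # step over value and padding
    return items

def carries_key_material(msg):
    """The check an MDO-only server or a sensor on the KMIP link would run: is tag 0x420043 present?"""
    return any(tag == TAG["Key Material"] for tag, _, _, _ in walk(msg))

def length_of(msg, tag):
    """Encoded length of the first item with this tag, for comparison with the page 8 dump."""
    return next(length for t, _, length, _ in walk(msg) if t == tag)
```

With a constructed 16-byte key such as `bytes(range(16))`, `carries_key_material(regular_register(key))` is true and `carries_key_material(mdo_register())` is false, which is the whole point of the MDO design: the server can enforce "never accept key material" by rejecting any Register whose TTLV tree contains 0x420043, and a monitor on the link can alarm on the same tag. `walk` also shows that the MDO request contains no Key Format Type item at all, matching page 9.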
Page 10
KMIP Updates for MDO keys
- Cryptographic Domain Parameters
  o Crypto domain parameters need to be part of the Register command as well, not only Create Key Pair (an MDO Register carries no Key Block that could hold them)
- ECC Enumeration
  o Need a broader set of supported curves
Page 11
Questions?
Thank you.