Key Management Interoperability Protocol
The Key Management Interoperability Protocol (KMIP) is a communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. Keys may be created on a server and then retrieved, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also defines messages that can be used to perform cryptographic operation on a server such as encrypt and decrypt.
The KMIP standard is now widely accepted in the industry. At the 2015 RSA Conference 14 vendors demonstrated interoperable clients and servers that are commercially available. The KMIP standard effort is governed by the OASIS standards body. Technical details can also be found on the KMIP page.[1]
With the addition of cryptographic operations, there is considerable overlap between KMIP and the PKCS #11 HSM API. The PKCS #11 standard is now also managed by OASIS, and it is a stated goal of the technical committees to align the two standards.
Description
A KMIP server stores and controls Managed Objects such as Symmetric and Asymmetric keys, Certificates, and user defined objects. Clients then use the protocol to access these objects subject to a security model that is implemented by the servers. Operations are provided to create, locate, retrieve and update managed objects.
Each managed object has an immutable Value, such as a key block that contains a cryptographic key. Objects also carry mutable Attributes, which can be used to store metadata about the keys. Some attributes are derived directly from the Value, such as the cryptographic algorithm and length of a key. Other attributes are defined in the specification for the management of objects, such as the Application Specific Identifier, which is usually derived from tape identification data. Additional identifiers can be defined by the server or client as needed by the application.
Each object is identified by a unique and immutable object identifier that is generated by the server and is used to Get object values. Managed objects may also be given a number of mutable but globally unique Name attributes, which can be used to Locate objects.
The types of managed object that are managed by KMIP include:
- Symmetric Keys.
- Public and Private Keys.
- Certificates and PGP Keys.
- Split Keys.
- Secret Data (passwords).
- Opaque Data for client and server defined extensions.
The operations provided by KMIP include:
- Create -- to create a new managed object such as a symmetric key, and return the identifier.
- Get -- to retrieve an object's value given its unique identifier.
- Register -- to store an externally generated key value.
- Add Attributes, Get Attributes, and Modify Attributes -- to manipulate the attributes of a managed object.
- Locate -- to retrieve a list of objects based on a conjunction of predicates.
- Re-Key -- to create a new key that can replace an existing key.
- Create Key Pair -- to create asymmetric keys.
- (Re-)Certify -- to certify a certificate.
- Split and Join n of m keys.
- Encrypt, Decrypt, MAC etc. -- cryptographic operations performed on the key management server.
- Operations to implement the NIST key life cycle.
Each key has a cryptographic state such as initial, Active, Deactivated or Compromised. Operations are provided that manipulate the state in conformance with the NIST life cycle guidelines. The dates of each transition are recorded, such as the date that a key was activated. Dates can be specified in the future so that keys automatically become unavailable for specified operations as they expire.
KMIP is a network protocol rather than an application programming interface like PKCS #11. It has a binary format consisting of nested Tag, Type, Length and Value (TTLV) structures which is similar to but different from ASN.1 encoding. TLS is mandated for link level security in communication between clients and servers. The TTLV is normally transmitted raw, but it may optionally be wrapped in HTTPS. Profiles also provide well defined XML and JSON encodings of the protocol for environments where binary is not appropriate.
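The TTLV encoding described above, as an added example that is not part of the original article and not code from any KMIP implementation: a minimal encoder and a bounds-checked decoder for the Tag (3 bytes), Type (1 byte), Length (4 bytes) and zero-padded Value layout, used to build a constructed Request Message header. The tag and type constants are the numeric values assigned in the KMIP 1.x specification; since the length field arrives from the peer over the network, the decoder checks it against the buffer before every read.

```python
import struct

STRUCTURE, INTEGER = 0x01, 0x02                               # KMIP item types
REQUEST_MESSAGE, REQUEST_HEADER = 0x420078, 0x420077          # KMIP 1.x tags
PROTOCOL_VERSION, PROTOCOL_VERSION_MAJOR = 0x420069, 0x42006A
PROTOCOL_VERSION_MINOR, BATCH_COUNT = 0x42006B, 0x42000D

def encode(tag: int, typ: int, value) -> bytes:
    """Encode one TTLV item; a Structure's value is a list of (tag, typ, value)."""
    if typ == STRUCTURE:
        body = b"".join(encode(*child) for child in value)
    elif typ == INTEGER:
        body = struct.pack(">i", value)            # 4 bytes on the wire, padded to 8
    else:
        raise ValueError("unsupported type %#x" % typ)
    # Length records the unpadded value; the value itself is zero-padded to 8 bytes.
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)

def decode(buf: bytes) -> list:
    """Decode a sequence of TTLV items into [(tag, typ, value), ...].
    The length field comes from the peer, so every read is bounds-checked."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated header at offset %d" % pos)
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ, length = buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        end = pos + 8 + length + (-length % 8)
        if end > len(buf):
            raise ValueError("item at offset %d overruns buffer" % pos)
        raw = buf[pos + 8:pos + 8 + length]
        if typ == STRUCTURE:
            value = decode(raw)
        elif typ == INTEGER:
            if length != 4:
                raise ValueError("Integer must have length 4, got %d" % length)
            value = struct.unpack(">i", raw)[0]
        else:
            raise ValueError("unsupported type %#x" % typ)
        items.append((tag, typ, value))
        pos = end
    return items

def protocol_version_request() -> bytes:
    """Constructed Request Message header announcing KMIP 1.2 with an empty batch."""
    return encode(REQUEST_MESSAGE, STRUCTURE, [(REQUEST_HEADER, STRUCTURE, [
        (PROTOCOL_VERSION, STRUCTURE, [(PROTOCOL_VERSION_MAJOR, INTEGER, 1),
                                       (PROTOCOL_VERSION_MINOR, INTEGER, 2)]),
        (BATCH_COUNT, INTEGER, 0)])])
```

The same header is what a real client sends at the start of every request, wrapped in TLS as the article notes; the other item types (Text String, Byte String, Enumeration, Date-Time) follow the same 8-byte padding rule.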
KMIP also defines a set of profiles: subsets of the KMIP specification that describe the common usage of the protocol in a particular context, such as a storage array or a tape library.
History
Version | Committee Draft | Main Features |
---|---|---|
1.0 | Oct 2010 | Initial version |
1.1 | Jan 2013 | |
1.2 | Jun 2014 | Cryptographic Operations. Introduction of Profiles, including Application Identifiers for tape libraries. |
1.3 | 2015 | Streaming Cryptographic Operations. |
1.4 | In progress | Better asynchronous operations; Import/export of keys to other servers; Export to PKCS #12, Object Collections for ACLs; Better error handling; Protected attributes. |
2.0 | In Planning | Substantial updates and new capability expected. |
KMIP was initially submitted to OASIS for standardization on February 12, 2009. The specification was voted on by members of the KMIP technical committee. Version 1.0 was formally ratified on October 1, 2010.[2]
By 2010 some vendors released or announced planned release dates for updates to their key management products to support KMIP.[3] Vendors demonstrated interoperability at the RSA Conferences held in March 2010, February 2011,[4] 2012,[5] 2013 [6] and 2014.[7]
Use case examples for KMIP outline how messages are formatted and communicated between a KMIP client and a KMIP server, and are available in a variety of formats.[8]
A summary of interoperability results between vendors, from plug-fests and interoperability showcases organised by the OASIS KMIP technical committee, is also available.[9]
There were about sixty-four participants from about thirty organizations on the committee as of January 2012. Eleven companies demonstrated support for the standard at the 2012 RSA conference.[10] Version 1.1 was drafted in July 2011 and approved in January 2013.[11] The first official committee specification draft of Version 1.2 was posted in October 2013.[12] Version 1.2 is currently in public review.[13]
The OASIS KMIP Technical Committee maintains a list of known (to the TC members) KMIP implementations on the KMIP TC Wiki.[14]
The Storage Networking Industry Association (SNIA) announced a formal KMIP conformance testing program in 2014.[15]
Implementations and Interoperability
There are several implementations of KMIP clients and servers. OASIS runs interop tests every year to ensure that different implementations can communicate with each other and are compliant with the KMIP specification. The graph below shows the result of the 2016 tests. Participating vendors were Cryptsoft, Fornetix, HPE, IBM, P6R, QuintessenceLabs, SafeNet, Townsend, and Utimaco.
Known SDK implementations
- Cryptsoft (Clients in C, Java, C++, C-Sharp and Python, Servers in C and Java)[16]
- OASIS KMIP TC Wiki - known KMIP implementations[17]
- Open Source KMIP Server (C Sharp) [18]
- Open Source KMIP Clients (Java, Python) [19] [20]
- P6R (Client in C, C++, Java Native Interface (JNI), Python extension module, and a PKCS#11 KMIP token) [21]
See also
- Encryption
- IEEE P1619 Security in Storage Working Group
- Key (cryptography)
- Key management
References
[1] OASIS KMIP Page.
[2] Mary McRae (October 1, 2010). "Approval of KMIP v1.0 and KMIP Profiles v1.0 as OASIS Standards". tc-announce (Mailing list). Retrieved October 7, 2013.
[3] IBM (August 24, 2010). "IBM Centralizes Management of Encryption Keys Via KMIP". Archived from the original on January 5, 2011. Retrieved October 7, 2013.
[4] "KMIP Interoperability Demonstration". OASIS.
[5] "KMIP Interoperability Demonstration at RSA 2012". OASIS.
[6] "OASIS Security Standards Showcase at RSA Conference & Exposition 2013". OASIS.
[7] "OASIS Security Standards Showcase at RSA Conference & Exposition 2014". OASIS.
[8] Cryptsoft (2012-01-27). "KMIP Use Cases". Retrieved 2013-10-07.
[9] "Summary of interoperability results between vendors". OASIS.
[10] "Eleven Companies Demonstrate Support for KMIP".
[11] "Key Management Interoperability Protocol Specification Version 1.1". Official web site. OASIS. 2013-01-24. Retrieved 2013-10-07.
[12] "Key Management Interoperability Protocol Specification Version 1.2". Official web site. OASIS. 2013-10-31. Retrieved 2013-12-21.
[13] "30-day Public Reviews for 12 #KMIP Committee Specification Drafts and 2 KMIP Committee Note Drafts". Official web site. OASIS. 2014-03-20. Retrieved 2014-03-20.
[14] "OASIS KMIP TC Wiki - known KMIP implementations".
[15] "SNIA KMIP Test Program Announced". Official web site. SNIA. 2014-02-24. Retrieved 2014-03-20.
[16] Cryptsoft. "Key Management Interoperability Protocol SDKs". Cryptsoft. Retrieved October 7, 2013.
[17] "OASIS KMIP Wiki - known KMIP implementations".
[18] "Open source KMIP Server". Retrieved March 20, 2014.
[19] "KMIP4J Open Source Implementation".
[20] "PyKMIP Open Source Implementation".
[21] "SKC Secure KMIP Client SDK". Project 6 Research.