Key Management Interoperability Protocol


The Key Management Interoperability Protocol (KMIP) is a communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. Keys may be created on a server and then retrieved, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also defines messages that can be used to perform cryptographic operations on the server, such as encrypt and decrypt.

The KMIP standard is now widely accepted in the industry. Vendors have demonstrated interoperable clients and servers, which are commercially available, at every recent RSA Conference. The KMIP standard effort is governed by the OASIS standards body. Technical details can also be found on the official KMIP page and wiki.

Description

A KMIP server stores and controls Managed Objects such as symmetric and asymmetric keys, certificates, and user-defined objects. Clients then use the protocol to access these objects, subject to a security model that is implemented by the server. Operations are provided to create, locate, retrieve and update managed objects.

Each managed object has an immutable Value, such as a key block that contains a cryptographic key. Objects also carry mutable Attributes, which are used to store metadata about the keys. Some attributes are derived directly from the Value, such as the cryptographic algorithm and length of a key, and cannot be set by the client. Other attributes are defined in the specification for the management of objects, such as the Application Specific Information attribute, which in the tape use case is usually derived from tape identification data. Additional attributes can be defined by the server or client as needed by the application.

Each object is identified by a unique and immutable object identifier (the Unique Identifier) that is generated by the server and is used to Get object values. Managed objects may also be given a number of mutable but globally unique Name attributes, which can be used to Locate objects.

The types of managed object that are managed by KMIP include:

  • Symmetric Keys.
  • Public and Private Keys.
  • Certificates and PGP Keys.
  • Split Keys.
  • Secret Data (passwords).
  • Opaque Data for client- and server-defined extensions.

The operations provided by KMIP include:

  • Create -- to create a new managed object such as a symmetric key, and return its identifier.
  • Get -- to retrieve an object's value given its unique identifier.
  • Register -- to store an externally generated key value.
  • Add Attribute, Get Attributes, and Modify Attribute -- to manipulate the attributes of a managed object.
  • Locate -- to retrieve a list of object identifiers based on a conjunction of predicates over attributes.
  • Re-key -- to create a new key that can replace an existing key.
  • Create Key Pair -- to create asymmetric keys.
  • Certify and Re-certify -- to obtain or renew a certificate.
  • Split and Join -- to split a key into n of m shares and to rejoin it.
  • Encrypt, Decrypt, MAC etc. -- cryptographic operations performed on the key management server.
  • Export and Import -- to move keys to and from other KMIP servers.
  • Operations to implement the NIST key life cycle.

Each key has a cryptographic state such as Pre-Active, Active, Deactivated, or Compromised. Operations are provided that move a key between states in conformance with the NIST key life cycle guidelines, and a transition that the life cycle does not allow (for example, activating a key that has already been deactivated) is rejected. The date of each transition is recorded, such as the date that a key was activated. Dates can be specified in the future so that keys automatically become unavailable for specified operations as they expire; for example, a deactivated key can no longer be used to protect data, although it may still be used to process data that it protected earlier.
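The object model and life cycle described above, as an added example that is not code from the OASIS specification or from any KMIP product: a small in-memory store with server-generated immutable identifiers, derived attributes that clients cannot set, globally unique Name attributes, Locate as a conjunction of attribute predicates, and dated state transitions with a scheduled Deactivation Date. The transition table and the mapping of Encrypt/Decrypt to states are assumptions modelled on the KMIP/NIST SP 800-57 life cycle, not a transcription of the spec's state machine.

```python
"""Toy in-memory model of a KMIP managed-object store.  Added example; not
from the OASIS spec or any KMIP implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import itertools
import os

ONE_DAY = timedelta(days=1)

# Permitted transitions.  Assumption: modelled on the KMIP/NIST SP 800-57
# life cycle (Pre-Active, Active, Deactivated, Compromised, Destroyed,
# Destroyed Compromised); check the spec version you target.
TRANSITIONS = {
    "Pre-Active": {"Active", "Compromised", "Destroyed"},
    "Active": {"Deactivated", "Compromised"},
    "Deactivated": {"Destroyed", "Compromised"},
    "Compromised": {"Destroyed Compromised"},
    "Destroyed": {"Destroyed Compromised"},
    "Destroyed Compromised": set(),
}
# Assumption following SP 800-57: a deactivated key may still process
# (decrypt) data it protected earlier, but may not protect (encrypt) new data.
USAGE = {"Encrypt": {"Active"}, "Decrypt": {"Active", "Deactivated"}}
DERIVED = ("Cryptographic Algorithm", "Cryptographic Length")  # set from the Value only

def now_utc():
    return datetime.now(timezone.utc)

@dataclass
class ManagedObject:
    uid: str                                   # server-generated, immutable
    value: bytes                               # key block; never modified in place
    attributes: dict = field(default_factory=dict)

class KeyStore:
    def __init__(self):
        self._objects = {}
        self._uids = itertools.count(1)

    def _assert_unique_name(self, name):
        if any(name in o.attributes["Name"] for o in self._objects.values()):
            raise ValueError(f"Name {name!r} already in use")

    def create(self, algorithm, length_bits, name=None):
        """Create: generate a symmetric key, return its Unique Identifier."""
        if name is not None:
            self._assert_unique_name(name)
        uid = str(next(self._uids))
        self._objects[uid] = ManagedObject(uid, os.urandom(length_bits // 8), {
            "Cryptographic Algorithm": algorithm, "Cryptographic Length": length_bits,
            "State": "Pre-Active", "Initial Date": now_utc(),
            "Name": [] if name is None else [name]})
        return uid

    def get(self, uid):
        """Get: the Value for a Unique Identifier."""
        return self._objects[uid].value

    def add_attribute(self, uid, attr, value):
        """Add Attribute: derived attributes are read-only, Names globally unique."""
        if attr in DERIVED:
            raise ValueError(f"{attr} is derived from the Value")
        if attr == "Name":
            self._assert_unique_name(value)
            self._objects[uid].attributes["Name"].append(value)
        else:
            self._objects[uid].attributes[attr] = value

    def locate(self, predicates):
        """Locate: identifiers of objects satisfying every predicate (a conjunction)."""
        def match(obj, attr, want):
            have = obj.attributes.get(attr)
            return want in have if attr == "Name" else have == want
        return [o.uid for o in self._objects.values()
                if all(match(o, a, v) for a, v in predicates.items())]

    def _transition(self, uid, new_state, date_attr):
        attrs = self._objects[uid].attributes
        if new_state not in TRANSITIONS[attrs["State"]]:
            raise ValueError(f"{attrs['State']} -> {new_state} is not a legal transition")
        attrs["State"] = new_state
        attrs[date_attr] = now_utc()           # record when the transition happened

    def activate(self, uid, deactivation_date=None):
        """Activate, optionally scheduling a future Deactivation Date."""
        self._transition(uid, "Active", "Activation Date")
        if deactivation_date is not None:
            self._objects[uid].attributes["Deactivation Date"] = deactivation_date

    def revoke(self, uid, compromised=False):
        state = self._objects[uid].attributes["State"]
        if not compromised:
            self._transition(uid, "Deactivated", "Deactivation Date")
        else:
            target = "Destroyed Compromised" if state == "Destroyed" else "Compromised"
            self._transition(uid, target, "Compromise Date")

    def destroy(self, uid):
        obj = self._objects[uid]
        target = "Destroyed Compromised" if obj.attributes["State"] == "Compromised" else "Destroyed"
        self._transition(uid, target, "Destroy Date")
        obj.value = b""                        # key material is gone; attributes stay for audit

    def effective_state(self, uid, at=None):
        """State as seen at time `at`: a scheduled Deactivation Date that has
        passed makes an Active key Deactivated without an explicit Revoke."""
        attrs = self._objects[uid].attributes
        deact = attrs.get("Deactivation Date")
        if attrs["State"] == "Active" and deact is not None and (at or now_utc()) >= deact:
            return "Deactivated"
        return attrs["State"]

    def permitted(self, uid, operation, at=None):
        """Would the server allow `operation` with this key at time `at`?"""
        return self.effective_state(uid, at) in USAGE[operation]
```

A real server enforces the same rules per client identity (the security model the text mentions), and a Get of a destroyed object fails rather than returning an empty value; both are left out here to keep the life-cycle logic visible.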

KMIP is a network protocol rather than an application programming interface like PKCS #11. It has a binary format consisting of nested Tag, Type, Length and Value (TTLV) items, similar to, but not compatible with, ASN.1 BER/DER encoding: each item carries a three-byte tag, a one-byte type, a four-byte big-endian length, and the value padded to an eight-byte boundary, with structures simply containing further items. TLS is mandated for link-level security in communication between clients and servers. The TTLV is normally transmitted raw, but it may optionally be wrapped in HTTPS. Profiles also provide well-defined XML and JSON encodings of the protocol for environments where binary is not appropriate.
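The TTLV encoding, as an added example that is not code from the OASIS specification or from any KMIP implementation: an encoder and decoder for the item types, plus a builder for a complete Get request. Type codes and the tag values for the request are transcribed from the KMIP 1.x tag and type tables (verify them against the spec version you target); the three byte strings checked in the test are the encoding examples given in the spec, which use 0x420020 as a sample tag. The decoder checks every length against the buffer before slicing, because a length field from the wire is attacker-controlled and a naive slice would silently return short data or, in a language without bounds checks, read past the message.

```python
"""Minimal KMIP TTLV codec and Get request builder.  Added example; not
code from the OASIS specification or any KMIP product."""
import struct

# Item type codes from the KMIP type table
(STRUCTURE, INTEGER, LONG_INTEGER, BIG_INTEGER, ENUMERATION,
 BOOLEAN, TEXT_STRING, BYTE_STRING, DATE_TIME, INTERVAL) = range(1, 11)
# Fixed-size types: struct format (length field must equal its size)
PACK = {INTEGER: ">i", ENUMERATION: ">I", INTERVAL: ">I",
        LONG_INTEGER: ">q", DATE_TIME: ">q", BOOLEAN: ">Q"}
# Tags used by the Get request, transcribed from the KMIP 1.x tag table
TAG_REQUEST_MESSAGE, TAG_REQUEST_HEADER = 0x420078, 0x420077
TAG_PROTOCOL_VERSION, TAG_VERSION_MAJOR, TAG_VERSION_MINOR = 0x420069, 0x42006A, 0x42006B
TAG_BATCH_COUNT, TAG_BATCH_ITEM, TAG_OPERATION = 0x42000D, 0x42000F, 0x42005C
TAG_REQUEST_PAYLOAD, TAG_UNIQUE_IDENTIFIER = 0x420079, 0x420094
OP_GET = 0x0A                      # Operation enumeration value for Get

def encode(tag, typ, value):
    """One TTLV item.  A Structure's value is a list of (tag, type, value)."""
    if typ == STRUCTURE:
        body = b"".join(encode(*item) for item in value)
    elif typ in PACK:
        body = struct.pack(PACK[typ], int(value))
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    elif typ == BYTE_STRING:
        body = bytes(value)
    elif typ == BIG_INTEGER:        # two's complement, sign-extended to a multiple of 8 bytes
        n = (value.bit_length() + 8) // 8
        body = value.to_bytes(n + (-n % 8), "big", signed=True)
    else:
        raise ValueError(f"unknown item type {typ}")
    # Length counts value bytes only; the value is then zero-padded to 8.
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)

def decode(data, offset=0):
    """Parse one item at `offset`; returns ((tag, type, value), next_offset).
    Lengths are validated against the buffer before any slice is taken."""
    if len(data) - offset < 8:
        raise ValueError("truncated TTLV header")
    tag = int.from_bytes(data[offset:offset + 3], "big")
    typ = data[offset + 3]
    length, = struct.unpack(">I", data[offset + 4:offset + 8])
    start, end = offset + 8, offset + 8 + length
    next_offset = end + (-length % 8)
    if next_offset > len(data):
        raise ValueError("TTLV length exceeds message")
    if typ in PACK and length != struct.calcsize(PACK[typ]):
        raise ValueError(f"type {typ} must have length {struct.calcsize(PACK[typ])}")
    raw = data[start:end]
    if typ == STRUCTURE:
        items, pos = [], start
        while pos < end:            # each child advances by at least 8 bytes
            item, pos = decode(data, pos)
            items.append(item)
        if pos != end:
            raise ValueError("structure length does not match its contents")
        value = items
    elif typ in PACK:
        value, = struct.unpack(PACK[typ], raw)
        if typ == BOOLEAN:
            value = bool(value)
    elif typ == TEXT_STRING:
        value = raw.decode("utf-8")
    elif typ == BYTE_STRING:
        value = bytes(raw)
    elif typ == BIG_INTEGER:
        value = int.from_bytes(raw, "big", signed=True)
    else:
        raise ValueError(f"unknown item type {typ}")
    return (tag, typ, value), next_offset

def get_request(unique_identifier, version=(1, 2)):
    """A complete KMIP Get request for one managed object."""
    return encode(TAG_REQUEST_MESSAGE, STRUCTURE, [
        (TAG_REQUEST_HEADER, STRUCTURE, [
            (TAG_PROTOCOL_VERSION, STRUCTURE, [
                (TAG_VERSION_MAJOR, INTEGER, version[0]),
                (TAG_VERSION_MINOR, INTEGER, version[1])]),
            (TAG_BATCH_COUNT, INTEGER, 1)]),
        (TAG_BATCH_ITEM, STRUCTURE, [
            (TAG_OPERATION, ENUMERATION, OP_GET),
            (TAG_REQUEST_PAYLOAD, STRUCTURE, [
                (TAG_UNIQUE_IDENTIFIER, TEXT_STRING, unique_identifier)])])])
```

Over the wire the bytes from get_request would be sent inside a TLS session to the server's KMIP port; the response is decoded with the same decode function, and the same length checks apply to it, since the server's reply is just as untrusted as a client's request from the peer's point of view.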

KMIP also defines a set of profiles, which are subsets of the KMIP specification showing common usage for a particular context, such as a storage array or a tape library, where only part of the protocol is needed.

Relationship to PKCS#11

PKCS#11 is an API used to control hardware security modules (HSMs). It provides cryptographic operations such as Encrypt and Decrypt, together with simple key management operations to support them. Thus there is considerable overlap between the PKCS#11 API and the KMIP wire protocol.

The two standards were originally developed independently. PKCS#11 was created by RSA Security, but the standard is now also governed by an OASIS technical committee. It is the stated objective of both the PKCS#11 and KMIP committees to align the standards where practicable. For example, the PKCS#11 Sensitive and Extractable attributes are being added to KMIP version 1.4. There is considerable overlap between the members of the two technical committees.

Interoperability between implementations

The KMIP standard is defined by a formal specification document together with test cases and profiles that define correct message interchange. These are publicly available from the OASIS website.

Vendors demonstrate interoperability during a process organized by the OASIS Technical Committee in the months before each RSA security conference. These have been held every year since 2010. The following chart shows the number of individual tests performed by each client and server vendor combination since 2012.

Server vendor results are summarized below.

Full details of the results of the 2017 interop can be found at OASIS KMIP Interop results.

The Storage Networking Industry Association (SNIA) announced a formal KMIP conformance testing program in 2014.

Known KMIP Implementations

The number of KMIP implementations has been growing. The OASIS KMIP Technical Committee maintains a list of KMIP implementations known to the TC members, which can be found at

By March 2017 there were 28 interoperable implementations and 61 KMIP products in the list.
