Key Management Interoperability Protocol
The Key Management Interoperability Protocol ( KMIP ) offers a uniform standard for communication between a Key Lifecycle Management System (KLMS) and its clients. This enables central key management to be used and data security to be increased. The protocol is standardized by OASIS .
Protocol definition
The KMIP specification defines what a message must look like and what information can be exchanged. Some functionalities of the client and server , for example error handling, are specified. Others can be implemented as desired. A client or server does not have to implement the complete functionality defined in the protocol, but only what is actually required. The protocol specification does not specify how the authentication between client and server is carried out. However, two authentication profiles are described in an accompanying document. Versions of the TLS are used for both profiles . TLS is not only used for authentication, it also ensures the integrity of the data .
Objects
When it comes to objects, a distinction is made between base objects and managed objects . Base objects are information that specify a managed object . The base objects include, for example, attributes, key value and key wrapping data.
A managed object is an object with cryptographic content that is managed by the KLM system. This includes the various keys and certificates . In addition, templates can be created which enable the administrator of a KLM system to summarize attributes of frequently used processes. For example, a template for a symmetric key can be created in which the algorithm and the length of the key are defined. If a key is to be created according to these specifications, the name of the template is passed instead of the desired attributes. The Secret Data Object (e.g. for passwords ) or the Opaque Object are used to save other objects that are to be kept secret . The data in the Opaque Object need not be able to be interpreted by the server. For example, a key is saved even though the server does not support the encryption algorithm used .
Attributes
There are various attributes to specify the managed objects . In the table all attributes are listed with their most important properties. There are attributes that are mandatory for every object or for certain objects, others are optional. Several instances of some attributes can exist per object. This is important for the link, for example. A public key has a link to the associated private key and, in addition to the certificate, which links the key to an identity. The KMIP specification also describes for each attribute who is allowed to create, change or delete it and for which operations the attribute is set implicitly.
attribute | description |
---|---|
Unique identifier |
|
Surname |
|
Object Type |
|
Cryptographic Algorithm | |
Cryptographic Length |
|
Cryptographic parameters |
|
Cryptographic Domain Parameters |
|
Certificate Type | |
Certificate Identifier |
|
Certificate Subject |
|
Certificate issuer |
|
Digest |
|
Operation Policy Name |
|
Cryptographic Usage Mask |
|
Lease time |
|
Usage limits |
|
State |
|
Initial date |
|
Activation Date |
|
Process Start Date |
|
Protect Stop Date |
|
Deactivation date |
|
Destroy Date |
|
Compromise Occurrence Date |
|
Compromise date |
|
Revocation Reason |
|
Archive Date |
|
Object Group |
|
link |
|
Application Specific Information |
|
Contact information |
|
Last change date |
|
Custom attributes |
|
Operations
A distinction is made between the operations by whom they are initiated. Most of them are client-to-server operations. In addition, there are few server-to-client operations. The KMIP specification describes which information a request and the corresponding response contain. The operations and their most important properties are listed in the following subsections. The division is made according to the purpose of use.
Client-to-server operations
A client can support a subset or all of the operations. If he wants to send several operations to the server at the same time, these can be combined in one message to form a batch .
The table below contains the operations that create a new object or update the content of an existing object. The KLMS can issue certificates itself or request certification from an external service ( certification authority ) .
surgery | description |
---|---|
Create |
|
Create key pair |
|
register |
|
Re-key |
|
Derive Key |
|
Certify |
|
Re-certify |
|
Operations that are needed to find and retrieve objects and to check their usage are listed in the next table.
surgery | description |
---|---|
Locate |
|
Check |
|
Get |
|
The following table shows the operations that relate to the attributes of objects. The desired object is selected with the unique identifier and the attribute is selected with the attribute name.
surgery | description |
---|---|
Get Attributes |
|
Get Attribute List |
|
Add attributes |
|
Modify attributes | Change of an attribute |
Delete attribute | Deleting an attribute |
Operations, which are listed in the next table, deal with the use of objects. As mentioned above, the object is selected by specifying the unique identifier. Some of the following operations may only be requested by certain clients (for example, the administrator or the creator of an object). The identity of these clients must be verified by means of authentication.
surgery | description |
---|---|
Obtain lease |
|
Get Usage Allocation |
|
Activate |
|
Revoke |
|
Destroy |
|
Archives |
|
Recover |
|
Validate |
|
The next table describes the asynchronous operations as well as an operation to poll the server. Operations are said to be asynchronous if the server does not respond immediately. The client can poll to receive the response at a later time. This approach is chosen when operations require a certain processing time (e.g. restoring an object).
surgery | description |
---|---|
Query |
|
Cancel |
|
Poll |
|
Server-to-client operations
For certain processes it makes sense for a KLM server to initiate communication. The server sends the client a request (request message). The client replies with a response message. When using these operations, clients must log on to the server. The type of login is not specified in the protocol . However, authentication is expected to take place to prevent a man-in-the-middle attack .
surgery | description |
---|---|
Notify |
|
Put |
|
Message format
A message always consists of a header , followed by one or more stacked batch objects and optional message extensions.
A distinction is made between two message types in the header: request and response. The protocol version and the batch count are specified in both headers . The batch count indicates how many operations are requested with this message. There is also additional data, depending on the type. A batch object specifies the desired operation and contains all the attributes required for it. The dotted attributes in the following figures are optional.
Tag-Type-Length-Value (TTLV) coding is used to guarantee simple processing (see figure).
- Tag : Identification of the following information of the TTLV segment, coded as a six-digit hexadecimal number , whereby this always starts with 42 ("42XXXX")
- Type : Type of the following information (Structure, Integer, Long Integer, Big Integer, Enumeration, Boolean, Text String, Byte String, Date-Time, Interval)
- Length : Length of the following information in bytes
- Value : The actual value or core of the TTLV segment (coded differently depending on the data type)
Structures are used to create nested content. Further TTLV segments can occur in the value part of a structure. The number of bytes of all elements contained in the structure is then specified as the length of the structure .
Example of message encoding
A message from the KMIP client to the KLMS server to create a symmetric key can look like this, represented as a byte stream in hexadecimal form . Broken down according to the TTLV scheme and interpreted according to the KMIP specification, this message is a request from the client to the server . The client requires a symmetric key for encryption and decryption with the AES algorithm. The key should have a length of 128 bits .
Use cases
Use cases were developed in addition to the specification . The processes of various scenarios and the messages to be exchanged were described. On the one hand, the use cases can be used to understand the flow of communication. On the other hand, an implementation of the KMIP that runs on a KLMS can be tested with it. The use cases only contain realistic applications; they are not suitable for testing possible attacks on the system.
Open source implementation KMIP4J
While some software companies have been working with proprietary implementations of KMIP for a while , there was no freely available software. With KMIP4J there is now an open source implementation of KMIP 1.0. This is available on SourceForge .
Web links
- oasis-open.org / ... - Official website of the committee for the KMIP standard
- wiki.oasis-open.org / ... - reference implementations
- Key Management Interoperability Protocol Specification Version 1.0 (PDF; 2.0 MB)
- Key Management Interoperability Protocol Use Cases Version 1.0 ( MS Word ; 1.0 MB)
- Key Management Interoperability Protocol Usage Guide Version 1.0 ( MS Word ; 453 kB)
- Key Management Interoperability Protocol Profiles Version 1.0 (PDF; 197 kB)
- White Paper: Key Management Interoperability Protocol (PDF; 1.1 MB)
- KMIP4J on Sourceforge
Individual evidence
- ↑ http://xml.coverpages.org/KMIP/KMIP-WhitePaper.pdf
- ↑ Key Management Interoperability Protocol Specification Version 1.0 - OASIS Standard
- ↑ http://docs.oasis-open.org/kmip/spec/v1.0/cs01/kmip-spec-1.0-cs-01.pdf
- ↑ Key Management Interoperability Protocol Profiles Version 1.0 Committee Specification , June 15, 2010, (PDF)
- ↑ Kurose and Ross: Computer Networks - The Top-Down Approach. Pearson Deutschland GmbH, Munich 2012.
- ↑ http://docs.oasis-open.org/kmip/usecases/v1.0/cs01/kmip-usecases-1.0-cs-01.doc