Description Key Management Interoperability Protocol

-



1 description

1.1 message encoding
1.2 kmip profiles
1.3 relationship pkcs#11





description

a kmip server stores , controls managed objects such symmetric , asymmetric keys, certificates, , user defined objects. clients use protocol access these objects subject security model implemented servers. operations provided create, locate, retrieve , update managed objects.


each managed object has immutable value such key block contains cryptographic key. contain mutable attributes can used store meta data keys. attributes derived directly value, such cryptographic algorithm , length of key. other attributes defined in specification management of objects such application specific identifier derived tape identification data. additional identifiers can defined server or client need application.


each object identified unique , immutable object identifier generated server , used object values. managed objects may given number of mutable globally unique name attribute can used locate objects.


the types of managed objects managed kmip include



symmetric keys.
public , private keys.
certificates , pgp keys.
split keys.
secret data (passwords).
opaque data client , server defined extensions.

the operations provided kmip include



create—to create new managed object such symmetric key, , return identifier.
get—to retrieve object s value given unique identifier.
register—to store externally generated key value.
add attributes, attributes, , modify attributes—to manipulate attributes of managed object.
locate—to retrieve list of objects based on conjunction of predicates.
re-key—to create new key can replace existing key.
create key pair—create asymmetric keys.
(re-)certify—to certify certificate.
split , join n of m keys.
encrypt, decrypt, mac etc. -- cryptographic operations performed on key management server.
export , import keys other kmip servers.
operations implement nist key life cycle.

each key has cryptographic state such initial, active, deactive, compromised. operations provided manipulate state in conformance nist life cycle guidelines. dates of each transformation recorded, such date key activated. dates can specified future keys automatically become unavailable specified operations expire.


message encoding

the kmip protocol specifies modified form of type-length-value binary encoding of messages, called ttlv (tag, type, length, value). nested ttlv structures allow encoding of complex, multi-operation messages in single binary message. ttlv encoding has several deliberate design choices:



padding: ttlv aligns data nearest 4 or 8 bytes allow optimal processor alignment.
extensibility: deliberately leaving room within enumerations allow easy addition of new tags, data types , attribute values.
mapping other encodings: protocol allows encoding of kmip messages in form of xml , json, described in kmip additional message encodings document.

there defined xml , json encodings of protocol environments binary not appropriate.


ttlv alone raw binary format , not provide encryption of transmitted messages. tls mandated link level security in communication between clients , servers.


kmip profiles

kmip defines set of profiles, subsets of kmip specification showing common usage particular context. particular kmip implementation said conformant profile when fulfills requirements set forth in profile specification document. oasis has put forth various profiles describing requirements compliance towards storage arrays , tape libraries, organization can create profile.


relationship pkcs#11

pkcs#11 api used control hardware security modules. pkcs#11 provides cryptographic operations encrypt , decrypt, operations simple key management. there considerable amount of overlap between pkcs#11 api , kmip protocol.


the 2 standards developed independently. pkcs#11 created rsa security, standard governed oasis technical committee. stated objective of both pkcs#11 , kmip committees align standards practical. example, pkcs#11 sensitive , extractable attributes being added kmip version 1.4. many of same people on technical committees of both kmip , pkcs#11.








Comments

Post a Comment

Popular posts from this blog

Prosodic bootstrapping Bootstrapping (linguistics)

-
1 prosodic bootstrapping 1.1 prosodic cues syntactic structure 1.2 prosodic cues clauses , phrases 1.3 criticism prosodic bootstrapping even before infants can comprehend word meaning, prosodic details assist them in discovering syntactic boundaries. prosodic bootstrapping or phonological bootstrapping investigates how prosodic information — includes stress, rhythm, intonation, pitch, pausing, dialectal features — can assist child in discovering grammatical structure of language or acquiring. in general, prosody introduces features reflect either attributes of speaker or of utterance type. speaker attributes include emotional state, presence of irony or sarcasm. utterance-level attributes used mark questions, statements, , commands, , can used mark contrast. prosodic features associated speaker: emotional state, irony, sarcasm prosodic features associate utterance type: question, statement, command, contrast similarly, in sign language, prosody includes facial expression, mouthing, , r...
Read more

Principal leitmotifs Music of The Lord of the Rings film series

-
1 principal leitmotifs 1.1 first appearance in fellowship of ring 1.2 first appearance in 2 towers 1.3 first appearance in return of king 1.4 reprised themes hobbit 1.5 themes of hobbit principal leitmotifs howard shore s composition not carry motifs on either other scores of career or passages of existing film or stage music, exception of 1 intentional nod richard wagner on end-credits of third film. shore wrote long series of interrelated leitmotifs used, developed, combined or fragmented throughout 3 scores. motifs attached places, cultures, characters, objects , occurrences. while stage , film composers deviated meaning of themes , used them romantically (i.e. suggestion of mood) shore refrains using technique. several pieces feature intriguing thematic choices choosing history of 1 ring theme passage of argonath or ringwraith theme orc armies in prologue (and again azog in hobbit) neither outright romantic in application , can explained. history of ring being main theme o...
Read more

List of masters Devon and Somerset Staghounds

-
1 list of masters 1.1 north devon staghounds 1.2 chichester s hounds 1.3 devon , somerset staghounds list of masters hugh pollard , master in 1598. (sir hugh ii pollard of king s nympton, father of sir lewis pollard, 1st baronet (c. 1578–c.  1645)) edward ii dyke (d. 1746), portrait circa 1741 attributed thomas hudson (1701–1779), national trust, collection of dunster castle edward dyke (d. 1746), of pixton, in somerset, (eldest brother of thomas dyke (d. 1745) of tetton , of john dyke (d. 1732) of holnicote, in somerset), warden , lesee of royal forest of exmoor , master of staghounds, office held warder. married margaret trevelyan, daughter of sir john trevelyan, 2nd baronet (1670–1755), of nettlecombe in somerset, , widow of alexander luttrell (1705–1737) of dunster castle. edward inherited holnicote , estates in bampton brother john dyke (d. 1732), died without progeny. died without progeny , bequeathed pixton , holnicote niece elizabeth dyke (d. 1753), whom appointed sole executo...
Read more