customers - cryptsoft · r • full oasiskmip compliance versions: 1.0,1.1,1.2,1.3,1.4,2.0 * •...


Post on 26-May-2020


Page 1: CUSTOMERS - Cryptsoft • Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0* • Guaranteed interoperability with all released KMIP server products • Available as a binary SDK


CUSTOMERS

Cryptsoft’s valued customers include:

PARTNERS

Cryptsoft’s valued partners include:


Where do our customers and partners use Cryptsoft SDKs?

Storage Infrastructure & Security

Cloud

• Disk Arrays, Flash Storage Arrays
• NAS Appliances
• Tape Libraries, Virtual Tape Libraries
• Hyper-Converged Storage
• Encrypting Switches
• Storage Key Managers
• Storage Controllers
• Storage Operating Systems
• Key Managers
• Hardware Security Modules
• Encryption Gateways
• Virtualization Managers
• Virtual Storage Controllers
• Network Computing Appliances
• Secure Application Development
• Defense and IC Applications
• Key Managers
• Compliance Platforms
• Information Managers
• Enterprise Gateways and Security
• Enterprise Authentication
• Endpoint Security
• Financial Services Applications
• Banking Applications

How are Cryptsoft's customers using our SDKs to overcome new security challenges?

Use Case 1:

A Fortune 500 e-commerce company had reached the functionality and performance limits of their existing PKI solution. Cryptsoft SDKs were used to develop a standards-conformant, scalable solution that enhanced visibility and control of certificate issuance and management, whilst delivering the flexibility and performance required to meet future business needs.

Use Case 2:

A large governmental entity needed a self-contained, portable key management solution able to be deployed globally as part of an existing network of compartmentalised, secure data storage appliances. Cryptsoft SDKs were used to deliver the key management capability used to ensure each implementation remained independently operational, yet able to act as part of a wider, global management infrastructure.

Use Case 3:

An ERP company’s cloud division needed to obtain customer specific encryption keys from a range of on-premise and off-premise key management assets. Cryptsoft SDKs were used to develop a single, standards-based marshalling and brokerage solution that provided data and access management control, enabling full customer segregation and GDPR compliance.


KEY MANAGEMENT SDKS
COMPLETE VENDOR-INDEPENDENT KEY MANAGEMENT SOLUTION

Cryptsoft’s Key Management SDKs enable rapid addition of interoperable key management functionality to your existing products.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.

As the security market’s preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential.

Using the Cryptsoft SDKs in ANSI C, C++, C#, Java and Python, you can support KMIP key management protocols with a single, consistent interface and provide your customers with a complete vendor independent key management solution to manage all of the points of encryption within your enterprise.

POINTS OF ENCRYPTION

[Figure: points of encryption across Mobile PC, PC, Server, File Server, Appliance, Network, Storage Array, NAS and Tape Library, each marked with a level number from the legend.]

LEGEND
1 Application Level
2 Filesystem Level
3 Network Level
4 Device Level

Source: ISO/IEC 27040 - Information technology - Security techniques - Storage security

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP server products
• Available as a binary SDK
  ▫ Source license option
• Comprehensive example code
  ▫ Custom examples available for rapid integration
• Supported on over 35 different platforms including Linux, Windows and a range of embedded platforms
  ▫ Custom platform ports on request


KEY MANAGEMENT SDKS
COMPLETE VENDOR-INDEPENDENT KEY MANAGEMENT SOLUTION

Features

• Comprehensive example code
• Source licence option
• Supports KMIP v1.0, v1.1, v1.2, v1.3, v1.4, v2.0*
• Supports proprietary key management protocols (optional plugins to C SDK)

Supported Databases

• Oracle MySQL
• Oracle Database
• Microsoft SQL Server
• SQLite
• IBM DB2
• PostgreSQL
• Embedded (lightweight)
• HSQLDB

Supported Hardware Security Modules and Random Number Generators

• SafeNet - Luna PCI (RNG/HSM) [PKCS#11]
• SafeNet - Protect Server (RNG/HSM) [PKCS#11]
• Thales e-Security - nShield Connect (RNG/HSM) [PKCS#11]
• Thales e-Security - nShield Edge (RNG/HSM) [PKCS#11]
• Thales e-Security - nShield Solo (RNG/HSM) [PKCS#11]
• Utimaco CryptoServer CSe10 PCIe/LAN (RNG/HSM) [PKCS#11]
• Utimaco CryptoServer CSe100 PCIe/LAN (RNG/HSM) [PKCS#11]
• Whitewood EntropyEngine (RNG)
• ID Quantique - Quantis USB (RNG) [Vendor]
• ID Quantique - Quantis PCI (RNG) [Vendor]
• ID Quantique - Quantis PCIe (RNG) [Vendor]
• Feitian - ePass [PKCS#11]
• Oracle - SCA6000 [PKCS#11]
• SafeNet - Luna SA4/SA5 (RNG/HSM) [PKCS#11]
• SafeNet - Luna CA (RNG/HSM) [PKCS#11]

Supported One Time Password Devices

• Android [OATH-TOTP] [Soft Token]
• Cryptsoft [OATH-TOTP]
• Feitian [OATH-HOTP/TOTP]
• Apple [OATH-TOTP] [Soft Token]
• Google Authenticator [OATH-TOTP] [Soft Token]
• FIDO Devices [U2F]
• Mi-Token [OATH-TOTP] [Soft Token]
• RSA Security SecurID [SecurID]
• Litheware Tombé [OATH-HOTP] [YubiKey]
• Yubico [OATH-HOTP/TOTP] [YubiKey]

Client SDK Products

• KMIP C Client SDK
• KMIP C Client SDK SGX Module
• KMIP C++ Client SDK
• KMIP C++ Client SDK SGX Module
• KMIP C# Client SDK
• KMIP Java Client SDK
• KMIP Python Client SDK
• KMIP C Client Layered Protocol SDKs for Proprietary Protocols
• KMIP C Client PKCS11 Adapter
• KMIP RKM/DPM C Client SDK
• KMIP C Client Oracle TDE & Microsoft BitLocker
• KMIP C Client Layered Protocol SDK
• KMIP C Interoperability Test Suite
• KMIP Java Interoperability Test Suite
• Online Test Service (XML/JSON)

Server SDK Products

• KMIP C Server SDK
• KMIP C Server SDK SGX Module
• KMIP Java Server SDK
• KMIP Alert Server SDK
• KMIP Server VM Subscription (Annual - C or Java)
• KMIP Server Administration Interface (for C or Java Server SDK)
• KMIP C Proxy Servers for Proprietary Protocols
• KMIP C Server Integration Modules (PKCS11, HSM, RNG)
• KMIP C Server Integration Module (HSM) SGX Module
• KMIP C Server Integration Module (RNG) SGX Module
• KMIP C Server Integration Module (Audit/Analytics)
• KMIP C Server OTP Server Module
• PKCS#11 C Provider SDK SGX Module
• PKCS#11 C Consumer SDK SGX Module
• SQLite3 SDK SGX Module
• Object Store SDK SGX Module


KMIP CLIENT SDKS
C, C++, C#, JAVA, PYTHON

A complete range of vendor-independent key management solutions

Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications.

Reduce time to market, KMIP-enable your solution within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.

From specialised embedded systems through to scalable, whole of enterprise and government solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.

[Figure: Key Management Interoperability Protocol (KMIP) diagram. Labels: KMIP Server SDK (C, Java); KMIP Client SDK (C, C++, C#, Java, Python); KMS-SGX; KMIP; HSM.]


KMIP CLIENT SDKS SPECIFICATIONS
C, C++, C#, JAVA, PYTHON

KMIP Object Types

• Certificate
• Certificate Request (2.0)
• Opaque Object
• PGP Key
• Private Key
• Public Key
• Secret Key
• Split Key
• Symmetric Key
• Template

Supported Cryptographic Providers

• OpenSSL 1.0.x
• OpenSSL 1.1.x
• OpenSSL FIPS 2.0
• OpenSSL 0.9.8 (option)
• Sun/Oracle JCE
• IBM JCE
• RSA BSAFE MES 3.x, 4.x (option)
• RSA BSAFE Share-C (option)
• RSA BSAFE Crypto-J
• Bouncy Castle JCE
• wolfSSL

Supported KMIP Operations

• Activate
• Add Attribute
• Archive
• Cancel
• Certify
• Check
• Create
• Create Key Pair
• Create Split Key
• Decrypt
• Delete Attribute
• Derive Key
• Destroy
• Discover Versions
• Encrypt
• Export (1.4)
• Get
• Get Attribute List
• Get Attributes
• Get Usage Allocation
• Hash
• Import (1.4)
• Join Split Key
• Locate
• Log (2.0)
• MAC
• MAC Verify
• Modify Attribute
• Notify
• Obtain Lease
• Poll
• Put
• Query
• Re-certify
• Recover
• Register
• Re-key
• Re-key Key Pair
• Revoke
• RNG Retrieve
• RNG Seed
• Sign
• Signature Verify
• Validate

KMIP Client Examples

• Simple Protocol Format Parsing: TTLV, HEX, BIN, JSON, XML
• Simple Servers: Query, Notify, Put
• Simple Clients: Locate Objects, Create and Return Objects
• Locating Managed Objects: Simple, Extended, IBM TKLM/SKLM, XML
• KMIP Standard Operations: Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-key, Re-key Key Pair, Archive, Recover, Activate, Derive Key
• Creating Keys: Simple, Advanced, Extensions
• Managing Attributes: Add, Modify, Delete Attribute
• Linear Tape Open (LTO): LTO-4 Key Management, LTO-5/6 Key Management, KAD, AKAD, UKAD naming, Generic LTO-4
• Random Number Generator (RNG): Retrieve Server RNG, Seed Server RNG
• Server Cryptographic Operations: Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash
• Determine Capabilities: Server SDK Version, Discover Protocol Versions, Query Server Basic, Query Server Extensions, Query Advanced Capabilities
• Split Key (Multi-Party Controls): Create Split Key, Join Split Key
• Cryptsoft Vendor Extensions: SQL Insert, SQL Update, SQL Delete
• Generic Multi-protocol Key Handling: Get Key, Put Key, Del Key
• Request/Response Handling: Recording, Replaying, Batching, Bulk Data Loading
• Client Credential Handling: Password-protected TLS Credentials, Device Credentials, IBM TKLM/SKLM

Supported KMIP Profiles

• Advanced Cryptographic Client (1.2)
• Advanced Symmetric Key Foundry Client
• AES XTS Client
• Asymmetric Key Lifecycle Client
• Baseline Client Basic
• Baseline Client TLS v1.2
• Basic Cryptographic Client (1.2)
• Basic Symmetric Key Foundry Client
• HTTPS Client
• Intermediate Symmetric Key Foundry Client
• JSON Client
• Opaque Managed Object Store Client
• RNG Cryptographic Client (1.2)
• Storage Array With SED Client
• Suite-B MinLOS_128 Client
• Suite-B MinLOS_192 Client
• Symmetric Key Lifecycle Client
• Tape Library Client
• XML Client

Supported Encodings

• TTLV
• HTTPS/TTLV
• HTTPS/JSON
• HTTPS/XML

Supported KMIP Servers

• Cryptsoft
• DellEMC
• Fornetix
• Hewlett Packard Enterprise
• HyTrust
• IBM
• Kryptus
• MarkLogic
• Micro Focus
• Oracle
• Quintessence Labs
• SafeNet
• Thales
• Townsend Security
• Trend Micro
• Unbound
• Vormetric
• Zettaset


KMIP SERVER SDKS
C, JAVA

A complete range of vendor-independent key management solutions

Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications.

Reduce time to market, KMIP-enable your solution within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.

From specialised embedded systems through to scalable, whole of enterprise and government solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.


KMIP SERVER SDKS SPECIFICATIONS
C, JAVA

KMIP Server Examples

• Simple Protocol Format Parsing: TTLV, HEX, BIN, JSON, XML
• Simple Clients Operations: Locate Objects, Create and Return Objects
• Locating Managed Objects: Simple, Extended, IBM TKLM/SKLM, XML
• KMIP Standard Operations: Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-key, Re-key Key Pair (1.1), Archive, Recover, Activate, Derive Key
• Server Cryptographic Operations (1.2): Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash
• Managing Attributes: Add, Modify, Delete Attribute
• Random Number Generator (RNG) (1.2): Retrieve Server RNG, Seed Server RNG
• Split Key (Multi-Party Controls) (1.2): Create Split Key, Join Split Key
• Creating Keys: Simple, Advanced, Extensions
• Determine Capabilities: Server SDK Version, Discover Protocol Versions (1.1), Query Server Basic, Query Server Extensions (1.1), Query Advanced Capabilities (1.3)
• Cryptsoft Vendor Extensions: SQL Insert, SQL Update, SQL Delete
• Request/Response Handling: Recording, Replaying, Batching, Bulk Data Loading
• Administration: Create, Modify, Delete Users, Partitions, Groups, Manage Group Privileges, Serialize, Deserialize Managed Objects
• Database: Schema Management and Migration Fixture Loading, SQL Replay
• Simple Servers: Query, Notify, Put
• JCE Examples: Key Store Provider

Supported Databases

• HSQLDB
• SQLite3
• MySQL 5.x
• Oracle 11.x, 12.x
• SQL Server 2003+
• IBM DB2 9 & 10
• PostgreSQL 8 & 9

Supported Cryptographic Providers

• OpenSSL 1.0.x
• OpenSSL 1.1.x
• OpenSSL 0.9.8 (option)
• OpenSSL FIPS 2.0
• Sun/Oracle JCE
• IBM JCE
• RSA BSAFE Crypto-J
• Bouncy Castle JCE

Supported Encodings

• TTLV
• HTTPS/TTLV
• HTTPS/JSON
• HTTPS/XML

Supported KMIP Profiles

• Advanced Cryptographic Server (1.2)
• AES XTS Server
• Asymmetric Key Lifecycle Server
• Baseline Server Basic
• Baseline Server TLS v1.2
• Basic Cryptographic Server (1.2)
• Complete Server Basic
• Complete Server TLS v1.2
• HTTPS Server
• JSON Server
• Opaque Managed Object Store Server
• RNG Cryptographic Server (1.2)
• Storage Array With SED Server
• Suite-B MinLOS_128 Server
• Suite-B MinLOS_192 Server
• Symmetric Key Foundry Server
• Symmetric Key Lifecycle Server
• Tape Library Server
• XML Server

Supported KMIP Operations

• Activate
• Add Attribute
• Archive
• Cancel
• Certify
• Check
• Create
• Create Key Pair
• Create Split Key
• Decrypt
• Delete Attribute
• Derive Key
• Destroy
• Discover Versions
• Encrypt
• Export (1.4)
• Get
• Get Attribute List
• Get Attributes
• Get Usage Allocation
• Hash
• Import (1.4)
• Join Split Key
• Locate
• Log (2.0)
• MAC
• MAC Verify
• Modify Attribute
• Notify
• Obtain Lease
• Poll
• Put
• Query
• Re-certify
• Recover
• Register
• Re-key
• Re-key Key Pair
• Revoke
• RNG Retrieve
• RNG Seed
• Sign
• Signature Verify
• Validate

Supported KMIP Clients

• ADDGrup
• BDT
• Bracket
• Brocade
• Cisco
• Cryptsoft
• CSC
• DataStax
• Dell
• DellEMC
• ETI-NET
• Fornetix
• Fujitsu
• Hewlett Packard Enterprise
• Hitachi Data Systems
• Huawei
• HyTrust
• IBM
• Integrated Research
• Intersystems
• Iskraemeco
• MarkLogic
• NetApp
• Netskope
• P6R
• Panzura
• Pluribus Networks
• Quantum
• Quintessence Labs
• Reduxio
• RSD SA
• SafeNet
• Sepaton
• Skyhigh Networks
• SpectraLogic
• Trend Micro
• Trusted Concepts
• VMWare
• Zettaset


KMIP INTEROPERABILITY TEST SUITE
COMPLETE VERIFICATION SOLUTION

Cryptsoft’s Key Management Interoperability Protocol (KMIP) Test Suites let you rapidly confirm the interoperability status of your product. Designed to support the different test cases and profiles in the KMIP standard, you can ensure that your application’s design can be thoroughly tested to deliver interoperability with a range of other KMIP clients and servers.

The Cryptsoft KMIP Test Suites provide full coverage for each version of KMIP (1.0, 1.1, 1.2, 1.3, 1.4 and 2.0*) that can be configured to support the level of KMIP required for your application. In addition, if your application is based on one of the KMIP profiles then you can apply only the relevant profiles to fully support your requirements. Reduce time to market and release with the confidence provided by data driven testing.

Supporting Cryptsoft's full OASIS KMIP SDK, the test suites support Cryptsoft C and Java based SDKs as well as offering Web and Cloud based services.

Cryptsoft Test Suites are available for all published and working draft versions of the OASIS KMIP Standard.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Available as a binary SDK or as a service
  ▫ Source license option
• Comprehensive test cases
  ▫ KMIP Test Cases
  ▫ KMIP Profile Test Cases

RELATED PRODUCTS

• KMIP C Test Suite SDK
• KMIP Java Test Suite SDK
• KMIP Web Test Suite SDK
• KMIP Cloud Test Suite SDK

KEY BENEFITS

• Low risk
• Easy to use
• Public Interoperability test results
• Reduce your time to market

[Figure: KMIP TEST CASES and KMIP PROFILES for KMIP v1.0, v1.1, v1.2, v1.3, v1.4 and v2.0.]


KMIP INTEROPERABILITY TEST SUITE
COMPLETE VERIFICATION SOLUTION

COMPREHENSIVE TEST COVERAGE

The Cryptsoft KMIP Test Suites provide full coverage of all versions of the OASIS KMIP standard as well as all of the currently defined profiles as defined in each of the available versions of the KMIP Standard. These test suites are used to test against all vendors and are used in the annual OASIS KMIP Interoperability testing.

Ensure that your application has full coverage and interoperability by using the Cryptsoft KMIP Test Suite today.

COMPLETE KMIP PROFILE COVERAGE

Supported KMIP Server Profiles

• Advanced Cryptographic Server (1.2)
• AES XTS Server
• Asymmetric Key Lifecycle Server
• Baseline Server Basic
• Baseline Server TLS v1.2
• Basic Cryptographic Server (1.2)
• Complete Server Basic
• Complete Server TLS v1.2
• HTTPS Server
• JSON Server
• Opaque Managed Object Store Server
• RNG Cryptographic Server (1.2)
• Storage Array With SED Server
• Suite-B MinLOS_128 Server
• Suite-B MinLOS_192 Server
• Symmetric Key Foundry Server
• Symmetric Key Lifecycle Server
• Tape Library Server
• XML Server

Supported KMIP Client Profiles

• Advanced Cryptographic Client (1.2)
• Advanced Symmetric Key Foundry Client
• AES XTS Client
• Asymmetric Key Lifecycle Client
• Baseline Client Basic
• Baseline Client TLS v1.2
• Basic Cryptographic Client (1.2)
• Basic Symmetric Key Foundry Client
• HTTPS Client
• Intermediate Symmetric Key Foundry Client
• JSON Client
• Opaque Managed Object Store Client
• RNG Cryptographic Client (1.2)
• Storage Array With SED Client
• Suite-B MinLOS_128 Client
• Suite-B MinLOS_192 Client
• Symmetric Key Lifecycle Client
• Tape Library Client
• XML Client


STORAGE

Modern enterprises can have a wide array of storage technologies distributed throughout their organizations. This may be because of adoption of new technology or the many acquisitions and mergers of business units that have taken place over time. The one common requirement that most modern enterprises have is storage.

The obvious solution to managing a secure storage solution is to ensure that all data is encrypted at rest or in transmission. For many organizations this may be a regulatory requirement or based on sound business and risk management reasons. With increasing volumes of data that an organization stores, the need to encrypt that data with a similarly increasing volume of encryption keys introduces a new problem. For these data assets to be used, those keys need to be available. In many large enterprises, this means millions of keys under management with many thousands of keys in use at any given time.

With no common standard for key management, a large enterprise can have a range of disparate key stores with varying levels of support for different types of equipment, leading to incompatibilities and differing management and audit requirements.

OASIS KMIP provides an industry supported, standards compliant interoperability protocol for key management. This allows operators of storage solutions to integrate products from multiple vendors which can make use of an interoperable way to generate, store, manage and retrieve encryption keys across all the elements in their storage solution. In addition, this allows for products from different vendors to interoperate. This means that organizations are no longer locked in to storage solutions from a single vendor, and it may also reduce the risk in their storage solution, as they can grow, reduce, or update their implementation in a more flexible manner.

Figure 1 - Multiple Key Stores
[Figure: PC, Server, Tape Library, Network, Flash Array and Storage Array, with three separate Key Stores.]

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP products
• Cross-Language Support
  ▫ Clients in C, C++, C#, Java and Python
  ▫ Servers in C and Java
• Supports wide range of security objects:
  ▫ Symmetric keys
  ▫ Asymmetric keys
  ▫ Certificates
  ▫ Authentication
  ▫ Authorization
  ▫ Tokens
• Extensive example code provided

KEY BENEFITS

• Low risk
• Easy to use
• Extensively deployed
• Proven technology for security object management
• Public Interoperability test results
• Reduce your time to market
• Gain access to an extensive KMIP ecosystem


STORAGE (CONT)

Cryptsoft’s range of KMIP SDKs have been used to enable a wide range of storage and storage infrastructure solutions with encryption and enterprise key management capability. From tape libraries to hyper-converged flash arrays, deployment of KMIP technology ensures a deployment of data at rest security solutions within a multi-vendor enterprise.

Cryptsoft’s range of SDKs ensure this can be realized in your products such that your customers can deploy them straight into their enterprises without the need to conduct multiple rounds of point to point testing – we’ve done the hard part for you.

From deployment into brand new product lines, to integration into well respected products for feature parity of compliance, our customers benefit from millions of multi-vendor test runs and a deep understanding of relevant standards. With decades of experience of implementing encryption and key management systems from embedded hardware through to software and virtualized systems, we enable our customers’ products to achieve market parity for data at rest security within weeks.

Figure 2 - Oasis KMIP Key Store
[Figure: PC, Server, Tape Library, Network, Flash Array and Storage Array, with a single Key Store, labelled KMIP.]

RELATED PRODUCTS

• KMIP C Server SDK
• KMIP C Server SDK SGX Module
• KMIP C Server Administration Interface
• KMIP C Server Integration Module (HSM)
• KMIP C Server Integration Module (HSM) SGX Module
• KMIP C Server Integration Module (RNG)
• KMIP C Server Integration Module (RNG) SGX Module
• KMIP C Interoperability Test Suite
• KMIP Java Server SDK
• KMIP Java Server Administration Interface
• KMIP Java Interoperability Test Suite
• KMIP Java Server SDK
• KMIP C Client SDK
• KMIP C Client SDK SGX Module
• KMIP C++ Client SDK
• KMIP C++ Client SDK SGX Module
• KMIP C# Client SDK
• KMIP Java Client SDK
• KMIP Python Client
• PKCS#11 C Provider SDK SGX Module
• PKCS#11 C Consumer SDK SGX Module
• SQLite3 SDK SGX Module
• Object Store SDK SGX Module


SECURING DATA

Ensuring protection and privacy of data is a responsibility of all modern organizations.

For organizations which operate in an environment driven by statutes and regulations, or organisations with sound business and risk management guidelines, the ability to demonstrate an auditable, reliable, best-practice approach to protection and privacy of data (assets) is essential.

In a highly distributed environment comprising multiple physical locations with varying hardware and software solutions, the need to have a common standard approach for management of the security information that protects data is critical.

Data has a life-cycle involving creation, use and destruction with storage and movement between systems.

Data-in-use, data-in-motion, and data-at-rest all require protection. Protecting data using encryption necessitates management of the encryption keys used to protect the data. With organizations storing increasing volumes of data, there is a correspondingly increasing volume of encryption keys.

In many large organizations, this means millions of keys under management with many thousands of keys in use at any given time. In order to provide a guarantee of access to the data, a tested and proven key management solution is necessary.

A common standard for encryption key management within a large organization eliminates operational incompatibilities, improves both management and audit capabilities and substantially reduces costs.

Cryptsoft’s KMIP SDKs and associated technologies are already in use with global vendors securing data in use, in motion and at rest; securing data on premises, in private and public clouds; securing data on-device and data off-device.

[Figure: Data in Use, Data in Motion and Data at Rest across the Workplace and the Data Center - Private/Public Cloud. Labels: Storage Array, Tape Library, Mobile Device, Workstation, Key Manager, Flash Array, Application Servers, Firewall (FW), Medical Device, Applications, Switch and Link Encryptor, KMIP, HSM.]


SECURING DATA WITH SGX

Your data and systems are now under attack more than ever before. The solution to this problem has always been to make use of encryption to ensure that data, if exposed, is not able to be accessed by an unauthorized user. However, with the growth of information systems being used to improve service and productivity, this means that the traditional use of a hardware key manager to generate and manage encryption keys is now the bottleneck in widely distributed or cloud managed services.

The solution is to move the data encryption services closer to the point of use.

Cryptsoft Client and Server KMIP SDKs are designed to utilize the Intel(R) Software Guard Extensions to be able to run all or some of the KMIP functionality within the trusted execution environment, providing the application with a hardware protected enclave to ensure that your encryption keys or other security information now has the same level of hardware protection that was previously available only to specialist security devices. This means that your applications and data are protected using the same easy management processes that you use to control your applications.


Cryptsoft SDKs support the full range of options for Intel SGX, allowing you to improve the security of every workstation and server in your organization, simplifying management and security of keys and giving you the security that was previously unaffordable.

Figure 1 - Cryptsoft Server components available for hardware protection with Intel® SGX
[Figure: Cryptsoft KMIP Server and Cryptsoft KMIP Enclave (SGX Protected). Components shown: Users, Partitions, Groups, Administration, Security Object Store, Integration Interfaces, Integration Modules, Server Code, TLS Handling, Cryptographic Provider, Protocol Handling, Other Components.]

Figure 2 - Cryptsoft Client components available for hardware protection with Intel® SGX
[Figure: Cryptsoft KMIP Client and Cryptsoft KMIP Enclave (SGX Protected). Components shown: Credential Store, Integration Interfaces, Client Code, TLS Handling, Cryptographic Provider, Protocol Handling, Other Components.]


KMIP FUNDAMENTALS

OASIS KMIP is a widely accepted open standard for the management of a range of security objects including symmetric and asymmetric keys, certificates, and user or vendor defined objects. It is based on a communications protocol which defines message formats for the full lifecycle of keys stored on a key management server.

Clients can request a server to perform the full key management lifecycle for key operations. These operations are grouped together in the table below in functional groups allowing for maximum flexibility for key operations. The KMIP open standard for key management allows application programmers to develop the logic of their applications for their business purpose free from the complexities of key management and to rest assured that their application can be developed once and will interoperate with key managers from a range of vendors.

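[Table: KMIP operations by functional group. Version numbers printed as superscripts in the table are shown in parentheses.]

Functional groups: ESTABLISH, RETRIEVE, ROTATE, SERVER, CLIENT, OTHER, CRYPTOGRAPHIC, USAGE, STATE, INFO, MANAGE

Operations:
• Create, Register, Create Key Pair, Derive Key, Certify, Create Split Key (1.2), Join Split Key (1.2), Import (1.4)
• RNG Retrieve (1.2), RNG Seed (1.2), Encrypt (1.2), Decrypt (1.2), Sign (1.2), Signature Verify (1.2), Hash (1.2), Mac (1.2), Mac Verify (1.2)
• Activate, Archive, Recover, Revoke, Destroy
• Locate, Get Attribute, Get Attribute List, Get, Export (1.4)
• Check, Obtain Lease, Get Usage Allocation
• Add Attribute, Modify Attribute, Delete Attribute
• Re-key, Re-Certify, Re-key Key Pair
• Query, Poll, Cancel
• Notify, Put
• Discover Versions (1.1), Validate, Log (2.0)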


• Storage solutions and appliances
• Network infrastructure
• Security applications
• Database management
• Embedded solutions
• Security hardware management
• Gateways and endpoints
• Financial Services and banking applications
• Defense and IC applications
• Auditing and compliance

TYPICAL USES

Cryptsoft’s Key Management SDKs have been incorporated into a wide range of products that are leading the market in interoperable key management.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.

As the security market’s preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential and can interoperate with a wide range of KMIP based products from a range of vendors allowing easy adoption of your product.

KMIP CLIENTS AND SERVERS


AUTHENTICATION

Cryptsoft has worked with a number of standards bodies to provide additional security options for developers building key management solutions into their products.

Options are available for Fast IDentity Online (FIDO) Universal Second Factor (U2F) and OATH compliant One Time Password (OTP) which allows developers to include this functionality in their operations as well as increase the security of the key management solution itself.

OTP SUPPORT

Cryptsoft’s OTP solution is based on open standards and allows the developer to create enterprise solutions to manage the full lifecycle of the seed records that underpin the security in an OTP solution. This ensures that only the enterprise has access to the seed records, and the enterprise has full control over the provisioning, usage, and de-provisioning of tokens.

Time based One Time Password (TOTP) tokens provide users with a secure and reliable hardware device to integrate standards-based hardware two-factor authentication.

Two-factor authentication with TOTP combines something you know (your password) with something you have (a unique number sequence generated by a hardware device). Both of these factors are required to authenticate, which substantially improves the security properties when compared to a single factor authentication solution.

The non-predictable variable length digit token output is derived from both the secret seed record and the on-board real time clock (RTC). A single hardware token can be programmed for variable output and variable time intervals (30 or 60 seconds) ensuring a solution is easily tailored to the enterprise security context that the developer is building.

Two (or more) tokens initialised with the same seed value can be used for person-to-person two-factor authentication solutions, entirely independent of any server infrastructure.

The same seed record can also be loaded into software based TOTP solutions allowing for a mixed hardware and software deployment context that can be managed by the same infrastructure.
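The derivation described above (seed record plus clock, with a configurable digit count and a 30 or 60 second interval) matches the OATH TOTP algorithm of RFC 6238. The sketch below is an added example, not Cryptsoft code; it assumes HMAC-SHA1 and uses the RFC's published test seed as a constructed sample value, and the `verify` drift window is an illustrative choice.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, candidate: str, unix_time: int,
           digits: int = 6, step: int = 30, drift_steps: int = 1) -> bool:
    """Accept codes from adjacent time steps to tolerate token clock (RTC) drift."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = unix_time + delta * step
        if t < 0:
            continue  # no time step exists before the epoch
        # Constant-time comparison; every window is checked, with no early exit.
        ok |= hmac.compare_digest(totp(seed, t, digits, step), candidate)
    return ok


# Constructed sample seed: the RFC 4226 / RFC 6238 test secret, never a production value.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = 59  # RFC 6238 test time
    print("8 digits, 30 s step:", totp(SEED, now, digits=8, step=30))
    print("6 digits, 30 s step:", totp(SEED, now, digits=6, step=30))
    print("6 digits, 60 s step:", totp(SEED, now, digits=6, step=60))
    # Any generator loaded with the same seed and settings yields the same code,
    # so a verifier holding the seed can check hardware and software tokens alike.
    print("accepted one step late:", verify(SEED, totp(SEED, now), now + 30))
```

Because every code is a pure function of the seed and the clock, anyone holding the seed record can mint valid codes, which is why the seed lifecycle is the asset to protect.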


• Strong two-factor authentication
• Support for OATH compliant time-based TOTP devices
• Support for multiple OTP hardware tokens
• Support for variable length OTP hardware tokens
• Integrated with OASIS KMIP for client authentication and seed provisioning
• Configurable seed management
• Capability for Multi-Device seeds
• OASIS KMIP Compliant
• Provides configurable control of authentication

KEY FEATURES

KEY BENEFITS

U2F SUPPORT

Cryptsoft’s OASIS KMIP products support the Fast IDentity Online (FIDO) Universal Second Factor (U2F) types of tokens. Cryptsoft’s Server and Client SDKs provide developers with the tools to provision and manage keys which can be used by these commonly available hardware tokens.

Cryptsoft’s KMIP SDKs allow the developer to fully integrate OTP and U2F tokens into their managed security solution.

• KMIP C Server SDK
• KMIP C Server Administration Interface
• KMIP C Server OTP Server Module
• KMIP C Server Integration Module (HSM)
• KMIP Java Server SDK
• KMIP C SDK
• KMIP C++ SDK
• KMIP C# SDK
• KMIP Java SDK
• KMIP Python Client

RELATED PRODUCTS


THE TRUSTED SECURITY PROVIDER TO YOUR TRUSTED SECURITY PROVIDER

Cryptsoft is a privately held Australian company that operates worldwide in the enterprise key management security market. Cryptsoft’s Key Management Interoperability Protocol (KMIP) and PKCS#11 software development kits (SDKs) are the market’s preferred OEM solutions.

Cryptsoft’s solutions have been selected by prominent global companies for interoperable enterprise key management and encryption technology in their storage, infrastructure & security and cloud products. Cryptsoft is committed to the development of standards based security software and is an OASIS Foundational Sponsor and FIDO Member.

STANDARDS AND ASSOCIATIONS

The Cryptsoft Quality Management System is certified to ISO 9001:2015

Cryptsoft is an OASIS Foundational Sponsor and an active member and contributor to the KMIP and PKCS#11 technical committees

Cryptsoft is a member of the FIDO (Fast IDentity Online) Alliance


[email protected] | WWW.CRYPTSOFT.COM | +61 7 3103 0321 | US +1 650 918 4362

@CRYPTSOFT | CRYPTSOFT-SECURITY-SPECIALISTS | @CRYPTSOFT

Copyright © 2018 Cryptsoft Pty Ltd. All rights reserved. All trademarks, service marks, trade names, product names and logos are property of their respective owners.

2018-05