Multi-Vendor Key Management with KMIP
TRANSCRIPT
Key Management
Key Management Standards
- NSA EKMS
- OASIS EKMI
- ANSI X9.24
- IEEE P1619.3
- OASIS KMIP
- IETF KEYPROV
- NIST SP 800-57
- NIST SP 800-130
- NIST SP 800-152
- ISO 11770
FIPS 140-2 Key Management
NIST SP 800-130 CKMS
NIST SP 800-152 Federal KM Profile
OASIS Key Management Interoperability Protocol
Multi-Vendor – Single Integration
(Diagram, before KMIP: one Client reaches Server A, Server B, Server C and Server D over the network, each via its own Vendor Protocol A, B, C or D)
(Diagram, with KMIP: the same Client reaches Server A, B, C and D over the network using KMIP alone)
Prior to KMIP each application had to support each vendor protocol
With KMIP each application only requires support for one protocol
Multi-Vendor – Single Integration
Positive
- Single Integration with single SDK
- Common vocabulary
- Greater choice of technology providers
- "Free" interoperability without point-to-point testing
Negative
- Have to actually follow a standard
- Vocabulary may not match current usage
- May need to implement more than is strictly necessary
- No control over end-user integration
KMIP Adoption – KMIP embedded in major enterprise products
Infrastructure and Security
- Key Managers
- Hardware security modules
- Encryption Gateways
- Virtualization Managers
- Virtual Storage Controllers
- Network Computing Appliances
Cloud
- Key Managers
- Compliance Platforms
- Information Managers
- Enterprise Gateways and Security
- Enterprise Authentication
- Endpoint Security
Storage
- Disk Arrays, Flash Storage Arrays, NAS Appliances
- Tape Libraries, Virtual Tape Libraries
- Encrypting Switches
- Storage Key Managers
- Storage Controllers
- Storage Operating Systems
KMIP Protocol Overview
KMIP Product & Technical Details – KMIP is a standard wire protocol
(Diagram: Key Client and Key Server each stack API → Internal Representation → KMIP Encode / KMIP Decode → Transport; the two Transports exchange the KMIP Message Format over TLS v1.0 or above)
KMIP Fundamentals
OASIS KMIP - Protocol Concepts
Core Concepts
- Base Objects
  - Protocol building blocks and parameter encoding
- Managed Objects
  - Core concepts managed by KMIP
  - Cryptographic Managed Objects (objects with key material)
- Attributes
  - Details related to or about a managed object
- Client-to-Server Operations
  - Operations clients can send in requests to servers
- Server-to-Client Operations
  - Operations servers can send in requests to clients
- Message Contents and Message Formats
  - Request and Response protocol messages
- Message Encoding
  - Binary Tag-Type-Length-Value
- Authentication
  - See Profiles (Client Certificates)
- Transport
  - See Profiles (TLS v1.0 or TLS v1.2)
OASIS KMIP - Protocol Concepts
Managed Objects have a "Value"
- Value is set at object creation
- Value cannot be changed
- Value may be "incomplete"
- Value may be in varying formats
Managed Objects have a set of "Attributes"
- Every attribute has a string name
- Every attribute has a type
- May be simple types or complex types
- Some set by server once and cannot be changed
- Some set by client once and cannot be changed
- Most are singleton (only one instance)
- Server defined non-standard extensions are prefixed with "y-" in their string name
- Client defined non-standard extensions are prefixed with "x-" in their string name
Managed Objects have an "Object Type"
- Certificate
- Symmetric Key
- Public Key
- Private Key
- Split Key
- Template
- Secret Data
- Opaque Object
- PGP Key (1.2)
OASIS KMIP - Protocol Concepts
Attributes for all Managed Objects
- Unique Identifier
- Object Type
- Initial Date
- Last Change Date
- Lease Time
- State*
Attributes for Managed Cryptographic Objects
- Cryptographic Algorithm
- Cryptographic Length
- Cryptographic Usage Mask
- Digest
- Activation Date
- Process Start Date
- Protect Stop Date
- Compromise Occurrence Date
Attributes for Managed Certificate Objects
- Certificate Type
- Certificate Length
- X.509 Certificate Identifier
- X.509 Certificate Issuer
- X.509 Certificate Subject
OASIS KMIP - Protocol Concepts
Managed Object Life-cycle State
- Adopted from NIST SP 800-57
- Handled in "State" Attribute
- Transitions via Operations or pre-set triggers
- Dates of transitions recorded as Attributes
State Attribute
- Pre-Active
- Active
- Deactivated
- Compromised
- Destroyed
- Destroyed Compromised
Date Attributes
- Initial Date
- Destroy Date
- Last Change Date
- Archive Date
- Activation Date
- Deactivation Date
- Compromise Date
- Compromise Occurrence Date
- Process Start Date
- Protect Stop Date
- Validity Date
- Original Creation Date (1.2)
OASIS KMIP - Protocol Concepts
Message Encoding
- Binary Tag-Type-Length-Value format
- Optional JSON and XML encoding in KMIP 1.2

Example item: Cryptographic Usage Mask = Encrypt | Decrypt
Tag       Type  Length       Value
42 00 2C  05    00 00 00 04  00 00 00 0C
OASIS KMIP - Protocol Concepts
TTLV Encoding
OASIS KMIP - Protocol Concepts
XML Encoding (optional KMIP 1.2 addition)
OASIS KMIP - Protocol Concepts
JSON Encoding (optional KMIP 1.2 addition)
Implementation Errors
Implementation Errors
Simple implementation errors
- Invalid Padding
- Invalid Encoding
- Invalid Tag Values
- Invalid Field Order
- Invalid TLS usage
- Missing Mandatory
- Mandating Optional
- Invalid sign
Implementation Errors
Complex implementation errors
- Core concepts omitted
- Special interpretation added
- Conceptual confusion (Templates)
- Unusual feature set selection
- Assumed message sequences and content
Implementation Errors
Simple invalid encoding errors
- The specification includes clear text on encoding
- The specification includes examples of each encoding
- The KMIP 1.0 Test Cases include the hexadecimal request and response sequences
- Almost every vendor gets one or more of the encoding items wrong
Implementation Errors
9.1.1.3 Item Length
An Item Length is a 32-bit binary integer, transmitted big-endian, containing the number of bytes in the Item Value.

Data Type     Length
Structure     Varies, multiple of 8
Integer       4
Long Integer  8
Big Integer   Varies, multiple of 8
Enumeration   4
Boolean       8
Text String   Varies
Byte String   Varies
Date-Time     8
Interval      4

If the Item Type is Structure, then the Item Length is the total length of all of the sub-items contained in the structure, including any padding. If the Item Type is Integer, Enumeration, Text String, Byte String, or Strings SHALL be padded with the minimal number of bytes following the Item Value to obtain a multiple Value.

Actual Implementation Errors
- No padding
- Padding before rather than at end of value
- Padding missing for some types
- Padding added for types that do not require padding
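The following is an added example (not code from the deck, the KMIP TC or any vendor) that serves both the Message Encoding slide and the padding errors above: it encodes the slide's Cryptographic Usage Mask item and a Protocol Version structure in TTLV, then decodes them with a strict parser that rejects each of the four padding errors listed, using the Item Length table on this slide and the KMIP 1.x padding rule (Integers, Enumerations and Intervals are followed by four zero bytes; Text and Byte Strings are padded to a multiple of eight). Tags and type codes are those of the KMIP 1.x specification, where Cryptographic Usage Mask is an Integer (type 0x02) although the slide's hex shows a type byte of 0x05; the malformed inputs are constructed for the test.

```python
import struct
# KMIP 1.x TTLV Item Type codes (spec section 9.1.1.2) and the tags used below.
STRUCTURE, INTEGER, LONG_INTEGER, BIG_INTEGER, ENUMERATION = 0x01, 0x02, 0x03, 0x04, 0x05
BOOLEAN, TEXT_STRING, BYTE_STRING, DATE_TIME, INTERVAL = 0x06, 0x07, 0x08, 0x09, 0x0A
VALID_TYPES = set(range(STRUCTURE, INTERVAL + 1))
# Fixed Item Lengths from the slide's table; the other types vary.
FIXED_LENGTH = {INTEGER: 4, LONG_INTEGER: 8, ENUMERATION: 4, BOOLEAN: 8, DATE_TIME: 8, INTERVAL: 4}
TAG_ACTIVATION_DATE, TAG_CRYPTOGRAPHIC_USAGE_MASK = 0x420001, 0x42002C
TAG_PROTOCOL_VERSION, TAG_PROTOCOL_VERSION_MAJOR, TAG_PROTOCOL_VERSION_MINOR = 0x420069, 0x42006A, 0x42006B
USAGE_ENCRYPT, USAGE_DECRYPT = 0x04, 0x08

class TTLVError(ValueError):
    """Any wire-format violation: a strict decoder reports it instead of guessing."""

def pad_len(item_type, length):
    """Zero bytes after the Item Value so the item ends on an 8-byte boundary (none for Structure/Big Integer)."""
    return 0 if item_type in (STRUCTURE, BIG_INTEGER) else (-length) % 8

def encode_item(tag, item_type, value):
    """Tag (3 bytes) | Type (1) | Length (4, big-endian, excludes padding) | Value | padding."""
    if item_type in FIXED_LENGTH and len(value) != FIXED_LENGTH[item_type]:
        raise TTLVError("value length %d invalid for type 0x%02X" % (len(value), item_type))
    if item_type in (STRUCTURE, BIG_INTEGER) and len(value) % 8:
        raise TTLVError("length must be a multiple of 8 for type 0x%02X" % item_type)
    header = tag.to_bytes(3, "big") + bytes([item_type]) + len(value).to_bytes(4, "big")
    return header + value + b"\x00" * pad_len(item_type, len(value))

def encode_integer(tag, n):
    return encode_item(tag, INTEGER, struct.pack(">i", n))

def encode_structure(tag, *items):
    return encode_item(tag, STRUCTURE, b"".join(items))

def decode_item(buf, offset=0):
    """Decode one item at offset -> (tag, item_type, value, next_offset); Integers become ints,
    Structures become lists of sub-items, every other type is returned as raw bytes."""
    if len(buf) - offset < 8:
        raise TTLVError("truncated item header")
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    item_type = buf[offset + 3]
    length = int.from_bytes(buf[offset + 4:offset + 8], "big")
    if item_type not in VALID_TYPES:
        raise TTLVError("invalid item type 0x%02X" % item_type)
    if item_type in FIXED_LENGTH and length != FIXED_LENGTH[item_type]:
        raise TTLVError("length %d invalid for type 0x%02X" % (length, item_type))
    if item_type in (STRUCTURE, BIG_INTEGER) and length % 8:
        raise TTLVError("length %d is not a multiple of 8" % length)
    start = offset + 8
    end = start + length + pad_len(item_type, length)
    if end > len(buf):
        raise TTLVError("value or padding missing")    # "no padding", "padding missing for some types"
    raw, pad = buf[start:start + length], buf[start + length:end]
    if any(pad):
        raise TTLVError("padding bytes must be zero")  # "padding before rather than at end of value"
    if item_type == STRUCTURE:
        value = decode_all(raw)                        # sub-items must exactly fill the structure
    elif item_type == INTEGER:
        value = struct.unpack(">i", raw)[0]
    else:
        value = raw
    return tag, item_type, value, end

def decode_all(buf):
    """Decode consecutive items that must consume buf exactly; padding added to a type that needs
    none surfaces here as a bogus next item header and is rejected."""
    items, offset = [], 0
    while offset < len(buf):
        tag, item_type, value, offset = decode_item(buf, offset)
        items.append((tag, item_type, value))
    return items

def rejects(buf):
    try:
        decode_all(buf)
        return False
    except TTLVError:
        return True

def usage_mask_item():
    """The slide's example item: Cryptographic Usage Mask = Encrypt | Decrypt (0x0C)."""
    return encode_integer(TAG_CRYPTOGRAPHIC_USAGE_MASK, USAGE_ENCRYPT | USAGE_DECRYPT)

def protocol_version_item(major, minor):
    """Protocol Version structure, the first item of every KMIP request header."""
    return encode_structure(TAG_PROTOCOL_VERSION, encode_integer(TAG_PROTOCOL_VERSION_MAJOR, major),
                            encode_integer(TAG_PROTOCOL_VERSION_MINOR, minor))

# Constructed malformed items, one per error on the slide's list.
BAD_NO_PADDING = bytes.fromhex("42002C02 00000004 0000000C")                             # Integer, padding absent
BAD_PADDING_FIRST = bytes.fromhex("42002C02 00000004 00000000 0000000C")                    # padding put before the value
BAD_EXTRA_PADDING = bytes.fromhex("42000109 00000008 0000000050000000 0000000000000000")  # Date-Time needs no padding
```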
Implementation Errors - Solution
Simple invalid encoding
- Accept that adding more specification text does not fix this issue
- Accept that adding more examples of encoding is the same as adding more specification text – they are simply either not read or not read carefully
- Accept that test cases seem to be ignored more often than they are used
Implementation Errors - Solution
Simple invalid encoding errors
Test interoperability between implementations
- More plug-fests
- More interop-events
- More tests defined in a more approachable manner
- Formal conformance testing program
i.e. more events and wider scope
Implementation Errors
Special interpretation or conceptual confusion
Adding semantics that don't exist – leaping beyond the spec to non-interoperable solutions
- Using Templates for policy management
- Automatically creating objects during search
- Ignoring Password fields (accept anything)
- Requiring Names
- Forcing restricted set of characters in Names
Implementation Errors - Solution
Special interpretation or conceptual confusion
- Deprecated Templates as of KMIP 1.2
- Require explicit indication for create-when-searching if really necessary
- Adding Alternate Name and "vendor education"
- Expanding testing of Names which exceed arbitrary restrictions (spaces, punctuation, etc)
- More test cases and profiles
- Flexible interpretation in servers
Implementation Errors
Assumed message sequences and content
Pattern matching rather than understanding
- Ignoring most of the message content
- Assuming fixed list of fields in fixed order for non-ordered lists
- Assuming fixed sequence of request/response items
- Pre-canned responses with minimal substitution
- Ignoring protocol version information
Implementation Errors - Solution
Assumed message sequences and content
- Detect this sort of implementation
- Determine limitations of the approach
- Expand on testing to require more semantic processing rather than simple syntax
- More test cases and profiles
SNIA KMIP Conformance Testing
KMIP Conformance Testing - Intent
- The SNIA SSIF launched the program to enable organizations to shortlist vendor KMIP solutions based on support for specific usage scenarios
- Enables organizations to verify vendor claims
- Value provided by a truly independent test team
KMIP Conformance Testing - Profiles
The KMIP TC defines Profiles
- Normative documents specifying the minimum set of functionality to be supported
- Contain expected requests and responses
- Cover a range of deployment scenarios
Profiles
- Advanced Cryptographic 1.2
- Advanced Symmetric Key Foundry
- Asymmetric Key Lifecycle
- Baseline Client & Server Basic
- Baseline Client & Server TLS v1_2
- Basic Cryptographic 1.2
- Basic Symmetric Key Foundry
- HTTPS, JSON, XML
- Intermediate Symmetric Key Foundry
- Opaque Managed Object Store
- RNG Cryptographic 1.2
- Storage Array With SED
- Suite-B MinLOS_128
- Suite-B MinLOS_192
- Symmetric Key Lifecycle
- Tape Library
- Complete Server
KMIP Conformance Testing – Method
- Implementations are made available to the test team
- Test team operates under the SSIF's direction but testing information is kept completely confidential
- Results are published (with testing organization's consent) on completion of testing.
KMIP Conformance Testing – Client Process
(Diagram: Customer Client ↔ SSIF Test Infrastructure)
KMIP Conformance Testing – Server Process
(Diagram: Customer Server ↔ SSIF Test Infrastructure)
KMIP Conformance Testing – Results
Snapshot taken from: http://www.snia.org/forums/SSIF/kmip/results
KMIP Conformance Testing – Results
- Test results are published (with customer's permission)
- Results remain confidential to customer and test team until results are published
- Only supported profiles appear on the results page (failures and/or non-supported profiles are not stated).
KMIP Product & Technical Details
KMIP usage across product types
Disk Arrays, Flash Storage Arrays, NAS Appliances, Storage Operating Systems
- Vaulting master authentication key
- Cluster-wide sharing of configuration settings
- Specific Usage Limits checking (policy)
- FIPS 140-2 external key generation (create, retrieve)
- Multi-version key support during Rekey
- Backup and recovery of device specific key sets
Tape Libraries, Virtual Tape Libraries
- External key generation (create, retrieve)
- FIPS 140-2 external key generation (create, retrieve)
- Multi-version key support during Rekey
Encrypting Switches, Storage Controllers
- Vaulting device or port specific encryption keys
- Cluster-wide sharing of configuration settings
- Specific Usage Limits checking (policy)
KMIP usage across product types
Key Managers
- Key and other Object Vault (store)
- Key and other Object Creator (generate)
- Secure Cryptographic Operations (use)
- Policy Enforcement for Access
- Policy Enforcement for Operation Usage
- Audit and Compliance Management
- Cross-device and cross-application coordination
- User and device authentication enforcement
- Multi-tenancy and multi-jurisdictional enforcement
Encryption Gateways, Virtualisation Managers
- Vaulting device, port or user specific encryption keys
- External key generation (create, retrieve)
- Cluster-wide sharing of configuration settings
- Specific Usage Limits checking (policy)
KMIP usage across product types
Compliance Platforms, Information Managers, Enterprise Security
- Policy Enforcement for Access
- Policy Enforcement for Operation Usage
- Audit and Compliance Management
- Cross-device and cross-application coordination
- User and device authentication enforcement
- Multi-tenancy and multi-jurisdictional enforcement
Endpoint Security
- Vaulting device, port or user specific encryption keys
- External key generation (create, retrieve)
- Cluster-wide sharing of configuration settings
- Specific Usage Limits checking (policy)
KMIP usage across product types
Hardware Security Modules (HSM)
- Key and other Object Vault (store)
- Policy Enforcement for Access
- Policy Enforcement for Operation Usage
- Audit and Compliance Management
- Multi-tenancy and multi-jurisdictional enforcement
- Key management / HSM gateways
Authentication and Identity Management
- Vaulting user specific information
- External authentication storage and generation
- Validation of authentication for multi-protocol support over KMIP
Key Management Servers and Hardware Security Modules (KMS and HSM)
Key Management Servers and Hardware Security Modules
Hardware Security Modules (HSM)
- Standard APIs
  - PKCS#11, Java JCE, Microsoft CryptoAPI (CSP, CNG)
- Vendor proprietary extensions
  - Typically required for many contexts
- Vendor proprietary network protocols
- Limited platform support
  - Generally a small subset of application platforms
- Typically no web based server administration
- Usually FIPS 140-2 level 2 or level 3 validated
- Generally rather limited on-device storage
Key Management Servers (KMS)
- Standard network protocols
- Broad platform support
  - network protocol and SDKs from multiple vendors
- Generally web based server administration
- Often FIPS 140-2 level 2 or level 3 validated
- Typically multi-tenant
- Generally almost unlimited on-device storage
Key Management Servers and Hardware Security Modules
Deployment Models for HSM only client
- PKCS#11 API
- Standalone HSM
- HSM with on-board KMS
- HSM with linked KMS
(Diagram labels: PKCS#11 Client; PKCS#11 Client – KMIP; PKCS#11 Client)
Key Management Servers and Hardware Security Modules
Deployment Models for KMS only client
- KMIP Protocol
- Standalone KMS
- KMS with on-board HSM
- KMS with linked HSM
(Diagram labels: KMIP Client; KMIP Client; KMIP Client – PKCS#11)
Key Management Servers and Hardware Security Modules
Deployment Models for KMS + HSM client
- PKCS#11 API and KMIP Protocol
- Standalone HSM
- HSM with on-board KMS
- HSM with linked KMS
- Standalone KMS
- KMS with on-board HSM
- KMS with linked HSM
- HSM with non-linked KMS
- KMS with non-linked HSM
(Diagram labels: KMIP Client; KMIP Client; KMIP; PKCS#11)
Extra Bonus Slides…
FIPS 140-2 Module Certificates by Lab (charts, two slides)
FIPS 140-2 Module Certificates by Year & Level (charts, two slides)