1 NIST Key State Models
SP800-57 Part 1 SP800-130 (Draft)
2 KMIP Key Role Types
Key Role Type 1.1

KMIP Name   Description                              Value
BDK         Base Derivation Key                      00000001
CVK         Card Verification Key                    00000002
DEK         Data Encryption Key                      00000003
MKAC        Application Cryptograms                  00000004
MKSMC       Secure Messaging for Confidentiality     00000005
MKSMI       Secure Messaging for Integrity           00000006
MKDAC       Data Authentication Code                 00000007
MKDN        Dynamic Numbers                          00000008
MKCP        Card Personalization                     00000009
MKOTH       Other                                    0000000A
KEK         Key Encryption or Wrapping Key           0000000B
16609       ISO 16609 MAC Algorithm 1                0000000C
97971       ISO 9797-1 MAC Algorithm 1               0000000D
97972       ISO 9797-2 MAC Algorithm 2               0000000E
97973       ISO 9797-3 MAC Algorithm 3               0000000F
97974       ISO 9797-4 MAC Algorithm 4               00000010
97975       ISO 9797-5 MAC Algorithm 5               00000011
ZPK         PIN Block Encryption Key                 00000012
PVKIBM      PIN Verification Key, IBM 3624           00000013
PVKPVV      PIN Verification Key, Visa PVV           00000014
PVKOTH      PIN Verification Key, Other              00000015
Extensions  Future or Vendor Specific Use            8XXXXXXX
Proposal for 1.2

KMIP Name   Description                              Value
BDK         Base Derivation Key                      00000001
CVK         Card Verification Key                    00000002
DEK         Data Encryption                          00000003
MKAC        Application cryptograms                  00000004
MKSMC       Secure Messaging for Confidentiality     00000005
MKSMI       Secure Messaging for Integrity           00000006
MKDAC       Data Authentication Code                 00000007
MKDN        Dynamic Numbers                          00000008
MKCP        Card Personalization                     00000009
MKOTH       Other                                    0000000A
KEK         Key Encryption or wrapping               0000000B
16609       ISO 16609 MAC algorithm 1                0000000C
97971       ISO 9797-1 MAC Algorithm 1               0000000D
97972       ISO 9797-1 MAC Algorithm 2               0000000E
97973       ISO 9797-1 MAC Algorithm 3               0000000F
97974       ISO 9797-1 MAC Algorithm 4               00000010
97975       ISO 9797-1 MAC Algorithm 5               00000011
ZPK         PIN Encryption                           00000012
PVKIBM      PIN verification, IBM 3624               00000013
PVKPVV      PIN Verification, VISA PVV               00000014
PVKOTH      PIN verification, KPV, other algorithm   00000015
DUKPT       DUKPT Initial Key (also known as IPEK)   00000016
IV          Initialization Vector (IV)               00000017
KBPK        TR-31 Key Block Protection Key           00000018
Extensions  Future or Vendor Specific Use            8XXXXXXX
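A Key Role Type travels on the wire as a KMIP TTLV Enumeration item, and a server or client that accepts one should check that the value is either a defined standard value or falls in the 8XXXXXXX extension range reserved by the table above, rejecting anything else. The following is an added example, not code from the slides or from any KMIP implementation: it encodes and decodes a TTLV Enumeration item (3-byte tag, 1-byte type 0x05, 4-byte big-endian length, 4-byte value plus 4 zero padding bytes) and classifies the value against the 1.2 table. The constant KEY_ROLE_TYPE_TAG is a placeholder; the real tag number for the Key Role Type attribute is defined in the KMIP specification's tag table and is not on this page.

```python
import struct

# KMIP TTLV item layout (KMIP 1.x): Tag (3 bytes) | Type (1 byte) |
# Length (4 bytes, big-endian) | Value, zero-padded to a multiple of 8 bytes.
TYPE_ENUMERATION = 0x05  # KMIP item-type code for an Enumeration

# PLACEHOLDER: the real tag number for the Key Role Type attribute must be
# taken from the KMIP specification's tag table; 0x420000 is not that tag.
KEY_ROLE_TYPE_TAG = 0x420000

# Standard values from the 1.2 proposal table above (KMIP names as given there).
KEY_ROLE_TYPES = {
    0x00000001: "BDK",    0x00000002: "CVK",    0x00000003: "DEK",
    0x00000004: "MKAC",   0x00000005: "MKSMC",  0x00000006: "MKSMI",
    0x00000007: "MKDAC",  0x00000008: "MKDN",   0x00000009: "MKCP",
    0x0000000A: "MKOTH",  0x0000000B: "KEK",    0x0000000C: "16609",
    0x0000000D: "97971",  0x0000000E: "97972",  0x0000000F: "97973",
    0x00000010: "97974",  0x00000011: "97975",  0x00000012: "ZPK",
    0x00000013: "PVKIBM", 0x00000014: "PVKPVV", 0x00000015: "PVKOTH",
    0x00000016: "DUKPT",  0x00000017: "IV",     0x00000018: "KBPK",
}
# The table reserves 8XXXXXXX for future or vendor-specific extensions.
EXTENSION_MASK = 0xF0000000
EXTENSION_PREFIX = 0x80000000


def encode_enumeration(tag: int, value: int) -> bytes:
    """Serialise one TTLV Enumeration item (4-byte value, 4 bytes of padding)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("enumeration value must fit in 32 bits")
    if not 0 <= tag <= 0xFFFFFF:
        raise ValueError("tag must fit in 24 bits")
    header = tag.to_bytes(3, "big") + bytes([TYPE_ENUMERATION]) + struct.pack(">I", 4)
    return header + struct.pack(">I", value) + b"\x00" * 4


def decode_enumeration(data: bytes) -> tuple:
    """Parse one TTLV Enumeration item, rejecting malformed headers and padding."""
    if len(data) < 16:
        raise ValueError("truncated TTLV item")
    tag = int.from_bytes(data[0:3], "big")
    item_type = data[3]
    length = struct.unpack(">I", data[4:8])[0]
    if item_type != TYPE_ENUMERATION:
        raise ValueError(f"expected Enumeration type 0x05, got 0x{item_type:02X}")
    if length != 4:
        raise ValueError(f"enumeration length must be 4, got {length}")
    if data[12:16] != b"\x00" * 4:
        raise ValueError("padding bytes must be zero")
    value = struct.unpack(">I", data[8:12])[0]
    return tag, value


def classify_key_role(value: int) -> tuple:
    """Return ('standard', name) or ('extension', None); reject reserved values."""
    if value in KEY_ROLE_TYPES:
        return "standard", KEY_ROLE_TYPES[value]
    if value & EXTENSION_MASK == EXTENSION_PREFIX:
        return "extension", None
    raise ValueError(f"reserved or unknown Key Role Type value {value:08X}")


def parse_key_role_attribute(data: bytes, expected_tag: int = KEY_ROLE_TYPE_TAG) -> dict:
    """Decode a Key Role Type item and validate both its tag and its value."""
    tag, value = decode_enumeration(data)
    if tag != expected_tag:
        raise ValueError(f"unexpected tag 0x{tag:06X}")
    kind, name = classify_key_role(value)
    return {"value": value, "kind": kind, "name": name}


if __name__ == "__main__":
    item = encode_enumeration(KEY_ROLE_TYPE_TAG, 0x0000000B)  # KEK
    print(item.hex())
    print(parse_key_role_attribute(item))
```

The decoder deliberately refuses a non-zero padding tail and a length other than 4: a lenient parser that ignores those bytes would accept items that a strict peer rejects, which is exactly the kind of divergence interoperability testing is meant to catch.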
3 KMIP Profiles
- Purpose is to define what any implementation of the specification must adhere to in order to claim conformance
- Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction
- Define a set of normative constraints for employing KMIP within a particular environment or context of use
- Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors (e.g. server and client)
- Defined OASIS Profiles
  - Profiles are further qualified by authentication suite: TLS V1.0 / V1.1 / V1.2 or similar
- External profile in development (not OASIS developed): INCITS T10 profile, Fibre Channel Security Protocol v2.0 (FCSP2)
4 Defining Profiles
- Server requirements (required)
  - Includes all objects, operations and attributes that a client can access
  - Defined down to all required components of those objects, operations and attributes
  - Even if optional in the KMIP specification, a feature can be required in a profile
  - Definition of any extensions and how they are to be used
- Client requirements (optional)
  - The bare minimum requirements for a client to claim conformance, e.g. must support Get of a symmetric key using its Unique Identifier
  - Can be a single statement: a client that supports any subset of the operations, objects and attributes supported by the server can claim conformance
- Protocol requirements (recommended): the wire protocol KMIP messaging uses (e.g. SSL 3.0, TLS v1.2, FCSP, etc.)
- Authentication requirements (recommended): certificates, user ID/password, mutual authentication, DH-CHAP, etc.
- Interoperability requirements (recommended): how to prove conformance, either as part of the profile or as a separate test case guide
- Use cases (recommended): how objects, operations and attributes are to be used, with message examples
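The server, client, protocol and authentication requirements listed above are, in effect, a policy that can be checked mechanically against what an implementation actually offers. The following is an added example, not code from the slides or from any OASIS profile: it models a profile as sets of required server features, a client minimum, and permitted protocols and authentication methods, then reports every way a server or client falls short. The profile, the server and the client used below are constructed for illustration; the operation, object and attribute names are KMIP's, but the profile itself is not a published one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Normative constraints a profile places on its actors (server and client)."""
    name: str
    server_operations: frozenset       # required on the server, even if optional in KMIP
    server_objects: frozenset
    server_attributes: frozenset
    client_minimum_operations: frozenset  # bare minimum a client must support
    allowed_protocols: frozenset       # wire protocols the profile permits
    allowed_authentication: frozenset  # authentication suites the profile permits


@dataclass(frozen=True)
class Capabilities:
    """What one actor (a server or a client) actually implements."""
    operations: frozenset
    objects: frozenset
    attributes: frozenset
    protocols: frozenset
    authentication: frozenset


# Constructed example profile for illustration; not an OASIS-defined profile.
BASELINE_PROFILE = Profile(
    name="Constructed Baseline Symmetric Key Profile",
    server_operations=frozenset({"Create", "Get", "Locate", "Destroy", "Revoke", "Query"}),
    server_objects=frozenset({"Symmetric Key"}),
    server_attributes=frozenset({"Unique Identifier", "Cryptographic Algorithm",
                                 "Cryptographic Length", "State"}),
    client_minimum_operations=frozenset({"Get"}),
    allowed_protocols=frozenset({"TLS 1.2"}),
    allowed_authentication=frozenset({"TLS client certificate"}),
)


def check_server(profile: Profile, server: Capabilities) -> list:
    """Every required feature must be present; every offered protocol must be permitted."""
    findings = []
    for kind, required, offered in (
        ("operation", profile.server_operations, server.operations),
        ("object", profile.server_objects, server.objects),
        ("attribute", profile.server_attributes, server.attributes),
    ):
        for item in sorted(required - offered):
            findings.append(f"server missing required {kind}: {item}")
    for proto in sorted(server.protocols - profile.allowed_protocols):
        findings.append(f"server offers protocol not permitted by profile: {proto}")
    if not server.authentication & profile.allowed_authentication:
        findings.append("server offers no authentication method permitted by profile")
    return findings


def check_client(profile: Profile, server: Capabilities, client: Capabilities) -> list:
    """A client is conformant if it meets the minimum and uses only what the server supports."""
    findings = []
    for op in sorted(profile.client_minimum_operations - client.operations):
        findings.append(f"client missing minimum operation: {op}")
    for kind, used, offered in (
        ("operation", client.operations, server.operations),
        ("object", client.objects, server.objects),
        ("attribute", client.attributes, server.attributes),
    ):
        for item in sorted(used - offered):
            findings.append(f"client uses {kind} the server does not support: {item}")
    if not client.protocols & profile.allowed_protocols:
        findings.append("client speaks no protocol permitted by profile")
    if not client.authentication & profile.allowed_authentication:
        findings.append("client supports no authentication method permitted by profile")
    return findings


# Constructed capabilities: the server lacks Revoke and still offers SSL 3.0,
# the client relies on Register, which this server does not implement.
EXAMPLE_SERVER = Capabilities(
    operations=frozenset({"Create", "Get", "Locate", "Destroy", "Query"}),
    objects=frozenset({"Symmetric Key", "Secret Data"}),
    attributes=frozenset({"Unique Identifier", "Cryptographic Algorithm",
                          "Cryptographic Length", "State"}),
    protocols=frozenset({"SSL 3.0", "TLS 1.2"}),
    authentication=frozenset({"TLS client certificate"}),
)
EXAMPLE_CLIENT = Capabilities(
    operations=frozenset({"Get", "Register"}),
    objects=frozenset({"Symmetric Key"}),
    attributes=frozenset({"Unique Identifier"}),
    protocols=frozenset({"TLS 1.2"}),
    authentication=frozenset({"TLS client certificate"}),
)

if __name__ == "__main__":
    for line in check_server(BASELINE_PROFILE, EXAMPLE_SERVER):
        print(line)
    for line in check_client(BASELINE_PROFILE, EXAMPLE_SERVER, EXAMPLE_CLIENT):
        print(line)
```

The server check treats an extra protocol as a finding rather than ignoring it: a profile that names the permitted wire protocols is only useful if an implementation offering an older one alongside them is flagged, otherwise a downgrade between two conformant parties goes unnoticed. The client check implements the "single statement" rule from the slide, with the profile's minimum operation set layered on top.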