Cryptsoft products are used in a wide range of solutions.
Storage Infrastructure & Security Cloud
• Disk Arrays, Flash Storage Arrays
• NAS Appliances
• Tape Libraries, Virtual Tape Libraries
• Hyper-Converged Storage
• Encrypting Switches
• Storage Key Managers
• Storage Controllers
• Storage Operating Systems
• Key Managers
• Hardware Security Modules
• Encryption Gateways
• Virtualization Managers
• Virtual Storage Controllers
• Network Computing Appliances
• Secure Application Development
• Defense and IC Applications
• Key Managers
• Compliance Platforms
• Information Managers
• Enterprise Gateways and Security
• Enterprise Authentication
• Endpoint Security
• Financial Services Applications
• Banking Applications
THE TRUSTED SECURITY PROVIDER TO YOUR TRUSTED SECURITY PROVIDER
Cryptsoft is a privately held Australian company that operates worldwide in the enterprise key management security market. Cryptsoft’s Key Management Interoperability Protocol (KMIP) and Public Key Cryptography Standard 11 (PKCS#11) software development kits (SDKs) are the market’s preferred OEM solutions.
Cryptsoft’s solutions have been selected by prominent global companies for interoperable enterprise key management and encryption technology in their storage, infrastructure & security and cloud products.
Cryptsoft is committed to the development of standards based security software and is an OASIS Foundational Sponsor and FIDO Member.
STANDARDS AND ASSOCIATIONS
KMIP STANDARD
PKCS#11 STANDARD
Cryptsoft is an OASIS Foundational Sponsor and an active member and contributor to the KMIP and PKCS#11 technical committees.
The Cryptsoft Quality Management System is certified to ISO 9001:2015.
CUSTOMERS
Cryptsoft’s valued customers include:
PARTNERS
Cryptsoft’s valued partners include:
[Figure legend: Application Level, Filesystem Level, Network Level, Device Level]
KEY MANAGEMENT SDKs
Complete Vendor-Independent Key Management Solutions
Cryptsoft’s Key Management SDKs enable rapid addition of interoperable key management functionality to your existing products.
Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.
Cryptsoft’s PKCS#11 Consumer and Provider SDKs provide access to a wide range of hardware security devices, allowing application portability, migration and management control in complex secure environments.
As the security market’s preferred key management vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential.
Using the Cryptsoft SDKs in C, C++, C#, Java and Python, you can support key management protocols with a single, consistent interface and provide your customers with a complete vendor independent key management solution to manage all of the points of encryption within your enterprise.
Where Key Management is required
Key management is necessary for every point of encryption in the business environment. At every point where data is encrypted, whether it be in use, in transit or at rest, there will be a key to encrypt and decrypt that data. If data has been encrypted to protect it, then managing the encryption key is as important as the data itself.
Cryptsoft KMIP Server and Client SDKs provide a ready made set of tested toolkits able to provide standards compliant key management for your solution at any point where encryption is required.
KEY FEATURES
• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• KMIP SDKs interoperable with all released KMIP server/client products
• PKCS#11 SDKs compliant with OASIS PKCS#11 versions: 2.40, 3.0*
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX support available
[Figure labels: NAS, Storage Array, Tape Library, Appliance, File Server, PC, Server, Mobile, Network]
KEY MANAGEMENT SDKs
Complete Vendor-Independent Key Management Solutions
KMIP Client SDK Products
• KMIP C Client SDK
• KMIP C Client SGX Module SDK
• KMIP C++ Client SDK
• KMIP C++ Client SGX Module SDK
• KMIP C# Client SDK
• KMIP C# Client SGX Module SDK
• KMIP Java Client SDK
• KMIP Java Client SGX Module SDK
• KMIP Python Client SDK
• KMIP Python Client SGX Module SDK
• KMIP C Client PKCS#11 Adapter
• KMIP RKM/DPM C Client SDK
• KMIP C Client Layered Protocol SDK
• KMIP Interoperability Test Suite (C/Java)
• KMIP Client Online Test Service
KMIP Server SDK Products
• KMIP C Server SDK
• KMIP C Server SGX Module SDK
• KMIP Java Server SDK
• KMIP Java Server SGX Module SDK
• KMIP Alert Server SDK
• KMIP Alert Server SGX Module SDK
• KMIP Authentication Server SDK
• KMIP Authentication Server SGX Module SDK
• KMIP Server Administration Interface (C/Java)
• KMIP Server VM Annual Subscription (C/Java)
• KMIP C Proxy Servers for Proprietary Protocols
• KMIP C Server (PKCS#11/HSM/RNG) Module
• KMIP C Server (PKCS#11/HSM/RNG) SGX Module
• KMIP C Server (Audit/Analytics) Module
• KMIP C Server OTP Module
• KMIP Server Online Test Service
PKCS#11 Consumer SDK Products
• PKCS#11 C Consumer SDK
• PKCS#11 C Consumer SGX Module SDK
• PKCS#11 C++ Consumer SDK
• PKCS#11 C++ Consumer SGX Module SDK
• PKCS#11 C# Consumer SDK
• PKCS#11 C# Consumer SGX Module SDK
• PKCS#11 Java Consumer SDK
• PKCS#11 Java Consumer SGX Module SDK
• PKCS#11 Python Consumer SDK
• PKCS#11 Python Consumer SGX Module SDK
• PKCS#11 Consumer Online Test Service
PKCS#11 Provider SDK Products
• PKCS#11 C Provider SDK
• PKCS#11 C Provider SGX Module SDK
• PKCS#11 C++ Provider SDK
• PKCS#11 C++ Provider SGX Module SDK
• PKCS#11 C# Provider SDK
• PKCS#11 C# Provider SGX Module SDK
• PKCS#11 Java Provider SDK
• PKCS#11 Java Provider SGX Module SDK
• PKCS#11 Python Provider SDK
• PKCS#11 Python Provider SGX Module SDK
• PKCS#11 Provider Online Test Service
Supported Hardware Devices/Solutions
Supported Hardware Security Modules and Random Number Generators
• AWS - CloudHSM V1/V2 (RNG/HSM) [PKCS#11]
• Cavium - LiquidSecurity (RNG/HSM) [PKCS#11]
• Cryptsoft® - CloudHSM™ (RNG/HSM) [PKCS#11]
• Engage Black - BlackVault (HSM) [PKCS#11]
• ID Quantique - Quantis USB (RNG) [Vendor]
• ID Quantique - Quantis PCI (RNG) [Vendor]
• ID Quantique - Quantis PCIe (RNG) [Vendor]
• nCipher - nShield Connect (RNG/HSM) [PKCS#11]
• nCipher - nShield Edge (RNG/HSM) [PKCS#11]
• nCipher - nShield Solo (RNG/HSM) [PKCS#11]
• SafeNet - Luna SA4/SA5 (RNG/HSM) [PKCS#11]
• SafeNet - Luna PCI (RNG/HSM) [PKCS#11]
• SafeNet - Protect Server (RNG/HSM) [PKCS#11]
• Utimaco - CryptoServer CSe10/100 (RNG/HSM) [PKCS#11]
Supported One Time Password Devices
• Android Soft Token [OATH-TOTP]
• Cryptsoft® [OATH-TOTP/U2F]
• Feitian [OATH-HOTP/TOTP]
• Google Authenticator Soft Token [OATH-TOTP]
• FIDO Devices [U2F]
• RSA Security SecurID [SecurID]
• Yubico [OATH-HOTP/TOTP/YubiKey]
KMIP CLIENT SDK
C, C++, C#, JAVA, PYTHON
A complete range of vendor-independent key management solutions.
Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications. This allows applications to use encryption functionality available from a wide range of key managers, making it easier to deploy and preventing vendor lock-in to proprietary solutions.
Cryptsoft’s C, C++ and Java SDKs are all pure native code, not wrapped versions, ensuring the most portable code for your application.
Reduce time to market, KMIP-enable your client solutions within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.
From specialised embedded systems through to scalable, whole of enterprise and government solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.
KEY FEATURES
• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP server products
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX support available
[Figure labels: KMIP Client SDK (C, C++, C#, JAVA, PYTHON); KMIP Server SDK (C, JAVA); Key Management Interoperability Protocol (KMIP); HSM; KMS-SGX]
KMIP CLIENT SDK - SPECIFICATIONS
C, C++, C#, JAVA, PYTHON
KMIP Client Examples
• Simple Protocol Format Parsing: TTLV, HEX, BIN, JSON, XML
• Simple Servers: Query, Notify, Put
• Simple Clients: Locate Objects, Create and Return Objects
• Locating Managed Objects: Simple, Extended, IBM TKLM/SKLM, XML
• KMIP Standard Operations: Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-Key, Re-Key Key Pair, Archive, Recover, Activate, Derive Key
• Creating Keys: Simple, Advanced, Extensions
• Managing Attributes: Add, Modify, Delete Attribute
• Linear Tape Open (LTO): LTO-4 Key Management, LTO-5/6 Key Management, KAD, AKAD, UKAD naming, Generic LTO-4
• Random Number Generator (RNG): Retrieve Server RNG, Seed Server RNG
• Server Cryptographic Operations: Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash
• Determine Capabilities: Server SDK Version, Discover Protocol Versions, Query Server Basic, Query Server Extensions, Query Advanced Capabilities
• Split Key (Multi-Party Controls): Create Split Key, Join Split Key
• Cryptsoft Vendor Extensions: SQL Insert, SQL Update, SQL Delete
• Generic Multi-Protocol Key Handling: GetKey, PutKey, DelKey
• Request/Response Handling: Recording, Replaying, Batching, Bulk Data Loading
• Client Credential Handling: Password-protected TLS Credentials, Device Credentials, IBM TKLM/SKLM
Supported KMIP Client Profiles
• Advanced Cryptographic Client (1.2)
• Advanced Symmetric Key Foundry Client
• AES XTS Client
• Asymmetric Key Lifecycle Client
• Baseline Client Basic
• Baseline Client TLS v1.2
• Basic Cryptographic Client (1.2)
• Basic Symmetric Key Foundry Client
• HTTPS Client
• Intermediate Symmetric Key Foundry Client
• JSON Client
• Opaque Managed Object Store Client
• PKCS#11 Client (2.0)
• Quantum Safe Client (2.0)
• RNG Cryptographic Client (1.2)
• Storage Array With SED Client
• Suite-B Min LOS_128 Client (1.x)
• Suite-B Min LOS_192 Client (1.x)
• Symmetric Key Lifecycle Client
• Tape Library Client
• XML Client
Supported KMIP Operations
• Activate
• Add Attribute
• Adjust Attribute (2.0)
• Allocation
• Archive
• Cancel
• Certify
• Check
• Create
• Create Key Pair
• Create Split Key (1.2)
• Decrypt (1.2)
• Delegated Login (2.0)
• Delete Attribute
• Derive Key
• Destroy
• Discover Versions (1.1)
• Encrypt (1.2)
• Export (1.4)
• Get
• Get Attribute List
• Get Attributes
• Get Usage Allocation
• Hash (1.2)
• Import (1.4)
• Interop (2.0)
• Join Split Key (1.2)
• Locate
• Log (2.0)
• Login (2.0)
• Logout (2.0)
• MAC (1.2)
• MAC Verify (1.2)
• Modify Attribute
• Notify
• Obtain Lease
• PKCS11 (2.0)
• Poll
• Put
• Query
• Re-Certify
• Recover
• Register
• Re-Key
• Re-Key Key Pair
• Re-Provision (2.0)
• Revoke
• RNG Retrieve (1.2)
• RNG Seed (1.2)
• Set Attribute (2.0)
• Set Endpoint Role (2.0)
• Sign (1.2)
• Signature Verify (1.2)
• Validate
Supported KMIP Object Types
• Certificate
• Certificate Request (2.0)
• Opaque Object
• PGP Key
• Private Key
• Public Key
• Secret Key
• Split Key
• Symmetric Key
• Template
Supported Cryptographic Providers
• OpenSSL 1.0.x
• OpenSSL 1.1.x
• OpenSSL 3.0.x (dev)
• OpenSSL 0.9.8 (option)
• OpenSSL FIPS 2.0 (option)
• Oracle JCE (Java)
• IBM JCE (Java)
• RSA BSAFE MES 3.x, 4.x (option)
• RSA BSAFE Share-C (option)
• RSA BSAFE Crypto-J (Java)
• Bouncy Castle JCE (Java)
• wolfSSL (option)
Supported KMIP Encodings
• TTLV
• HTTPS/TTLV
• HTTPS/JSON
• HTTPS/XML
Supported KMIP Server Vendors
• Cryptsoft
• DellEMC
• Fornetix
• Gemalto
• HyTrust
• IBM
• KeyNexus
• Kryptus
• MarkLogic
• Oracle
• SafeNet
• Thales
• Townsend Security
• Trend Micro
• Unbound
• Utimaco
• Vormetric
KMIP SERVER SDK
C, JAVA
A complete range of vendor-independent key management solutions.
Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing server solutions.
Cryptsoft’s C and Java SDKs are all pure native code, not wrapped versions, ensuring the most optimised, portable code for your application.
Reduce time to market, KMIP-enable your server solutions within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.
From specialised embedded systems through to scalable, whole of enterprise and government solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.
KEY FEATURES
• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP server products
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX Support available
[Figure labels: KMIP Client SDK (C, C++, C#, JAVA, PYTHON); KMIP Server SDK (C, JAVA); Key Management Interoperability Protocol (KMIP); HSM; KMS-SGX]
KMIP SERVER SDK - SPECIFICATIONS
C, JAVA
KMIP Server Examples
• Simple Protocol Format Parsing: TTLV, HEX, BIN, JSON, XML
• Simple Clients Operations: Locate Objects, Create and Return Objects
• Locating Managed Objects: Simple, Extended, IBM TKLM/SKLM, XML
• KMIP Standard Operations: Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-Key, Re-Key Key Pair (1.1), Archive, Recover, Activate, Derive Key
• Server Cryptographic Operations (1.2): Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash
• Managing Attributes: Add, Modify, Delete Attribute
• Random Number Generator (RNG) (1.2): Retrieve Server RNG, Seed Server RNG
• Split Key (Multi-Party Controls) (1.2): Create Split Key, Join Split Key
• Creating Keys: Simple, Advanced, Extensions
• Determine Capabilities: Server SDK Version, Discover Protocol Versions (1.1), Query Server Basic, Query Server Extensions (1.1), Query Advanced Capabilities (1.3)
• Cryptsoft Vendor Extensions: SQL Insert, SQL Update, SQL Delete
• Request/Response Handling: Recording, Replaying, Batching, Bulk Data Loading
• Administration: Create, Modify, Delete Users, Partitions, Groups, Manage Group Privileges, Serialize, Deserialize, Managed Objects
• Database: Schema Management and Migration, Fixture Loading, SQL Replay
• Simple Servers: Query, Notify, Put
• JCE Examples: Key Store Provider
Supported KMIP Server Profiles
• Advanced Cryptographic Server (1.2)
• AES XTS Server
• Asymmetric Key Lifecycle Server
• Baseline Server Basic
• Baseline Server TLS v1.2
• Basic Cryptographic Server (1.2)
• Complete Server Basic
• Complete Server TLS v1.2
• HTTPS Server
• JSON Server
• Opaque Managed Object Store Server
• PKCS#11 Server (2.0)
• Quantum Safe Server (2.0)
• RNG Cryptographic Server (1.2)
• Storage Array With SED Server
• Suite-B Min LOS_128 Server (1.x)
• Suite-B Min LOS_192 Server (1.x)
• Symmetric Key Foundry Server
• Symmetric Key Lifecycle Server
• Tape Library Server
• XML Server
Supported Databases
• HSQLDB (Java)
• SQLite3
• MySQL 5, 6, 7, 8
• Oracle 11.x, 12.x
• SQL Server 2003+
• IBM DB2 9 & 10
• PostgreSQL 8 & 9
Supported Cryptographic Providers
• OpenSSL 1.0.x
• OpenSSL 1.1.x
• OpenSSL 3.0.x (dev)
• OpenSSL 0.9.8 (option)
• OpenSSL FIPS 2.0 (option)
• Oracle JCE (Java)
• IBM JCE (Java)
• RSA BSAFE Crypto-J (Java)
• Bouncy Castle JCE (Java)
Supported KMIP Encodings
• TTLV
• HTTPS/TTLV
• HTTPS/JSON
• HTTPS/XML
Supported KMIP Client Vendors
• ADDGrup
• BDT
• Bracket
• Brocade
• Cohesity
• Cisco
• Cryptsoft
• CSC
• DataStax
• Dell
• DellEMC
• ETI-NET
• Fornetix
• Fujitsu
• Gemalto
• Hewlett Packard Enterprise
• Hitachi Data Systems
• Huawei
• HyTrust
• IBM
• Integrated Research
• Intersystems
• Iskraemeco
• MarkLogic
• NetApp
• Netskope
• Panzura
• Pluribus Networks
• Quantum
• Reduxio
• RSD SA
• SafeNet
• Sepaton
• Skyhigh Networks
• SpectraLogic
• Trend Micro
• TrustedConcepts
• VMWare
• Zettaset
Supported KMIP Operations
• Activate
• Add Attribute
• Adjust Attribute (2.0)
• Allocation
• Archive
• Cancel
• Certify
• Check
• Create
• Create Key Pair
• Create Split Key (1.2)
• Decrypt (1.2)
• Delegated Login (2.0)
• Delete Attribute
• Derive Key
• Destroy
• Discover Versions (1.1)
• Encrypt (1.2)
• Export (1.4)
• Get
• Get Attribute List
• Get Attributes
• Get Usage Allocation
• Hash (1.2)
• Import (1.4)
• Interop (2.0)
• Join Split Key (1.2)
• Locate
• Log (2.0)
• Login (2.0)
• Logout (2.0)
• MAC (1.2)
• MAC Verify (1.2)
• Modify Attribute
• Notify
• Obtain Lease
• PKCS11 (2.0)
• Poll
• Put
• Query
• Re-Certify
• Recover
• Register
• Re-Key
• Re-Key Key Pair
• Re-Provision (2.0)
• Revoke
• RNG Retrieve (1.2)
• RNG Seed (1.2)
• Set Attribute (2.0)
• Set Endpoint Role (2.0)
• Sign (1.2)
• Signature Verify (1.2)
• Validate
KMIP INTEROPERABILITY TEST SUITE
COMPLETE VERIFICATION SOLUTION
Cryptsoft’s Key Management Interoperability Protocol (KMIP) Test Suites let you rapidly confirm the interoperability status of your product. Designed to support the different test cases and profiles in the KMIP standard, you can ensure that your application’s design can be thoroughly tested to deliver interoperability with a range of other KMIP clients and servers.
The Cryptsoft KMIP Test Suites provide full coverage for each version of KMIP (1.0, 1.1, 1.2, 1.3, 1.4 and 2.0*) that can be configured to support the level of KMIP required for your application. In addition, if your application is based on one of the KMIP profiles, then you can apply only the relevant profiles to fully support your requirements.
Reduce time to market and release with the confidence provided by data driven testing.
Supporting Cryptsoft’s full OASIS KMIP SDK, the test suites support Cryptsoft C and Java based SDKs as well as offering Web and Cloud based services.
Cryptsoft Test Suites are available for all published and working draft versions of the OASIS KMIP Standard.
KEY FEATURES
• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Available as a binary SDK or as a service
  - Source license option
• Comprehensive test cases
  - KMIP Test Cases
  - KMIP Profile Test Cases
KEY BENEFITS
• Reduce risk
• Easy to use
• Public Interoperability test results
• Accelerate your time to market
RELATED PRODUCTS
• KMIP C Test Suite SDK
• KMIP Java Test Suite SDK
• KMIP Web Test Suite SDK
• KMIP Cloud Test Suite SDK
[Chart: KMIP test cases and KMIP profiles, 2010 to 2019, scale 100 to 700, series KMIP v1.0, v1.1, v1.2, v1.3, v1.4 and v2.0]
KMIP INTEROPERABILITY TEST SUITE
COMPLETE VERIFICATION SOLUTION
COMPREHENSIVE TEST COVERAGE
Cryptsoft KMIP Test Suites provide full coverage of all versions of the OASIS KMIP standard as well as all of the currently defined profiles as defined in each of the available versions of the KMIP Standard. These test suites are used to test against all vendors and are used in the annual OASIS KMIP Interoperability testing.
Ensure that your application has full coverage and interoperability by using the Cryptsoft KMIP Test Suite today.
COMPLETE KMIP PROFILE COVERAGE
Supported KMIP Server Profiles
• Advanced Cryptographic Server (1.2)
• AES XTS Server
• Asymmetric Key Lifecycle Server
• Baseline Server Basic
• Baseline Server TLS v1.2
• Basic Cryptographic Server (1.2)
• Complete Server Basic
• Complete Server TLS v1.2
• HTTPS Server
• JSON Server
• Opaque Managed Object Store Server
• PKCS#11 Server (2.0)
• Quantum Safe Server (2.0)
• RNG Cryptographic Server (1.2)
• Storage Array With SED Server
• Suite-B Min LOS_128 Server (1.x)
• Suite-B Min LOS_192 Server (1.x)
• Symmetric Key Foundry Server
• Symmetric Key Lifecycle Server
• Tape Library Server
• XML Server
Supported KMIP Client Profiles
• Advanced Cryptographic Client (1.2)
• Advanced Symmetric Key Foundry Client
• AES XTS Client
• Asymmetric Key Lifecycle Client
• Baseline Client Basic
• Baseline Client TLS v1.2
• Basic Cryptographic Client (1.2)
• Basic Symmetric Key Foundry Client
• HTTPS Client
• Intermediate Symmetric Key Foundry Client
• JSON Client
• Opaque Managed Object Store Client
• PKCS#11 Client (2.0)
• Quantum Safe Client (2.0)
• RNG Cryptographic Client (1.2)
• Storage Array With SED Client
• Suite-B Min LOS_128 Client (1.x)
• Suite-B Min LOS_192 Client (1.x)
• Symmetric Key Lifecycle Client
• Tape Library Client
• XML Client
Global Test Infrastructure
TESTING ALL VERSIONS OF KMIP
KMIP v1.0, KMIP v1.1, KMIP v1.2, KMIP v1.3, KMIP v1.4, KMIP v2.0
STORAGE
Modern enterprises can have a wide array of storage technologies distributed throughout the organization. This may be because of adoption of new technology or the many acquisitions and mergers of business units that have taken place over time. The one common requirement that most modern enterprises all have is storage.
The obvious solution to managing a secure storage solution is to ensure that all data is encrypted at rest or in transmission. For many organizations this may be a regulatory requirement or based on sound business and risk management reasons. With increasing volumes of data that an organization stores, the need to encrypt that data with a similarly increasing volume of encryption keys introduces a new problem. For these data assets to be used, those keys need to be available.
In many large enterprises, this means millions of keys under management with many thousands of keys in use at any given time.
Without a common standard for key management, a large enterprise can have a range of disparate key stores with varying levels of support for different types of equipment, leading to incompatibilities and differing management and audit requirements.
[Figure 1 - Multiple Key Stores. Labels: PC, Server, Tape Library, Network, Flash Array, Storage Array, Key Store 1, Key Store 2, Key Store 3]
OASIS KMIP provides an industry supported, standards compliant interoperability protocol for key management. This allows operators of storage solutions to integrate products from multiple vendors which can make use of an interoperable way to generate, store, manage and retrieve encryption keys across all the elements of their storage solution. In addition, this allows for products from different vendors to be integrated into a cohesive system and still interoperate.
These advanced features mean that organizations are no longer locked into storage solutions from a single vendor, and may also reduce risk in their storage solution, as they can grow, reduce, or update their implementation in a more flexible manner tailored to their current needs.
KEY FEATURES
• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP products
• Cross-Language Support
  - Clients in C, C++, C#, Java and Python
  - Servers in C and Java
• Supports wide range of security objects:
  - Symmetric keys
  - Asymmetric keys
  - Certificates
  - Authentication
  - Authorization
  - Tokens
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX Support available
KEY BENEFITS
• Low risk
• Easy to use
• Extensively deployed
• Proven technology for security object management
• Public Interoperability test results
• Reduce your time to market
• Gain access to an extensive KMIP ecosystem
STORAGE (Continued)
Cryptsoft’s range of KMIP SDKs have been used to enable a wide range of storage and storage infrastructure solutions with encryption and enterprise key management capability. From tape libraries through traditional disk based storage to hyper-converged flash arrays, deployment of KMIP technology ensures a deployment of data at rest security solutions within a multi-vendor enterprise.
Cryptsoft’s range of SDKs ensure this can be realized in your products such that your customers can deploy them straight into their enterprises without the need to conduct multiple rounds of point to point testing – we’ve done the hard part for you.
From deployment into brand new product lines, to integration into well respected products for feature parity or compliance, our customers benefit from millions of multi-vendor test runs and a deep understanding of relevant standards. With decades of experience of implementing encryption and key management systems from embedded hardware through to software and virtualized systems, we enable our customers’ products to achieve market parity for data security within weeks.
Some of Cryptsoft’s storage clients include:
[Figure 2 - OASIS KMIP Key Store. Labels: PC, Server, Tape Library, Network, Flash Array, Storage Array, KMIP]
RELATED PRODUCTS
Servers:
• KMIP C Server SDK
• KMIP C Server SGX Module SDK
• KMIP Java Server SDK
• KMIP Java Server SGX Module SDK
• KMIP Alert Server SDK
• KMIP Alert Server SGX Module SDK
• KMIP Authentication Server SDK
• KMIP Authentication Server SGX Module SDK
• KMIP Server Administration Interface (C/Java)
• KMIP Server VM Annual Subscription (C/Java)
• KMIP C Proxy Servers for Proprietary Protocols
• KMIP C Server (PKCS#11/HSM/RNG) Module
• KMIP C Server (PKCS#11/HSM/RNG) SGX Module
• KMIP C Server (Audit/Analytics) Module
• KMIP C Server OTP Module
• KMIP Interoperability Test Suite (C/Java)
• KMIP Server Online Test Service
Clients:
• KMIP C Client SDK
• KMIP C Client SGX Module SDK
• KMIP C++ Client SDK
• KMIP C++ Client SGX Module SDK
• KMIP C# Client SDK
• KMIP C# Client SGX Module SDK
• KMIP Java Client SDK
• KMIP Java Client SGX Module SDK
• KMIP Python Client SDK
• KMIP Python Client SGX Module SDK
• KMIP C Client PKCS#11 Adapter
• KMIP C Client Layered Protocol SDK
• KMIP Interoperability Test Suite (C/Java)
• KMIP Client Online Test Service
SECURING DATA
Ensuring protection and privacy of data is a responsibility of all modern organizations.
For organizations which operate in an environment driven by statutes and regulations, or organizations with managed business and risk management guidelines, the ability to demonstrate an auditable, reliable, best-practice approach to protection and privacy of data (assets) is essential.
In a highly distributed environment comprising multiple physical locations with varying hardware and software solutions, the need to have a common standard approach for management of the security information that protects data is critical.
Data has a life-cycle involving creation, use and destruction, with storage and movement between systems.
Data-in-use, data-in-motion, and data-at-rest all require protection. Protecting data using encryption necessitates management of the encryption keys used to protect the data. With organizations storing increasing volumes of data, there is a correspondingly increasing volume of encryption keys that need to be managed.
In many large organizations, this can mean many millions of keys under management with many thousands of keys in use at any given time. In order to provide a guarantee of access to the data, a tested and proven key management solution is necessary.
A common standard for encryption key management within a large organization eliminates operational incompatibilities, improves both management and audit capabilities and substantially reduces costs.
Cryptsoft’s KMIP SDKs and associated technologies are already in use with global vendors securing data in use, in motion and at rest; securing data on premises, in private and public clouds; securing data on-device and data off-device.
[Figure labels: Data in Use, Data in Motion, Data at Rest; Workplace; Data Center - Private/Public Cloud; Storage Array, Tape Library, Flash Array, Mobile Device, Workstation, Medical Device, Applications, Application Servers, Firewall, Switch and Link Encryptor, Key Manager, HSM, KMIP]
KEY BENEFITS
• Low risk
• Easy to use
• Extensively deployed
• Proven technology for security object management
• Public Interoperability test results
• Reduce your time to market
• Gain access to an extensive KMIP ecosystem
KEY FEATURES
• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• KMIP SDKs interoperable with all released KMIP server/client products
• PKCS#11 SDKs compliant with OASIS PKCS#11 versions: 2.40, 3.0*
• Cross-Language Support
  - Clients in C, C++, C#, Java and Python
  - Servers in C and Java
• Supports wide range of security objects:
  - Symmetric keys
  - Asymmetric keys
  - Certificates
  - Authentication
  - Authorization
  - Tokens
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX Support available
SECURING DATA WITH SGX
Your data and systems are now under attack more than ever before. The solution to this problem has always been to make use of encryption to ensure that data, if exposed, cannot be accessed by an unauthorized user. However, with the growth of information systems being used to improve service and productivity, the traditional use of a hardware key manager to generate and manage encryption keys is now the bottleneck in widely distributed or cloud managed services.
The solution is to move the data encryption services closer to the point of use.
Cryptsoft Client and Server KMIP SDKs are designed to utilize the Intel® Software Guard Extensions to run all or some of the KMIP functionality within the trusted execution environment, providing the application with a hardware protected enclave so that encryption keys and other security information now have the same level of hardware protection that was previously available only to specialist security devices.
This means that applications and data are protected using the same easy management processes that can control applications.
Cryptsoft SDKs support the full range of options for Intel SGX, allowing security to be improved for every workstation and server in the organization, simplifying management and security of keys and providing hardware based security that was previously unaffordable.
[Figure: Cryptsoft Client/Server components available for hardware protection with Intel® SGX. Labels: Other Components, Integration Interfaces, Client/Server Code, TLS Handling, Cryptographic Provider, Protocol Handling, Integration Modules, Security Object Store; legend: SGX Protected]
RELATED PRODUCTS
Servers:
• KMIP C Server SDK
• KMIP C Server SGX Module SDK
• KMIP Java Server SDK
• KMIP Java Server SGX Module SDK
• KMIP Alert Server SDK
• KMIP Alert Server SGX Module SDK
• KMIP Authentication Server SDK
• KMIP Authentication Server SGX Module SDK
• KMIP Server Administration Interface (C/Java)
• KMIP Server VM Annual Subscription (C/Java)
• KMIP C Proxy Servers for Proprietary Protocols
• KMIP C Server (PKCS#11/HSM/RNG) Module
• KMIP C Server (PKCS#11/HSM/RNG) SGX Module
• KMIP C Server (Audit/Analytics) Module
• KMIP C Server OTP Module
• KMIP Interoperability Test Suite (C/Java)
• KMIP Server Online Test Service
Clients:
• KMIP C Client SDK
• KMIP C Client SGX Module SDK
• KMIP C++ Client SDK
• KMIP C++ Client SGX Module SDK
• KMIP C# Client SDK
• KMIP C# Client SGX Module SDK
• KMIP Java Client SDK
• KMIP Java Client SGX Module SDK
• KMIP Python Client SDK
• KMIP Python Client SGX Module SDK
• KMIP C Client PKCS#11 Adapter
• KMIP C Client Layered Protocol SDK
• KMIP Interoperability Test Suite (C/Java)
• KMIP Client Online Test Service
OASIS KMIP is a widely accepted open standard for the management of a range of security objects including symmetric and asymmetric keys, certificates, and user or vendor defined objects. It is based on a communications protocol which defines message formats for the full lifecycle of keys stored on a key management server.

Clients can request a server to perform the full key management lifecycle for key operations. These operations are grouped together in the table below in functional groups allowing for maximum flexibility for key operations.

The KMIP open standard for key management allows application programmers to develop the logic of their applications for their business purpose free from the complexities of key management and to rest assured that their application can be developed once and will interoperate with key managers from a range of vendors.

Talk to an account manager today to evaluate how Cryptsoft can implement key management lifecycle in your application.
KMIP FUNDAMENTALS

[Table: KMIP operations. Group labels: ESTABLISH, RETRIEVE, ROTATE, USAGE, INFO, STATE, MANAGE, OTHER, CRYPTOGRAPHIC, CLIENT, SERVER, AUTHENTICATION. Operations follow, with the version number printed beside each in parentheses.]

• Set Attribute (2.0), Log (2.0), Set Endpoint Role (2.0), Join Split Key (1.2), Register, Validate
• Certify, Create, Create Key Pair, Create Split Key (1.2), Derive Key, Import (1.4)
• Decrypt (1.2), Encrypt (1.2), Hash (1.2), MAC (1.2), MAC Verify (1.2), PKCS11 (2.0), RNG Retrieve (1.2), RNG Seed (1.2), Sign (1.2), Signature Verify (1.2)
• Activate, Archive, Destroy, Recover, Revoke
• Export (1.4), Get, Get Attribute, Get Attribute List
• Check, Get Usage Allocation, Obtain Lease
• Add Attribute, Adjust Attribute (2.0), Delete Attribute, Modify Attribute
• Re-Certify, Re-Key, Re-Key Key Pair
• Cancel, Poll
• Query, Discover Versions (1.1), Interop (2.0)
• Locate
• Notify, Put
• AUTHENTICATION: Delegated Login (2.0), Login (2.0), Logout (2.0), Re-Provision (2.0)
KEY FEATURES

The range of KMIP compliant Key Management SDKs from Cryptsoft supports:
• Full OASIS KMIP compliance for versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• KMIP SDKs interoperable with all released KMIP server/client products
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
TYPICAL USES
• Storage solutions and appliances
• Network infrastructure
• Security applications
• Database management
• Embedded solutions
• Security hardware management
• Gateways and endpoints
• Financial Services and banking applications
• Defense and IC applications
• Auditing and compliance

KMIP CLIENTS AND SERVERS

Cryptsoft's Key Management SDKs have been incorporated into a wide range of products that are leading the market in interoperable key management.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor's endpoint.

As the security market's preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential and can interoperate with a wide range of KMIP based products from a range of vendors allowing easy adoption of your product.

[Figure: diagram labelled CLIENTS and SERVERS.]
PKCS#11 SDKs

Providers:
• PKCS#11 C Provider SDK
• PKCS#11 C Provider SGX Module SDK
• PKCS#11 Java Provider SDK
• PKCS#11 Java Provider SGX Module SDK
• PKCS#11 C++ Provider SDK
• PKCS#11 C++ Provider SGX Module SDK
• PKCS#11 C# Provider SDK
• PKCS#11 C# Provider SGX Module SDK
• PKCS#11 Python Provider SDK
• PKCS#11 Python Provider SGX Module SDK
• PKCS#11 Provider Online Test Service

Consumers:
• PKCS#11 C Consumer SDK
• PKCS#11 C Consumer SGX Module SDK
• PKCS#11 Java Consumer SDK
• PKCS#11 Java Consumer SGX Module SDK
• PKCS#11 C++ Consumer SDK
• PKCS#11 C++ Consumer SGX Module SDK
• PKCS#11 C# Consumer SDK
• PKCS#11 C# Consumer SGX Module SDK
• PKCS#11 Python Consumer SDK
• PKCS#11 Python Consumer SGX Module SDK
• PKCS#11 Consumer Online Test Service
Cryptsoft PKCS#11 Key Management SDKs allow you to access a range of Hardware Security Modules (HSM) and other cryptographic devices (smartcards, tokens, etc.) which support the PKCS#11 standard using standard APIs and standard protocols.

These devices support applications which require the use of hardware-based cryptographic tokens. Traditionally these have been deployed only for high-value special purpose operations, and prior to KMIP 2.0 and PKCS#11 3.0 they were implemented using a vendor-specific protocol encoding for the PKCS#11 API. Each vendor provided separate, incompatible client software, which only accessed specific devices, exacerbating implementation and management issues.

Many vendors extended the capability of PKCS#11 with additional functions outside of the defined extension interface within the PKCS#11 standard. Many vendors implemented incompatible interpretations of the standard and provided a variety of vendor-specific mechanisms and behaviours. Many users found vendor-specific extensions caused unnecessary complexity and incompatibility for their application programmers, testers and deployment processes.
PKCS#11 SDKs
Cryptsoft has a wide range of PKCS#11 SDKs in a number of languages (C, C++, C#, Java and Python) which provide standards compliant interfaces for consuming cryptographic keys and certificates. In addition, Cryptsoft also has a range of software based PKCS#11 provider SDKs to allow for access to cryptographic tokens and operations.

The illustration below shows a simplified application deployment environment with a number of applications with PKCS#11 consumer APIs accessing a single Cryptsoft PKCS#11 Provider for their key operations.

Cryptsoft's PKCS#11 Provider includes provision for a high capacity security object data store which is able to support multiple applications in addition to allowing for partitioning of objects within a tenant (full multi-tenancy support). This provides flexibility when building and deploying applications within your environment.

Cryptsoft PKCS#11 Consumer and Provider SDKs are available to help streamline your development, test and production environments, allowing you to deploy and change secure applications in a simple and manageable way.
[Figure: deployment illustration. Labels: Application, Vendor API, HSM; Application, PKCS#11 API, Cryptsoft PKCS#11 Provider.]
Cryptsoft has worked with a number of standards bodies to provide additional security options for developers building key management solutions into their products.

Options are available for Fast IDentity Online (FIDO) Universal Second Factor (U2F) and OATH compliant One Time Password (OTP), which allow developers to include this functionality in their operations as well as increase the security of the key management solution itself.
• Strong two-factor authentication
• Support for OATH compliant time-based TOTP devices
• Support for multiple OTP hardware tokens
• Support for variable length OTP hardware tokens
• Integrated with OASIS KMIP for client authentication and seed provisioning
• Configurable seed management
• Capability for Multi-Device seeds
• OASIS KMIP Compliant
• Provides configurable control of authentication
KEY BENEFITS
Cryptsoft's OASIS KMIP products support the Fast IDentity Online (FIDO) Universal Second Factor (U2F) types of tokens. Cryptsoft's Server and Client SDKs provide developers with the tools to provision and manage keys which can be used by these commonly available hardware tokens.

Cryptsoft's KMIP SDKs allow the developer to fully integrate OTP and U2F tokens into their managed security solution.
RELATED PRODUCTS
• KMIP C Server SDK
• KMIP C Server Administration Interface
• KMIP C Server OTP Server Module
• KMIP C Server Integration Module (HSM)
• KMIP Java Server SDK
• KMIP C SDK
• KMIP C++ SDK
• KMIP C# SDK
• KMIP Java SDK
• KMIP Python Client
AUTHENTICATION SDKs
OTP SUPPORT
U2F SUPPORT
Cryptsoft's OTP solution is based on open standards and allows the developer to create enterprise solutions to manage the full lifecycle of the seed records that underpin the security in an OTP solution. This ensures that only the enterprise has access to the seed records, and the enterprise has full control over the provisioning, usage, and de-provisioning of tokens.

Time based One Time Password (TOTP) tokens provide users with a secure and reliable hardware device to integrate standards-based hardware two-factor authentication.

Two-factor authentication with TOTP combines something you know (your password) with something you have (a unique number sequence generated by a hardware device). Both of these factors are required to authenticate, which substantially improves the security properties when compared to a single factor authentication solution.

The non-predictable variable length digit token output is derived from both the secret seed record and the on-board real-time clock (RTC). A single hardware token can be programmed for variable output and variable time intervals (30 or 60 seconds), ensuring a solution is easily tailored to the enterprise security context that the developer is building.

Two (or more) tokens initialised with the same seed value can be used for person-to-person two-factor authentication solutions, entirely independent of any server infrastructure.

The same seed record can also be loaded into software based TOTP solutions, allowing for a mixed hardware and software deployment context that can be managed by the same infrastructure.
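The derivation described above (code from seed record plus clock, variable digit length, 30 or 60 second intervals, identical output from any device holding the same seed) can be shown with the public RFC 6238 algorithm. This is an added example, not Cryptsoft code; the names `totp`, `verify` and `RFC_TEST_SEED` are assumptions, and the seed is the published RFC 6238 test value.

```python
import hashlib
import hmac
import struct

# Published RFC 6238 test seed (ASCII), not a real credential.
RFC_TEST_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1: the code depends only on seed and clock."""
    counter = unix_time // step                      # index of the current time step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)   # keep leading zeros


def verify(seed, candidate, unix_time, step=30, digits=6,
           drift_steps=1, last_counter=-1):
    """Return the matched step counter, or None.

    Neighbouring steps are tried to tolerate token clock drift. Counters at or
    below last_counter are refused so an observed code cannot be replayed.
    """
    now = unix_time // step
    matched = None
    for counter in range(max(0, now - drift_steps), now + drift_steps + 1):
        expected = totp(seed, counter * step, step, digits)
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(expected, candidate) and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    t = 59
    token_a = totp(RFC_TEST_SEED, t, digits=8)   # two devices, same seed record,
    token_b = totp(RFC_TEST_SEED, t, digits=8)   # produce the same code offline
    print(token_a, token_b, token_a == token_b)
    print(totp(RFC_TEST_SEED, t), verify(RFC_TEST_SEED, totp(RFC_TEST_SEED, t), t + 30))
```

Because every device loaded with the seed record yields the same codes, confidentiality of the seed store is the whole security boundary; the verifier should persist the returned counter and pass it back as `last_counter` on the next attempt.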
KEY FEATURES
Cryptsoft is a member of the FIDO (Fast IDentity Online) Alliance
Copyright © 2019 Cryptsoft Pty Ltd. All rights reserved. All trademarks, service marks, trade names, product names and logos are property of their respective owners.
2019-03