
THE TRUSTED SECURITY PROVIDER TO YOUR · Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0* • Guaranteed interoperability with all released KMIP server products

THE TRUSTED SECURITY PROVIDER TO YOUR TRUSTED SECURITY PROVIDER

CRYPTSOFT is a privately held Australian company that operates worldwide in the enterprise key management security market. Cryptsoft’s Key Management Interoperability Protocol (KMIP) and PKCS#11 software development kits (SDKs) are the market’s preferred OEM solutions.

Cryptsoft’s solutions have been selected by prominent global companies for interoperable enterprise key management and encryption technology in their storage, infrastructure & security and cloud products. Cryptsoft is committed to the development of standards based security software and is an OASIS Foundational Sponsor, SNIA and SSIF Voting Member.

STANDARDS AND ASSOCIATIONS

The Cryptsoft Quality Management System is certified to ISO 9001:2015

Cryptsoft is an OASIS Foundational Sponsor and an active member and contributor to the KMIP and PKCS#11 technical committees

KMIP STANDARD PKCS#11 STANDARD

Cryptsoft is a voting member of the Storage Networking Industry Association (SNIA) and the Storage Security Industry Forum (SSIF)


KMIP ADOPTION – KMIP EMBEDDED IN MAJOR ENTERPRISE PRODUCTS

“I DIDN’T KNOW YOU DID THAT?”

STORAGE INFRASTRUCTURE AND SECURITY

CLOUD

• Disk Arrays, Flash Storage Arrays
• NAS Appliances
• Tape Libraries, Virtual Tape Libraries
• Encrypting Switches
• Storage Key Managers
• Storage Controllers
• Storage Operating Systems
• Key Managers
• Hardware Security Modules
• Encryption Gateways
• Virtualization Managers
• Virtual Storage Controllers
• Network Computing Appliances
• Secure Application Development
• Key Managers
• Compliance Platforms
• Information Managers
• Enterprise Gateways and Security
• Enterprise Authentication
• Endpoint Security
• Financial Services Applications
• Banking Applications


KEY MANAGEMENT SDKS
COMPLETE VENDOR-INDEPENDENT KEY MANAGEMENT SOLUTION

Cryptsoft’s Key Management SDKs enable rapid addition of interoperable key management functionality to your existing products.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.

As the security market’s preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential.

Using the Cryptsoft SDKs in ANSI C, C++, C#, Java and Python, you can support KMIP key management protocols with a single, consistent interface and provide your customers with a complete vendor independent key management solution to manage all of the points of encryption within your enterprise.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP products
• Cross-Language Support
  ▫ Clients in C, C++, C#, Java and Python
  ▫ Servers in C and Java

POINTS OF ENCRYPTION

[Figure: PCs, servers, a file server, appliances, a network, a storage array, NAS and a tape library, each marked with its points of encryption. Legend: 1 Application Level, 2 Filesystem Level, 3 Network Level, 4 Device Level.]

Source: ISO/IEC 27040 - Information technology - Security techniques - Storage security


Features
• Comprehensive example code
• Source licence option
• Supports KMIP v1.0, v1.1, v1.2, v1.3, 1.4, 2.0*
• Supports proprietary key management protocols (optional plugins to C SDK)

Supported Databases
• Oracle MySQL
• Oracle Database
• Microsoft SQL Server
• SQLite
• IBM DB2
• PostgreSQL
• Embedded (lightweight)
• HSQLDB java

Supported Hardware Security Modules and Random Number Generators
• SafeNet - Luna PCI (RNG/HSM) [PKCS#11]
• SafeNet - Protect Server (RNG/HSM) [PKCS#11]
• Thales e-Security - nShield Connect (RNG/HSM) [PKCS#11]
• Thales e-Security - nShield Edge (RNG/HSM) [PKCS#11]
• Thales e-Security - nShield Solo (RNG/HSM) [PKCS#11]
• Utimaco CryptoServer CSe10 PCIe/LAN (RNG/HSM) [PKCS#11]
• Utimaco CryptoServer CSe100 PCIe/LAN (RNG/HSM) [PKCS#11]
• Whitewood EntropyEngine (RNG)
• ID Quantique - Quantis USB (RNG) [Vendor]
• ID Quantique - Quantis PCI (RNG) [Vendor]
• ID Quantique - Quantis PCIe (RNG) [Vendor]
• Feitian - ePass [PKCS#11]
• Oracle - SCA6000 [PKCS#11]
• SafeNet - Luna SA4/SA5 (RNG/HSM) [PKCS#11]
• SafeNet - Luna CA (RNG/HSM) [PKCS#11]

Supported One Time Password Devices
• Mi-Token [OATH-TOTP] [Soft Token]
• RSA Security SecurID [SecurID]
• Litheware Tombé [OATH-HOTP] [YubiKey]
• Yubico [OATH-HOTP/TOTP] [YubiKey]
• Android [OATH-TOTP] [Soft Token]
• Cryptsoft [OATH-TOTP]
• Feitian [OATH-HOTP/TOTP]
• Apple [OATH-TOTP] [Soft Token]

Client SDK Products
• KMIP C Client SDK
• KMIP C++ Client SDK
• KMIP C# Client SDK
• KMIP Java Client SDK
• KMIP Python Client SDK
• KMIP C Client Layered Protocol SDKs for Proprietary Protocols
• KMIP C Client PKCS11 Adapter
• KMIP RKM/DPM C Client SDK
• KMIP C Client Oracle TDE & Microsoft BitLocker
• KMIP C Client Layered Protocol SDK
• KMIP C Interoperability Test Suite
• KMIP Java Interoperability Test Suite
• Online Test Service (XML/JSON)

Server SDK Products
• KMIP C Server SDK
• KMIP Java Server SDK
• KMIP Alert Server SDK
• KMIP Server VM Subscription (Annual - C or Java)
• KMIP Server Administration Interface (for C or Java Server SDK)
• KMIP C Proxy Servers for Proprietary Protocols
• KMIP C Server Integration Modules (PKCS11, HSM, RNG)
• KMIP C Server Integration Module (SGX)
• KMIP C Server Integration Module (Audit/Analytics)
• KMIP C Server OTP Server Module


KMIP CLIENT SDKS
C, C++, C#, JAVA, PYTHON

A complete range of vendor-independent key management solutions

Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications.

Reduce time to market, KMIP-enable your solution within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.

From specialised embedded systems through to scalable, whole of enterprise solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP server products
• Extensive range of supported platforms
  ▫ Custom platform ports on request
• Available as a binary SDK
  ▫ Source license option
• Comprehensive example code
  ▫ Custom examples available - rapid integration
• Supported on over 35 different platforms
  ▫ Including Linux, Windows, Embedded
  ▫ https://www.cryptsoft.com/platforms/

[Figure: KMIP Client SDK (c, c++, c#, java, python), KMIP Server SDK (c, java), KMIP, HSM]


KMIP CLIENT SDKS
C, C++, C#, JAVA, PYTHON

KMIP Object Types
• Certificate
• Opaque Object
• PGP Key
• Private Key
• Public Key
• Secret Key
• Split Key
• Symmetric Key
• Template

Supported Cryptographic Providers
• OpenSSL 1.0.x
• OpenSSL 1.1.x
• OpenSSL FIPS 2.0
• OpenSSL 0.9.8 (option)
• Sun/Oracle JCE
• IBM JCE
• RSA BSAFE MES 3.x, 4.x (option)
• RSA BSAFE Share-C (option)
• RSA BSAFE Crypto-J
• Bouncy Castle JCE
• wolfSSL

Supported KMIP Operations
• Activate
• Add Attribute
• Archive
• Cancel
• Certify
• Check
• Create
• Create Key Pair
• Create Split Key (1.2)
• Decrypt (1.2)
• Delete Attribute
• Derive Key
• Destroy
• Discover Versions (1.1)
• Encrypt (1.2)
• Get
• Get Attribute List
• Get Attributes
• Get Usage Allocation
• Hash (1.2)
• Join Split Key (1.2)
• Locate
• MAC (1.2)
• MAC Verify (1.2)
• Modify Attribute
• Notify
• Obtain Lease
• Poll
• Put
• Register
• Register Query
• Re-certify
• Recover
• Re-key
• Re-key Key Pair (1.1)
• Revoke
• RNG Retrieve (1.2)
• RNG Seed (1.2)
• Sign (1.2)
• Signature Verify (1.2)
• Validate

KMIP Client Examples
• Simple Protocol Format Parsing: TTLV, HEX, BIN, JSON, XML
• Simple Servers: Query, Notify, Put
• Simple Clients: Locate Objects, Create and Return Objects
• Locating Managed Objects: Simple, Extended, IBM TKLM/SKLM, XML
• KMIP Standard Operations: Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-key, Re-key Key Pair (1.1), Archive, Recover, Activate, Derive Key
• Creating Keys: Simple, Advanced, Extensions
• Managing Attributes: Add, Modify, Delete Attribute
• Linear Tape Open (LTO): LTO-4 Key Management, LTO-5/6 Key Management, KAD, AKAD, UKAD naming, Generic LTO-4
• Random Number Generator (RNG) (1.2): Retrieve Server RNG, Seed Server RNG
• Server Cryptographic Operations (1.2): Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash
• Determine Capabilities: Server SDK Version, Discover Protocol Versions (1.1), Query Server Basic, Query Server Extensions (1.1), Query Advanced Capabilities (1.3)
• Split Key (Multi-Party Controls) (1.2): Create Split Key, Join Split Key
• Cryptsoft Vendor Extensions: SQL Insert, SQL Update, SQL Delete
• Generic Multi-protocol Key Handling c: Get Key, Put Key, Del Key
• Request/Response Handling: Recording, Replaying, Batching, Bulk Data Loading
• Client Credential Handling: Password-protected TLS Credentials, Device Credentials, IBM TKLM/SKLM

Supported KMIP Profiles
• Advanced Cryptographic Client (1.2)
• Advanced Symmetric Key Foundry Client
• Asymmetric Key Lifecycle Client
• Baseline Client Basic
• Baseline Client TLS v1.2
• Basic Cryptographic Client (1.2)
• Basic Symmetric Key Foundry Client
• HTTPS Client
• Intermediate Symmetric Key Foundry Client
• JSON Client
• Opaque Managed Object Store Client
• RNG Cryptographic Client (1.2)
• Storage Array With SED Client
• Suite-B MinLOS_128 Client
• Suite-B MinLOS_192 Client
• Symmetric Key Lifecycle Client
• Tape Library Client
• XML Client

Supported Encodings
• TTLV
• HTTPS/TTLV
• HTTPS/JSON
• HTTPS/XML

Supported KMIP Servers
• IBM
• RSA
• MarkLogic
• Thales
• Trend Micro
• Vormetric
• Cryptsoft
• Dell
• Fornetix
• Hewlett Packard Enterprise
• HyTrust


KMIP SERVER SDKS
C, JAVA

A complete range of vendor-independent key management solutions

Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications.

Reduce time to market, KMIP-enable your solution within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.

From specialised embedded systems through to scalable, whole of enterprise solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP server products
• Extensive range of supported platforms
  ▫ Custom platform ports on request
• Available as a binary SDK
  ▫ Source license option
• Comprehensive example code
  ▫ Custom examples available - rapid integration
• Supported on over 35 different platforms
  ▫ Including Linux, Windows, Embedded
  ▫ https://www.cryptsoft.com/platforms/

[Figure: KMIP Client SDK (c, c++, c#, java, python), KMIP Server SDK (c, java), KMIP, HSM]


KMIP SERVER SDKS
C, JAVA

KMIP Server Examples
• Simple Protocol Format Parsing: TTLV, HEX, BIN, JSON, XML
• Simple Clients Operations: Locate Objects, Create and Return Objects
• Locating Managed Objects: Simple, Extended, IBM TKLM/SKLM, XML
• KMIP Standard Operations: Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-key, Re-key Key Pair (1.1), Archive, Recover, Activate, Derive Key
• Server Cryptographic Operations (1.2): Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash
• Managing Attributes: Add, Modify, Delete Attribute
• Random Number Generator (RNG) (1.2): Retrieve Server RNG, Seed Server RNG
• Split Key (Multi-Party Controls) (1.2): Create Split Key, Join Split Key
• Creating Keys: Simple, Advanced, Extensions
• Determine Capabilities: Server SDK Version, Discover Protocol Versions (1.1), Query Server Basic, Query Server Extensions (1.1), Query Advanced Capabilities (1.3)
• Cryptsoft Vendor Extensions: SQL Insert, SQL Update, SQL Delete
• Request/Response Handling: Recording, Replaying, Batching, Bulk Data Loading
• Administration: Create, Modify, Delete Users, Partitions, Groups, Manage Group Privileges, Serialize, Deserialize Managed Objects
• Database: Schema Management and Migration, Fixture Loading, SQL Replay
• Simple Servers: Query, Notify, Put
• JCE Examples: Key Store Provider

Supported Databases
• HSQLDB
• SQLite3
• MySQL 5.x
• Oracle 11.x, 12.x
• SQL Server 2003+
• IBM DB2 9 & 10
• PostgreSQL 8 & 9

Supported Cryptographic Providers
• OpenSSL 1.0.x
• OpenSSL 1.1.x
• OpenSSL 0.9.8 (option)
• OpenSSL FIPS 2.0
• Sun/Oracle JCE
• IBM JCE
• RSA BSAFE Crypto-J
• Bouncy Castle JCE

Supported Encodings
• TTLV
• HTTPS/TTLV
• HTTPS/JSON
• HTTPS/XML

Supported KMIP Operations
• Activate
• Add Attribute
• Archive
• Cancel
• Certify
• Check
• Create
• Create Key Pair
• Create Split Key (1.2)
• Decrypt (1.2)
• Delete Attribute
• Derive Key
• Destroy
• Discover Versions (1.1)
• Encrypt (1.2)
• Get
• Get Attribute List
• Get Attributes
• Get Usage Allocation
• Hash (1.2)
• Join Split Key (1.2)
• Locate
• MAC (1.2)
• MAC Verify (1.2)
• Modify Attribute
• Notify
• Obtain Lease
• Poll
• Put
• Register
• Register Query
• Re-certify
• Recover
• Re-Key
• Re-key Key Pair (1.1)
• Revoke
• RNG Retrieve (1.2)
• RNG Seed (1.2)
• Sign (1.2)
• Signature Verify (1.2)
• Validate

Supported KMIP Profiles
• Advanced Cryptographic Server (1.2)
• Advanced Symmetric Key Foundry Server
• Asymmetric Key Lifecycle Server
• Baseline Server Basic
• Baseline Server TLS v1.2
• Basic Cryptographic Server (1.2)
• Basic Symmetric Key Foundry Server
• HTTPS Server
• Intermediate Symmetric Key Foundry Server
• JSON Server
• Opaque Managed Object Store Server
• RNG Cryptographic Server (1.2)
• Storage Array With SED Server
• Suite-B MinLOS_128 Server
• Suite-B MinLOS_192 Server
• Symmetric Key Lifecycle Server
• Tape Library Server
• XML Server

Supported KMIP Clients
• Dell
• ETI-NET
• Fornetix
• Hewlett Packard Enterprise
• Hitachi Data Systems
• IBM
• IR
• Iskraemeco
• MarkLogic
• NetApp
• Netskope
• Panzura
• Quantum
• RSD
• Sepaton
• Spectra Logic
• Trend Micro
• BDT
• Brocade
• Cryptsoft
• DataStax


KMIP INTEROPERABILITY TEST SUITE
COMPLETE VERIFICATION SOLUTION

Cryptsoft’s Key Management Interoperability Protocol (KMIP) Test Suites let you rapidly confirm the interoperability status of your product. Designed to support the different test cases and profiles in the KMIP standard you can ensure that your application’s design can be thoroughly tested to deliver interoperability with a range of other KMIP clients and servers.

The Cryptsoft KMIP Test Suites provide full coverage for each version of KMIP (1.0, 1.1, 1.2, 1.3, 1.4 and 2.0) that can be configured to support the level of KMIP required for your application. In addition if your application is based on one of the 15 KMIP profiles then you can apply only the relevant profiles to fully support your requirements.

Reduce time to market and release with the confidence provided by data driven testing.

Backed by a global support network, Cryptsoft’s KMIP SDKs offer a total key management solution.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Available as a binary SDK or as a service
  ▫ Source license option
• Comprehensive test cases
  ▫ KMIP Test Cases
  ▫ KMIP Profile Test Cases

[Figure: sample Test Report table listing SKFF-M test IDs; test cycle stages: Define, Transform, Execute, Analyse]


• Asymmetric Key Lifecycle
• Cryptographic Services (Advanced Cryptographic)
• Cryptographic Services (Advanced-OAEP)
• Cryptographic Services (Basic Cryptographic)
• Cryptographic Services (RNG)
• HTTPS (Message Encoding)
• JSON (Message Encoding)
• XML (Message Encoding)
• Opaque Managed Object Store
• Storage Array with Self Encrypting Drive
• Symmetric Key Foundry for FIPS 140
• Symmetric Key Lifecycle
• SuiteB minLOS_128 Authentication
• SuiteB minLOS_192 Authentication
• Tape Library

KMIP 1.0
AKLC-M-1-10 SKFF-M-11-10 SKFF-O-5-10 TC-313-10 TC-94-10
AKLC-M-2-10 SKFF-M-12-10 SKFF-O-6-10 TC-314-10 TC-95-10
AKLC-M-3-10 SKFF-M-2-10 SKLC-M-1-10 TC-315-10 TC-ECC-1-10
AKLC-O-1-10 SKFF-M-3-10 SKLC-M-2-10 TC-32-10 TC-ECC-2-10
MSGENC-HTTPS-1-10 SKFF-M-4-10 SKLC-M-3-10 TC-41-10 TC-ECC-3-10
MSGENC-JSON-1-10 SKFF-M-5-10 SKLC-O-1-10 TC-51-10 TC-NP-1-10
MSGENC-XML-1-10 SKFF-M-6-10 TC-101-10 TC-61-10 TC-NP-2-10
OMOS-M-1-10 SKFF-M-7-10 TC-111-10 TC-71-10 TL-M-1-10
OMOS-O-1-10 SKFF-M-8-10 TC-121-10 TC-72-10 TL-M-2-10
SASED-M-1-10 SKFF-M-9-10 TC-131-10 TC-81-10 TL-M-3-10
SASED-M-2-10 SKFF-O-1-10 TC-132-10 TC-82-10
SASED-M-3-10 SKFF-O-2-10 TC-134-10 TC-91-10
SKFF-M-1-10 SKFF-O-3-10 TC-311-10 TC-92-10
SKFF-M-10-10 SKFF-O-4-10 TC-312-10 TC-93-10

KMIP 1.1
AKLC-M-1-11 SKFF-M-2-11 SKLC-M-3-11 TC-152-11 TC-72-11
AKLC-M-2-11 SKFF-M-3-11 SKLC-O-1-11 TC-153-11 TC-81-11
AKLC-M-3-11 SKFF-M-4-11 SUITEB-128-M-1-11 TC-161-11 TC-82-11
AKLC-O-1-11 SKFF-M-5-11 SUITEB-192-M-1-11 TC-171-11 TC-91-11
MSGENC-HTTPS-1-11 SKFF-M-6-11 TC-101-11 TC-181-11 TC-92-11
MSGENC-JSON-1-11 SKFF-M-7-11 TC-111-11 TC-182-11 TC-93-11
MSGENC-XML-1-11 SKFF-M-8-11 TC-112-11 TC-311-11 TC-94-11
OMOS-M-1-11 SKFF-M-9-11 TC-121-11 TC-312-11 TC-95-11
OMOS-O-1-11 SKFF-O-1-11 TC-122-11 TC-313-11 TC-ECC-1-11
SASED-M-1-11 SKFF-O-2-11 TC-131-11 TC-314-11 TC-ECC-2-11
SASED-M-2-11 SKFF-O-3-11 TC-132-11 TC-315-11 TC-ECC-3-11
SASED-M-3-11 SKFF-O-4-11 TC-133-11 TC-32-11 TC-NP-1-11
SKFF-M-1-11 SKFF-O-5-11 TC-134-11 TC-41-11 TC-NP-2-11
SKFF-M-10-11 SKFF-O-6-11 TC-141-11 TC-51-11 TL-M-1-11
SKFF-M-11-11 SKLC-M-1-11 TC-142-11 TC-61-11 TL-M-2-11
SKFF-M-12-11 SKLC-M-2-11 TC-151-11 TC-71-11 TL-M-3-11

KMIP 1.2
AKLC-M-1-12 CS-RNG-M-1-12 SKFF-M-8-12 TC-142-12 TC-AESXTS-1-12
AKLC-M-2-12 CS-RNG-O-1-12 SKFF-M-9-12 TC-151-12 TC-DERIVEKEY-1-12
AKLC-M-3-12 CS-RNG-O-2-12 SKFF-O-1-12 TC-152-12 TC-DERIVEKEY-2-12
AKLC-O-1-12 CS-RNG-O-3-12 SKFF-O-2-12 TC-153-12 TC-DERIVEKEY-3-12
CS-AC-M-1-12 CS-RNG-O-4-12 SKFF-O-3-12 TC-161-12 TC-DERIVEKEY-4-12
CS-AC-M-2-12 MSGENC-HTTPS-1-12 SKFF-O-4-12 TC-171-12 TC-DERIVEKEY-5-12
CS-AC-M-3-12 MSGENC-HTTPS-M-1-12 SKFF-O-5-12 TC-181-12 TC-ECC-1-12
CS-AC-M-4-12 MSGENC-JSON-1-12 SKFF-O-6-12 TC-182-12 TC-ECC-2-12
CS-AC-M-5-12 MSGENC-JSON-M-1-12 SKLC-M-1-12 TC-311-12 TC-ECC-3-12
CS-AC-M-6-12 MSGENC-XML-1-12 SKLC-M-2-12 TC-312-12 TC-I18N-1-12
CS-AC-M-7-12 MSGENC-XML-M-1-12 SKLC-M-3-12 TC-313-12 TC-I18N-2-12
CS-AC-M-8-12 OMOS-M-1-12 SKLC-O-1-12 TC-314-12 TC-I18N-3-12
CS-BC-M-1-12 OMOS-O-1-12 SUITEB_128-M-1-12 TC-315-12 TC-MDO-1-12
CS-BC-M-10-12 SASED-M-1-12 SUITEB_192-M-1-12 TC-32-12 TC-MDO-2-12
CS-BC-M-11-12 SASED-M-2-12 SUITEB-128-M-1-12 TC-41-12 TC-MDO-3-12
CS-BC-M-12-12 SASED-M-3-12 SUITEB-192-M-1-12 TC-51-12 TC-NP-1-12
CS-BC-M-13-12 SKFF-M-1-12 TC-101-12 TC-61-12 TC-NP-2-12
CS-BC-M-14-12 SKFF-M-10-12 TC-111-12 TC-71-12 TC-PGP-1-12
CS-BC-M-2-12 SKFF-M-11-12 TC-112-12 TC-72-12 TC-REKEY-1-12
CS-BC-M-3-12 SKFF-M-12-12 TC-121-12 TC-81-12 TC-SJ-1-12
CS-BC-M-4-12 SKFF-M-2-12 TC-122-12 TC-82-12 TC-SJ-2-12
CS-BC-M-5-12 SKFF-M-3-12 TC-131-12 TC-91-12 TC-SJ-3-12
CS-BC-M-6-12 SKFF-M-4-12 TC-132-12 TC-92-12 TC-SJ-4-12
CS-BC-M-7-12 SKFF-M-5-12 TC-133-12 TC-93-12 TL-M-1-12
CS-BC-M-8-12 SKFF-M-6-12 TC-134-12 TC-94-12 TL-M-2-12
CS-BC-M-9-12 SKFF-M-7-12 TC-141-12 TC-95-12 TL-M-3-12

KMIP 1.3
AKLC-M-1-13 CS-BC-M-8-13 SKFF-M-7-13 TC-MDO-1-13 TC-Q-RNGS-6-13
AKLC-M-2-13 CS-BC-M-9-13 SKFF-M-8-13 TC-MDO-2-13 TC-Q-S2C-1-13
AKLC-M-3-13 CS-RNG-M-1-13 SKFF-M-9-13 TC-MDO-3-13 TC-Q-S2C-2-13
AKLC-O-1-13 CS-RNG-O-1-13 SKLC-M-1-13 TC-NP-1-13 TC-Q-S2C-PROF-1-13
CS-AC-M-1-13 CS-RNG-O-2-13 SKLC-M-2-13 TC-NP-2-13 TC-Q-S2C-PROF-2-13
CS-AC-M-2-13 CS-RNG-O-3-13 SKLC-M-3-13 TC-OFFSET-1-13 TC-Q-VAL-1-13
CS-AC-M-3-13 CS-RNG-O-4-13 SKLC-O-1-13 TC-OFFSET-2-13 TC-Q-VAL-2-13
CS-AC-M-4-13 MSGENC-HTTPS-M-1-13 SUITEB_128-M-1-13 TC-OTP-1-13 TC-REKEY-1-13
CS-AC-M-5-13 MSGENC-JSON-M-1-13 SUITEB_192-M-1-13 TC-OTP-2-13 TC-RNG-ATTR-1-13
CS-AC-M-6-13 MSGENC-XML-M-1-13 TC-AESXTS-1-13 TC-OTP-3-13 TC-RNG-ATTR-2-13
CS-AC-M-7-13 OMOS-M-1-13 TC-CREG-1-13 TC-OTP-4-13 TC-SJ-1-13
CS-AC-M-8-13 OMOS-O-1-13 TC-CREG-2-13 TC-OTP-5-13 TC-SJ-2-13
CS-BC-M-1-13 SASED-M-1-13 TC-CREG-3-13 TC-PGP-1-13 TC-SJ-3-13
CS-BC-M-10-13 SASED-M-2-13 TC-DERIVEKEY-1-13 TC-Q-CAP-1-13 TC-SJ-4-13
CS-BC-M-11-13 SASED-M-3-13 TC-DERIVEKEY-2-13 TC-Q-CAP-2-13 TC-STREAM-ENC-1-13
CS-BC-M-12-13 SKFF-M-1-13 TC-DERIVEKEY-3-13 TC-Q-CREG-1-13 TC-STREAM-ENC-2-13
CS-BC-M-13-13 SKFF-M-10-13 TC-DERIVEKEY-4-13 TC-Q-PROF-1-13 TC-STREAM-ENCDEC-1-13
CS-BC-M-14-13 SKFF-M-11-13 TC-DERIVEKEY-5-13 TC-Q-PROF-2-13 TC-STREAM-ENCDEC-13
CS-BC-M-2-13 SKFF-M-12-13 TC-ECC-1-13 TC-Q-PROF-3-13 TC-STREAM-HASH-1-13
CS-BC-M-3-13 SKFF-M-2-13 TC-ECC-2-13 TC-Q-RNGS-1-13 TC-STREAM-HASH-2-13
CS-BC-M-4-13 SKFF-M-3-13 TC-ECC-3-13 TC-Q-RNGS-2-13 TC-STREAM-HASH-3-13
CS-BC-M-5-13 SKFF-M-4-13 TC-I18N-1-13 TC-Q-RNGS-3-13 TL-M-1-13
CS-BC-M-6-13 SKFF-M-5-13 TC-I18N-2-13 TC-Q-RNGS-4-13 TL-M-2-13
CS-BC-M-7-13 SKFF-M-6-13 TC-I18N-3-13 TC-Q-RNGS-5-13 TL-M-3-13

KMIP 1.4
AKLC-M-1-14 CS-BC-M-3-14 SKFF-M-8-14 TC-MDO-1-14 TC-Q-S2C-1-14
AKLC-M-2-14 CS-BC-M-4-14 SKFF-M-9-14 TC-MDO-2-14 TC-Q-S2C-2-14
AKLC-M-3-14 CS-BC-M-5-14 SKLC-M-1-14 TC-MDO-3-14 TC-Q-S2C-PROF-1-14
CS-AC-M-1-14 CS-BC-M-6-14 SKLC-M-2-14 TC-NP-1-14 TC-Q-S2C-PROF-2-14
CS-AC-M-2-14 CS-BC-M-7-14 SKLC-M-3-14 TC-NP-2-14 TC-Q-VAL-1-14
CS-AC-M-3-14 CS-BC-M-8-14 SUITEB_128-M-1-14 TC-OFFSET-1-14 TC-Q-VAL-2-14
CS-AC-M-4-14 CS-BC-M-9-14 SUITEB_192-M-1-14 TC-OFFSET-2-14 TC-REKEY-1-14
CS-AC-M-5-14 CS-BC-M-GCM-1-14 TC-AESXTS-1-14 TC-OTP-1-14 TC-RNG-ATTR-1-14
CS-AC-M-6-14 CS-BC-M-GCM-2-14 TC-CERTATTR-1-14 TC-OTP-2-14 TC-RNG-ATTR-2-14
CS-AC-M-7-14 CS-BC-M-GCM-3-14 TC-CREATE-SD-1-14 TC-OTP-3-14 TC-RSA-SIGN-DIGESTEDDATA-1-14
CS-AC-M-8-14 CS-RNG-M-1-14 TC-CREG-1-14 TC-OTP-4-14 TC-SJ-1-14
CS-AC-OAEP-1-14 MSGENC-HTTPS-M-1-14 TC-CREG-2-14 TC-OTP-5-14 TC-SJ-2-14
CS-AC-OAEP-10-14 MSGENC-JSON-M-1-14 TC-CREG-3-14 TC-PGP-1-14 TC-SJ-3-14
CS-AC-OAEP-2-14 MSGENC-XML-M-1-14 TC-CS-CORVAL-1-14 TC-PKCS12-1-14 TC-SJ-4-14
CS-AC-OAEP-3-14 OMOS-M-1-14 TC-DERIVEKEY-1-14 TC-PKCS12-2-14 TC-STREAM-ENC-1-14
CS-AC-OAEP-4-14 SASED-M-1-14 TC-DERIVEKEY-2-14 TC-Q-CAP-1-14 TC-STREAM-ENC-2-14
CS-AC-OAEP-5-14 SASED-M-2-14 TC-DERIVEKEY-3-14 TC-Q-CAP-2-14 TC-STREAM-ENCDEC-1-14
CS-AC-OAEP-6-14 SASED-M-3-14 TC-DERIVEKEY-4-14 TC-Q-CAP-3-14 TC-STREAM-HASH-1-14
CS-AC-OAEP-7-14 SKFF-M-1-14 TC-DERIVEKEY-5-14 TC-Q-CREG-1-14 TC-STREAM-HASH-2-14
CS-AC-OAEP-8-14 SKFF-M-10-14 TC-DERIVEKEY-6-14 TC-Q-PROF-1-14 TC-STREAM-HASH-3-14
CS-AC-OAEP-9-14 SKFF-M-11-14 TC-ECC-1-14 TC-Q-PROF-2-14 TC-STREAM-SIGN-1-14
CS-BC-M-1-14 SKFF-M-12-14 TC-ECC-2-14 TC-Q-PROF-3-14 TC-STREAM-SIGNVFY-1-14
CS-BC-M-10-14 SKFF-M-2-14 TC-ECC-3-14 TC-Q-RNGS-1-14 TC-WRAP-1-14
CS-BC-M-11-14 SKFF-M-3-14 TC-ECDSA-SIGN-14 TC-Q-RNGS-2-14 TC-WRAP-2-14
CS-BC-M-12-14 SKFF-M-4-14 TC-ECDSA-SIGN-DIGESTEDDATA-1-14 TC-Q-RNGS-3-14 TC-WRAP-3-14
CS-BC-M-13-14 SKFF-M-5-14 TC-I18N-1-14 TC-Q-RNGS-4-14 TL-M-1-14
CS-BC-M-14-14 SKFF-M-6-14 TC-I18N-2-14 TC-Q-RNGS-5-14 TL-M-2-14
CS-BC-M-2-14 SKFF-M-7-14 TC-I18N-3-14 TC-Q-RNGS-6-14 TL-M-3-14

KMIP v1.0 KMIP v1.1 KMIP v1.2 KMIP v1.3 KMIP v1.4

The Cryptsoft KMIP Test Suites provide full coverage of the various versions of KMIP as well as all of the currently defined profiles as defined in each of the available versions of the KMIP Standard as used in OASIS KMIP Interoperability testing.

Ensure that your application has full coverage and interoperability by using the Cryptsoft KMIP Test Suite today.

Profile Test Cases


SOLUTION: STORAGE

Modern enterprises can have a wide array of storage technologies distributed throughout their organizations, this may be because of adoption of new technology or the many acquisitions and mergers of business units that have taken place over time. The one common requirement that most modern enterprises all have is storage.

The obvious solution to managing a secure storage solution is to ensure that all data is encrypted at rest or in transmission. For many organizations this may be a regulatory requirement or based on sound business and risk management reasons. With increasing volumes of data that an organization stores, the need to encrypt that data with a similarly increasing volume of encryption keys introduces a new problem. For these data assets to be used, those keys need to be available. In many large enterprises, this means millions of keys under management with many thousands of keys in use at any given time.

With no common standard for key management a large enterprise can have a range of disparate key stores with varying levels of support for different types of equipment leading to incompatibilities and differing management and audit requirements.

OASIS KMIP provides an industry supported standards compliant interoperability protocol for key management. This allows operators of storage solutions to integrate products from multiple vendors which can make use of an interoperable way to generate, store, manage and retrieve encryption keys across all the elements in their storage solution. In addition this allows for products from different vendors to interoperate. This means that organizations are no longer locked in to storage solutions from a single vendor or may also provide a reduction in risk in their storage solution as they can grow, reduce, or update their implementation in a more flexible manner.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP products
• Cross-Language Support
  ▫ Clients in C, C++, C#, Java and Python
  ▫ Servers in C and Java
• Supports wide range of security objects:
  ▫ Symmetric keys
  ▫ Asymmetric keys
  ▫ Certificates
  ▫ Authentication
  ▫ Authorization
  ▫ Tokens
• Extensive example code provided

KEY BENEFITS

• Low risk
• Easy to use
• Extensively deployed
• Proven technology for security object management
• Public Interoperability test results
• Reduce your time to market
• Gain access to an extensive KMIP ecosystem

Figure 1 - Multiple Key Stores

[Figure: PC, Server, Tape Library, Flash Array and Storage Array on a Network, with three separate Key Stores]


SOLUTION: STORAGE (CONT)

Cryptsoft’s range of KMIP SDKs have been used to enable a wide range of storage and storage infrastructure solutions with encryption and enterprise key management capability. From tape libraries to hyper-converged flash arrays, deployment of KMIP technology ensures a deployment of data at rest security solutions within a multi-vendor enterprise.

Cryptsoft’s range of SDKs ensure this can be realized in your products such that your customers can deploy them straight into their enterprises without the need to conduct multiple rounds of point to point testing – we’ve done the hard part for you.

From deployment into brand new products lines, to integration into well respected products for feature parity of compliance, our customers benefit from millions of multi-vendor test runs and a deep understanding of relevant standards. With decades of experience of implementing encryption and key management systems from embedded hardware through to software and virtualized systems, we enable our customers’ products to hit market parity for data at rest security within weeks.

Figure 2 - Oasis KMIP Key Store

[Figure: PC, Server, Tape Library, Flash Array and Storage Array on a Network, connected over KMIP to a single Key Store]

RELATED PRODUCTS

• KMIP C Server SDK
• KMIP C Server Administration Interface
• KMIP C Server Integration Module (HSM)
• KMIP C Interoperability Test Suite
• KMIP Java Server SDK
• KMIP Java Server Administration Interface
• KMIP Java Interoperability Test Suite
• KMIP Java Server SDK
• KMIP C Client SDK
• KMIP C++ Client SDK
• KMIP C# Client SDK
• KMIP Java Client SDK
• KMIP Python Client


SOLUTION: INTERNET OF THINGS

Without having security that guarantees the integrity and privacy of personal data created, used, modified and retained by an IoT ecosystem, IoT device manufacturers are not going to be able to build and maintain the trust in their brand that IoT purchasers will demand. Put simply, ‘Security = Privacy = Sales’.

Securing personal data will require manufacturers of IoT devices to apply suitable protection to all device relevant and user specific data (‘IoT Data’), at all times and places within the data lifecycle, whether at rest or in motion, while still maintaining accessibility and interoperability. This data will need to be secured both at-rest and in-motion. This will mean complex security in storage and over network transmission.

Securing IoT devices will entail securing IoT Data in an ever-increasing number of locations within an ever-increasing ecosystem – a problem Cryptsoft can help solve.

Cryptsoft’s KMIP SDKs and associated technologies are already in use with global vendors securing data at-rest and data in-motion; securing data on premises, in private cloud; and in public cloud; securing data on-device and data off-device.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability
• Cross-Language Support
  ▫ Clients in C, C++, C#, Java and Python
  ▫ Servers in C and Java
• Supports wide range of security objects:
  ▫ Symmetric keys
  ▫ Asymmetric keys
  ▫ Certificates
  ▫ Authentication
  ▫ Authorization
  ▫ Tokens
• Available on a wide range of operating systems
• Extensive example code provided

KEY BENEFITS

• Low risk
• Easy to use
• Extensively deployed
• Proven technology for security object management
• Public Interoperability test results
• Reduce your time to market
• Gain access to an extensive KMIP ecosystem


SOLUTION: INTERNET OF THINGS (CONT)

Cryptsoft’s expertise also extends beyond commercial solutions to bespoke engineering for specific solution requirements: think satellite, automotive, health devices and surveillance. Implementations include integrating embedded mobile devices in industrial or automotive use; head-end units for smart meters in the utilities supply market; management and control of keys and security in a mixed enterprise market for securing industrial and medical devices; as well as devices controlling network accessible devices in homes, schools and other locations.

Cryptsoft can also scale solutions up or down depending on specific requirements, with the increasing power of IoT device and sensor compute resources providing viable platforms for security solutions.

Cryptsoft can help you to secure IoT Data throughout the full data lifecycle, while maintaining accessibility and interoperability.

RELATED PRODUCTS

• KMIP C Server SDK
• KMIP C Server Administration Interface
• KMIP C Server Integration Module (HSM)
• KMIP C Server OTP Server Module
• KMIP C Interoperability Test Suite
• KMIP Java Server SDK
• KMIP Java Server Administration Interface
• KMIP Java Interoperability Test Suite
• KMIP C Client SDK
• KMIP C++ Client SDK
• KMIP C# Client SDK
• KMIP Java Client SDK
• KMIP Python Client

Figure 2 - Cryptsoft KMIP SDKs provide a common security framework for IoT


SOLUTION: AUTHENTICATION

Cryptsoft has worked with a number of standards bodies to provide additional security options for developers building key management solutions into their products.

Options are available for Fast IDentity Online (FIDO) Universal Second Factor (U2F) and OATH compliant One Time Password (OTP), which allow developers to include this functionality in their operations as well as increase the security of the key management solution itself.

OTP SUPPORT

Cryptsoft’s OTP solution is based on open standards and allows the developer to create enterprise solutions to manage the full lifecycle of the seed records that underpin the security in an OTP solution. This ensures that only the enterprise has access to the seed records, and the enterprise has full control over the provisioning, usage, and de-provisioning of tokens.

Time based One Time Password (TOTP) tokens provide users with a secure and reliable hardware device to integrate standards-based hardware two-factor authentication.

Two-factor authentication with TOTP combines something you know (your password) with something you have (a unique number sequence generated by a hardware device). Both of these factors are required to authenticate, which substantially improves the security properties when compared to a single factor authentication solution.

The non-predictable, variable length digit token output is derived from both the secret seed record and the on-board real time clock (RTC). A single hardware token can be programmed for variable output and variable time intervals (30 or 60 seconds), ensuring a solution is easily tailored to the enterprise security context that the developer is building.

Two (or more) tokens initialised with the same seed value can be used for person-to-person two-factor authentication solutions, entirely independent of any server infrastructure.

The same seed record can also be loaded into software based TOTP solutions, allowing for a mixed hardware and software deployment context that can be managed by the same infrastructure.
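The derivation described above, as an added example (not Cryptsoft's code or SDK API): an OATH TOTP generator and verifier per RFC 6238 with HMAC-SHA1, showing the variable digit length and the 30 or 60 second interval. The seed is the published RFC 6238 test seed, and the `verify` helper with its drift window and replay check is an assumption of this example.

```python
import hashlib
import hmac
import struct

# Published RFC 6238 Appendix B test seed (SHA-1); never a production seed.
RFC_TEST_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // step                      # clock -> moving factor
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)   # keep leading zeros


def verify(seed: bytes, candidate: str, unix_time: int, step: int = 30,
           digits: int = 6, drift_steps: int = 1, last_counter: int = -1):
    """Return the matched time-step counter, or None.

    Accepts +/- drift_steps of token clock skew and rejects any counter at or
    below last_counter, so a code cannot be replayed once it has been used.
    """
    now = unix_time // step
    matched = None
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter < 0 or counter <= last_counter:
            continue
        expected = totp(seed, counter * step, step, digits)
        # Constant-time comparison; no early exit on the first match.
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            matched = counter
    return matched


if __name__ == "__main__":
    t = 59  # constructed timestamp taken from the RFC 6238 test table
    print("8 digits, 30 s:", totp(RFC_TEST_SEED, t, 30, 8))
    print("6 digits, 60 s:", totp(RFC_TEST_SEED, t, 60, 6))
    print("accepted at step:", verify(RFC_TEST_SEED, "287082", t + 30))
```

The verifier stores the returned counter per seed record and passes it back as `last_counter` on the next attempt.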

• Strong two-factor authentication
• Support for OATH compliant time-based TOTP devices
• Support for multiple OTP hardware tokens
• Support for variable length OTP hardware tokens
• Integrated with OASIS KMIP for client authentication and seed provisioning
• Configurable seed management
• Capability for Multi-Device seeds
• OASIS KMIP Compliant
• Easy to use
• Provides configurable control of authentication

KEY FEATURES

KEY BENEFITS


RELATED PRODUCTS

• KMIP C Server SDK
• KMIP C Server Administration Interface
• KMIP C Server OTP Server Module
• KMIP C Server Integration Module (HSM)
• KMIP Java Server SDK
• KMIP C SDK
• KMIP C++ SDK
• KMIP C# SDK
• KMIP Java SDK
• KMIP Python Client

U2F SUPPORT

Cryptsoft’s OASIS KMIP products support the Fast IDentity Online (FIDO) Universal Second Factor (U2F) types of tokens. Cryptsoft’s Server and Client SDKs provide developers with the tools to provision and manage keys which can be used by these commonly available hardware tokens.

The FIDO U2F protocol uses standard public key cryptography techniques to provide stronger authentication.

• During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service.
• Authentication is done by the client device proving possession of the private key to the service by signing a challenge.
• The client’s private keys can be used only after they are unlocked locally on the device by the user.
• The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
• The FIDO protocols are designed from the ground up to protect user privacy.
• The protocols do not provide information that can be used by different online services to collaborate and track a user across the services.

Cryptsoft’s KMIP SDKs allow the developer to fully integrate U2F tokens into their managed security solution.


KMIP FUNDAMENTALS

OASIS KMIP is a widely accepted open standard for the management of a range of security objects including symmetric and asymmetric keys, certificates, and user or vendor defined objects. It is based on a communications protocol which defines message formats for the full lifecycle of keys stored on a key management server.

Clients can request a server to perform the full key management lifecycle for key operations. These operations are grouped together in the table below in functional groups, allowing for maximum flexibility for key operations. The KMIP open standard for key management allows application programmers to develop the logic of their applications for their business purpose free from the complexities of key management, and to rest assured that their application can be developed once and will interoperate with key managers from a range of vendors.

KMIP (KEY MANAGEMENT INTEROPERABILITY PROTOCOL) operations by functional group; the protocol version marked on an operation is shown in parentheses.

Group labels: ESTABLISH, RETRIEVE, ROTATE, SERVER, CLIENT, OTHER, CRYPTOGRAPHIC, USAGE, STATE, INFO, MANAGE

Operations: Create, Register, Create Key Pair, Derive Key, Certify; RNG Retrieve (1.2), RNG Seed (1.2), Encrypt (1.2), Decrypt (1.2), Sign (1.2), Signature Verify (1.2), Hash (1.2), Mac (1.2), MacVerify (1.2); Activate, Archive, Recover, Revoke, Destroy; Locate, Get Attribute, Get Attribute List, Get; Check, Obtain Lease, Get Usage Allocation; Add Attribute, Modify Attribute, Delete Attribute; Re-key, Re-Certify, Re-key Key Pair; Query, Poll, Cancel; Notify, Put; Discover Versions (1.1), Validate


TYPICAL USES

• Storage solutions and appliances
• Network infrastructure
• Security applications
• Database management
• Embedded solutions
• Security hardware management
• Gateways and endpoints
• Financial Services and banking applications
• Auditing and compliance

Cryptsoft’s Key Management SDKs have been incorporated into a wide range of products that are leading the market in interoperable key management.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.

As the security market’s preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential and can interoperate with a wide range of KMIP based products from a range of vendors, allowing easy adoption of your product.

CLIENTS AND SERVERS

Figure: KMIP (KEY MANAGEMENT INTEROPERABILITY PROTOCOL), with panels labelled CLIENTS and SERVERS


WWW.CRYPTSOFT.COM
+61 7 3103 0321 | US +1 650 918 4362

@CRYPTSOFT | CRYPTSOFT-SECURITY-SPECIALISTS | @CRYPTSOFT

Copyright © 2017 Cryptsoft Pty Ltd. All rights reserved. All trademarks, service marks, trade names, product names and logos are property of their respective owners.

2017-12