Key Management Interoperability Protocol

The Key Management Interoperability Protocol (KMIP) is a communication protocol between key management systems and encryption systems. The KMIP standard effort is governed by the Organization for the Advancement of Structured Information Standards (OASIS).

Description

A KMIP server stores and controls Managed Objects such as Symmetric and Asymmetric keys, Certificates, and user defined objects. Clients then use the protocol to access these objects subject to a security model that is implemented by the servers. Objects have core Base Object properties such as key length and value, as well as extended Attributes that can include user defined attributes.

Each object is identified by an immutable, unique object identifier, as well as a mutable Name attribute. Key objects can be Created on the server (with the server generating the key value) or Registered with key values provided by the client. The Get operation will then retrieve them based on the unique identifier, and their attributes can be Modified. A Locate operation is also provided to find objects based on their attributes using a simple query language. There are also CA functions to sign certificates and verify certificate chains.

KMIP is a network protocol rather than an application programming interface like PKCS11. It has a binary format consisting of nested Tag, Type, Length and Value (TTLV) structures which is similar to but different from ASN.1 encoding. The TTLV is normally transmitted raw, but it may optionally be wrapped in HTTPS. TLS is mandated for link level security in communication between clients and servers.

KMIP also defines a set of profiles which are subsets of the KMIP specification showing common usage for a particular context like a storage array or a tape library where subsets of KMIP are used.

History

KMIP was initially submitted to OASIS for standardization on February 12, 2009. The specification was voted on by members of the KMIP technical committee. Version 1.0 was formally ratified on October 1, 2010.^[1]

By 2010 some vendors released or announced planned release dates for updates to their key management products to support KMIP.^[2] Vendors demonstrated interoperability at the RSA Conferences held in in March 2010, February 2011,^[3] 2012,^[4] 2013 ^[5] and 2014.^[6]

Use case examples for KMIP outline how messages are formatted and communicated between a KMIP client and a KMIP server in available in a variety of formats.^[7]

Summary of interoperability results between vendors from plug-fests and interoperability showcases organised by the OASIS KMIP technical committee.^[8]

There were about sixty-four participants from about thirty organizations on the committee as at January 2012. Eleven companies demonstrated support for the standard in the 2012 RSA conference.^[9] Version 1.1 was drafted in July 2011, and approved in January 2013.^[10] The first official committee specification draft of Version 1.2 was posted in October 2013.^[11] Version 1.2 is currently in public review.^[12]

The OASIS KMIP Technical Committee maintains a list of known (to the TC members) KMIP implementations on the KMIP TC Wiki.^[13]

The Storage Networking Industry Association (SNIA) announced a formal KMIP conformance testing program in 2014.^[14]

Known SDK implementations

• Cryptsoft (Clients in C, Java, C-Sharp and Python, Servers in C and Java)^[15]
• OASIS KMIP TC Wiki - known KMIP implementations^[16]
• Open Source KMIP Server (C Sharp)) ^[17]
• Open Source KMIP Client (Java) ^[18]
• Project 6 Research (Client in C++) ^[19]

See also

• Encryption
• IEEE P1619 Security in Storage Working Group
• Key (cryptography)
• Key management

References

1. ↑ Mary McRae (October 1, 2010). "Approval of KMIP v1.0 and KMIP Profiles v1.0 as OASIS Standards". tc-announce (Mailing list). Retrieved October 7, 2013. 
2. ↑ IBM (August 24, 2010). "IBM Centralizes Management of Encryption Keys Via KMIP". Archived from the original on January 5, 2011. Retrieved October 7, 2013. 
3. ↑ "KMIP Interoperability Demonstration". OASIS. 
4. ↑ "KMIP Interoperability Demonstration at RSA 2012". OASIS. 
5. ↑ "OASIS Security Standards Showcase at RSA Conference & Exposition 2013". OASIS. 
6. ↑ "OASIS Security Standards Showcase at RSA Conference & Exposition 2014". OASIS. 
7. ↑ Cryptsoft (2012-01-27). "KMIP Use Cases". Retrieved 2013-10-07. 
8. ↑ "Summary of interoperability results between vendors". 
9. ↑ Eleven Companies Demonstrate Support for KMIP
10. ↑ "Key Management Interoperability Protocol Specification Version 1.1". Official web site. OASIS. 2013-01-24. Retrieved 2013-10-07. 
11. ↑ "Key Management Interoperability Protocol Specification Version 1.2". Official web site. OASIS. 2013-10-31. Retrieved 2013-12-21. 
12. ↑ "30-day Public Reviews for 12 #KMIP Committee Specification Drafts and 2 KMIP Committee Note Drafts". Official web site. OASIS. 2014-03-20. Retrieved 2014-03-20. 
13. ↑ "OASIS KMIP TC Wiki - known KMIP implementations". 
14. ↑ "SNIA KMIP Test Program Announced". Official web site. SNIA. 2014-02-24. Retrieved 2014-03-20. 
15. ↑ Cryptsoft. "Key Management Interoperability Protocol SDKs". Cryptsoft. Retrieved October 7, 2013. 
16. ↑ "OASIS KMIP Wiki - known KMIP implementations". 
17. ↑ "Open source KMIP Server". Retrieved March 20, 2014. 
18. ↑ "KMIP4J Open Source Implementation". 
19. ↑ "SKC Secure KMIP Client SDK". Project 6 Research. 

External links

• "OASIS KMIP Technical Committee".