Key Management Interoperability Protocol : English Wikipedia
Key Management Interoperability Protocol
The Key Management Interoperability Protocol (KMIP) is a communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. Keys may be created on a server and then retrieved, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also defines messages that can be used to perform cryptographic operations on a server, such as encrypt and decrypt.
The KMIP standard is now widely accepted in the industry. At the 2015 RSA Conference, 14 vendors demonstrated interoperable clients and servers that are commercially available. The KMIP standard effort is governed by the OASIS standards body. Technical details can also be found on the KMIP page (https://wiki.oasis-open.org/kmip).
With the addition of cryptographic operations, there is considerable overlap between KMIP and the PKCS #11 HSM API. The PKCS #11 standard is now also managed by OASIS, and it is a stated goal of the technical committees to align the two standards.
==Description==

A KMIP server stores and controls ''Managed Objects'' such as Symmetric and Asymmetric keys, Certificates, and user defined objects. Clients then use the protocol to access these objects subject to a security model that is implemented by the servers. Operations are provided to create, locate, retrieve and update managed objects.
Each managed object has an immutable ''Value'', such as a key block that contains a cryptographic key. Objects also carry mutable ''Attributes'', which can be used to store metadata about the keys. Some attributes are derived directly from the Value, such as the cryptographic algorithm and length of a key. Other attributes are defined in the specification for the management of objects, such as the Application Specific Identifier, which is usually derived from tape identification data. Additional identifiers can be defined by the server or client as needed by the application.
Each object is identified by a unique and immutable object identifier that is generated by the server and is used to Get object values. Managed objects may also be given a number of mutable but globally unique ''Name'' attributes, which can be used to Locate objects.
The types of managed object that are managed by KMIP include:
* Symmetric Keys.
* Public and Private Keys.
* Certificates and PGP Keys.
* Split Keys.
* Secret Data (passwords).
* Opaque Data for client and server defined extensions.
The operations provided by KMIP include:
* Create -- to create a new managed object such as a symmetric key, and return the identifier.
* Get -- to retrieve an object's value given its unique identifier.
* Register -- to store an externally generated key value.
* Add Attributes, Get Attributes, and Modify Attributes -- to manipulate the attributes of a managed object.
* Locate -- to retrieve a list of objects based on a conjunction of predicates.
* Re-Key -- to create a new key that can replace an existing key.
* Create Key Pair -- to create an asymmetric key pair.
* (Re-)Certify -- to certify a certificate.
* Split and Join -- to split a key into n-of-m shares and to rejoin them.
* Encrypt, Decrypt, MAC etc. -- cryptographic operations performed on the key management server.
* Operations to implement the NIST key life cycle.
Each key has a cryptographic state such as Initial, Active, Deactivated or Compromised. Operations are provided that manipulate the state in conformance with the NIST life cycle guidelines. The dates of each transition are recorded, such as the date that a key was activated. Dates can be specified in the future so that keys automatically become unavailable for specified operations as they expire.
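The following is an added example, not code from the article or from any KMIP implementation, showing how a server can derive a key's state from recorded date attributes instead of storing the state directly, so that a deactivation date set in the future takes effect automatically. The state names and the rule that only Active keys may protect new data while Deactivated keys may still process already-protected data are modelled on the NIST life cycle the article refers to; the attribute names, the `ManagedKey` class and the identifier `kmip-demo-0001` are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Cryptographic states from the NIST key life cycle that the article refers to.
PRE_ACTIVE, ACTIVE, DEACTIVATED, COMPROMISED, DESTROYED = (
    "Pre-Active", "Active", "Deactivated", "Compromised", "Destroyed")

# Policy assumption (modelled on the NIST life cycle, not stated in the article):
# operations that protect new data need an Active key; operations that only
# process already-protected data may also use a Deactivated key.
PROTECT_OPS = {"encrypt", "sign", "mac"}
PROCESS_OPS = {"decrypt", "verify", "mac_verify"}


class ManagedKey:
    """A managed key's date attributes, as a KMIP-style server might keep them (assumed model)."""

    def __init__(self, unique_identifier, created):
        self.unique_identifier = unique_identifier
        self.dates = {"Initial Date": created}  # one date attribute is recorded per transition

    # Transitions record a date attribute; the date may lie in the future.
    def activate(self, when):
        if "Activation Date" in self.dates:
            raise ValueError("key is already activated")
        self.dates["Activation Date"] = when

    def deactivate(self, when):
        if "Activation Date" not in self.dates:
            raise ValueError("cannot deactivate a key that was never activated")
        self.dates["Deactivation Date"] = when

    def revoke_compromised(self, when):
        self.dates["Compromise Date"] = when

    def destroy(self, when):
        if self.state(when) == ACTIVE:
            raise ValueError("deactivate the key before destroying it")
        self.dates["Destroy Date"] = when

    # The state is derived from the recorded dates relative to 'now', so a future
    # deactivation date makes the key expire without any further server action.
    def state(self, now):
        d = self.dates
        if "Destroy Date" in d and d["Destroy Date"] <= now:
            return DESTROYED
        if "Compromise Date" in d and d["Compromise Date"] <= now:
            return COMPROMISED
        if "Deactivation Date" in d and d["Deactivation Date"] <= now:
            return DEACTIVATED
        if "Activation Date" in d and d["Activation Date"] <= now:
            return ACTIVE
        return PRE_ACTIVE

    def allowed(self, op, now):
        """Return whether the named operation may use this key at time 'now'."""
        s = self.state(now)
        if op in PROTECT_OPS:
            return s == ACTIVE
        if op in PROCESS_OPS:
            return s in (ACTIVE, DEACTIVATED)
        raise ValueError(f"unknown operation {op!r}")


def demo():
    """Walk one constructed key through its life cycle and report the state at three points in time."""
    t0 = datetime(2016, 1, 1, tzinfo=timezone.utc)
    key = ManagedKey("kmip-demo-0001", created=t0)   # constructed identifier
    key.activate(t0 + timedelta(days=1))
    key.deactivate(t0 + timedelta(days=365))         # future date: the key expires by itself
    timeline = {}
    for label, now in (("day0", t0),
                       ("day10", t0 + timedelta(days=10)),
                       ("day400", t0 + timedelta(days=400))):
        timeline[label] = (key.state(now),
                           key.allowed("encrypt", now),
                           key.allowed("decrypt", now))
    return timeline


if __name__ == "__main__":
    for label, (state, enc, dec) in demo().items():
        print(f"{label:7} state={state:12} encrypt={enc} decrypt={dec}")
```

Because the state is a function of the dates and the clock, a client asking whether it may encrypt with the key on day 400 is refused even though no operation was issued on the server after the deactivation was scheduled; decryption of data protected earlier remains possible, which is the behaviour the life cycle intends for expired but uncompromised keys.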
KMIP is a network protocol rather than an application programming interface like PKCS #11. It has a binary format consisting of nested Tag, Type, Length and Value (TTLV) structures, which is similar to but different from ASN.1 encoding. TLS is mandated for link-level security in communication between clients and servers. The TTLV is normally transmitted raw, but it may optionally be wrapped in HTTPS. Profiles also provide well-defined XML and JSON encodings of the protocol for environments where binary is not appropriate.
KMIP also defines a set of profiles, which are subsets of the KMIP specification showing common usage for a particular context, such as a storage array or a tape library.
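As an added example (not the article's or any KMIP library's code), the encoder and decoder below show how the nested TTLV structures mentioned above are laid out on the wire and what a defensive parser has to check. The field widths (3-byte tag, 1-byte type, 4-byte big-endian length, value padded to a multiple of 8 bytes) and the item type codes follow the KMIP specification's TTLV encoding rules, which the article does not spell out; the tag numbers are illustrative placeholders in the 0x42xxxx range and are not taken from the specification's tag registry.

```python
import struct

# Item type codes of the TTLV encoding (from the KMIP spec; only the ones used here).
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08

# Illustrative tag values (placeholders, not the spec's registered tag numbers).
TAG_REQUEST, TAG_OPERATION, TAG_UNIQUE_ID = 0x420001, 0x420002, 0x420003


def _pad(data):
    """Pad a value to the next multiple of 8 bytes, as TTLV requires."""
    return data + b"\x00" * (-len(data) % 8)


def encode(tag, item_type, value):
    """Encode one item as tag(3) | type(1) | length(4, big-endian) | padded value."""
    if item_type == STRUCTURE:
        body = b"".join(encode(*child) for child in value)   # children are already 8-aligned
    elif item_type == INTEGER:
        body = struct.pack(">i", value)
    elif item_type == ENUMERATION:
        body = struct.pack(">I", value)
    elif item_type == TEXT_STRING:
        body = value.encode("utf-8")
    elif item_type == BYTE_STRING:
        body = bytes(value)
    else:
        raise ValueError(f"unsupported item type 0x{item_type:02x}")
    # The length field counts the unpadded value; padding follows it.
    return tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", len(body)) + _pad(body)


def decode(buf, offset=0, limit=None):
    """Decode one item at 'offset'; return ((tag, type, value), offset_after_padding).

    'limit' bounds nested items to their enclosing structure so a child cannot
    declare a length that runs past its parent.
    """
    limit = len(buf) if limit is None else limit
    if limit - offset < 8:
        raise ValueError("truncated TTLV header")
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    item_type = buf[offset + 3]
    length = struct.unpack(">I", buf[offset + 4:offset + 8])[0]
    start = offset + 8
    end = start + length
    padded_end = start + length + (-length % 8)
    if padded_end > limit:
        # The check a careless parser omits: a declared length beyond the buffer.
        raise ValueError("declared length exceeds available data")
    body = buf[start:end]
    if item_type == STRUCTURE:
        children, pos = [], start
        while pos < end:
            child, pos = decode(buf, pos, limit=end)
            children.append(child)
        value = children
    elif item_type == INTEGER:
        if length != 4:
            raise ValueError("Integer must be 4 bytes long")
        value = struct.unpack(">i", body)[0]
    elif item_type == ENUMERATION:
        if length != 4:
            raise ValueError("Enumeration must be 4 bytes long")
        value = struct.unpack(">I", body)[0]
    elif item_type == TEXT_STRING:
        value = body.decode("utf-8")
    elif item_type == BYTE_STRING:
        value = bytes(body)
    else:
        raise ValueError(f"unsupported item type 0x{item_type:02x}")
    return (tag, item_type, value), padded_end


def roundtrip_demo():
    """Encode a constructed request-like structure, decode it, and return both forms."""
    msg = (TAG_REQUEST, STRUCTURE, [
        (TAG_OPERATION, ENUMERATION, 10),            # constructed enumeration value
        (TAG_UNIQUE_ID, TEXT_STRING, "kmip-demo-0001"),  # constructed identifier
    ])
    wire = encode(*msg)
    decoded, consumed = decode(wire)
    return msg, wire, decoded, consumed


def is_well_formed(buf):
    """True if 'buf' holds exactly one complete TTLV item."""
    try:
        _, consumed = decode(buf)
        return consumed == len(buf)
    except ValueError:
        return False


if __name__ == "__main__":
    msg, wire, decoded, consumed = roundtrip_demo()
    print(wire.hex())
    print(decoded, consumed, decoded == msg)
    print(is_well_formed(wire), is_well_formed(wire[:20]))
```

The 14-byte identifier is padded to 16 bytes while its length field still says 14, and the enclosing structure's length is the sum of its padded children, which is why a parser must track both the declared length and the padded end of every item; the `limit` argument keeps a nested item from claiming bytes that belong to its parent or lie past the message.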

Excerpt source: the free encyclopedia Wikipedia
Read the full article "Key Management Interoperability Protocol" on Wikipedia
Copyright(C) kotoba.ne.jp 1997-2016. All Rights Reserved.