Key Management Interoperability Protocol Specification Version 1.1

More documents

Recommendations

Info

123456789101112131415161718192021222324252627282930313233341 IntroductionThis document is intended as a specification of the protocol used for the communication between clientsand servers to perform certain management operations on objects stored and maintained by a keymanagement system. These objects are referred to as Managed Objects in this specification. Theyinclude symmetric and asymmetric cryptographic keys, digital certificates, and templates used to simplifythe creation of objects and control their use. Managed Objects are managed with operations that includethe ability to generate cryptographic keys, register objects with the key management system, obtainobjects from the system, destroy objects from the system, and search for objects maintained by thesystem. Managed Objects also have associated attributes, which are named values stored by the keymanagement system and are obtained from the system via operations. Certain attributes are added,modified, or deleted by operations.The protocol specified in this document includes several certificate-related functions for which there are anumber of existing protocols – namely Validate (e.g., SCVP or XKMS), Certify (e.g. CMP, CMC, SCEP)and Re-certify (e.g. CMP, CMC, SCEP). The protocol does not attempt to define a comprehensivecertificate management protocol, such as would be needed for a certification authority. However, it doesinclude functions that are needed to allow a key server to provide a proxy for certificate managementfunctions.In addition to the normative definitions for managed objects, operations and attributes, this specificationalso includes normative definitions for the following aspects of the protocol: The expected behavior of the server and client as a result of operations, Message contents and formats, Message encoding (including enumerations), and Error handling.This specification is complemented by three other documents. The Usage Guide [KMIP-UG] providesillustrative information on using the protocol. The KMIP Profiles Specification [KMIP-Prof] provides aselected set of conformance profiles and authentication suites. The Test Specification [KMIP-TC]provides samples of protocol messages corresponding to a set of defined test cases.This specification defines the KMIP protocol version major 1 and minor 1 (see 6.1).1.1 TerminologyThe key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULDNOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as describedin [RFC2119].For acronyms used in this document, see Appendix E. For definitions not found in this document, see[SP800-57-1].ArchiveAsymmetric key pair(key pair)AuthenticationAuthentication codeAuthorizationTo place information not accessed frequently into long-term storage.A public key and its corresponding private key; a key pair is used with apublic key algorithm.A process that establishes the origin of information, or determines anentity’s identity.A cryptographic checksum based on a security function (also known as aMessage Authentication Code).Access privileges that are granted to an entity; conveying an “official”kmip-spec-v1.1-cos01 21 September 2012Standards Track Work Product Copyright © OASIS Open 2012. All Rights Reserved. Page 8 of 164
sanction to perform a security function or activity.Certificate lengthCertification authorityCiphertextCompromiseConfidentialityCryptographicalgorithmCryptographic key(key)DecryptionDigest (or hash)Digital signature(signature)Digital SignatureAlgorithmEncryptionHashing algorithm (orhash algorithm, hashfunction)IntegrityThe length (in bytes) of an X.509 public key certificate.The entity in a Public Key Infrastructure (PKI) that is responsible forissuing certificates, and exacting compliance to a PKI policy.Data in its encrypted form.The unauthorized disclosure, modification, substitution or use of sensitivedata (e.g., keying material and other security-related information).The property that sensitive information is not disclosed to unauthorizedentities.A well-defined computational procedure that takes variable inputs,including a cryptographic key and produces an output.A parameter used in conjunction with a cryptographic algorithm thatdetermines its operation in such a way that an entity with knowledge ofthe key can reproduce or reverse the operation, while an entity withoutknowledge of the key cannot. Examples include:1. The transformation of plaintext data into ciphertext data,2. The transformation of ciphertext data into plaintext data,3. The computation of a digital signature from data,4. The verification of a digital signature,5. The computation of an authentication code from data,6. The verification of an authentication code from data and a receivedauthentication code.The process of changing ciphertext into plaintext using a cryptographicalgorithm and key.The result of applying a hashing algorithm to information.The result of a cryptographic transformation of data that, when properlyimplemented with supporting infrastructure and policy, provides theservices of:1. origin authentication2. data integrity, and3. signer non-repudiation.A cryptographic algorithm used for digital signature.The process of changing plaintext into ciphertext using a cryptographicalgorithm and key.An algorithm that maps a bit string of arbitrary length to a fixed length bitstring. Approved hashing algorithms satisfy the following properties:1. (One-way) It is computationally infeasible to find any input thatmaps to any pre-specified output, and2. (Collision resistant) It is computationally infeasible to find any twodistinct inputs that map to the same output.The property that sensitive data has not been modified or deleted in ankmip-spec-v1.1-cos01 21 September 2012Standards Track Work Product Copyright © OASIS Open 2012. All Rights Reserved. Page 9 of 164
Page 1 and 2: Key Management InteroperabilityProt
Page 3 and 4: NoticesCopyright © OASIS Open 2012
Page 5 and 6: 3.18.1 Operations outside of operat
Page 7: 11.8 Certify ......................
Page 13 and 14: 11411511611711811912012112212312412
Page 15 and 16: 18818919019119219319419519619719819
Page 17 and 18: 23723823924024124224324424524624724
Page 19 and 20: 28628728828929029129229329429529629
Page 21 and 22: Value SHALL be TTLVencoded.32632732
Page 23 and 24: Object Encoding REQUIREDKey Materia
Page 25 and 26: 3763773782.1.7.11 Transparent ECDH
Page 27 and 28: Object Encoding REQUIREDSymmetric K
Page 29 and 30: 47447547647747847948048148248348448
Page 31 and 32: 50150250350450550650750850951051151
Page 33 and 34: SHALL always have a valueInitially
Page 35 and 36: 558559key contained within the Cert
Page 37 and 38: 577578579580581582583584585586X9, I
Page 39 and 40: 609Table 56: X.509 Certificate Iden
Page 45 and 46: 71571671771871972072172272372472572
Page 47 and 48: Default Operation Policy for Privat
Page 51 and 52: 81881982082182282382482582682782882
Page 53 and 54: 892893object is destroyed. This att
Page 57 and 58: 944945946indicates when the key man
Page 59 and 60:
9709719729733.34 FreshThe Fresh att
Page 61 and 62:
Application SpecificInformationObje
Page 63 and 64:
SHALL always have a valueInitially
Page 65 and 66:
Request PayloadObject REQUIRED Desc
Page 67 and 68:
Attribute REQUIRED SHALL contain th
Page 69 and 70:
1152115311541155115611571158As a re
Page 71 and 72:
AttributePrivate Key UniqueIdentifi
Page 73 and 74:
management server.11941195119611971
Page 75 and 76:
12361237123812391240124112421243124
Page 77 and 78:
12881289129012911292129312941295129
Page 79 and 80:
13241325132613271328132913301331133
Page 81 and 82:
Page 83 and 84:
Response PayloadObject REQUIRED Des
Page 85 and 86:
Page 87 and 88:
Response PayloadObject REQUIRED Des
Page 89 and 90:
15371538153915401541154215431544154
Page 91 and 92:
1588158915901591159215931594a list
Page 93 and 94:
16231624162516261627162816291630163
Page 95 and 96:
16651666166716681669167016711672167
Page 97 and 98:
17211722172317241725172617271728172
Page 99 and 100:
Option17911792179317941795Table 201
Page 101 and 102:
Request Batch ItemObject REQUIRED i
Page 103 and 104:
18311832183318341835183618371838183
Page 105 and 106:
18811882188318841885188618871888188
Page 107 and 108:
ObjectTagTag ValueCertificate Subje
Page 109 and 110:
ObjectPadding Methodkmip-spec-v1.1-
Page 111 and 112:
TagObjectTag ValueExtension Type420
Page 113 and 114:
19379.1.3.2.4 Wrapping Method Enume
Page 115 and 116:
19469.1.3.2.8 Split Key Method Enum
Page 117 and 118:
RC4 00000016RC5 00000017SKIPJACK 00
Page 119 and 120:
19649.1.3.2.17 Key Role Type Enumer
Page 121 and 122:
19759.1.3.2.21 Derivation Method En
Page 123 and 124:
19879.1.3.2.27 Operation Enumeratio
Page 125 and 126:
19939.1.3.2.30 Batch Error Continua
Page 127 and 128:
200820092010201110 TransportKMIP Se
Page 129 and 130:
Operation Failed20172018Table 249:
Page 131 and 132:
202411.5 Re-keyError Definition Res
Page 133 and 134:
203011.8 CertifyError Definition Re
Page 135 and 136:
Key Wrapping Specification contains
Page 137 and 138:
205011.18 Obtain LeaseError Definit
Page 139 and 140:
a certificate listOne or more of th
Page 141 and 142:
20952096209720982099210021012102210
Page 143 and 144:
CertificateSymmetric KeyPublic KeyP
Page 145 and 146:
22092210Appendix C. Tag Cross-Refer
Page 147 and 148:
Object Defined Type NotesInitializa
Page 149 and 150:
Object Defined Type NotesResult Mes
Page 151 and 152:
221322142215Appendix D. Operations
Page 153 and 154:
22192220222122222223222422252226222
Page 155 and 156:
22932294229522962297229822992300230
Page 157 and 158:
23482349235023512352235323542355235
Page 159 and 160:
24322433243424352436243724382439244
Page 161 and 162:
25162517251825192520252125222523252
Page 163 and 164:
2591Appendix G. Revision HistoryRev
show all

Key Management Interoperability Protocol Specification Version 1.1

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?