The OASIS KMIP Standard:
Interoperability for the cryptographic ecosystems
Santhosh Kumar Edukulla
Email : santhoshedukulla@apache.org
1
Session Highlights:
2
• Prevalent cryptographic ecosystems in enterprises, and their problems.
• A solution to those problems, and interoperability, in terms of KMIP.
• KMIP and KMIS overview.
• Free KMIP/KMIS library implemented in Python.
• Q & A
3
Problems:
• In an enterprise, multiple environments often have their own cryptographic management systems, and therefore their own key management systems.
• Many of these cryptographic environments use their own protocols, so there is no standardized approach: multiple vendors, different specifications, varied arrangements, etc.
• Key exchange requires agent implementations for multiple platforms and application infrastructures, e.g. C++, Java, .NET, Windows, Linux.
• Multiple key distribution mechanisms, varied storage for secured keys, security issues, difficult retrieval, standards and compliance issues, etc.
• Managing key lifecycles, key continuity, versioning, upgrades, audit issues, etc.
4
[Diagram: Enterprise Cryptographic Environments. Problem 1: each environment (Disk Arrays, Backup Disk, Backup Tape, Backup System, Collaboration & Content Mgmt Systems, File Server, Portals, Production Database, Replica, Staging, Enterprise Applications, Email, eCommerce Applications, Business Analytics, Dev/Test Obfuscation, WAN/LAN, VPN, CRM) is served by its own separate Key Management System.]
5
[Diagram: Enterprise Cryptographic Environments, the same environments as above, each with its own Key Management System. Problem 2: disparate, often proprietary protocols between each environment and its key management system.]
6
[Diagram: Enterprise Cryptographic Environments. A single Enterprise Key Management system serves all the environments (Disk Arrays, Backup Disk, Backup Tape, Backup System, Collaboration & Content Mgmt Systems, File Server, Portals, Production Database, Replica, Staging, Enterprise Applications, Email, eCommerce Applications, Business Analytics, Dev/Test Obfuscation, WAN, LAN, VPN, CRM) over the Key Management Interoperability Protocol.]
Solution: KMIP as an interoperable protocol supports enterprise cryptographic environments.
7
8
• It is an open standard, easier to maintain, reduces complexity and solves the interoperability problem. Formulated by OASIS (Organization for the Advancement of Structured Information Standards).
• The Key Management Interoperability Protocol (KMIP) enables key lifecycle management; it supports legacy and new cryptography-enabled applications, covering symmetric keys, asymmetric keys, digital certificates and other shared secrets.
• KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
• KMIP defines the protocol for communication between cryptographic clients and key management servers. It aims to establish a single, comprehensive protocol for communication between enterprise key management systems and encryption systems. It is a binary protocol using the TTLV (Tag, Type, Length, Value) encoding.
• Defines all cryptographic entities as managed objects, along with their attributes, the operations supported, etc.
• Key lifecycle operations supported include generation, submission, retrieval and deletion of cryptographic objects.
9
• As mentioned earlier, it’s a binary protocol with TTLV format.
10
KMIP protocol flow:
Key Client: API -> Internal representation -> KMIP Encode -> Transport
                                  (KMIP messages on the wire)
Key Server: Transport -> KMIP Decode -> Internal representation -> API
The response travels the same path in reverse: the server encodes and the client decodes.
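As an added example (not the presentation's code, and not PyKMIP's), the encode and decode steps of the flow above carried out for a KMIP 1.2 Get request: the tag, type and operation constants are those assigned by the KMIP specification, the unique identifier is a constructed sample, and the decoder checks every Length field against its enclosing boundary so a truncated or oversized item is rejected instead of being read past the buffer.

```python
"""Minimal KMIP TTLV codec: Tag (3 bytes) | Type (1) | Length (4, big-endian)
| Value zero-padded to a multiple of 8 bytes.  Tag, type and enumeration
constants are those assigned by the KMIP 1.2 specification."""
import struct

STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07  # item types
TAG = {  # tags needed for a Get request
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
}
OP_GET = 0x0A  # Operation enumeration value for Get

def encode(tag: int, typ: int, value) -> bytes:
    """Encode one item; a Structure's value is a list of (tag, type, value)."""
    if typ == STRUCTURE:
        body = b"".join(encode(*child) for child in value)  # children already padded
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if typ == INTEGER else ">I", value)  # 32-bit value
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported item type 0x{typ:02x}")
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)  # Length excludes padding

def decode(buf: bytes, pos: int = 0, end=None) -> list:
    """Decode buf[pos:end] into (tag, type, value) tuples.

    Every Length is checked against the enclosing boundary before use, so a
    truncated message or an item that overruns its parent raises ValueError
    instead of reading outside the buffer."""
    end = len(buf) if end is None else end
    items = []
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated TTLV header at offset {pos}")
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        val_start, val_end = pos + 8, pos + 8 + length
        if val_end > end:
            raise ValueError(f"item 0x{tag:06x} at offset {pos} claims {length} "
                             f"bytes but only {end - val_start} remain")
        raw = buf[val_start:val_end]
        if typ == STRUCTURE:
            value = decode(buf, val_start, val_end)
        elif typ in (INTEGER, ENUMERATION):
            if length != 4:
                raise ValueError(f"item 0x{tag:06x}: 32-bit value with length {length}")
            value = struct.unpack(">i" if typ == INTEGER else ">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            raise ValueError(f"unsupported item type 0x{typ:02x} at offset {pos}")
        items.append((tag, typ, value))
        pos = val_end + (-length % 8)  # skip padding bytes
        if pos > end:
            raise ValueError(f"missing padding after item 0x{tag:06x}")
    return items

def find(items: list, tag: int):
    """Depth-first search for the value of the first item carrying `tag`."""
    for t, typ, value in items:
        if t == tag:
            return value
        if typ == STRUCTURE and (hit := find(value, tag)) is not None:
            return hit
    return None

def build_get_request(uid: str) -> bytes:
    """KMIP 1.2 Get request for one object: the client's 'KMIP Encode' step."""
    return encode(TAG["RequestMessage"], STRUCTURE, [
        (TAG["RequestHeader"], STRUCTURE, [
            (TAG["ProtocolVersion"], STRUCTURE, [
                (TAG["ProtocolVersionMajor"], INTEGER, 1),
                (TAG["ProtocolVersionMinor"], INTEGER, 2),
            ]),
            (TAG["BatchCount"], INTEGER, 1),
        ]),
        (TAG["BatchItem"], STRUCTURE, [
            (TAG["Operation"], ENUMERATION, OP_GET),
            (TAG["RequestPayload"], STRUCTURE, [
                (TAG["UniqueIdentifier"], TEXT_STRING, uid),  # constructed sample id
            ]),
        ]),
    ])

def is_well_formed(buf: bytes) -> bool:
    """The server's 'KMIP Decode' gate: True only if buf parses completely."""
    try:
        decode(buf)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```

The three single-item encodings in the test below match the worked examples in the specification's TTLV section (Integer 8, Text String "Hello World", and a Structure holding an Enumeration and an Integer).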
11
The KMIP Technical Committee was established in OASIS in April 2009.
Submissions at the time of TC creation included a draft specification, a usage guide and use cases.
Initial membership included most significant vendors in cryptographic solutions and key management, and has continued to grow.
KMIP V1.0 standard approved end of September 2010.
Current KMIP versions: 1.2 and 1.3
Version 1.4: in progress
12
The purpose of a profile is to define what any implementation of the specification must adhere to in order to claim conformance to the specification. Profiles:
• Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction.
• Define a set of normative constraints for employing KMIP within a particular environment or context of use.
• Optionally, require the use of specific KMIP functionality, or otherwise define the processing rules to be followed by profile actors.
Three profiles were defined in V1.0:
• Secret data
• Symmetric key store
• Symmetric key foundry
Profiles are further qualified by an authentication suite:
• TLS V1.0 / V1.1
• TLS V1.2
13
Types of managed object handled by KMIP include:
• Symmetric Keys.
• Public and Private Keys.
• Certificates and PGP Keys.
• Split Keys.
• Secret Data (passwords).
• Opaque Data for client and server defined extensions.
The operations provided by KMIP include:
• Create
• Get
• Register
• Add Attributes, Get Attributes, and Modify Attributes
• Locate
• Re-Key
• Create Key Pair
• (Re-)Certify
• Split and Join n of m keys.
• Encrypt, Decrypt, MAC etc.
• KMIS is a KMIP implementation which can run as a service, providing cryptographic key management facilities to various enterprise entities such as applications. Enterprise applications these days are agile and run on varied platforms.
• Enterprise applications need to communicate with a KMS for their cryptographic requirements, so different applications on different platforms would each need to know KMIP. Instead, KMIS does that in an abstracted way and provides a machine-independent way of communicating with the KMS.
• It acts as an interface between the KMS (Key Management Solution/Server) and enterprise applications through an easy-to-use API.
• A KMIP library can run as an agent and be integrated with applications, but an agent-based solution tightly couples the applications to a given agent, and different agents are required for different application platforms.
• A few vendors provide KMIP/KMIS facilities, but they are commercial and costly.
• The current implementation aims to remove this dependency and decouple applications from the agent, through an abstracted, simple, easy-to-use service, in a secured way.
14
KMS (HSM) <==> KMIS <==> Applications
Components:
• KMS: Key Management Server or HSM appliance, where the actual keys are generated, stored, maintained, destroyed, etc.
• KMIS: Key Management Integration Service, an integration service operating between enterprise entities and the KMS.
• The different enterprise entities.
15
• Using KMIP, we will retrieve a few keys.
• Using KMIP, we will create a few keys.
18
References:
• http://docs.oasis-open.org/kmip/spec/v1.2/os/kmip-spec-v1.2-os.html
• http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf
• Google.com
Github Links:
• https://github.com/sedukull/pykmip-ws
• https://github.com/OpenKMIP/PyKMIP
19
Santhosh Kumar Edukulla
Email : santhoshedukulla@apache.org
•Thanks to Peter and team.
Questions: ?
if "I KNOW":
    return AnswerFactory.get_answer("AnswerType")
else:
    "will find out and let you know"
Open Source KMIP Implementation

  • 1. The OASIS KMIP Standard: Interoperability for the cryptographic ecosystems. Santhosh Kumar Edukulla, Email: santhoshedukulla@apache.org
  • 2. Session Highlights:
    • Prevalent cryptographic ecosystems in enterprises, and their problems.
    • Solution for the above problems and interoperability in terms of KMIP.
    • KMIP and KMIS overview.
    • Free KMIP/KMIS library implemented in Python.
    • Q & A
  • 3. Problems:
    • In an enterprise, multiple environments often have their own cryptographic management systems, and so their own key management systems.
    • Many of these cryptographic environments have their own protocols, so there is no standardized approach: multiple vendors, different specifications, varied arrangements, etc.
    • Key exchange via agent implementations is required for multiple platforms and application infrastructures, e.g. C++, Java, .NET, Windows, Linux, etc.
    • Multiple key distribution mechanisms, varied storage for secured keys, security issues, difficult retrieval, standards and compliance issues, etc.
    • Managing key lifecycles, key continuance, versioning, upgrades, audit issues, etc.
  • 4. Enterprise Cryptographic Environments, Problem 1 (diagram): each environment (Disk Arrays, Backup Disk, Backup Tape, Backup System, Collaboration & Content Mgmt Systems, File Server, Portals, Production Database, Replica, Staging, Enterprise Applications, eCommerce Applications, Business Analytics, Dev/Test Obfuscation, WAN/LAN/VPN, Email, CRM) runs its own Key Management System.
  • 5. Enterprise Cryptographic Environments, Problem 2 (same diagram): disparate, often proprietary protocols between each environment and its Key Management System.
  • 6. Enterprise Cryptographic Environments, Solution (diagram): KMIP as an interoperable protocol supports enterprise cryptographic environments; the same environments all talk to a single Enterprise Key Management system over the Key Management Interoperability Protocol.
  • 7. (slide image, no text)
  • 8.
    • It's an open standard, easier to maintain, reduces complexity and solves the interoperability problem. Formulated by OASIS (Organization for the Advancement of Structured Information Standards).
    • The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. It supports legacy and new cryptographic-enabled applications, and symmetric keys, asymmetric keys, digital certificates and other shared secrets.
    • KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
    • KMIP defines the protocol for communication between a cryptographic client and a key-management server. It aims to establish a single, comprehensive protocol for communication between enterprise key management systems and encryption systems. It is a binary protocol using the TTLV (Tag, Type, Length, Value) encoding.
    • Defines all cryptographic entities as managed objects, with attributes, supported operations, etc.
    • Supported key lifecycle operations include generation, submission, retrieval and deletion of cryptographic objects.
  • 9. As mentioned earlier, it's a binary protocol with TTLV format.
  • 10. KMIP protocol flow (diagram): the Key Client and the Key Server each consist of an API, an internal representation, KMIP Encode/Decode and a Transport layer; KMIP messages pass between the two transports.
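To make the TTLV encoding and the encode/decode steps of the flow concrete, here is a minimal encoder and decoder for the item shapes the slides mention (Structure, Integer, Enumeration, Text String, Byte String). It is an added example written for this page, not code from the slides, PyKMIP or pykmip-ws; tag 0x420020 is a placeholder tag, as in the spec's own encoding examples, and the decoder bounds-checks the declared length before reading the value, which is the check a server-side parser needs against malformed input.

```python
# Minimal KMIP TTLV codec: added example, not code from the slides, PyKMIP or pykmip-ws.
# Item = Tag (3 bytes) | Type (1) | Length (4, big-endian) | Value, zero-padded to 8 bytes.
import struct

STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08
PLACEHOLDER_TAG = 0x420020  # generic tag, as used in the spec's own encoding examples

def _pad(payload):
    return payload + b"\x00" * (-len(payload) % 8)

def encode(tag, typ, value):
    """Encode one item; a Structure's value is a list of (tag, typ, value) tuples."""
    if typ == STRUCTURE:
        payload = b"".join(encode(*item) for item in value)
    elif typ in (INTEGER, ENUMERATION):  # 4-byte value, padded out to 8
        payload = struct.pack(">i" if typ == INTEGER else ">I", value)
    elif typ == TEXT_STRING:
        payload = value.encode("utf-8")
    elif typ == BYTE_STRING:
        payload = bytes(value)
    else:
        raise ValueError(f"unsupported type {typ:#x}")
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(payload))
    return header + _pad(payload)  # Length field counts the unpadded value

def decode(buf, pos=0):
    """Decode the item at buf[pos]; return ((tag, typ, value), next_pos)."""
    if len(buf) - pos < 8:
        raise ValueError("truncated TTLV header")
    tag = int.from_bytes(buf[pos:pos + 3], "big")
    typ, length = buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
    end, next_pos = pos + 8 + length, pos + 8 + length + (-length % 8)
    if next_pos > len(buf):  # bounds-check the declared length before touching the value
        raise ValueError("declared length exceeds buffer")
    raw = buf[pos + 8:end]
    if typ == STRUCTURE:
        value, p = [], pos + 8
        while p < end:  # nested items occupy exactly the structure's length
            item, p = decode(buf, p)
            value.append(item)
    elif typ in (INTEGER, ENUMERATION):
        value = struct.unpack(">i" if typ == INTEGER else ">I", raw)[0]
    elif typ == TEXT_STRING:
        value = raw.decode("utf-8")
    elif typ == BYTE_STRING:
        value = raw
    else:
        raise ValueError(f"unsupported type {typ:#x}")
    return (tag, typ, value), next_pos
```

Encoding the Integer 8 under the placeholder tag yields `42 00 20 | 02 | 00 00 00 04 | 00 00 00 08 00 00 00 00`, the 16-byte shape every Integer item has on the wire.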
  • 11.
    • The KMIP Technical Committee was established in OASIS in April 2009.
    • Submissions at the time of TC creation included a draft specification, usage guide and use cases.
    • Initial membership included most significant vendors in cryptographic solutions and key management, and has continued to grow.
    • KMIP V1.0 standard approved end-September 2010.
    • Current KMIP versions: 1.2 and 1.3. Version 1.4: in progress.
  • 12. The purpose of a profile is to define what any implementation of the specification must adhere to in order to claim conformance to the specification:
    • Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction.
    • Define a set of normative constraints for employing KMIP within a particular environment or context of use.
    • Optionally, require the use of specific KMIP functionality, or in other respects define the processing rules to be followed by profile actors.
    Three profiles are defined in V1.0:
    • Secret data
    • Symmetric key store
    • Symmetric key foundry
    Profiles are further qualified by authentication suite:
    • TLS V1.0 / V1.1
    • TLS V1.2
  • 13. Types of managed object managed by KMIP include:
    • Symmetric Keys.
    • Public and Private Keys.
    • Certificates and PGP Keys.
    • Split Keys.
    • Secret Data (passwords).
    • Opaque Data for client- and server-defined extensions.
    The operations provided by KMIP include:
    • Create
    • Get
    • Register
    • Add Attributes, Get Attributes and Modify Attributes
    • Locate
    • Re-Key
    • Create Key Pair
    • (Re-)Certify
    • Split and Join n-of-m keys
    • Encrypt, Decrypt, MAC, etc.
  • 14.
    • KMIS is a KMIP implementation that can run as a service, providing cryptographic key management facilities to enterprise entities such as applications. Enterprise applications these days are agile and run on varied platforms.
    • Enterprise applications need to communicate with a KMS for their cryptographic requirements. Rather than every application on every platform having to know KMIP, KMIS does that in an abstracted way and provides a machine-independent way of communicating with the KMS.
    • It acts as an interface between the KMS (Key Management Solution/Server) and enterprise applications through easy-to-use APIs.
    • A KMIP library can run as an agent and be integrated with applications, but an agent-based solution tightly couples the applications with a given agent, and different agents are required for different application platforms.
    • A few vendors provide KMIP and KMIS facilities, but they are commercial and costly.
    • The current implementation aims to remove this dependency and decouple the applications, through an abstracted, simple, easy-to-use service in a secured way.
  • 15. KMS (HSM) <==> KMIS <==> Applications. Components:
    • KMS: Key Management Server, HSM appliance, where the actual keys are generated, stored, maintained, destroyed, etc.
    • KMIS: Key Management Integration Service, an integration service operating between enterprise entities and the KMS.
    • Different enterprise entities.
  • 16. (slide image, no text)
  • 17.
    • Using KMIP, we will retrieve a few keys.
    • Using KMIP, we will create a few keys.
  • 18. References:
    • http://docs.oasis-open.org/kmip/spec/v1.2/os/kmip-spec-v1.2-os.html
    • http://xml.coverpages.org/KMIP/KMIP-FAQ.pdf
    • Google.com
    GitHub links:
    • https://github.com/sedukull/pykmip-ws
    • https://github.com/OpenKMIP/PyKMIP
  • 19. Santhosh Kumar Edukulla, Email: santhoshedukulla@apache.org. Thanks to Peter and team. Questions: ? if "I KNOW": return AnswerFactory.get_answer("AnswerType") else: "will find out and let you know"

Editor's Notes

  1. Join by april 9th