key management interoperability protocol profiles version 1 ......subhash sankuratripati...

kmip-crypto-profile-v1.0-wd06wd08 Working Draft 0608 11 7 October November 2012 Standards Track Draft Copyright © OASIS Open 2012. All Rights Reserved. of 40

Key Management Interoperability Protocol Crypto Profile Version 1.0

Working Draft 0708

25 7 NovemberOctober 2012

Technical Committee: OASIS Key Management Interoperability Protocol (KMIP) TC

Chairs: Robert Griffin ([email protected]), EMC Corporation Subhash Sankuratripati ([email protected]), NetApp

Editors:

Tim Hudson ([email protected]), Cryptsoft

Related work:

This specification is related to:

Key Management Interoperability Protocol Profiles Version 1.0. 01 October 2010. OASIS Standard. http://docs.oasis-open.org/kmip/profiles/v1.0/os/kmip-profiles-1.0-os.html.

Key Management Interoperability Protocol Specification Version 1.1. Latest version. http://docs.oasis-open.org/kmip/spec/v1.1/kmip-spec-v1.1.html

Key Management Interoperability Protocol Use Cases Version 1.1. Latest version. http://docs.oasis-open.org/kmip/usecases/v1.1/kmip-usecases-v1.1.html

Key Management Interoperability Protocol Usage Guide Version 1.1. Latest version.

http://docs.oasis-open.org/kmip/ug/v1.1/kmip-ug-v1.1.html

Abstract: Describes the use of KMIP operations to support cryptographic servers being performed by a KMIP server on behalf of a KMIP clientextensions to KMIP to support cryptographic operations.

Status: This Working Draft (WD) has been produced by one or more TC Members; it has not yet been voted on by the TC or approved as a Committee Draft (Committee Specification Draft or a Committee Note Draft). The OASIS document Approval Process begins officially with a TC vote to approve a WD as a Committee Draft. A TC may approve a Working Draft, revise it, and re-approve it any number of times as a Committee Draft.

Copyright © OASIS Open 2012. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

http://www.oasis-open.org/committees/kmip/

mailto:[email protected]

http://www.emc.com/


http://www.netapp.com/


http://www.cryptsoft.com/

http://docs.oasis-open.org/kmip/profiles/v1.0/os/kmip-profiles-1.0-os.html

http://docs.oasis-open.org/kmip/spec/v1.1/kmip-spec-v1.1.html

http://docs.oasis-open.org/kmip/usecases/v1.1/kmip-usecases-v1.1.html

http://docs.oasis-open.org/kmip/ug/v1.1/kmip-ug-v1.1.html

http://www.oasis-open.org/committees/process.php#dWorkingDraft

http://www.oasis-open.org/committees/process.php#committeeDraft

http://www.oasis-open.org/committees/process.php#standApprovProcess

http://www.oasis-open.org/who/intellectualproperty.php


Table of Contents

1 Introduction ......................................................................................................................................... 54

1.1 Terminology ...................................................................................................................................... 54

1.2 Normative References ...................................................................................................................... 54

1.3 Non-Normative References .............................................................................................................. 54

2 Crypto Profile ...................................................................................................................................... 65

2.1 Encrypt Operation ............................................................................................................................. 87

2.2 Decrypt Operation ........................................................................................................................... 109

2.3 Sign Operation .............................................................................................................................. 1210

2.4 Signature Verify Operation ........................................................................................................... 1411

2.5 Hash Operation ............................................................................................................................. 1613

2.6 MAC Operation ............................................................................................................................. 1714

2.7 MAC Verify Operation ................................................................................................................... 1815

2.8 RNG Operation ............................................................................................................................. 2016

2.9 Message Encoding ....................................................................................................................... 2318

2.9.1 Cryptographic Algorithm ........................................................................................................ 2318

2.9.2 RNG Algorithm Base Object .................................................................................................. 2318

2.9.3 Tags ....................................................................................................................................... 2419

2.9.4 Operation Enumeration ......................................................................................................... 2619

2.9.5 RNG Algorithm Enumeration ................................................................................................. 2721

2.9.6 DRBG Algorithm Enumeration .............................................................................................. 2821

2.9.7 FIPS186 Variation Enumeration ............................................................................................ 2821

3 Conformance Clauses .................................................................................................................... 2923

3.1 Base Crypto Server Clause .......................................................................................................... 2923

3.1.1 Implementation Conformance ............................................................................................... 2923

3.1.2 Conformance of a Base Crypto Server ................................................................................. 2923

3.2 Base Crypto Client Clause ............................................................................................................ 2923


3.2.2 Conformance of a Base Crypto Client ................................................................................... 2923

3.3 RNG Crypto Server Clause .......................................................................................................... 3024


3.3.2 Conformance of a RNG Crypto Server ................................................................................. 3024

3.4 RNG Crypto Client Clause ............................................................................................................ 3024


3.4.2 Conformance of a RNG Crypto Client ................................................................................... 3024

3.5 Advanced Crypto Server Clause .................................................................................................. 3125


3.5.2 Conformance of an Advanced Crypto Server ....................................................................... 3125

3.6 Advanced Crypto Client Clause .................................................................................................... 3125


3.6.2 Conformance of an Advanced Crypto Client ......................................................................... 3125

4 Crypto Profile Test Cases .............................................................................................................. 3327

4.1 Base Crypto Tests ........................................................................................................................ 3327

4.1.1 Test Case: Encrypt with Known Symmetric Key ................................................................... 3327


4.1.2 Test Case: Decrypt with Known Symmetric Key ................................................................... 3327

4.1.3 Test Case: Encrypt and Decrypt with Known Symmetric Key .............................................. 3327

4.1.4 Test Case: Encrypt with New Symmetric Key ....................................................................... 3327

4.1.5 Test Case: Decrypt with New Symmetric Key ....................................................................... 3428

4.1.6 Test Case: Encrypt and Decrypt with New Symmetric Key .................................................. 3428

4.2 RNG Crypto Tests ........................................................................................................................ 3428

4.2.1 Test Case: RNG seed ........................................................................................................... 3428

4.2.2 Test Case: RNG retrieve ....................................................................................................... 3428

4.3 Advanced Crypto Tests ................................................................................................................ 3529

4.3.1 Test Case: Sign with Known Asymmetric Key ...................................................................... 3529

4.3.2 Test Case: Signature Verify with Known Asymmetric Key .................................................... 3529

4.3.3 Test Case: Sign and Signature Verify with Known Asymmetric Key .................................... 3529

4.3.4 MAC with Known Key ............................................................................................................ 3529

4.3.5 MAC with Known Key ............................................................................................................ 3630

4.3.6 Test Case: MAC and MAC Verify with Known Key ............................................................... 3630

Appendix A. Acknowledgments ......................................................................................................... 3831

Appendix B. Work Items .................................................................................................................... 3932

Appendix C. Changes ........................................................................................................................ 4033


1 Introduction For normative definition of the elements of KMIP see the KMIP Specification ([KMIP-SPEC-1_0 and KMIP-SPEC-1_1]) and the KMIP Profiles ([KMIP-PROF]).

Illustrative guidance for the implementation of KMIP clients and servers is provided in the KMIP Usage Guide ([KMIP-UG]) and KMIP Use Cases ([KMIP_UC]).

This profile defines the necessaryoutlines the use of KMIP operations to support cryptographic servers being performed by a KMIP server on behalf of a KMIP client.encoding rules for the transport of KMIP TTLV messages via the Hypertext Transfer Protocol ([RFC2616]) over TLS as specified in HTTP over TLS ([RFC2818]).

1.1 Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].

1.2 Normative References

[RFC1945] T. Berners-Lee, R. Fielding, H. Frystyk, Hypertext Transfer Protocol -- HTTP/1.0, http://www.ietf.org/rfc/rfc1945.txt, IETF RFC 1945, May 1996.

[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.

[RFC2246] T. Dierks and C. Allen, The TLS Protocol, Version 1.0, IETF RFC 2246, Jan 1999, http://www.ietf.org/rfc/rfc2246.txt

[RFC2616] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee, Hypertext Transfer Protocol -- HTTP/1.1, http://www.ietf.org/rfc/rfc2616.txt, IETF RFC 2616, June 1999.

[RFC2818] E. Rescorla, HTTP over TLS, IETF RFC 2818, May 2000, http://www.ietf.org/rfc/rfc2818.txt

[KMIP-SPEC-1_0] OASIS Standard, Key Management Interoperability Protocol Specification Version 1.0, October 2010, http://docs.oasis-open.org/kmip/spec/v1.0/os/kmip-spec-1.0-os.doc

[KMIP-SPEC-1_1] Key Management Interoperability Protocol Specification Version 1.1. http://docs.oasis-open.org/kmip/spec/v1.1/csd01/kmip-spec-v1.1-csd01.doc Committee Specification Draft 01.1 December 2011.

[KMIP-PROF] Key Management Interoperability Protocol Usage Guide Version 1.1. 01 December 2011. OASIS Standard. http://docs.oasis-open.org/kmip/profiles/v1.1/cd01/kmip-profiles-1.1-cd-01.doc

1.3 Non-Normative References

[KMIP-UG] Key Management Interoperability Protocol Usage Guide Version 1.1. http://docs.oasis-open.org/kmip/ug/v1.1/kmip-ug-v1.1-cnd01.doc Committee Note Draft, 1 December 2011,

[KMIP-TC] Key Management Interoperability Protocol Test Cases Version 1.1. http://docs.oasis-open.org/kmip/usecases/v1.1/kmip-usecases-v1.1-cnd01.doc, Committee Note Draft, 1 December 2011.

http://www.ietf.org/rfc/rfc1945.txt





http://docs.oasis-open.org/kmip/spec/v1.0/os/kmip-spec-1.0-os.doc

http://docs.oasis-open.org/kmip/spec/v1.0/os/kmip-spec-1.0-os.doc

http://docs.oasis-open.org/kmip/spec/v1.1/csd01/kmip-spec-v1.1-csd01.doc

http://docs.oasis-open.org/kmip/profiles/v1.1/cd01/kmip-profiles-1.1-cd-01.doc#_blank

http://docs.oasis-open.org/kmip/profiles/v1.1/cd01/kmip-profiles-1.1-cd-01.doc#_blank

http://docs.oasis-open.org/kmip/ug/v1.1/kmip-ug-v1.1-cnd01.doc

http://docs.oasis-open.org/kmip/usecases/v1.1/kmip-usecases-v1.1-cnd01.doc


2 Crypto Profile The KMIP protocol supports creation and registration of managed objects and export retrieval of managed objects in both plaintext and optionally wrapped with another managed objectin wrapped format. The KMIP protocol also includes supports for a subset of the operations necessary for certificate management (certifying certificate requests and validating certificate changes). KMIP defines a range of Hash-based and MAC- based derivation options.

KMIP does not currently specify direct cryptographic operations (although both the client and server depend on cryptographic operations within the TLS protocol in order to operate).

This profile defines additional KMIP operations for cryptographic operations using managed objects for encryption, decryption, signature generation, signature verification, MAC generation, MAC verification, and random number generation.or retrieve, and random number generator seed.

KMIP clients and servers that support the cryptographic operations should be mindful of selecting the level of protection for the communication channel (the TLS connection) that provides sufficient protection of the plaintext data included in any of the cryptographic operations and commensurate with the security strength of the operation.

[[ Updates to [KMIP-SPEC-1_1] 4 adding paragraphs at the end ]]

Multi-part cryptographic operations (operations where a stream of data is provided in multiple requests from a client to a server) are optionally supported by all cryptographic operations.

For multi-part cryptographic operations the following sequence is performed

1. On the first request

a. Set the Init Indicator to True

b. Provide the Cryptographic Parameters (if the parameters are not associated with the managed object or are different)

c. Provide the Data

d. Provide the IV/Counter/Nonce if an IV/Counter/Nonce is required by the operation and there is no IV/Counter/Nonce associated with the managed object and the Random IV is not set to True in the Cryptographic Parameters

e. Preserve the Correlation Value returned in the reply for subsequent requests

f. Use the Data output (if any) from the response

2. On subsequent requests

a. Provide the Correlation Value from the response to the first reply

b. Use the next block of Data output (if any) from the response

3. On the final request

a. Provide the Correlation Value from the response to the first reply

b. Set the Final Indicator to True

c. Use the final block of Data output (if any) from the response

Single-part cryptographic operations (operations where a single input is provided and a single response returned) the following sequence is performed:

1. On each request

a. Set the Init Indicator to True

b. Set the Final Indicator to True

c. Provide the Cryptographic Parameters (if the parameters are not associated with the managed object are different)


d. Provide the Data

e. Provide the IV/Counter/Nonce if an IV/Counter/Nonce is required by the operation and there is no IV/Counter/Nonce associated with the managed object and the Random IV is not set to True in the Cryptographic Parameters

f. Preserve the Correlation Value returned in the reply for subsequent requests

g. Use the Data output from the response


2.1 Encrypt Operation

[[ Addition to [KMIP-SPEC-1_1] section 4 as a new Operation ]]

This operation requests the server to perform an encryption operation on the provided data using a Managed Cryptographic Object as the key for the encryption operation.

The request contains information about the cryptographic parameters (mode and padding method) if not already specified against the managed object, the data to be encrypted, and the operational initialization vector to use (unless the request requests that the server generate a Random IV to return to the client). The server does not store or otherwise manage the IV provided by the client or returned by the server.

Correlation Value, Init Indicator, Final Indicator are used for single or multi-part operations as outlined in Section 2.

The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the result of the encryption operation.

The success or failure of the operation is indicated by the Result Status (and if failure the Result Reason) in the response header.

Request Payload

Object REQUIRED Description

Unique Identifier, see [KMIP-SPEC-1_1] 3.1

YesNo The Unique Identifier of the Managed Cryptographic Object that is the key to use for the encryption operation. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.

Correlation Value No Specifies the existing stream or by-parts cryptographic operation (as returned from a previous call to this operation).

Init Indicator No Initial operation as Boolean (reset state)

Final Indicator No Final operation as Boolean (reset state)

Cryptographic Parameters, see [KMIP-SPEC-1_1] 3.6

No The Cryptographic Parameters (Block Cipher Mode, Padding Method) corresponding to the particular encryption method requested.

Data No The data to be encrypted (as a Byte String).

IV/Counter/Nonce No The initialization vector, counter or nonce to be used (where appropriate).

Table 1: Encrypt Request Payload


Response Payload



Yes The Unique Identifier of the Managed Cryptographic Object that is the key used for the encryption operation.

Correlation Value No Specifies the stream or by-parts value to be provided in subsequent calls to this operation for performing cryptographic operations.

Data No The encrypted data (as a Byte String).

IV/Counter/Nonce No The value used if the Cryptographic Parameters specified Random IV and the IV/Counter/Nonce value was not provided in the request and the algorithm requires the provision of an IV/Counter/Nonce.

Table 2: Encrypt Response Payload


2.2 Decrypt Operation


This operation requests the server to perform a decryption operation on the provided data using a Managed Cryptographic Object as the key for the decryption operation.

The request contains information about the cryptographic parameters (mode and padding method), the data to be decrypted, and the operational initialization vector to use.


The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the result of the decryption operation.


Request Payload



YesNo The Unique Identifier of the Managed Cryptographic Object that is the key to use for the decryption operation. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.





No The Cryptographic Parameters (Block Cipher Mode, Padding Method) corresponding to the particular decryption method requested.

Data No The data to be decrypted (as a Byte String).

IV/Counter/Nonce No The initialization vector, counter or nonce to be used (where appropriate).

Table 3: Decrypt Request Payload


Response Payload



Yes The Unique Identifier of the Managed Cryptographic Object that is the key used for the decryption operation.


Data No The decrypted data (as a Byte String).

IV/Counter/Nonce No The value used if the Cryptographic Parameters specified Random IV and the IV/Counter/Nonce value was not provided in the request.

Table 4: Decrypt Response Payload


2.3 Sign Operation


This operation requests the server to perform a signature operation on the provided data using a Managed Cryptographic Object as the key for the signature operation.

The request contains information about the digital signature algorithm or cryptographic algorithm and hash algorithm and the data to be signed.


The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the result of the signature operation.


Request Payload



YesNo The Unique Identifier of the Managed Cryptographic Object that is the key to use for the signature operation. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.





No The Cryptographic Parameters (Block Cipher Mode, Padding MethodDigital Signature Algorithm or Cryptographic Algorithm and Hashing Algorithm) corresponding to the particular signature generation method requested. Refer to the Digital Signature Algorithm [KMIP-SPEC-1_1] 3.16.

Data No The data to be signed (as a Byte String).

Table 5: Sign Request Payload


Response Payload



Yes The Unique Identifier of the Managed Cryptographic Object that is the key used for the signature operation.


Data No The signed data (as a Byte String).

Table 6: Sign Response Payload


2.4 Signature Verify Operation


This operation requests the server to perform a verify signature operation on the provided data using a Managed Cryptographic Object as the key for the verify operation.

The request contains information about the digital signature algorithm or cryptographic algorithm and hash algorithm, the signature to be verified and optionally the data that was passed to the Signing operation (for those algorithms which require the original data to verify a signature).


The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the optional data recovered from the signature (for those signature algorithms where data recovery from the signature is supported). The validity of the signature is indicated by the Validity Indicator field.

Request Payload



YesNo The Unique Identifier of the Managed Cryptographic Object that is the key to use for the verification operation. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.





No The Cryptographic Parameters (Digital Signature Algorithm or Cryptographic Algorithm and Hashing AlgorithmBlock Cipher Mode, Padding Method) corresponding to the particular signature verification method requested. Refer to the Digital Signature Algorithm [KMIP-SPEC-1_1] 3.16.

Data No The data that was signed (as a Byte String).

Signature Data Yes The signature to be verified (as a Byte String).

Table 7: Signature Verify Request Payload


Response Payload



Yes The Unique Identifier of the Managed Cryptographic Object that is the key used for the verification operation.


Validity Indicator, see [KMIP-SPEC-1_1] 9.1.3.2.23

No An Enumeration object indicating whether the signature is valid, invalid, or unknown.

Data No The optional recovered data (as a Byte String).

Table 8: Signature Verify Response Payload


2.5 Hash Operation


This operation requests the server to perform a hash on the provided data using a Managed Cryptographic Object as the key for the signature operation.

The request contains information about the hash algorithm in the cryptographic parameters and the data to be hashed.



Request Payload






Yes The Cryptographic Parameters (Block Cipher Mode, Padding MethodHash Algorithm) corresponding to the particular signature generationhash method requested.

Data Yes The data to be hashed (as a Byte String).

Table 9: Digest Request Payload

Response Payload



Data No The data hashed data (as a Byte String).

Table 10: Digest Response Payload


2.6 MAC Operation


This operation requests the server to perform a message authentication code (MAC) operation on the provided data using a Managed Cryptographic Object as the key for the signature operation.

The request contains information about the MAC algorithm in the cryptographic parameters and the data to be MACed.


The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the result of the MAC operation.


Request Payload



YesNo The Unique Identifier of the Managed Cryptographic Object that is the key to use for the MAC operation. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.





No The Cryptographic Parameters (Block Cipher Mode, Padding MethodCryptographic Algorithm) corresponding to the particular signature MAC generation method requested.

Data No The data to be MACed (as a Byte String).

Table 11: MAC Request Payload

Response Payload



Yes The Unique Identifier of the Managed Cryptographic Object that is the key used for the MAC operation.


Data No The data MACed (as a Byte String).

Table 12: MAC Response Payload


2.7 MAC Verify Operation


This operation requests the server to perform a message authentication code (MAC) verify operation on the provided data using a Managed Cryptographic Object as the key for the MAC operation.

The request contains information about the MAC algorithm in the cryptographic parameters and the data to be MAC verified.


The response contains the Unique Identifier of the Managed Cryptographic Object used as the key. The validity of the MAC is indicated by the Validity Indicator field.

Request Payload



YesNo The Unique Identifier of the Managed Cryptographic Object that is the key to use for the verification operation. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.





No The Cryptographic Parameters (Block Cipher Mode, Padding MethodCryptographic Algorithm) corresponding to the particular signature MAC verification method requested. Refer to the Digital Signature Algorithm [KMIP-SPEC-1_1] 3.16.

Data No The data to be MAC verified (as a Byte String).

Table 13: MAC Verify Request Payload


Response Payload



Yes The Unique Identifier of the Managed Cryptographic Object that is the key used for the verification operation.


Validity Indicator, see [KMIP-SPEC-1_1] 9.1.3.2.23

No An Enumeration object indicating whether the MAC is valid, invalid, or unknown.

Table 14: MAC Verify Response Payload


2.8 RNG Operation


This operation requests the server to request output from a Random Number Generator.

The request contains information (all items are optional) about the requested RNG type parameters (algorithm), the quality of entropy provided expressed as a security strength required and an optional offset into the RNG stream and optional seeding material.

The server may elect to ignore the information provided by the client (i.e. not accept the seeding material).

The server may elect to return a different RNG to the one requested by the client or may return an error if the requested RNG is not supported or is otherwise unavailable.


For RNGs which support the concept of variable offsets within an RNG output stream the offset value can be provided by the client.

The response contains the RNG algorithm (which may not have been provided in the request), optionally the quality security strength of the output claimed by the RNGof the entropy returned, and the RNG output bytes.


Note: looking at the RNG Algorithm indicates that we should probably have an RNG Parameters which contains the RNG standard and the various building blocks in terms of curves, digests, MACs, block ciphers (with cryptographic length) rather than a single “combined” RNG algorithm enumeration.


Request Payload


RNG Parameters No The random number generator algorithm. If the client does not request a specific RNG algorithm the server is free to select any RNG that it supports.




Entropy Security StrengthQuality No The requested claimed security strength entropy quality of the seed data (in bits)

Offset No The optional offset into the random number generator output stream at which output should be returned.

Personalization String No The optional personalization string.

Data No The data to be provided as a seed to the random number generator

Data Padding Bits No The number of zero bits of padding prepended to the first byte of data if the bit count is not a multiple of 8.

Data Length No The amount of entropy to be returned (in bytes).

Table 15: RNG Retrieve Request Payload


Response Payload



RNG AlgorithmParameters Yes The random number generator parameters including the RNG algorithm. If the system does not claim a specific RNG algorithm the RNG Algorithm Unspecified will be returned as the RNG Algorithm value.

Entropy QualitySecurity Strength No The requested claimed security strength entropy quality of the output (in bits) if known

Data No The random number generator output (in bytes).

Data Padding Bits No The number of zero bits of padding prepended to the first byte of Data if the RNG output bit count is not a multiple of 8.

Table 16: RNG Retrieve Response Payload


2.9 Message Encoding

The following additions are required to [KMIP-SPEC-1_1] to define the tag values and operation enumeration values required for this profile. These additions could also be applied to [KMIP-SPEC-1_0].

2.9.1 Cryptographic Parameters

[[ Updates to [KMIP-SPEC-1_1] 3.6 adding paragraphs and updating the table with three new rows at the end ]]

The Cryptographic Algorithm is also used to specify the parameters for the cryptographic operations defined in the Cryptographic Profile. For operations involving digital signatures either the Digital Signature Algorithm can be specified or the Cryptographic Algorithm and Hashing Algorithm combination.

Random IV can be used to request that the KMIP server generate an appropriate IV for a cryptographic operation that requires an IV. The generated Random IV is returned in the response to the cryptographic operation.

Object Encoding REQUIRED

Cryptographic Parameters Structure

Block Cipher Mode Enumeration, see 9.1.3.2.14

No

Padding Method Enumeration, see 9.1.3.2.15

No

Hashing Algorithm Enumeration, see 9.1.3.2.16

No

Key Role Type Enumeration, see 9.1.3.2.17

No

Digital Signature Algorithm Enumeration, see 9.1.3.2.7

No

Cryptographic Algorithm Enumeration, see 9.1.3.2.13

No

Random IV Boolean No

2.9.2 RNG Parameters

[[ Addition to [KMIP-SPEC-1_1] section 2.1 as a new Base Object ]]

The RNG Parameters base object is a structure that contains a set of OPTIONAL fields that describe certain RNG parameters to be used when performing cryptographic operations involving a RNG. Specific fields pertain only to certain types of RNGs.

The RNG Algorithm SHALL be specified and if the algorithm implemented is unknown then the Unspecified enumeration SHALL be used.

If the cryptographic building blocks used within the RNG are known they MAY be specified in combination of the remaining fields within the RNG Parameters structure.


Object Encoding REQUIRED

RNG Parameters Structure

RNG Algorithm Enumeration, see 9.1.3.2.34 (below)

Yes

Cryptographic Algorithm

Enumeration, see 9.1.3.2.13

No

Cryptographic Length Integer No

Hashing Algorithm Enumeration, see 9.1.3.2.16

No

DRBG Algorithm Enumeration, see 9.1.3.2.35 (below)

No

Recommended Curve Enumeration, see 9.1.3.2.5

No

FIPS186 Variation Enumeration, see 9.1.3.2.36 (below)

No

2.9.3 Data


This is used in requests and responses in cryptographic operations that require data to be passed between the client and the server.

Object Encoding

Data Byte String

2.9.4 Data Length


This is used in requests in cryptographic operations to indicate the amount of data expected in a response.

Object Encoding

Data Length Integer

2.9.5 Signature Data


This is used in requests and responses in cryptographic operations that require signature data to be passed between the client and the server.

Object Encoding

Signature Data Byte String


2.9.6 Init Indicator


This is used in requests and responses in cryptographic operations to support single-part and multi-part (streaming operations).

Object Encoding

Init Indicator Boolean

2.9.7 Final Indicator


This is used in requests and responses in cryptographic operations to support single-part and multi-part (streaming operations).

Object Encoding

Final Indicator Boolean

2.9.8 Correlation Value


This is returned in each response to a multi-part cryptographic operation that requires subsequent requests.

Object Encoding

Correlation Value Byte String

2.9.9 Personalization String


This is provided in cryptographic operations using RNGs which require a personalization string to be specified.

Object Encoding

Personalization String Byte String

2.9.10 Data Padding Bits


For RNG input or output that is not an even multiple of 8 bits this specifies the number of zero bits of padding prepended to the first byte of data (if the bit count is not a multiple of 8).

Object Encoding

Data Padding Bits Integer

2.9.12.9.11 Tags

[[ Addition to [KMIP-SPEC-1_1] 9.1.3.1 Tags table at end ]]

Tag

Object Tag Value


Tag

Object Tag Value

Data 4200B8

Signature Data 4200B9

Data Length 4200BA

RNG Algorithm 4200BB

Entropy Quality 4200BC

Seed Quality 4200BD

Init Indicator 4200BE4200BC

Final Indicator 4200BF4200BD

Correlation Value 4200C04200BE

Personalization String 4200BF

RNG Parameters 4200C0

Security Strength 4200C1

Data Padding Bits 4200C2

DRBG Algorithm 4200C3

FIPS186 Variation 4200C4

Random IV 4200C5

2.9.22.9.12 Operation Enumeration

[[ Addition to [KMIP-SPEC-1_1] 9.1.3.2.27 table at end ]]

Operation

Name Value

Encrypt 0000001F

Decrypt 00000020

Sign 00000021

Signature Verify 00000022

MAC 00000023

MAC Verify 00000024

RNG 00000025

Hash 00000026


2.9.32.9.13 RNG Algorithm Enumeration

[[ Addition to [KMIP-SPEC-1_1] as 9.1.3.2.32 34 as a new enumeration ]]

Note: looking at the RNG Algorithm indicates that we should probably have an RNG Parameters which contains the RNG standard and the various building blocks in terms of curves, digests, MACs, block ciphers (with cryptographic length) rather than a single “combined” RNG algorithm enumeration.

Operation

Name Value

Unspecified 00000001

FIPS 186-2 GP x-Original SHA-1 00000002

FIPS 186-2 GP x-Change Notice SHA-1 00000003

ANSI X9.31 AES-128

ANSI X9.31 AES-256

Hash_Based DRBG SHA-1 00000006

HMAC DRBG SHA-256 00000007

CTR DRBG AES-256 00000008

DRBG 00000003

NRBG 00000004

ANSI X9.31 00000005

ANSI X9.62 00000006

Extensions 8XXXXXXX

Note: the user should be aware that a number of these algorithms are no longer recommended for general use and/or are deprecated. They are included for completeness.

RNG Algorithm needs to handle at least all the algorithms that can be tested under FIPS140-2 and the DRBG algorithms from NIST SP800-90A and NRBG algorithms from NIST SP800-90C.

FIPS 140-2 RNG VS

Algorithm FIPS 186-2, FIPS 186-2 General Purpose Algorithm, ANSI X9.62, ANSI X9.31

RNG Generators For FIPS 186-2: x-Original, k-Original, x-Change Notice, k-Change Notice

For FIPS 186-2 General Purpose Algorithm: x-Original, x-Change Notice

Curves For ANSI X9.62: P-192, P-224, P-256, P-384, P-512, K-163, K-233, K-283, K-409, K-571, B-163, B-233, B-283, B-409, B-571

Core Algorithm For ANSI X9.31 after January 2005: TDES-3Key, TDES-2Key, AES-128Key, AES-192Key, AES-256Key

G Function FIPS 186-2 and ANSI X9.62: SHA-1, DES


2.9.14 DRBG Algorithm Enumeration

[[ Addition to [KMIP-SPEC-1_1] as 9.1.3.2.35 as a new enumeration ]]

Operation

Name Value


Dual-EC 00000002

Hash 00000003

HMAC 00000004

CTR 00000005

Extensions 8XXXXXXX

2.9.15 FIPS186 Variation Enumeration

[[ Addition to [KMIP-SPEC-1_1] 9.1.3.2.36 as a new enumeration ]]

Operation

Name Value


GP x-Original 00000002

GP x-Change Notice 00000003

x-Original 00000004

x-Change Notice 00000005

k-Original 00000006

k-Change Notice 00000007

Extensions 8XXXXXXX

Note: the user should be aware that a number of these algorithms are no longer recommended for general use and/or are deprecated. They are included for completeness.


3 Conformance Clauses Implementations conformant to this profile SHALL support one or more of the base profiles defined within section 3 of [KMIP-PROF] along with one or more conformance clauses including the sub-clauses of each clause below.

3.1 Base Crypto Server Clause

This proposal builds on the KMIP server conformance clauses in [KMIP-PROF] to provide the most basic functionality that would be expected of a conformant KMIP server – the ability to accept requests for encryption and decryption operations from a KMIP client.

3.1.1 Implementation Conformance

An implementation is a conforming Base Crypto Server Clause if it meets the conditions as outlined in the following section.

3.1.2 Conformance of a Base Crypto Server

An implementation conforms to this specification as a Base Crypto Server if it meets the following conditions:

1. Supports the conditions required by the KMIP Server conformance clauses ([KMIP-Spec] 12.1)

2. Supports the Encrypt client-to-server operation (2.1)

3. Supports the Decrypt client-to-server operation (2.2)

3.2 Base Crypto Client Clause

This proposal builds on the KMIP client conformance clauses in [KMIP-PROF] to provide the most basic functionality that would be expected of a conformant KMIP client – the ability to request encryption and decryption operations from a KMIP server.


An implementation is a conforming Base Crypto Client Clause if it meets the conditions as outlined in the following section.

3.2.2 Conformance of a Base Crypto Client

An implementation conforms to this specification as a Base Crypto Client if it meets the following conditions:

1. Supports the conditions required by the KMIP Client conformance clauses ([KMIP-Spec] 12.2)

2. Supports the Encrypt and/or Decrypt client-to-server operation (2.1 and/or 2.2)


3.3 RNG Crypto Server Clause

This proposal builds on the KMIP server conformance clauses in [KMIP-PROF] to provide the most basic functionality that would be expected of a conformant KMIP server – the ability to accept requests for RNG operations from a KMIP client.


An implementation is a conforming RNG Crypto Server Clause if it meets the conditions as outlined in the following section.

3.3.2 Conformance of a RNG Crypto Server

An implementation conforms to this specification as a RNG Crypto Server if it meets the following conditions:


2. Supports the RNG client-to-server operation (2.8)

3.4 RNG Crypto Client Clause

This proposal builds on the KMIP client conformance clauses in [KMIP-PROF] to provide the most basic functionality that would be expected of a conformant KMIP RNG client – the ability to request RNG output from a KMIP server.


An implementation is a conforming RNG Crypto Client Clause if it meets the conditions as outlined in the following section.

3.4.2 Conformance of a RNG Crypto Client

An implementation conforms to this specification as a Base Crypto Client if it meets the following conditions:




3.5 Advanced Crypto Server Clause

This proposal builds on the KMIP server conformance clauses in [KMIP-PROF] to provide advanced functionality that would be expected of a conformant KMIP client – the ability to request encryption, decryption, signature, and signature verification, Hash, MAC, MAC Verify and RNG operations from a KMIP client.


An implementation is a conforming Advanced Crypto Server Clause if it meets the conditions as outlined in the following section.

3.5.2 Conformance of an Advanced Crypto Server

An implementation conforms to this specification as an Advanced Crypto Server if it meets the following conditions:


2. Supports the Encrypt client-to-server operation including multi-part capability (2.1)

3. Supports the Decrypt client-to-server operation including multi-part capability (2.2)

4. Supports the Sign client-to-server operation including multi-part capability (2.3)

5. Supports the Signature Verify client-to-server operation including multi-part capability (2.4)

6. Supports the Hash client-to-server operation including multi-part capability (2.5)

7. Supports the MAC client-to-server operation including multi-part capability (2.6)

8. Supports the MAC Verify client-to-server operation including multi-part capability (2.7)


3.6 Advanced Crypto Client Clause

This proposal builds on the KMIP client conformance clauses in [KMIP-PROF] to provide the advanced functionality that would be expected of a conformant KMIP client – the ability to request encryption, decryption, signature, and signature verification, Hash, MAC, MAC Verify and RNG operations from a KMIP server.


An implementation is a conforming Advanced Crypto Client Clause if it meets the conditions as outlined in the following section.

3.6.2 Conformance of an Advanced Crypto Client

An implementation conforms to this specification as an Advanced Crypto Client if it meets the following conditions:


2. Supports the Encrypt and/or Decrypt client-to-server operation including multi-part capability (2.1 and/or 2.2)

3. Supports the Sign and/or Signature Verify client-to-server operation including multi-part capability (2.3 and/or 2.4)

4. Supports the Hash client-to-server operation including multi-part capability (2.5)

5. Supports the MAC and/or MAC Verify client-to-server operation including multi-part capability (2.6 and/or 2.7)


6. Supports the RNG client-to-server operation including multi-part capability (2.8)

3.7 Advanced RNG Server Clause

This proposal builds on the KMIP server conformance clauses in [KMIP-PROF] to provide advanced functionality that would be expected of a conformant KMIP client.


An implementation is a conforming Advanced RNG Server Clause if it meets the conditions as outlined in the following section.

3.7.2 Conformance of an Advanced Crypto Server

An implementation conforms to this specification as an Advanced Crypto Server if it meets the following conditions:


2. Supports the RNG client-to-server operation with correlation value and offset (2.8)

3.8 Advanced RNG Client Clause

This proposal builds on the KMIP client conformance clauses in [KMIP-PROF] to provide the advanced functionality that would be expected of a conformant KMIP client.


An implementation is a conforming Advanced RNG Client Clause if it meets the conditions as outlined in the following section.

3.8.2 Conformance of an Advanced Crypto Client

An implementation conforms to this specification as an Advanced RNG Client if it meets the following conditions:


2. Supports the RNG client-to-server operation with correlation value and offset (2.8)


4 Crypto Profile Test Cases This section contains a test case that demonstrates the noted Crypto Profile.

Note: the specifics of the request and response messages for each test have not yet been documented.

4.1 Base Crypto Tests

A KMIP client supporting the Base Crypto Profile supports one or more of the following tests.

A KMIP server supporting the Base Crypto Profile supports all of the following tests.

4.1.1 Test Case: Encrypt with Known Symmetric Key

Register a symmetric key and perform encrypt using the symmetric key.

Time Request/Response messages

0 Register

1 Encrypt

2 Destroy

4.1.2 Test Case: Decrypt with Known Symmetric Key

Register a symmetric key and perform decrypt using the symmetric key.


0 Register

1 Decrypt

2 Destroy

4.1.3 Test Case: Encrypt and Decrypt with Known Symmetric Key

Register a symmetric key and perform both encrypt and decrypt operations using the symmetric key.


0 Register

1 Encrypt

2 Decrypt

3 Destroy

4.1.4 Test Case: Encrypt with New Symmetric Key

Create a symmetric key and perform encrypt using the symmetric key.


0 Create

1 Encrypt

2 Destroy


4.1.5 Test Case: Decrypt with New Symmetric Key

Create a symmetric key and perform decrypt using the symmetric key.

Note: Create followed by Decrypt is unusual but some applications actually do this relying on Decrypt and Encrypt being able to be used around the wrong way to get the same result.


0 Create

1 Decrypt

2 Destroy

4.1.6 Test Case: Encrypt and Decrypt with New Symmetric Key

Create a symmetric key and perform both encrypt and decrypt operations using the symmetric key.


0 Create

1 Encrypt

2 Decrypt

3 Destroy

4.2 RNG Crypto Tests

A KMIP client supporting the RNG Crypto Profile supports one or more of the following tests.

A KMIP server supporting the RNG Crypto Profile supports all of the following tests.

4.2.1 Test Case: RNG seed

Seed an RNG.


0 RNG (with seed parameters and not requesting output bytes)

4.2.2 Test Case: RNG retrieve

Retrieve output from an RNG.


0 RNG (with no seed parameters requesting output bytes)


4.3 Advanced Crypto Tests

A KMIP client supporting the Advanced Crypto Profile supports one or more of the following tests in addition to one or more of the RNG Crypto Tests and one or more of the Base Crypto Tests.

A KMIP server supporting the Advanced Crypto Profile supports all of the following tests in addition to all of the RNG Crypto Tests and all of the Base Crypto Tests.

4.3.1 Test Case: Sign with Known Asymmetric Key

Register an asymmetric key and perform sign using the asymmetric key.


0 Register

1 Sign

2 Destroy

4.3.2 Test Case: Signature Verify with Known Asymmetric Key

Register an asymmetric key and perform signature verification using the asymmetric key.


0 Register

1 Signature Verify

2 Destroy

4.3.3 Test Case: Sign and Signature Verify with Known Asymmetric Key

Register an asymmetric key and perform both and signature verification operations using the asymmetric key.


0 Register

1 Sign

2 Signature Verify

3 Destroy

4.3.4 MAC with Known Key

Register a key and perform MAC operations using the key.


0 Register

1 MAC

2 Destroy


4.3.5 MAC with Known Key

Register a key and perform MAC verification operations using the key.


0 Register

1 MAC

2 Destroy

4.3.6 Test Case: MAC and MAC Verify with Known Key

Register a key and perform both MAC and MAC verify operations using the key.


0 Register

1 MAC

2 MAC Verify

3 Destroy

4.3.7 Test Case: Multi-part Encrypt with Known Symmetric Key

Register a symmetric key and perform encrypt using the symmetric key.


0 Register

1 Encrypt (init)

2 Encrypt (update)

3 Encrypt (update)

4 Encrypt (final)

5 Destroy

4.3.8 Test Case: Multi-part Decrypt with Known Symmetric Key

Register a symmetric key and perform decrypt using the symmetric key.


0 Register

1 Decrypt (init)

2 Decrypt (update)

3 Decrypt (update)

4 Decrypt (final)

5 Destroy


4.3.9 Test Case: Multi-part Encrypt and Decrypt with New Symmetric Key

Create a symmetric key and perform both encrypt and decrypt operations using the symmetric key.


0 Create

1 Encrypt (init)

2 Encrypt (update)

3 Encrypt (update)

4 Encrypt (final)

5 Decrypt (init)

6 Decrypt (update)

7 Decrypt (update)

8 Decrypt (final)

9 Destroy

4.4 Advanced RNG Tests

A KMIP client supporting the Advanced RNG Profile supports one or more of the following tests in addition to one or more of the RNG Crypto Tests.

A KMIP server supporting the Advanced RNG Profile supports all of the following tests in addition to all of the RNG Crypto Tests.

4.4.1 Test Case: Streaming RNG

Register an asymmetric key and perform sign using the asymmetric key.


0 Client A: RNG

1 Client B: RNG using correlation value from Client A

2 Client A: RNG using correlation value and offset

3 Client B: RNG using correlation value from Client A and offset


Appendix A. Acknowledgments

The following individuals have participated in the creation of this specification and are gratefully acknowledged:

Elaine Barker, NIST

Tony Cox, Cryptsoft

Indra Fitzgerald, Hewlett-Packard

Robert Griffin, EMC Corporation

John Leiseboer, Quintessence Labs

Denis Pochuev, SafeNet

Subhash Sankuratripati, NetApp

Kiran Kumar Thota, VMware


Appendix B. Work Items

A number of choices were made during the production of this document which warrants additional discussion.

1. No new result reason codes have been defined for the operations and additional error conditions are likely and should be defined.

2. The success from Signature Verify and MAC Verify are currently indicated by the result status and could (should) be provided via a verify result using the Validity Indicator (9.1.3.2.23).

3. The Digital Signature Algorithm introduced in KMIP 1.1 does not fit with the Cryptographic Algorithm and Cryptographic Parameters way of processing things outlined in KMIP 1.0 and this needs further thought / discussion. Prior to its introduction everything was specified in terms of the algorithm building blocks rather than a particular combination of algorithms so the combination explosion in enumeration values was avoided.

4. This leads to four alternatives for handling addition of (for example) the asymmetric parameters (only one of which should be selected):

5. Add the Digital Signature Algorithm defined in KMIP 1.1 into the Cryptographic Parameters structure (at the end) so that all operations have a common Cryptographic Parameters value; or

6. Add Cryptographic Algorithm to the Cryptographic Parameters structure (and the end) so that all operations have a common Cryptographic Parameters value; or

7. Pass in both the Cryptographic Algorithm and the Cryptographic Parameters (and optionally the Digital Signature Algorithm) to each operation; or

8. Determine the Cryptographic Algorithm from the managed object reference.

9. The success or failure of the signature verification or MAC verification is returning a Validity Indicator (as per the current Verify operation) rather than using a result status and result reason to indicate errors (allowing separation of KMIP errors from logical failures). Should this approach be used? Should a separate validity indicator be defined for each type of verification or is it okay to re-use the indicator as per this profile.

1. The tests for each of the profiles need to be completed in terms of the request and response message details.

2. More tests need to be defined.

2. The list of profiles needs to be reviewed to determine if it is a reasonable set of profiles (e.g. we require the servers to support everything and the clients to only support one or more test).

3. No mechanism has been specified in this proposal for how a client can determine which RNGs are supported by a server. This should be added to the query operation in a separate proposal.

4. No mechanism has been specified in this proposal for how a client can determine which algorithms are supported by a server. This should be added to the query operation in a separate proposal.

5. No mechanism has been specified in this proposal for how a client can determine whether the streaming interface is supported by a server for a given operation. This should be added to the query operation in a separate proposal. The Advanced Server profile requires support for the streaming interface. The Advanced RNG Server profile requires support for the RNG streaming interface.

3.6. There is no mechanism for the client to indicate whether or not it wants to "share" and RNG instantiation or wants its own separate instance. This should be added in a separate proposal.


Appendix C. Changes

Working Draft 05 to Working Draft 06

Incorporated most feedback to date

Added Hash operation (no Hash Verify is required)

Combined RNG Retrieve and RNG Seed to be just RNG

Added optional personalization string to RNG parameters

Added generic streaming / by-parts interface to all operations (Init Indicator, Final Indicator, Correlation Value adjusting REQUIRED values)

Allowed Cryptographic Parameters to be not specified so that if not specified for an operation then the default Cryptographic Parameters value from the Managed Object can be used.


Corrected blank rows in some tables from edits adding in the streaming interface in edits introduced

Removed a number of rejected alternatives from Work Items

Added Digital Signature Algorithm and Cryptographic Algorithm into Cryptographic Parameters (rather than selecting one alternative over the other)

Included prose in section 2 describing the by-parts and single interface

Added additional work items from feedback which remain to be addressed

Allowed for non-byte length returns from an RNG as RNGs may not operation on byte boundaries

Move Cryptographic Parameters definition from Appendix B to Section 2.9


Added in additional items to go into 2.1 in spec for the other shared parameters for operations

Enabled support for using ID Placeholder for all operations that currently take a Unique Identifier

Adjusted text in a number of areas

Added in Advanced RNG Profiles

Added in multi-part notes to the Advanced Crypto Profiles

Added in test cases for multi-part operation

Added in test cases for Advanced RNG

key management interoperability protocol profiles version 1 ......subhash sankuratripati...

Documents