About: Key Management Interoperability Protocol (KMIP) is a research topic. Over its lifetime, 11 publications have been published within this topic, receiving 50 citations in total. The topic is also known as: KMIP.
TL;DR: This work presents a novel Key-Lifecycle Management System (KLMS), which addresses two issues that have not been addressed comprehensively so far: a pattern-based method to simplify and to automate the deployment task for keys and certificates, and a novel form of strict access control to keys.
Abstract: Key management is the Achilles’ heel of cryptography. This work presents a novel Key-Lifecycle Management System (KLMS), which addresses two issues that have not been addressed comprehensively so far.
First, KLMS introduces a pattern-based method to simplify and to automate the deployment task for keys and certificates, i.e., the task of associating them with endpoints that use them. Currently, the best practice is often a manual process, which does not scale and suffers from human error. Our approach eliminates these problems and specifically takes into account the lifecycle of keys and certificates. The result is a centralized, scalable system, addressing the current demand for automation of key management.
Second, KLMS provides a novel form of strict access control to keys and realizes the first cryptographically sound and secure access-control policy for a key-management interface. Strict access control takes into account the cryptographic semantics of certain key-management operations (such as key wrapping and key derivation) to prevent attacks through the interface, which plagued earlier key-management interfaces with less sophisticated access control.
Moreover, KLMS addresses the needs of a variety of different applications and endpoints, and includes an interface to the Key Management Interoperability Protocol (KMIP), which was under standardization at the time of writing.
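The attack class the abstract alludes to is the wrap-then-decrypt export: if one key may both wrap other keys and decrypt data, wrapping a sensitive key under it and then decrypting the wrapped blob returns the sensitive key in the clear, with every single call being authorized. The script below is an added illustration, not code from the KLMS paper: it runs the attack against a permissive key store and against one whose policy considers what wrap and decrypt mean together. The cipher is a toy (XOR with an HMAC-SHA256 keystream) standing in for a real wrap/encrypt mechanism so the script needs only the standard library, and the rule enforced (a key may not hold the wrap and decrypt roles at the same time, checked at creation and on every attribute change) is the classic attribute-conflict remedy, not the KLMS policy, which the abstract does not spell out.

```python
"""Wrap-then-decrypt through a key-management interface, and a strict policy that refuses it.

Added illustration, not code from the KLMS paper. Toy cipher, toy policy; see the lead-in.
"""
import hashlib
import hmac
import os


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream. Encryption and decryption are the same
    call, as with a stream mode. Stand-in only; never use this as a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class KeyStore:
    """Minimal key-management interface: keys are addressed by handle, are never
    returned directly, and carry a set of roles (wrap, unwrap, encrypt, decrypt)."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self._keys = {}  # handle -> {"value": bytes, "roles": set}

    def _enforce(self, handle: str, roles: set) -> None:
        # Strict policy: wrap and decrypt must not coexist on one key, because
        # wrap(K, S) followed by decrypt(K, blob) returns S in the clear. The check
        # reasons about what the two operations do together, not about the caller.
        if self.strict and {"wrap", "decrypt"} <= roles:
            raise PermissionError(f"{handle}: wrap and decrypt roles conflict")

    def create(self, handle: str, roles, value=None) -> None:
        roles = set(roles)
        self._enforce(handle, roles)
        material = value if value is not None else os.urandom(32)
        self._keys[handle] = {"value": material, "roles": roles}

    def add_role(self, handle: str, role: str) -> None:
        # Re-checked on attribute change; otherwise creating a wrap-only key and
        # granting decrypt afterwards would bypass the policy.
        roles = self._keys[handle]["roles"] | {role}
        self._enforce(handle, roles)
        self._keys[handle]["roles"] = roles

    def _require(self, handle: str, role: str) -> None:
        if role not in self._keys[handle]["roles"]:
            raise PermissionError(f"{handle}: role {role} not granted")

    def wrap(self, wrapping: str, target: str) -> bytes:
        self._require(wrapping, "wrap")
        return toy_cipher(self._keys[wrapping]["value"], self._keys[target]["value"])

    def decrypt(self, handle: str, blob: bytes) -> bytes:
        self._require(handle, "decrypt")
        return toy_cipher(self._keys[handle]["value"], blob)


def wrap_decrypt_attack(strict: bool):
    """Run the attack against a permissive (strict=False) or a strict store.
    Returns the exported key bytes on success, or the refusal message."""
    store = KeyStore(strict=strict)
    secret = bytes(range(32))  # constructed sample key; S is meant never to leave the store
    store.create("S", {"encrypt"}, value=secret)
    try:
        store.create("W", {"wrap"})
        store.add_role("W", "decrypt")   # the permissive store accepts this
        blob = store.wrap("W", "S")      # looks like a legitimate export of S under W
        return store.decrypt("W", blob)  # ...which decrypt turns back into S itself
    except PermissionError as err:
        return str(err)


if __name__ == "__main__":
    print("permissive store:", wrap_decrypt_attack(strict=False).hex())
    print("strict store:", wrap_decrypt_attack(strict=True))
```

Note that both the permissive and the strict store authorize each call by role; the difference is only that the strict one refuses a combination of roles whose joint cryptographic effect is key export.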
TL;DR: In this article, a key management protocol (such as the Key Management Interoperability Protocol (KMIP)) is extended via a set of one or more custom attributes to provide a mechanism by which clients pass additional metadata to facilitate enhanced key provisioning operations by a key management server.
Abstract: A key management protocol (such as the Key Management Interoperability Protocol (KMIP)) is extended via a set of one or more custom attributes to provide a mechanism by which clients pass additional metadata to facilitate enhanced key provisioning operations by a key management server. The protocol comprises objects, operations, and attributes. Objects are the cryptographic material (e.g., symmetric keys, asymmetric keys, digital certificates and so on) upon which operations are performed. Operations are the actions taken with respect to the objects, such as getting an object from a key management server, modifying attributes of an object and the like. Attributes are the properties of the object, such as the kind of object it is, the unique identifier for the object, and the like. According to this disclosure, a first custom server attribute has a value that specifies a keygroup name that can be used by the key management server to locate (e.g., during a Locate operation) key material associated with a named keygroup. A second custom server attribute has a value that specifies a keygroup name into which key material should be registered (e.g., during a Register operation) by the server. A third custom server attribute has a value that specifies a default keygroup that the server should use for the device passing a request that includes the attribute. Using these one or more custom server attributes, the client taps into and consumes/contributes to the key management server's provisioning machinery.
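The following in-memory server shows how the three keygroup attributes interact with Register and Locate. It is an added example, not the disclosure's implementation: the attribute names are assumed (the abstract does not give them) and carry the "x-" prefix that KMIP 1.x requires on client-defined custom attributes, the server rejects other non-standard names, and the sample keys and attribute values are constructed.

```python
"""KMIP-style Register/Locate with keygroup custom attributes (added example, not the patent's code)."""
import itertools

X_LOCATE = "x-keygroup-locate"      # assumed name: group to search during Locate
X_REGISTER = "x-keygroup-register"  # assumed name: group to file new material under
X_DEFAULT = "x-keygroup-default"    # assumed name: default group for the requesting client
CONTROL = {X_LOCATE, X_REGISTER, X_DEFAULT}
STANDARD = {"Object Type", "Cryptographic Algorithm", "Cryptographic Length", "Name"}


class KeyGroupServer:
    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self._objects = {}   # unique identifier -> {"material": bytes, "attrs": dict}
        self._groups = {}    # keygroup name -> set of unique identifiers
        self._defaults = {}  # client id -> default keygroup name

    @staticmethod
    def _check_names(attrs: dict) -> None:
        # KMIP 1.x: client-defined custom attributes must be named "x-...".
        for name in attrs:
            if name not in STANDARD and not name.startswith("x-"):
                raise ValueError(f"custom attribute {name!r} must start with 'x-'")

    def _resolve_group(self, client: str, attrs: dict, control: str):
        """Record a new default group if the request carries one, then choose the
        group for this request: the explicit control attribute, else the client's default."""
        self._check_names(attrs)
        if X_DEFAULT in attrs:
            self._defaults[client] = attrs[X_DEFAULT]
        return attrs.get(control, self._defaults.get(client))

    def register(self, client: str, material: bytes, attrs: dict) -> int:
        group = self._resolve_group(client, attrs, X_REGISTER)
        uid = next(self._ids)
        stored = {k: v for k, v in attrs.items() if k not in CONTROL}  # control attrs are not object attrs
        self._objects[uid] = {"material": material, "attrs": stored}
        if group is not None:
            self._groups.setdefault(group, set()).add(uid)
        return uid

    def locate(self, client: str, attrs: dict) -> list:
        group = self._resolve_group(client, attrs, X_LOCATE)
        wanted = {k: v for k, v in attrs.items() if k not in CONTROL}
        candidates = self._groups.get(group, set()) if group is not None else set(self._objects)
        return sorted(uid for uid in candidates
                      if all(self._objects[uid]["attrs"].get(k) == v for k, v in wanted.items()))

    def groups(self) -> dict:
        return {g: sorted(m) for g, m in self._groups.items()}


def demo() -> dict:
    srv = KeyGroupServer()
    aes = {"Object Type": "SymmetricKey", "Cryptographic Algorithm": "AES",
           "Cryptographic Length": 256}  # constructed sample attributes
    srv.register("hsm-a", b"\x11" * 32, {**aes, X_DEFAULT: "prod-db"})   # uid 1: sets default, lands in prod-db
    srv.register("hsm-a", b"\x22" * 32, {**aes, X_REGISTER: "staging"})  # uid 2: explicit group wins
    srv.register("hsm-b", b"\x33" * 32, aes)                             # uid 3: no group at all
    try:
        srv.register("hsm-b", b"\x44" * 32, {**aes, "keygroup": "prod-db"})
        bad_name_rejected = False
    except ValueError:
        bad_name_rejected = True
    return {
        "default_group": srv.locate("hsm-a", {"Cryptographic Algorithm": "AES"}),
        "named_group": srv.locate("hsm-a", {"Cryptographic Algorithm": "AES", X_LOCATE: "staging"}),
        "no_group": srv.locate("hsm-b", {"Cryptographic Algorithm": "AES"}),
        "groups": srv.groups(),
        "bad_name_rejected": bad_name_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

A Locate without a resolvable group searches every object, which is what a client with no default configured gets; a Locate naming a group that does not exist returns nothing rather than falling back to a global search.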
TL;DR: The proposed scheme has two advantages over the Key Management Interoperability Protocol introduced by the Organization for the Advancement of Structured Information Standards (OASIS): none of the related operations involve a communication protocol, so no special restrictions are imposed on the client devices, and the proposed scheme does not suffer from single-point-of-failure and bottleneck problems.
Abstract: The widespread use of cryptographic technologies is complicated by inconsistencies and duplication in the key management systems supporting their applications. The proliferation of key management systems or protocols also results in higher operational and infrastructure costs, and fails to achieve interoperability. Thus, it is essential to realize key management interoperability between different and heterogeneous cryptosystems. This paper presents a practical and separable key management system for heterogeneous public-key cryptosystems. We achieve the interoperability between different cryptosystems via cryptographic approaches rather than communication protocols. With our scheme, each client can freely use any kind of cryptosystem that it likes. The proposed scheme has two advantages over the Key Management Interoperability Protocol introduced by the Organization for the Advancement of Structured Information Standards (OASIS). One is that none of the related operations involve a communication protocol, so no special restrictions are imposed on the client devices. The other is that the proposed scheme does not suffer from single-point-of-failure and bottleneck problems.
TL;DR: This work specifies how the Key Management Interoperability Protocol (KMIP) can be included in the Transport Layer Security (TLS) protocol in order to provide additional security features, flexibility, interoperability and authentication, especially in distributed systems like Cloud Computing.
Abstract: Any information system using encryption tends to have its own key management infrastructure. In practice, we find separate key management systems dedicated to application encryption, database encryption, file encryption, etc. This emergent need for several key management systems and multiple cryptographic algorithms is resolved by the new Key Management Interoperability Protocol (KMIP). This work specifies how the Key Management Interoperability Protocol (KMIP) can be included in the Transport Layer Security (TLS) protocol in order to provide additional security features, flexibility, interoperability and authentication, especially in distributed systems like Cloud Computing. Until now, authentication in TLS has been limited to digital certificates and Kerberos. In this paper, we use the Key Management Interoperability Protocol to make an additional authentication option for TLS, and we reduce handshake latency to 0-RTT for repeated handshakes and 1-RTT for full handshakes. We also specify the KMIP-TLS extension and its formal validation with the AVISPA tool.
TL;DR: In this paper, a protocol stack type negotiation method and device is proposed: a first negotiation device sends a negotiation request message carrying the protocol stack types it supports to a second negotiation device, which answers with a negotiation response message, so that both devices can determine a protocol stack type they both support.
Abstract: A protocol stack type negotiation method and device. The method includes: sending a negotiation request message from the first negotiation device to the second negotiation device, wherein the negotiation request message carries the protocol stack types supported by the first negotiation device, so that the second negotiation device can select a protocol stack type supported by both the second negotiation device and the first negotiation device according to the protocol stack types carried in the negotiation request message; receiving, from the second negotiation device, the first negotiation response message sent in reply to the negotiation request message; and obtaining the protocol stack type supported by both the first and the second negotiation device from the first negotiation response message. In the embodiments of the invention, the key management center (KMC) and client devices can select the same protocol stack type to set up Key Management Interoperability Protocol (KMIP) sessions, and the client devices and KMC select the protocol stack type automatically, without manual configuration, which makes the deployment easy to maintain.
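The exchange described above, simulated end to end, as an added example that is not the patent's code: the abstract gives neither the message layout nor the stack-type identifiers, so both are assumptions here (JSON messages; stack types named as "encoding/transport"). The client is the first negotiation device and the key management center (KMC) the second. The KMC chooses from the intersection in its own preference order and reports the absence of a common stack instead of guessing; the client opens the session only for a stack it actually offered, so a response naming something else aborts the setup.

```python
"""Protocol stack type negotiation before a KMIP session (added example, not the patent's code)."""
import json

# Assumed stack-type identifiers, in the KMC's preference order (most preferred first).
KMC_STACKS = ["ttlv/tls", "xml/https", "json/https"]


class NegotiationError(Exception):
    pass


def build_request(client_stacks: list) -> bytes:
    """Negotiation request from the client: the stack types it supports."""
    return json.dumps({"msg": "negotiation-request", "stacks": list(client_stacks)}).encode()


def kmc_handle(request: bytes, kmc_stacks: list = KMC_STACKS) -> bytes:
    """KMC side: select the first stack in the KMC's preference order that the client
    also offered. Names the KMC does not know are simply never selected, and a
    missing overlap is reported explicitly in the response."""
    req = json.loads(request)
    if req.get("msg") != "negotiation-request" or not isinstance(req.get("stacks"), list):
        return json.dumps({"msg": "negotiation-response", "status": "malformed"}).encode()
    offered = set(req["stacks"])
    for stack in kmc_stacks:
        if stack in offered:
            return json.dumps({"msg": "negotiation-response", "status": "ok", "stack": stack}).encode()
    return json.dumps({"msg": "negotiation-response", "status": "no-common-stack"}).encode()


def client_complete(request: bytes, response: bytes) -> str:
    """Client side: accept the selected stack only if it appeared in our own request;
    any other outcome aborts before the KMIP session is set up."""
    offered = set(json.loads(request)["stacks"])
    resp = json.loads(response)
    if resp.get("msg") != "negotiation-response" or resp.get("status") != "ok":
        raise NegotiationError(resp.get("status", "unknown"))
    if resp.get("stack") not in offered:
        raise NegotiationError(f"KMC selected a stack we never offered: {resp.get('stack')!r}")
    return resp["stack"]


def negotiate(client_stacks: list, kmc_stacks: list = KMC_STACKS):
    """Full exchange between both sides. Returns the agreed stack type, or None
    when the devices have no stack type in common."""
    request = build_request(client_stacks)
    response = kmc_handle(request, kmc_stacks)
    try:
        return client_complete(request, response)
    except NegotiationError:
        return None


if __name__ == "__main__":
    print(negotiate(["json/https", "ttlv/tls"]))  # client lists JSON first, KMC still picks TTLV/TLS
    print(negotiate(["xml/https"], ["ttlv/tls", "json/https"]))  # no common stack
```

Because the KMC rather than the client decides the order of preference, a client cannot steer the outcome to a less preferred stack merely by reordering its list; it can only narrow the set by omitting entries.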