KMIP v.1.3: Server Enhancements for Custom Security Attributes

Contributors: Charles White

9 July 2014

Version 0.1

References:

[KMIP-Spec] Key Management Interoperability Protocol Specification Version 1.2. Committee Specification Draft 01, Public Review Draft 01, 9 January 2014.

http://docs.oasis-open.org/kmip/spec/v1.2/csprd01/kmip-spec-v1.2-csprd01.doc

[NIST SP800-130] E. Barker, M. Smid, D. Branstad, S. Chokhani, A Framework for Designing Cryptographic Key Management Systems, NIST Special Publication 800-130, August 2013.

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-130.pdf

[NIST SP800-152] E. Barker, D. Branstad, M. Smid, A Profile for U.S. Federal Cryptographic Key Management Systems, NIST Special Publication 800-152, January 2014.

http://csrc.nist.gov/publications/drafts/800-152/draft_sp_800_152_2nd.pdf

Issue Statement

This proposal covers an addition to the KMIP 1.2 specification that introduces custom security attributes, which define security metadata associated with managed cryptographic objects. In practice, Custom Security Attributes carry information such as the source of key material, the security classification of key material, or the permitted utilization of key material. More generally, custom security attributes are a means to designate which key metadata needs to be protected. Both the client and the server can consume custom security attributes to inform key management and key utilization decisions.

In that regard, the designation of sensitive attributes can also be extended to existing attributes such as Cryptographic Algorithm, Cryptographic Length, Cryptographic Parameters, Cryptographic Domain Parameters, Compromise Occurrence Date, Compromise Date, and Revocation Reason.


Proposed Changes to the KMIP Specification

This section documents changes required to the KMIP Specification in adding support for Custom Security Attributes.

3.44 Custom Security Attribute

A Custom Security Attribute is a client- or server-defined attribute intended for security information used in the creation, modification, storage, and distribution of key material. Unlike Custom Attributes, Custom Security Attributes are created by the client and MAY be interpreted by the server, or are created by the server and MAY be interpreted by the client. All custom security attributes created by the client SHALL adhere to a naming scheme where the name of the attribute SHALL have the prefix 'zx-'. All custom security attributes created by the key management server SHALL adhere to a naming scheme where the name of the attribute SHALL have the prefix 'zy-'. The server MAY accept a client-created or client-modified attribute whose name has the prefix 'zy-'. The tag type Custom Security Attribute cannot by itself identify the particular attribute; hence such an attribute SHALL only appear in an Attribute Structure with its name, as defined in Section 2.1.1.

Object: Custom Security Attribute
Encoding: Any data type or structure. If a structure, then the structure SHALL NOT include sub structures. The name of the attribute SHALL start with 'zx-' or 'zy-'.

Table 136: Custom Security Attribute

SHALL always have a value / No
Initially set by / Client or Server
Modifiable by server / Yes, for server-created attributes
Modifiable by client / Yes, for client-created attributes
Deletable by client / Yes, for client-created attributes
Multiple instances permitted / Yes
When implicitly set / Create, Create Key Pair, Register, Derive Key, Activate, Revoke, Destroy, Certify, Re-certify, Re-key, Re-key Key Pair
Applies to Object Types / All Objects

Table 137: Custom Security Attribute Rules
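The following is an added example, not part of the proposal or of any KMIP implementation, showing how a server could enforce the naming scheme of Section 3.44 and the ownership rules of Table 137 before accepting a Custom Security Attribute. The `Actor` enum, the `CustomSecurityAttribute` class, the `check_*` helpers and the `accept_zy_from_client` policy switch are this example's own names; the switch models the server's MAY for client-supplied 'zy-' names, and a Python dict stands in for a KMIP structure so that the "no sub structures" rule of Table 136 can be checked as well.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Any, Optional


class Actor(Enum):
    CLIENT = "client"
    SERVER = "server"


CLIENT_PREFIX = "zx-"   # Section 3.44: client-created attribute names
SERVER_PREFIX = "zy-"   # Section 3.44: server-created attribute names


class PolicyViolation(ValueError):
    """Raised when a request breaks a Section 3.44 / Table 137 rule."""


@dataclass(frozen=True)
class CustomSecurityAttribute:
    name: str
    value: Any          # any data type, or a flat structure (dict) per Table 136
    created_by: Actor   # recorded at creation; drives the Table 137 checks


def prefix_owner(name: str) -> Optional[Actor]:
    """Map the mandatory name prefix to the party it designates (None if neither)."""
    if name.startswith(CLIENT_PREFIX):
        return Actor.CLIENT
    if name.startswith(SERVER_PREFIX):
        return Actor.SERVER
    return None


def is_flat_structure(value: Any) -> bool:
    """Table 136: a structure SHALL NOT include sub structures.
    A dict models a structure here; nested dicts/lists count as sub structures."""
    if isinstance(value, dict):
        return not any(isinstance(v, (dict, list, tuple)) for v in value.values())
    return True  # scalar data types are always acceptable


def check_create(actor: Actor, attr: CustomSecurityAttribute,
                 accept_zy_from_client: bool = False) -> bool:
    """Validate a creation request; returns True or raises PolicyViolation."""
    owner = prefix_owner(attr.name)
    if owner is None:
        raise PolicyViolation(f"{attr.name!r}: name SHALL start with 'zx-' or 'zy-'")
    if not is_flat_structure(attr.value):
        raise PolicyViolation(f"{attr.name!r}: structure SHALL NOT include sub structures")
    if actor is Actor.SERVER and owner is Actor.CLIENT:
        raise PolicyViolation(f"{attr.name!r}: server-created names SHALL use 'zy-'")
    if actor is Actor.CLIENT and owner is Actor.SERVER and not accept_zy_from_client:
        # The server MAY accept a client-created 'zy-' name; this policy does not.
        raise PolicyViolation(f"{attr.name!r}: client-supplied 'zy-' name not accepted")
    return True


def check_modify(actor: Actor, attr: CustomSecurityAttribute,
                 accept_zy_from_client: bool = False) -> bool:
    """Table 137: the server modifies server-created attributes and the client
    modifies client-created ones; client modification of a 'zy-' attribute is
    only allowed when the server's policy accepts it."""
    if attr.created_by is actor:
        return True
    if (actor is Actor.CLIENT and prefix_owner(attr.name) is Actor.SERVER
            and accept_zy_from_client):
        return True
    raise PolicyViolation(f"{attr.name!r}: not modifiable by {actor.value}")


def client_may_delete(attr: CustomSecurityAttribute) -> bool:
    """Table 137 grants client deletion only for client-created attributes."""
    return attr.created_by is Actor.CLIENT


if __name__ == "__main__":
    # Constructed sample attributes, not values from the proposal.
    classification = CustomSecurityAttribute("zx-classification", "SECRET", Actor.CLIENT)
    source = CustomSecurityAttribute("zy-key-source", {"origin": "hsm"}, Actor.SERVER)
    print(check_create(Actor.CLIENT, classification))          # True
    print(check_modify(Actor.SERVER, source))                   # True
    print(client_may_delete(source))                            # False
    try:
        check_modify(Actor.CLIENT, source)
    except PolicyViolation as exc:
        print("rejected:", exc)
```

The checks are deliberately separated by operation (create, modify, delete) because Table 137 assigns different rights to each; a server that only validated the prefix at creation time would still let a client rewrite a server-created attribute later.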