KMIP Conformance
The CORE server accepts KMIP
Key Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server messages encoded using TTLV or JSON HTTPS profile. In particular, it accepts KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server client requests on the TCP/IP port 5696 supporting the following payload formats:
- TTLV over TLS - KMIP Profiles v1.4
- TTLV over HTTPS - KMIP Profiles v1.4
- JSON over HTTPS - KMIP Profiles v1.4. See JSON Encoding.
The OASIS Key Management Interoperability Protocol (KMIP) is a network protocol. It defines the content, structure, and semantics of the messages transferred between the KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server client and server. CORE supports KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server version V1.4 and is backward compatible with V1.x clients.
See:
Supported KMIP Objects
CORE Server supports the following KMIP Objects:
- Certificate ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 2.2.1)
- Symmetric key ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 2.2.2)
- Public key ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 2.2.3)
- Private key ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 2.2.4)
- Secret data ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 2.2.7)
- Opaque object ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 2.2.8)
Supported KMIP Attributes
CORE Server supports the following KMIP Attributes:
| Attribute | KMIP Spec | Get | Add | Modify | Delete | Notes |
|---|---|---|---|---|---|---|
| Unique Identifier | 3.1 | ✓ | ||||
| Name | 3.2 | ✓ | ✓ | ✓ | ✓ | 1 |
| Object Type | 3.3 | ✓ | ||||
| Cryptographic Algorithm | 3.4 | ✓ | ||||
| Cryptographic Length | 3.5 | ✓ | ||||
| Cryptographic Parameters | 3.6 | ✓ | 2 | |||
| State | 3.22 | ✓ | ||||
| Activation Date | 3.24 | ✓ | ||||
| Deactivation Date | 3.27 | ✓ | ||||
| Link | 3.35 | ✓ | ✓ | ✓ | ✓ | 3 |
| Application-specific Information | 3.36 | ✓ | ✓ | ✓ | ✓ | |
| Contact Information | 3.37 | ✓ | ✓ | ✓ | ✓ |
Notes:
- Uninterpreted Text String only.
- Scope: XTS cipher mode of AES only.
- The following link types: Private Key Link, Certificate Link, Replacement Object Link, Replaced Object Link. Cannot change Private Key Link and Certificate Link.
Supported KMIP Operations
CORE Server supports the following KMIP Client to Server Operations:
- Create ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.1)
- Create a key pair ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.2)
- Register (import) ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.3)
- Re-key ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.4)
- Re-key Key Pair ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.5)
- Derive Key ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.6)
- Locate ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.9)
- Check ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.10)
- Get ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.11) - See note below
- Get Attributes ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.12)
- Get Attribute List ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.13)
- Add Attribute ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.14)
- Modify Attribute ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.15)
- Delete Attribute ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.16)
- Activate ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.19)
- Revoke ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.20)
- Destroy ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.21)
- Query ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.25)
- Discover Versions ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.26)
- Encrypt ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.29)
- Decrypt ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.30)
- Sign ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.31)
- MACMessage Authentication Code - for example, CMAC, GMAC, HMAC. ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.33)
- MACMessage Authentication Code - for example, CMAC, GMAC, HMAC. Verify ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.34)
- RNG Retrieve ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.35)
- RNG Seed ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4.36)
Note
Applicable if the Export property is enabled in the materials' Cryptographic Usage Mask - see [KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 3.19.
CORE Server supports the following additional KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server features:
- ID Placeholder ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 4)
- Message Format ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 7)
- AuthenticationProcess used to achieve sufficient confidence in the binding between the Entity and the presented Identity. ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 8) (using client certificate and credentials)
- TTLV encoding ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 9.1)
- JSON Encoding
- Transport Requirements ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 10)
- Error Handling ([KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 11) for any supported object, attribute, or operation
Note
AES keys may be used with the following Format Types (see [KMIPKey Management Interoperability Protocol - an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server-SPEC] 9.1.3.2.3): Raw or TransparentSymmetric. Any other format type results in an error.
Default: Raw.
Supported KMIP Enumerations
Supported Elliptic Curves
See Recommended Curve Enumeration.
P-256, P-384, P-521, SECP256K1, CURVE25519, CURVE448
Supported Cryptographic Algorithm
See Cryptographic Algorithm Enumeration.
- DES
- 3DES
- AES
- RSA
- DSA
- ECDSAElliptic Curve Digital Signature Algorithm - A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.
- HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA1, HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA224, HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA256, HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA384, HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA512
- ECDHDiffie–Hellman (ECDH) is a key agreement protocol used to establish shared secret by deriving it from EC keys.
- EC
- ChaCha20Poly1305
- SHA3-224, SHA3-256, SHA3-384, SHA3-512
- HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA3-224, HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA3-256, HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA3-384, HMACHash-based Message Authentication Code - A MAC involving a cryptographic hash function and a secret cryptographic key.-SHA3-512
- Ed25519
- Ed448
Supported Block Cipher Mode
See Block Cipher Mode Enumeration.
- CBC
- ECB
- CFB
- OFB
- CTR
- CMAC
- GCM
- CCM
- AESKeyWrapPadding
- NISTKeyWrap
- AEAD