KMIP Conformance
The CORE server accepts KMIP (Key Management Interoperability Protocol, an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server) messages encoded using the TTLV or JSON (HTTPS profile) encodings. In particular, it accepts KMIP client requests on TCP/IP port 5696 and supports the following payload formats:
- TTLV over TLS - KMIP Profiles v1.4
- TTLV over HTTPS - KMIP Profiles v1.4
- JSON over HTTPS - KMIP Profiles v1.4. See JSON Encoding.
The OASIS Key Management Interoperability Protocol (KMIP) is a network protocol. It defines the content, structure, and semantics of the messages transferred between the KMIP client and server. CORE supports KMIP version V1.4 and is backward compatible with V1.x clients.
Supported KMIP Objects
CORE Server supports the following KMIP Objects:
- Certificate ([KMIP-SPEC] 2.2.1)
- Symmetric key ([KMIP-SPEC] 2.2.2)
- Public key ([KMIP-SPEC] 2.2.3)
- Private key ([KMIP-SPEC] 2.2.4)
- Secret data ([KMIP-SPEC] 2.2.7)
- Opaque object ([KMIP-SPEC] 2.2.8)
Supported KMIP Attributes
CORE Server supports the following KMIP Attributes:
Attribute | KMIP Spec | Get | Add | Modify | Delete | Notes |
---|---|---|---|---|---|---|
Unique Identifier | 3.1 | ✓ | | | | |
Name | 3.2 | ✓ | ✓ | ✓ | ✓ | 1 |
Object Type | 3.3 | ✓ | | | | |
Cryptographic Algorithm | 3.4 | ✓ | | | | |
Cryptographic Length | 3.5 | ✓ | | | | |
Cryptographic Parameters | 3.6 | ✓ | | | | 2 |
State | 3.22 | ✓ | | | | |
Activation Date | 3.24 | ✓ | | | | |
Deactivation Date | 3.27 | ✓ | | | | |
Link | 3.35 | ✓ | ✓ | ✓ | ✓ | 3 |
Application-specific Information | 3.36 | ✓ | ✓ | ✓ | ✓ | |
Contact Information | 3.37 | ✓ | ✓ | ✓ | ✓ | |
Notes:
1. Uninterpreted Text String only.
2. Scope: XTS cipher mode of AES only.
3. The following link types: Private Key Link, Certificate Link, Replacement Object Link, Replaced Object Link. Private Key Link and Certificate Link cannot be changed.
Supported KMIP Operations
CORE Server supports the following KMIP Client to Server Operations:
- Create ([KMIP-SPEC] 4.1)
- Create Key Pair ([KMIP-SPEC] 4.2)
- Register (import) ([KMIP-SPEC] 4.3)
- Re-key ([KMIP-SPEC] 4.4)
- Re-key Key Pair ([KMIP-SPEC] 4.5)
- Derive Key ([KMIP-SPEC] 4.6)
- Locate ([KMIP-SPEC] 4.9)
- Check ([KMIP-SPEC] 4.10)
- Get ([KMIP-SPEC] 4.11) - see note below
- Get Attributes ([KMIP-SPEC] 4.12)
- Get Attribute List ([KMIP-SPEC] 4.13)
- Add Attribute ([KMIP-SPEC] 4.14)
- Modify Attribute ([KMIP-SPEC] 4.15)
- Delete Attribute ([KMIP-SPEC] 4.16)
- Activate ([KMIP-SPEC] 4.19)
- Revoke ([KMIP-SPEC] 4.20)
- Destroy ([KMIP-SPEC] 4.21)
- Query ([KMIP-SPEC] 4.25)
- Discover Versions ([KMIP-SPEC] 4.26)
- Encrypt ([KMIP-SPEC] 4.29)
- Decrypt ([KMIP-SPEC] 4.30)
- Sign ([KMIP-SPEC] 4.31)
- MAC (Message Authentication Code, for example CMAC, GMAC, HMAC) ([KMIP-SPEC] 4.33)
- MAC Verify ([KMIP-SPEC] 4.34)
- RNG Retrieve ([KMIP-SPEC] 4.35)
- RNG Seed ([KMIP-SPEC] 4.36)
Note
Get is applicable only if the Export property is enabled in the material's Cryptographic Usage Mask; see [KMIP-SPEC] 3.19.
CORE Server supports the following additional KMIP features:
- ID Placeholder ([KMIP-SPEC] 4)
- Message Format ([KMIP-SPEC] 7)
- Authentication ([KMIP-SPEC] 8), using client certificate and credentials
- TTLV encoding ([KMIP-SPEC] 9.1)
- JSON Encoding
- Transport Requirements ([KMIP-SPEC] 10)
- Error Handling ([KMIP-SPEC] 11) for any supported object, attribute, or operation
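As an added example (not CORE's code and not taken from the KMIP specification), the following Python builds a KMIP 1.4 Get request in the TTLV encoding ([KMIP-SPEC] 7 and 9.1) and decodes it again, checking every length field against the buffer before using it so that a truncated or malformed message is rejected rather than read past its end. Tag, item-type and Operation enumeration values are the published KMIP 1.4 values; the unique identifier is a constructed sample; the encoder is checked against the specification's own Integer test vector (9.1.2). The bytes returned by `get_request` are what a client writes to port 5696 inside the TLS session.

```python
"""TTLV encoding/decoding of a KMIP 1.4 Get request ([KMIP-SPEC] 7, 9.1).
Added example, not CORE's code. Tag, type and enumeration values are the
published KMIP 1.4 values; the unique identifier used is a constructed sample."""
import struct

# Item types ([KMIP-SPEC] 9.1.1.2); only the ones a Get exchange needs are handled here.
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 1, 2, 5, 7, 8

# Item tags ([KMIP-SPEC] 9.1.3.1), subset.
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
    "CompromiseDate": 0x420020,  # used only for the spec's own Integer test vector
}
TAG_NAME = {v: k for k, v in TAG.items()}
OPERATION_GET = 0x0A  # Operation enumeration ([KMIP-SPEC] 9.1.3.2.27)


def _pad8(b: bytes) -> bytes:
    """Values are zero-padded to a multiple of 8 bytes ([KMIP-SPEC] 9.1.1.3)."""
    return b + b"\x00" * (-len(b) % 8)


def encode(tag: int, typ: int, value) -> bytes:
    """One item: 3-byte tag, 1-byte type, 4-byte big-endian length, padded value."""
    if typ == STRUCTURE:
        body = b"".join(value)            # children are already encoded and 8-aligned
    elif typ == INTEGER:
        body = struct.pack(">i", value)   # 4 bytes on the wire, then 4 bytes of padding
    elif typ == ENUMERATION:
        body = struct.pack(">I", value)
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    elif typ == BYTE_STRING:
        body = bytes(value)
    else:
        raise ValueError(f"unsupported item type {typ}")
    return tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body)) + _pad8(body)


def decode(buf: bytes, pos: int = 0):
    """Decode one item at pos -> (tag, type, value, next_pos); Structures recurse.
    Every length is checked against the buffer before use, so a truncated or
    malformed message raises ValueError rather than being read past its end."""
    if len(buf) - pos < 8:
        raise ValueError("truncated TTLV header")
    tag = int.from_bytes(buf[pos:pos + 3], "big")
    typ = buf[pos + 3]
    length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
    start, end = pos + 8, pos + 8 + length
    nxt = end + (-length % 8)             # position after the value and its padding
    if nxt > len(buf):
        raise ValueError("TTLV length exceeds buffer")
    if typ in (INTEGER, ENUMERATION) and length != 4:
        raise ValueError(f"bad length {length} for 4-byte item")
    raw = buf[start:end]
    if typ == STRUCTURE:
        value, p = [], start
        while p < end:
            t, ty, v, p = decode(buf, p)
            value.append((TAG_NAME.get(t, hex(t)), ty, v))
        if p != end:
            raise ValueError("child item overruns enclosing Structure")
    elif typ == INTEGER:
        value = struct.unpack(">i", raw)[0]
    elif typ == ENUMERATION:
        value = struct.unpack(">I", raw)[0]
    elif typ == TEXT_STRING:
        value = raw.decode("utf-8")
    elif typ == BYTE_STRING:
        value = raw
    else:
        raise ValueError(f"unsupported item type {typ}")
    return tag, typ, value, nxt


def get_request(unique_identifier: str) -> bytes:
    """A complete KMIP 1.4 Get request ([KMIP-SPEC] 4.11) for one managed object."""
    header = encode(TAG["RequestHeader"], STRUCTURE, [
        encode(TAG["ProtocolVersion"], STRUCTURE, [
            encode(TAG["ProtocolVersionMajor"], INTEGER, 1),
            encode(TAG["ProtocolVersionMinor"], INTEGER, 4),
        ]),
        encode(TAG["BatchCount"], INTEGER, 1),
    ])
    item = encode(TAG["BatchItem"], STRUCTURE, [
        encode(TAG["Operation"], ENUMERATION, OPERATION_GET),
        encode(TAG["RequestPayload"], STRUCTURE, [
            encode(TAG["UniqueIdentifier"], TEXT_STRING, unique_identifier),
        ]),
    ])
    return encode(TAG["RequestMessage"], STRUCTURE, [header, item])
```

`decode(get_request("some-uid"))` returns the nested tree with tag names resolved, and `decode` on a message with a single byte removed raises instead of returning partial data; the same reader can be used on the server's response, whose outer tag is ResponseMessage.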
Note
AES keys may be used with the following Format Types (see [KMIP-SPEC] 9.1.3.2.3): Raw or TransparentSymmetric. Any other format type results in an error.
Default: Raw.
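The two notes above (Get requires the Export property in the Cryptographic Usage Mask; AES keys are returned only as Raw or TransparentSymmetric, Raw being the default) can be expressed as a single server-side admission check. The following Python is an added example, not CORE's code; `ManagedKey`, `check_get` and `audit_line` are hypothetical names, the sample keys are constructed, and the usage-mask bit values and Key Format Type enumeration values are the published KMIP 1.4 ones.

```python
"""Admission check for Get on a managed key, mirroring the two notes above.
Added example, not CORE's code. Usage-mask bits and Key Format Type values are
the published KMIP 1.4 values; ManagedKey and the sample keys are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Cryptographic Usage Mask bits ([KMIP-SPEC] 3.19, 9.1.3.3.1), subset.
USAGE = {"Sign": 0x01, "Verify": 0x02, "Encrypt": 0x04, "Decrypt": 0x08,
         "WrapKey": 0x10, "UnwrapKey": 0x20, "Export": 0x40,
         "MACGenerate": 0x80, "MACVerify": 0x100, "DeriveKey": 0x200}

# Key Format Type enumeration ([KMIP-SPEC] 9.1.3.2.3), subset.
KEY_FORMAT_RAW = 0x01
KEY_FORMAT_PKCS8 = 0x04
KEY_FORMAT_TRANSPARENT_SYMMETRIC = 0x07
AES_FORMATS = {KEY_FORMAT_RAW, KEY_FORMAT_TRANSPARENT_SYMMETRIC}


@dataclass
class ManagedKey:            # hypothetical stand-in for a stored object and its attributes
    unique_identifier: str
    algorithm: str           # Cryptographic Algorithm attribute, e.g. "AES"
    usage_mask: int          # Cryptographic Usage Mask attribute


def usage_names(mask: int) -> list:
    """Decompose a usage mask into the names of its set bits, for audit output."""
    return [name for name, bit in USAGE.items() if mask & bit]


def check_get(key: ManagedKey, key_format_type: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a Get for `key` may proceed; returns (allowed, reason).
    Get is refused unless the Export bit is set; an AES key is returned only
    as Raw (the default when the request names no format) or TransparentSymmetric."""
    if not key.usage_mask & USAGE["Export"]:
        return False, "Permission Denied: Export not set in Cryptographic Usage Mask"
    fmt = KEY_FORMAT_RAW if key_format_type is None else key_format_type
    if key.algorithm == "AES" and fmt not in AES_FORMATS:
        return False, f"Key Format Type Not Supported: {fmt:#x} for AES"
    return True, "OK"


def audit_line(key: ManagedKey, key_format_type: Optional[int] = None) -> str:
    """One log line per decision, so refused key exports are visible to monitoring."""
    allowed, reason = check_get(key, key_format_type)
    return (f"Get uid={key.unique_identifier} alg={key.algorithm} "
            f"usage={'|'.join(usage_names(key.usage_mask))} "
            f"result={'ALLOW' if allowed else 'DENY'} reason={reason}")
```

The reason strings reuse the KMIP Result Reason names (Permission Denied, Key Format Type Not Supported) so that a denial logged by `audit_line` can be matched against the error the client receives.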
Supported KMIP Enumerations
Supported Elliptic Curves
See Recommended Curve Enumeration.
P-256, P-384, P-521, SECP256K1, CURVE25519, CURVE448
Supported Cryptographic Algorithm
See Cryptographic Algorithm Enumeration.
- DES
- 3DES
- AES
- RSA
- DSA
- ECDSA
- HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512
- ECDH
- EC
- ChaCha20Poly1305
- SHA3-224, SHA3-256, SHA3-384, SHA3-512
- HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
- Ed25519
- Ed448
Supported Block Cipher Mode
See Block Cipher Mode Enumeration.
- CBC
- ECB
- CFB
- OFB
- CTR
- CMAC
- GCM
- CCM
- AESKeyWrapPadding
- NISTKeyWrap
- AEAD