key management death match
play

Key Management Death Match? Marc Massar, CISSP, NSA-IAM DEEPSEC - PowerPoint PPT Presentation

Aug 31, 2023 •453 likes •769 views

Key Management Death Match? Marc Massar, CISSP, NSA-IAM DEEPSEC IDSC2009 Competing KM Standards Technical Deep Dive Introduction 2 The Problem Why So Many Key Management Products? More Problems Interoperability The

  1. Key Management Death Match? Marc Massar, CISSP, NSA-IAM DEEPSEC IDSC2009 Competing KM Standards Technical Deep Dive

  2. Introduction 2  The Problem – Why So Many Key Management Products?  More Problems – Interoperability  The Contenders  Details of the Standards/Protocols 11/19/2009

  3. 3

  4. Click icon to add picture Click icon to add picture So Many Keys, So Little Time 4 11/19/2009

  5. The Problem – The Many Uses of Crypto 5 Enterprise Cryptographic Environments Collaboration & File Server Portals Content Mgmt Disk Production Systems Arrays Backup Database LAN VPN WAN System Replica Backup Disk Enterprise eCommerce Applications Applications CRM Business Backup Staging Analytics Tape Dev/Test Email Obfuscation Key Key Key Key Key Managemen Managemen Managemen Managemen Managemen t System t System t System t System t System Key Key Key Managemen Managemen Managemen t System t System t System 11/19/2009

  6. And More – Interoperability 6 Enterprise Cryptographic Environments Collaboration & File Server Portals Content Mgmt Disk Production Systems Arrays Backup Database LAN VPN WAN System Replica Backup Disk Enterprise eCommerce Applications Applications CRM Business Backup Staging Analytics Tape Dev/Test Email Obfuscation Disparate, Often Proprietary Protocols Key Key Key Key Key Managemen Managemen Managemen Managemen Managemen t System t System t System t System t System Key Key Key Managemen Managemen Managemen t System t System t System 11/19/2009

  7. And More – The Many Uses of Crypto 7 - Certificate - Symmetric - Asymmetric - Other Client Server Network Storage Web System Network Encrypted Encrypted Client Data Encryption Encryption (SSL Database Database Protection (EFS) Management Accelerators) Management Management Secure Middleware and Router Router Encrypted T Encrypted T ape ape Communications App. Server Encryption Encryption Key Key (Outlook) Management Management Management Management Management Strong Auth for Remote Mainframe Mainframe Firewalls Firewalls NAS NAS Access (VPN) Disk Encryption Disk Encryption SSH SSH Switches Switches SANS SANs (BitLocker) (BitLocker) Management Management Wireless Wireless Encryption Encryption PGP PGP Wireless Wireless Offline Storage Offline Storage Management Management … … … … 11/19/2009

  8. Encryption is Business Critical 8  You don’t encrypt worthless information – you only encrypt the most important information  Encryption Impacts Your Business Processes!  It Matters Who Encrypts…And Matters More Who Decrypts!  Value Transfer from Data to Keys 11/19/2009

  9. Click icon to add picture Click icon to add picture The Contenders 9 11/19/2009

  10. The Contenders – KMIP 10  Key Management Interoperability Protocol Round 1 – KMIP  …will develop specification(s) for the interoperability of KM services with KM clients…will address anticipated customer requirements for KMIP is an open key lifecycle management (generation, refresh, distribution, tracking standard of use, life-cycle policies including states, archive, and destruction), backed by key sharing, and long-term availability of crypto objects of all types… OASIS with members  In Scope – Just about everything including IBM, EMC/RSA,  Out of Scope – Implementation and Thales, LSI, framework details NIST, SafeNet, and quite a few more. KMIP came out of the IEEE 1619.3 effort 11/19/2009

  11. The Contenders – IEEE 1619.3 11  1619.3 – A Sub-Committee of 1619 Round 2 - IEEE 1619.3 Working Group Formed as a  …standard defines methods for the storage, management, and sub- distribution of cryptographic keys used for the protection of stored committee of data. This standard augments existing KM methodologies to IEEE 1619 address issues specific to cryptographic protection of stored data. SISWG This includes stored data protected by compliant implementations (Security in of other standards in the IEEE 1619 family . Storage  In Scope – Protection of stored data Working Group ). Members (interfaces, methods, and algorithms) include Cisco,  Out of Scope – Transport Encryption, non- EMC/RSA, LSI, Vormetric, and storage use cases others. 11/19/2009

  12. The Contenders - EKMI 12 Round 3 –  Enterprise Key Management Infrastructure EKMI  …TC will create use-case(s) that describe how and where the protocols it intends to create, will be used Another OASIS  …TC will define symmetric key management protocols… committee.  …ensure cross-implementation interoperability, the TC will create a This one test suite…will allow different implementations of this protocol to be formed before certified… KMIP and includes  …TC will provide guidance on how a symmetric key-management members from infrastructure may be secured using asymmetric keys… Red Hat, CA,  …in conjunction with other standards organizations that focus on Wells Fargo, disciplines outside the purview of OASIS, the TC will provide input on PayPal, and how such enterprise KM infrastructures may be managed… PrimeKey.  …conduct other activities that educate users…  In Scope – All symmetric secrets secured using the defined KM Infrastructure  Out of Scope – Asymmetric KM, some implementation details 11/19/2009

  13. The Contenders – IETF KeyProv 13 Round 4 – IETF  Provisioning of Symmetric Keys KeyProv Provisioning of  …to define protocols and data formats necessary Symmetric Keys. This committee has been for provisioning of symmetric cryptographic keys inactive and active again recently and has and associated attributes...consider use cases participation from NIST, ActivIdentity, related to use of Shared Symmetric Key T okens. and others. Released Other use cases may be considered for the DSKPP – Dynamic Symmetric Key purpose of avoiding unnecessary restrictions in Provisioning Protocol and PSKC – Portable the design and ensure…future extensibility. Symmetric Key Container  In Scope – Provisioning of Symmetric keys (think existing devices)  Out of Scope – Asymmetric keys, specific implementations 11/19/2009

  14. Click icon to add picture Click icon to add picture Sizing Up the Competition 14 11/19/2009

  15. KMIP Overview 15  Community Draft Level – version 1.0  Binary Protocol  TTLV – T ag T ype Length Value  Standard defines – Objects, Attributes, and Operations  Objects – Base Objects like Key Block, Key Value, Key Wrapping Data  Objects – Managed Objects like Certificates, Keys, Key parts, template data  Attributes – Identifier, State, Usage Limits, Algorithm, Length, Issuer, Application data  Operations – Create, Register, Re-Key, Derive, Get, Modify Attributes, Activate, Revoke, Destroy  List not all inclusive 11/19/2009

  16. IEEE 1619.3 Overview 16  Draft 7 August 2009 – Probably a draft 8 soon  Defines a KM architecture model, KM Conceptual model, Lifecycle model, KM Sequence models, Object models, and Operation models  These models are all specific to “data at rest”  Does NOT define a message between actors  Proposed adoption of KMIP binary protocol for communication between actors  Defines Key naming extensively – global uniqueness  Also calls for XML message not yet defined…likely to adopt something that one of the other committees proposes (EKMI, IETF, or XML from KMIP) 11/19/2009

  17. EKMI Overview 17  SKSML – Symmetric Key Services Markup Language 1.0 PR02 Draft 8  Mobile – SKSML available as well  Committee defines not only the semantics of symmetric key exchange (XML – SKSML) but also the components required to make that exchange secure  SKMS, SKS, SKCL, uses PKI as the trust mechanism for key exchange  Very well defined set of Requests/Responses to cover multiple use cases 11/19/2009

  18. IETF KeyProv Overview 18  Leverages RFC4758 – CT-KIP (Cryptographic T oken Key Initialization Protocol)  DSKPP – 1.0 draft 9  PSKC – 1.0 draft 4  Symmetric Key Format doc – 1.0 draft 6  Does not define an architecture per se, but does outline the use cases around provisioning keys to Internet accessible cryptographic systems  Covers typical Client – Server interactions  Defines “entities” that are actors in the use cases  DSKPP allows for 2-pass and 4-pass messages between client and server 11/19/2009

  19. Click icon to add picture Click icon to add picture The Messages 19 11/19/2009

  20. Message Layout – KMIP 20 Get Unique identifier Unique … operation 04 4 0000000A 06 24 1f165d65-cbbd-4bd6-9867-80e0b390acf9 Identifier tag type length value tag type length value Tag Type Length Value Attribute Structure <varies> Tag Type Length Value Attribute String <varies> “Application Specific ID” Name Attribute Integer 4 2 Index Attribute Structure <varies> Tag Type Length Value Value App. String <varies> “ssl” Name App. String <varies> “www.example.com” ID 11/19/2009

Recommend

ASP.NET MVC / Ruby on Rails Death Match Saturday, October 6, 12 1 ASP .NET MVC / R

ASP.NET MVC / Ruby on Rails Death Match Saturday, October 6, 12 1 ASP .NET MVC / R

ASP.NET MVC / Ruby on Rails Death Match Saturday, October 6, 12 1 ASP .NET MVC / R UBY ON R AILS D EATH M ATCH James Kovacs Technical Evangelist, JetBrains @jameskovacs | jameskovacs.com james.kovacs@jetbrains.com Saturday,

470 views • 23 slides
Managing Asthma Through Case Management in Homes (MATCH) EVALUATION &amp; GROWTH Tisa Vorce, MA,

Managing Asthma Through Case Management in Homes (MATCH) EVALUATION &amp; GROWTH Tisa Vorce, MA,

Managing Asthma Through Case Management in Homes (MATCH) EVALUATION &amp; GROWTH Tisa Vorce, MA, RRT Michigan Dept. of Community Health MATCH Model Six or more home visits by AE-C Physician care conference (AE-C + client/family + HCP)

185 views • 15 slides
Fiscal Management Part 1 Recipient Share and Match Part 2 Everything Counts William Kim,

Fiscal Management Part 1 Recipient Share and Match Part 2 Everything Counts William Kim,

Fiscal Management Part 1 Recipient Share and Match Part 2 Everything Counts William Kim, Grants Management Officer David Colangeli, Financial Management Specialist Administration for Community Living Office of Grants Management July

769 views • 39 slides
Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave

Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave

Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave of Lily and James Potter Death is bad Despite its inevitability, we spend massive amounts of time, money, and effort, trying to fight death

437 views • 17 slides
Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death processes Biarth and death processes Bo Friis Nielsen 1 Limiting behaviour of birth and death processes Next week 1 DTU Informatics Finite state

309 views • 7 slides
The Fundamentals of f Engineering Librarianship Collection Management: Making the Best Match

The Fundamentals of f Engineering Librarianship Collection Management: Making the Best Match

The Fundamentals of f Engineering Librarianship Collection Management: Making the Best Match Between the Needs of Your Users and the Information Resources You Can Afford Tom Volkening Engineering Librarian Michigan State University Email:

447 views • 16 slides
Talking About Death &amp; Dying existence embraces both life and death, and in a way death

Talking About Death &amp; Dying existence embraces both life and death, and in a way death

Talking About Death &amp; Dying existence embraces both life and death, and in a way death is the test of the meaning of life. If death is devoid of meaning, then life is absurd. Lifes ultimate meaning remains obscure unless it is

321 views • 10 slides
for information such as the birth place, birth date and parents' names of the deceased. What

for information such as the birth place, birth date and parents' names of the deceased. What

Indexes and Sources of Info on Deaths, Obituaries, Burials Death records are primary source records because they are completed at, or close to, the time of the death by someone who was present at the death. Death records are especially helpful,

66 views • 5 slides
Match.com Leonard Hock, DO, MACOI, CMD, HMDC, FAAHPM Match.com Profile Gender Age

Match.com Leonard Hock, DO, MACOI, CMD, HMDC, FAAHPM Match.com Profile Gender Age

Match.com Leonard Hock, DO, MACOI, CMD, HMDC, FAAHPM Match.com Profile Gender Age Profession Favorite color Favorite song Favorite thing to do Yesterdays LTC Match.com All about census Matches

709 views • 19 slides
Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet Classification and Filtering Features 1. Supported Match Fields with Optional Masks Up to 500K exact-match and 2K wildcard rules, 20M/sec lookup rate, 200K

92 views • 6 slides
Near-Death Experiences: What if anything might they tell us about life after death? Walter L.

Near-Death Experiences: What if anything might they tell us about life after death? Walter L.

Near-Death Experiences: What if anything might they tell us about life after death? Walter L. Bradley, Ph.D., P.E. ASA Annual MeetingGordon College July 29, 2018 If you were to die tonight. Would you cease to exist? Would you no

647 views • 31 slides
1 EMS: Out of Hospital Cardiac Arrest ACC/AHA/HRS: Sudden Cardiac Death ACC/AHA/HRS, 2006:

1 EMS: Out of Hospital Cardiac Arrest ACC/AHA/HRS: Sudden Cardiac Death ACC/AHA/HRS, 2006:

U.S. Mortality by Death Certificates Redefining Sudden Cardiac Death: Insights from the 500,000 San Francisco POstmortem 400,000 Systematic invesTigation of # deaths/year 300,000 Sudden Cardiac Death Study 200,000 100,000 17 December

275 views • 16 slides
management of patients with ventricular arrhythmias and the prevention of sudden cardiac death

management of patients with ventricular arrhythmias and the prevention of sudden cardiac death

2015 ESC Guidelines for the management of patients with ventricular arrhythmias and the prevention of sudden cardiac death The Task Force for the Management of Patients with Ventricular Arrhythmias and the Prevention of Sudden Cardiac Death

768 views • 27 slides
CWCB Approved Funding $450,000 in WSRA Funding $450,000 match: CCD &amp; UDFCD match The

CWCB Approved Funding $450,000 in WSRA Funding $450,000 match: CCD &amp; UDFCD match The

South Platte River River Vision Program CWCB Approved Funding $450,000 in WSRA Funding $450,000 match: CCD &amp; UDFCD match The Greenway Foundation will provide 60% design of the following elements: ! Multi-use river access, including

369 views • 16 slides
Blastns seed length Recall: blastns seed match is of length w = 11 , 12 exact match

Blastns seed length Recall: blastns seed match is of length w = 11 , 12 exact match

1 Blastns seed length Recall: blastns seed match is of length w = 11 , 12 exact match w &gt; 10 is compatible with the packing speedup a seed match is extended to a gapless alignment What is the significance of w ? 2 w

531 views • 31 slides
Death of a Project Manager Death of a Project Manager December 12, 2013 4 The SA Government is

Death of a Project Manager Death of a Project Manager December 12, 2013 4 The SA Government is

Death of a Project Manager Death of a Project Manager December 12, 2013 4 The SA Government is responding The world has changed THE WORLD HAS CHANGED Are we trying to solve new challenges with outdated tools? Has project management? Does it

568 views • 11 slides
When Match Fields Do Not Need to Match: Buffered Packet Hijacking in SDN Jiahao Cao, Renjie Xie,

When Match Fields Do Not Need to Match: Buffered Packet Hijacking in SDN Jiahao Cao, Renjie Xie,

When Match Fields Do Not Need to Match: Buffered Packet Hijacking in SDN Jiahao Cao, Renjie Xie, Kun Sun , Qi Li, Guofei Gu, and Mingwei Xu Outline SDN Overview Background on SDN Rule Installation A New Vulnerability: Buffered Packet

443 views • 33 slides
Aldosterone levels and death in AMI Death according to quartiles Death according to tertiles of

Aldosterone levels and death in AMI Death according to quartiles Death according to tertiles of

A ldosterone L ethal effects B lockade in A cute myocardial infarction T reated with or without R eperfusion to improve O utcome and S urvival at S ix months follow-up F. Beygui, G. Cayla, V. Roule, F. Roubille, N. Delarche, J. Silvain, E. Van

297 views • 10 slides
Welcome to your home church! How you can join Christs victory over death Death is natural

Welcome to your home church! How you can join Christs victory over death Death is natural

Welcome to your home church! How you can join Christs victory over death Death is natural Tuesdays with Morrie: Death is as natural as life. The fact that we make such a big hullabaloo over it is all because we dont see ourselves

298 views • 14 slides
AFL SYDNEY JUNIORS TEAM MANAGERS INFORMATION Contents 1. Your Role 2. Before Match Day 3. At

AFL SYDNEY JUNIORS TEAM MANAGERS INFORMATION Contents 1. Your Role 2. Before Match Day 3. At

AFL SYDNEY JUNIORS TEAM MANAGERS INFORMATION Contents 1. Your Role 2. Before Match Day 3. At Match Day 4. After Match Day CLUB DEVELOPMENT CONFERENCE SUNDAY 17TH MARCH YOUR ROLE Team organisation Paperwork Link between

503 views • 18 slides
2019 Mixed &amp; Girls Juniors (U12 U18) THANK YOU !!!! For VOLUNTEERING Agenda

2019 Mixed &amp; Girls Juniors (U12 U18) THANK YOU !!!! For VOLUNTEERING Agenda

Managers Meeting 2019 Mixed &amp; Girls Juniors (U12 U18) THANK YOU !!!! For VOLUNTEERING Agenda Paperwork ! The Season Rules of the Game Codes of Conduct Coaching Philosophy Match Card Management Match Day

510 views • 33 slides
Critical Incident Stress Management A matter of life and death Steve Foye Why is this

Critical Incident Stress Management A matter of life and death Steve Foye Why is this

Critical Incident Stress Management A matter of life and death Steve Foye Why is this important? 2005 BVA Report found suicide rate among vets is nearly four times the national average 2010 paper, Veterinary Surgeons and Suicide: A

280 views • 26 slides
A PERF ERFECT T MATCH TCH FOR R GOLF F SUC UCCESS SS CONSULTING | | DEV DEVELOPMENT |P

A PERF ERFECT T MATCH TCH FOR R GOLF F SUC UCCESS SS CONSULTING | | DEV DEVELOPMENT |P

A PERF ERFECT T MATCH TCH FOR R GOLF F SUC UCCESS SS CONSULTING | | DEV DEVELOPMENT |P |PROJECT MANAGEMENT | | CONSTRUCTION INTRODUCTION Working Together Our director Gary Ashfield and the companys team have over 35 years in

419 views • 19 slides
Co Connection Advisor Match Consultants | Firm Overview Q1 2020 |

Co Connection Advisor Match Consultants | Firm Overview Q1 2020 |

Experience Creates Co Connection Advisor Match Consultants | Firm Overview Q1 2020 | info@advisormatchconsultants.com About Advisor Match Consultants Overview Advisor Match Consultants (AMC) Advisor Match Consultants was founded by Roger

665 views • 12 slides

More recommend