
Enhancing KMIP Support for PKCS#12: Challenges and Solutions in Credential Management

This presentation covers the integration of PKCS#12 within the Key Management Interoperability Protocol (KMIP) framework. PKCS#12 is the widely used password-protected container for importing and exporting credentials such as private keys, certificates and certificate chains. Its flexible structure suits many vendors, but it also presents challenges, notably that a single file can bundle an arbitrary collection of keys and certificates. The slides discuss these challenges, show examples of current usage, and propose adding PKCS#12 as a Key Format Type and as a Key Wrapping format alongside the existing PKCS#1 and PKCS#8 options, with particular attention to where the password or passphrase is carried.


Presentation Transcript


  1. KMIP PKCS#12 – February 2014 – Tim Hudson – tjh@cryptsoft.com

  2. Context: PKCS#12 is used as the general protected import/export format for credentials (private key, certificate, certificate chains), all password protected. Supporting this usage within KMIP is desirable, as many vendors use it as the primary format for loading client credentials or for delivering server-generated client credentials.

  3. Challenges: PKCS#12
     • Complex format
     • Contains arbitrary buckets of keys and certificates
     • Simple usage is common – private key, certificate, CA certificates (with possible intermediate chain)

  4. Example: PKCS#8 Register (screenshot slide)

  5. Map as Key Wrapping Format
     • Adding PKCS12 as a Key Format Type (to match the existing PKCS#1 and PKCS#8 usage) is simple
     • Adding PKCS12 as a Key Wrapping approach is less straightforward
     • Where does the password/passphrase go?
     • Same issue for PKCS#8 as for PKCS#12

  6. Key Wrapping (diagram slide)

  7. Key Wrapping (diagram slide)

  8. Example: Current Usage (diagram: Key To-Be-Wrapped, Wrapping Key)

  9. Example: Current Usage (screenshot slide)

  10. Map as Key Wrapping Format
     • If PKCS#12 (and PKCS#8) are allowed as Key Wrapping Format values, then:
       • Which managed objects get packaged?
       • Which managed objects can this be used against?
     • PKCS#12 is used for both protected private key transport and bucket-of-certificates transport (trust chains)
     • Follow the links?
       • Works for Private Key and Public Key to Certificate
       • Doesn’t work for the chain – unless we add in the links using the new link types …
     • Reference a Secret Data managed object for the passphrase?
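The "follow the links" question on slide 10 can be made concrete by modelling a small KMIP object store and walking its link attributes. The following is an added illustration written for this page; it is not code from the presentation, from Cryptsoft, or from any KMIP implementation. Managed objects and links are plain Python data. The link type names "Public Key Link" and "Certificate Link" are KMIP's existing attribute names; using "Parent Link" to point from a certificate to its issuer is an assumption about which "new link types" the slide has in mind. The walk shows that the existing links reach the leaf certificate but not the chain, and that the passphrase must be supplied as a Secret Data object.

```python
"""Model of slide 10: which managed objects does a PKCS#12 export reach by
following links, and where does the passphrase come from?

Added example, not the presentation's own code. Object store, link names
used for the chain, and all uids below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

@dataclass
class ManagedObject:
    uid: str
    object_type: str                           # KMIP Object Type name
    links: dict = field(default_factory=dict)  # link type name -> target uid

# Existing KMIP link types that already get us Private Key -> Public Key -> Certificate.
BASE_LINKS = ("Public Key Link", "Certificate Link")
# Assumption: an issuer ("parent") link is the "new link type" needed to express a chain.
CHAIN_LINKS = ("Parent Link",)


def follow_links(store, start_uid, link_types):
    """Breadth-first walk from start_uid, following only the given link types.
    Returns the uids reached, in visiting order (start first)."""
    order, seen, queue = [], set(), deque([start_uid])
    while queue:
        uid = queue.popleft()
        if uid in seen or uid not in store:   # dangling links are ignored, not fatal
            continue
        seen.add(uid)
        order.append(uid)
        for link_type in link_types:
            target = store[uid].links.get(link_type)
            if target is not None:
                queue.append(target)
    return order


def plan_pkcs12_export(store, private_key_uid, passphrase_uid, link_types=BASE_LINKS):
    """Decide what a PKCS#12 export starting at a Private Key would contain.

    The passphrase is referenced as a Secret Data managed object rather than
    passed in the request, following the proposal on the slide."""
    key = store.get(private_key_uid)
    if key is None or key.object_type != "Private Key":
        raise ValueError("PKCS#12 export must start from a Private Key managed object")
    secret = store.get(passphrase_uid)
    if secret is None or secret.object_type != "Secret Data":
        raise ValueError("passphrase must be referenced as a Secret Data managed object")

    reached = follow_links(store, private_key_uid, link_types)
    certs = [u for u in reached if store[u].object_type == "Certificate"]
    return {
        "private_key": private_key_uid,
        "leaf_certificate": certs[0] if certs else None,
        "chain": certs[1:],                 # empty unless chain links are followed
        "passphrase_object": passphrase_uid,
    }


def sample_store():
    """Constructed store: one key pair, a three-certificate chain, one passphrase."""
    objs = [
        ManagedObject("key-1", "Private Key", {"Public Key Link": "pub-1"}),
        ManagedObject("pub-1", "Public Key", {"Certificate Link": "cert-leaf"}),
        ManagedObject("cert-leaf", "Certificate", {"Parent Link": "cert-int"}),
        ManagedObject("cert-int", "Certificate", {"Parent Link": "cert-root"}),
        ManagedObject("cert-root", "Certificate"),
        ManagedObject("pass-1", "Secret Data"),
    ]
    return {o.uid: o for o in objs}


if __name__ == "__main__":
    store = sample_store()
    # Existing links only: leaf certificate is found, chain is lost.
    print(plan_pkcs12_export(store, "key-1", "pass-1"))
    # With the assumed chain link type: intermediate and root are packaged too.
    print(plan_pkcs12_export(store, "key-1", "pass-1", BASE_LINKS + CHAIN_LINKS))
```

Running the block prints the two export plans side by side; the first has an empty chain, the second lists the intermediate and root certificates, which is exactly the gap the slide points at. Passing a non-Secret-Data uid as the passphrase reference is rejected, so the passphrase cannot silently be taken from, say, a certificate object.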
