Multi-Vendor Key Management with KMIP
Slide 1: Multi-Vendor Key Management with KMIP
Tim Hudson, CTO, Cryptsoft. Session GS13A, 19-May :35pm

Slide 2: Key Management

Slide 3: Key Management Standards
- NSA EKMS
- OASIS EKMI
- ANSI X9.24
- IEEE P
- NIST SP (three separate publications)
- ISO
- OASIS KMIP
- IETF KEYPROV

Slide 4: FIPS Key Management

Slide 5: NIST SP CKMS

Slide 6: NIST SP Federal KM Profile

Slide 7: OASIS Key Management Interoperability Protocol

Slide 8: Multi-Vendor Single Integration
Diagram, prior to KMIP: Client - Vendor Protocol A / B / C / D - Network - Server A / B / C / D.
Diagram, with KMIP: Client - KMIP - Network - Server A / B / C / D.
Prior to KMIP each application had to support each vendor protocol. With KMIP each application only requires support for one protocol.

Slide 9: Multi-Vendor Single Integration
Positive:
- Single integration with single SDK
- Common vocabulary
- Greater choice of technology providers
- Free interoperability without point-to-point testing
Negative:
- Have to actually follow a standard
- Vocabulary may not match current usage
- May need to implement more than is strictly necessary

Slide 10: KMIP Adoption
KMIP is embedded in major enterprise products.
- Storage: Disk Arrays, Flash Storage Arrays, NAS Appliances; Tape Libraries, Virtual Tape Libraries; Encrypting Switches; Storage Key Managers; Storage Controllers; Storage Operating Systems
- Infrastructure and Security: Key Managers; Hardware Security Modules; Encryption Gateways; Virtualization Managers; Virtual Storage Controllers; Network Computing Appliances; Cloud Key Managers
- Compliance: Compliance Platforms; Information Managers
- Enterprise Gateways and Security: Enterprise Authentication; Endpoint Security

Slide 11: KMIP Protocol Overview

Slide 12: KMIP Product & Technical Details
KMIP is a standard wire protocol. Diagram of the layers on both the Key Client and the Key Server: API - Internal Representation - KMIP Encode / KMIP Decode - Message Format - Transport (TLSv1.0 or above).

Slide 13: KMIP Fundamentals

Slide 14: OASIS KMIP - Protocol Concepts: Core Concepts
- Base Objects: protocol building blocks and parameter encoding
- Managed Objects: core concepts managed by KMIP; Cryptographic Managed Objects are those with key material
- Attributes: details related to or about a managed object
- Client-to-Server Operations: operations clients can send in requests to servers
- Server-to-Client Operations: operations servers can send in requests to clients
- Message Contents and Message Formats: request and response protocol messages
- Message Encoding: binary Tag-Type-Length-Value
- Authentication: see Profiles (Client Certificates)
- Transport: see Profiles (TLSv1.0 or TLSv1.2)

Slide 15: OASIS KMIP - Protocol Concepts
Managed Objects have a Value:
- Value is set at object creation
- Value cannot be changed
- Value may be incomplete
- Value may be in varying formats
Managed Objects have an Object Type: Certificate, Symmetric Key, Public Key, Private Key, Split Key, Template, Secret Data, Opaque Object, PGP Key (1.2).
Managed Objects have a set of Attributes:
- Every attribute has a string name
- Every attribute has a type; types may be simple or complex
- Some are set by the server once and cannot be changed
- Some are set by the client once and cannot be changed
- Most are singletons (only one instance)
- Server-defined non-standard extensions are prefixed with y- in their string name
- Client-defined non-standard extensions are prefixed with x- in their string name

Slide 16: OASIS KMIP - Protocol Concepts
Attributes for all Managed Objects: Unique Identifier, Object Type, Initial Date, Last Change Date, Lease Time, State*.
Attributes for Managed Cryptographic Objects: Cryptographic Algorithm, Cryptographic Length, Cryptographic Usage Mask, Digest.
Attributes for Managed Certificate Objects: Certificate Type, Certificate Length, X.509 Certificate Identifier, Activation Date, Process Start Date, Protect Stop Date, Compromise Occurrence Date, X.509 Certificate Issuer, X.509 Certificate Subject.

Slide 17: OASIS KMIP - Protocol Concepts: Managed Object Life-cycle
- State adopted from NIST SP
- Handled in the State attribute
- Transitions via operations or pre-set triggers
- Dates of transitions recorded as attributes
State attribute values: Pre-Active, Active, Deactivated, Compromised, Destroyed, Destroyed Compromised.
Date attributes: Initial Date, Destroy Date, Last Change Date, Archive Date, Activation Date, Deactivation Date, Compromise Date, Compromise Occurrence Date, Process Start Date, Protect Stop Date, Validity Date, Original Creation Date (1.2).
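The life-cycle on this slide is easiest to see as a small state machine. The following is an added example, not Cryptsoft or OASIS code: it models the State attribute, the date attributes the slide lists, transitions driven either by an operation or by a pre-set date trigger, and the usage check a server derives from them (Protect Stop Date ends "protect" use such as encrypting, while a Deactivated object may still "process", i.e. decrypt). The transition table is an assumption modelled on the slide's state list and the KMIP 1.x state diagram, the refusal of any use for Compromised objects is this example's policy choice, and all timestamps are constructed.

```python
"""KMIP managed-object life-cycle as a small state machine (added example, not
Cryptsoft or OASIS code; the transition table is an assumption modelled on the
slide's state list and the KMIP 1.x state diagram)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class State(Enum):
    PRE_ACTIVE = "Pre-Active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"
    DESTROYED_COMPROMISED = "Destroyed Compromised"


# operation -> {state before: state after}; every other combination is rejected.
TRANSITIONS = {
    "activate": {State.PRE_ACTIVE: State.ACTIVE},
    "deactivate": {State.ACTIVE: State.DEACTIVATED},
    "compromise": {State.PRE_ACTIVE: State.COMPROMISED, State.ACTIVE: State.COMPROMISED,
                   State.DEACTIVATED: State.COMPROMISED,
                   State.DESTROYED: State.DESTROYED_COMPROMISED},
    "destroy": {State.PRE_ACTIVE: State.DESTROYED, State.DEACTIVATED: State.DESTROYED,
                State.COMPROMISED: State.DESTROYED_COMPROMISED},
}
# Date attribute (names from the slide) that records each transition.
OPERATION_DATE = {"activate": "Activation Date", "deactivate": "Deactivation Date",
                  "compromise": "Compromise Date", "destroy": "Destroy Date"}


class LifecycleError(Exception):
    pass


@dataclass
class ManagedObject:
    unique_identifier: str
    created: datetime
    state: State = State.PRE_ACTIVE
    dates: dict = field(default_factory=dict)

    def __post_init__(self):
        self.dates.setdefault("Initial Date", self.created)
        self.dates.setdefault("Last Change Date", self.created)

    def transition(self, operation, when):
        """Apply an operation (or a trigger firing at 'when') and stamp its date."""
        try:
            new_state = TRANSITIONS[operation][self.state]
        except KeyError:
            raise LifecycleError(f"{operation} not permitted in state {self.state.value}") from None
        self.state = new_state
        self.dates[OPERATION_DATE[operation]] = when
        self.dates["Last Change Date"] = when
        return new_state

    def apply_triggers(self, now):
        """Pre-set Activation / Deactivation Dates move the state once reached."""
        activation = self.dates.get("Activation Date")
        if self.state is State.PRE_ACTIVE and activation is not None and now >= activation:
            self.transition("activate", activation)
        deactivation = self.dates.get("Deactivation Date")
        if self.state is State.ACTIVE and deactivation is not None and now >= deactivation:
            self.transition("deactivate", deactivation)
        return self.state

    def may_use(self, purpose, now):
        """'protect' = apply protection (encrypt, sign, wrap); 'process' = remove it
        (decrypt, verify, unwrap). Deactivated objects may process but not protect;
        Protect Stop Date and Process Start Date bound the two windows. Compromised
        and destroyed objects are refused for both (this example's policy choice)."""
        if purpose == "protect":
            stop = self.dates.get("Protect Stop Date")
            return self.state is State.ACTIVE and (stop is None or now < stop)
        if purpose == "process":
            start = self.dates.get("Process Start Date")
            return (self.state in (State.ACTIVE, State.DEACTIVATED)
                    and (start is None or now >= start))
        raise ValueError(f"unknown purpose {purpose!r}")


def walk(*operations):
    """Run operations from Pre-Active; return the final State name or 'rejected: ...'."""
    obj = ManagedObject("walk-uid", datetime(2014, 5, 19, tzinfo=timezone.utc))
    try:
        for op in operations:
            obj.transition(op, obj.created)
    except LifecycleError as err:
        return f"rejected: {err}"
    return obj.state.value


def demo():
    """Constructed timeline for one key; returns what a server would observe."""
    t0 = datetime(2014, 5, 19, 12, 0, tzinfo=timezone.utc)
    day = lambda d: t0.replace(day=d)
    key = ManagedObject("example-uid-1", t0)
    key.dates.update({"Activation Date": day(20), "Protect Stop Date": day(25),
                      "Deactivation Date": day(30)})
    out = {"protect_before_activation": key.may_use("protect", day(19))}
    key.apply_triggers(day(21))                       # Activation Date reached
    out["state_day_21"] = key.state.value
    out["protect_day_22"] = key.may_use("protect", day(22))
    out["protect_day_26"] = key.may_use("protect", day(26))   # past Protect Stop Date
    out["process_day_26"] = key.may_use("process", day(26))
    key.apply_triggers(day(31))                       # Deactivation Date reached
    out["state_day_31"] = key.state.value
    out["process_day_31"] = key.may_use("process", day(31))
    out["protect_day_31"] = key.may_use("protect", day(31))
    key.transition("destroy", day(31))
    out["final_state"] = key.state.value
    out["destroy_date"] = key.dates["Destroy Date"] == day(31)
    return out
```

The split into "protect" and "process" is what makes a Protect Stop Date useful in practice: a key can stop being used to encrypt new data long before anyone is allowed to forget it, and the state machine refuses the re-activation of a Deactivated key rather than leaving it to the caller.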
Slide 18: OASIS KMIP - Protocol Concepts: Message Encoding
- Binary Tag-Type-Length-Value format
- Optional JSON and XML encoding in KMIP 1.2
Example on the slide: Cryptographic Usage Mask = Encrypt | Decrypt, laid out as its Tag, Type, Length and Value fields.

Slide 19: OASIS KMIP - Protocol Concepts: TTLV Encoding

Slide 20: OASIS KMIP - Protocol Concepts: XML Encoding (optional KMIP 1.2 addition)

Slide 21: OASIS KMIP - Protocol Concepts: JSON Encoding (optional KMIP 1.2 addition)

Slide 22: Implementation Errors

Slide 23: Implementation Errors: Simple implementation errors
- Invalid Padding
- Invalid Encoding
- Invalid Tag Values
- Invalid Field Order
- Invalid TLS usage
- Missing Mandatory
- Mandating Optional
- Invalid sign

Slide 24: Implementation Errors: Complex implementation errors
- Core concepts omitted
- Special interpretation added
- Conceptual confusion (Templates)
- Unusual feature set selection
- Assumed message sequences and content

Slide 25: Implementation Errors: Simple invalid encoding errors
- The specification includes clear text on encoding
- The specification includes examples of each encoding
- The KMIP 1.0 Test Cases include the hexadecimal request and response sequences
- Almost every vendor gets one or more of the encoding items wrong

Slide 26: Implementation Errors: Item Length
Quoted from the specification: "An Item Length is a 32-bit binary integer, transmitted big-endian, containing the number of bytes in the Item Value." "If the Item Type is Structure, then the Item Length is the total length of all of the sub-items contained in the structure, including any padding." "If the Item Type is Integer, Enumeration, Text String, Byte String, or ... Strings SHALL be padded with the minimal number of bytes following the Item Value to obtain a multiple ... Value."
Data Type / Length table: Structure: Varies, multiple of ...; Integer; Long Integer; Big Integer: Varies, multiple of ...; Enumeration; Boolean; Text String: Varies; Byte String: Varies; Date-Time; Interval. The remaining length cells survive on the slide only as "8" and "4".
Actual implementation errors:
- No padding
- Padding before rather than at end of value
- Padding missing for some types
- Padding added for types that do not require padding
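To make the Item Length and padding rules concrete, here is an added example of a strict TTLV encoder and decoder in Python; it is not code from Cryptsoft, OASIS or the KMIP test cases. It uses the KMIP 1.x tag numbers for Attribute, Attribute Name, Attribute Value, Cryptographic Usage Mask and Activation Date plus one constructed extension-range tag; the fixed per-type lengths and the rule that zero padding follows the value up to a multiple of eight bytes are the TTLV rules from the KMIP specification. The three faulty byte strings are constructed to reproduce the errors listed on the slide (no padding, padding placed before the value, padding added to a fixed-length type), and the decoder rejects each with a message naming the offset and the rule broken. It also looks items up by tag rather than by position, which is the "fixed field order" assumption a later slide warns about.

```python
"""Strict KMIP TTLV encoder/decoder (added example; tag numbers from KMIP 1.x,
length and padding rules from the TTLV section of the specification)."""
import struct
from enum import IntEnum


class TTLVType(IntEnum):
    STRUCTURE = 0x01
    INTEGER = 0x02
    LONG_INTEGER = 0x03
    BIG_INTEGER = 0x04
    ENUMERATION = 0x05
    BOOLEAN = 0x06
    TEXT_STRING = 0x07
    BYTE_STRING = 0x08
    DATE_TIME = 0x09
    INTERVAL = 0x0A


T = TTLVType
TAG_ATTRIBUTE, TAG_ATTRIBUTE_NAME, TAG_ATTRIBUTE_VALUE = 0x420008, 0x42000A, 0x42000B
TAG_ACTIVATION_DATE, TAG_CRYPTOGRAPHIC_USAGE_MASK = 0x420001, 0x42002C
TAG_EXTENSION_EXAMPLE = 0x540001               # constructed extension-range tag
USAGE_ENCRYPT, USAGE_DECRYPT = 0x04, 0x08

# Item Lengths the specification fixes per type; the others vary, but a
# Structure or Big Integer length must still be a multiple of 8.
FIXED_LENGTH = {T.INTEGER: 4, T.ENUMERATION: 4, T.INTERVAL: 4,
                T.LONG_INTEGER: 8, T.BOOLEAN: 8, T.DATE_TIME: 8}


class EncodingError(ValueError):
    pass


def _value_bytes(typ, value):
    if typ is T.STRUCTURE:
        return b"".join(value)                   # already-encoded sub-items
    if typ is T.INTEGER:
        return struct.pack(">i", value)
    if typ in (T.ENUMERATION, T.INTERVAL):
        return struct.pack(">I", value)
    if typ in (T.LONG_INTEGER, T.DATE_TIME):
        return struct.pack(">q", value)
    if typ is T.BOOLEAN:
        return struct.pack(">Q", 1 if value else 0)
    if typ is T.BIG_INTEGER:                     # two's complement, multiple of 8 bytes
        n = (value.bit_length() // 8 + 8) // 8 * 8
        return value.to_bytes(n, "big", signed=True)
    if typ is T.TEXT_STRING:
        return value.encode("utf-8")
    return bytes(value)                          # BYTE_STRING


def encode(tag, typ, value):
    """3-byte tag, 1-byte type, 4-byte big-endian length of the value, then the
    value followed by zero padding up to a multiple of 8 bytes."""
    body = _value_bytes(typ, value)
    pad = b"\x00" * (-len(body) % 8)
    return tag.to_bytes(3, "big") + bytes([typ]) + len(body).to_bytes(4, "big") + body + pad


def _parse_value(typ, raw, where):
    if typ is T.INTEGER:
        return struct.unpack(">i", raw)[0]
    if typ in (T.ENUMERATION, T.INTERVAL):
        return struct.unpack(">I", raw)[0]
    if typ in (T.LONG_INTEGER, T.DATE_TIME):
        return struct.unpack(">q", raw)[0]
    if typ is T.BOOLEAN:
        flag = struct.unpack(">Q", raw)[0]
        if flag > 1:
            raise EncodingError(f"offset {where}: Boolean value must be 0 or 1")
        return bool(flag)
    if typ is T.BIG_INTEGER:
        return int.from_bytes(raw, "big", signed=True)
    if typ is T.TEXT_STRING:
        return raw.decode("utf-8")
    return bytes(raw)


def decode(buf, start=0, end=None):
    """Parse every item in buf[start:end]; any length or padding fault raises
    EncodingError naming the offset and the rule that was broken."""
    end = len(buf) if end is None else end
    items, pos = [], start
    while pos < end:
        if end - pos < 8:
            raise EncodingError(f"offset {pos}: truncated item header")
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        try:
            typ = T(buf[pos + 3])
        except ValueError:
            raise EncodingError(f"offset {pos}: invalid type 0x{buf[pos + 3]:02x} "
                                "(stray padding or bad field order?)") from None
        length = int.from_bytes(buf[pos + 4:pos + 8], "big")
        if typ in FIXED_LENGTH and length != FIXED_LENGTH[typ]:
            raise EncodingError(f"offset {pos}: {typ.name} length {length}, expected {FIXED_LENGTH[typ]}")
        if typ in (T.STRUCTURE, T.BIG_INTEGER) and length % 8:
            raise EncodingError(f"offset {pos}: {typ.name} length {length} is not a multiple of 8")
        vstart, vend = pos + 8, pos + 8 + length
        nxt = vstart + (length + 7) // 8 * 8     # value plus its padding
        if nxt > end:
            raise EncodingError(f"offset {pos}: value or padding missing ({nxt - end} byte(s) short)")
        if any(buf[vend:nxt]):
            raise EncodingError(f"offset {vend}: padding is not zero (padding placed before the value?)")
        value = decode(buf, vstart, vend) if typ is T.STRUCTURE else _parse_value(typ, buf[vstart:vend], vstart)
        items.append((tag, typ, value))
        pos = nxt
    return items


def validate(buf):
    """None if buf decodes cleanly, otherwise the decoder's error message."""
    try:
        decode(buf)
        return None
    except EncodingError as err:
        return str(err)


def find(items, tag):
    """Look an item up by tag wherever it sits, instead of assuming field order."""
    return next((value for t, _, value in items if t == tag), None)


# Constructed sample: an Attribute structure carrying Cryptographic Usage Mask =
# Encrypt | Decrypt, plus three deliberately faulty encodings from the slide's list.
GOOD = encode(TAG_ATTRIBUTE, T.STRUCTURE, [
    encode(TAG_ATTRIBUTE_NAME, T.TEXT_STRING, "Cryptographic Usage Mask"),
    encode(TAG_ATTRIBUTE_VALUE, T.INTEGER, USAGE_ENCRYPT | USAGE_DECRYPT),
])
NO_PADDING = bytes.fromhex("42002c02000000040000000c")                     # pad bytes dropped
PADDING_BEFORE_VALUE = bytes.fromhex("42002c0200000004000000000000000c")   # pad precedes value
PADDED_DATE_TIME = encode(TAG_ACTIVATION_DATE, T.DATE_TIME, 1400500000) + b"\x00" * 8

if __name__ == "__main__":
    print(decode(GOOD))
    for sample in (NO_PADDING, PADDING_BEFORE_VALUE, PADDED_DATE_TIME):
        print(validate(sample))
```

Note that the decoder is deliberately unforgiving: an interoperability test client built on it reports the first byte that violates a rule, which is more useful than a tolerant parser that silently accepts a vendor's mis-padded message and so never exposes the defect.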
Slide 27: Implementation Errors - Solution: Simple invalid encoding
- Accept that adding more specification text does not fix this issue
- Accept that adding more examples of encoding is the same as adding more specification text: they are simply either not read or not read carefully
- Accept that test cases seem to be ignored more often than they are used

Slide 28: Implementation Errors - Solution: Simple invalid encoding errors
Test interoperability between implementations:
- More plug-fests
- More interop events
- More tests defined in a more approachable manner
- Formal conformance testing program, i.e. more events and wider scope

Slide 29: Implementation Errors: Special interpretation or conceptual confusion
Adding semantics that don't exist: leaping beyond the spec to non-interoperable solutions.
- Using Templates for policy management
- Automatically creating objects during search
- Ignoring Password fields (accept anything)
- Requiring Names
- Forcing a restricted set of characters in Names

Slide 30: Implementation Errors - Solution: Special interpretation or conceptual confusion
- Deprecated Templates as of KMIP 1.2
- Require explicit indication for create-when-searching if really necessary
- Adding Alternate Name and vendor education
- Expanding testing of Names which exceed arbitrary restrictions (spaces, punctuation, etc.)
- More test cases and profiles
- Flexible interpretation in servers

Slide 31: Implementation Errors: Assumed message sequences and content
Pattern matching rather than understanding:
- Ignoring most of the message content
- Assuming a fixed list of fields in fixed order for non-ordered lists
- Assuming a fixed sequence of request / response items
- Pre-canned responses with minimal substitution
- Ignoring protocol version information

Slide 32: Implementation Errors - Solution: Assumed message sequences and content
- Detect this sort of implementation
- Determine limitations of the approach
- Expand on testing to require more semantic processing rather than simple syntax
- More test cases and profiles

Slide 33: SNIA KMIP Conformance Testing

Slide 34: KMIP Conformance Testing - Intent
- The SNIA SSIF launched the program to enable organizations to shortlist vendor KMIP solutions based on support for specific usage scenarios
- Enables organizations to verify vendor claims
- Value provided by a truly independent test team

Slide 35: KMIP Conformance Testing - Profiles
The KMIP TC defines Profiles:
- Normative documents specifying the minimum set of functionality to be supported
- Contain expected requests and responses
- Cover a range of deployment scenarios
Profiles: Advanced Cryptographic 1.2; Advanced Symmetric Key Foundry; Asymmetric Key Lifecycle; Baseline Client & Server Basic; Baseline Client & Server TLSv1_2; Basic Cryptographic 1.2; Basic Symmetric Key Foundry; HTTPS, JSON, XML; Intermediate Symmetric Key Foundry; Opaque Managed Object Store; RNG Cryptographic 1.2; Storage Array With SED; Suite-B MinLOS_128; Suite-B MinLOS_192; Symmetric Key Lifecycle; Tape Library; Complete Server.

Slide 36: KMIP Conformance Testing - Method
- Implementations are made available to the test team
- The test team operates under the SSIF's direction, but testing information is kept completely confidential
- Results are published (with the testing organization's consent) on completion of testing

Slide 37: KMIP Conformance Testing - Client Process
Diagram: Customer Client - SSIF Test Infrastructure.

Slide 38: KMIP Conformance Testing - Server Process
Diagram: Customer Server - SSIF Test Infrastructure.

Slide 39: KMIP Conformance Testing - Results
Snapshot taken from :

Slide 40: KMIP Conformance Testing - Results
- Test results are published (with the customer's permission)
- Results remain confidential to the customer and the test team until results are published
- Only supported profiles appear on the results page (failures and/or non-supported profiles are not stated)

Slide 41: KMIP Product & Technical Details

Slide 42: KMIP usage across product types
Disk Arrays, Flash Storage Arrays, NAS Appliances, Storage Operating Systems:
- Vaulting master authentication key
- Cluster-wide sharing of configuration settings
- Specific Usage Limits checking (policy)
- FIPS140-2 external key generation (create, retrieve)
- Multi-version key support during Rekey
- Backup and recovery of device specific key sets
Tape Libraries, Virtual Tape Libraries:
- External key generation (create, retrieve)
- FIPS140-2 external key generation (create, retrieve)
- Multi-version key support during Rekey
Encrypting Switches, Storage Controllers:
- Vaulting device or port specific encryption keys
- Cluster-wide sharing of configuration settings
- Specific Usage Limits checking (policy)

Slide 43: KMIP usage across product types
Key Managers:
- Key and other Object Vault (store)
- Key and other Object Creator (generate)
- Secure Cryptographic Operations (use)
- Policy Enforcement for Access
- Policy Enforcement for Operation Usage
- Audit and Compliance Management
- Cross-device and cross-application coordination
- User and device authentication enforcement
- Multi-tenancy and multi-jurisdictional enforcement
Encryption Gateways, Virtualisation Managers:
- Vaulting device, port or user specific encryption keys
- External key generation (create, retrieve)
- Cluster-wide sharing of configuration settings
- Specific Usage Limits checking (policy)

Slide 44: KMIP usage across product types
Compliance Platforms, Information Managers, Enterprise Security:
- Policy Enforcement for Access
- Policy Enforcement for Operation Usage
- Audit and Compliance Management
- Cross-device and cross-application coordination
- User and device authentication enforcement
- Multi-tenancy and multi-jurisdictional enforcement
Endpoint Security:
- Vaulting device, port or user specific encryption keys
- External key generation (create, retrieve)
- Cluster-wide sharing of configuration settings
- Specific Usage Limits checking (policy)

Slide 45: KMIP usage across product types
Hardware Security Modules (HSM):
- Key and other Object Vault (store)
- Policy Enforcement for Access
- Policy Enforcement for Operation Usage
- Audit and Compliance Management
- Multi-tenancy and multi-jurisdictional enforcement
- Key management / HSM gateways
Authentication and Identity Management:
- Vaulting user specific information
- External authentication storage and generation
- Validation of authentication for multi-protocol support over KMIP

Slide 46: Key Management Servers and Hardware Security Modules (KMS and HSM)

Slide 47: Key Management Servers and Hardware Security Modules
Hardware Security Modules (HSM):
- Standard APIs: PKCS#11, Java JCE, Microsoft CryptoAPI (CSP, CNG)
- Vendor proprietary extensions, typically required for many contexts
- Vendor proprietary network protocols
- Limited platform support: generally a small subset of application platforms
- Typically no web based server administration
- Usually FIPS140-2 level 2 or level 3 validated
- Generally rather limited on-device storage
Key Management Servers (KMS):
- Standard network protocols
- Broad platform support: network protocol and SDKs from multiple vendors
- Generally web based server administration
- Often FIPS140-2 level 2 or level 3 validated
- Typically multi-tenant
- Generally almost unlimited on-device storage

Slide 48: Key Management Servers and Hardware Security Modules
Deployment Models for an HSM-only client (PKCS#11 API): Standalone HSM; HSM with on-board KMS; HSM with linked KMS. Diagram: the client speaks PKCS#11 to the HSM in each model, with a KMIP link between HSM and KMS in the linked model.

Slide 49: Key Management Servers and Hardware Security Modules
Deployment Models for a KMS-only client (KMIP Protocol): Standalone KMS; KMS with on-board HSM; KMS with linked HSM. Diagram: the client speaks KMIP to the KMS in each model, with a PKCS#11 link between KMS and HSM in the linked model.

Slide 50: Key Management Servers and Hardware Security Modules
Deployment Models for a KMS+HSM client (PKCS#11 API and KMIP Protocol): Standalone HSM; HSM with on-board KMS; HSM with linked KMS; Standalone KMS; KMS with on-board HSM; KMS with linked HSM; HSM with non-linked KMS; KMS with non-linked HSM. Diagram: the client uses both KMIP and PKCS#11.

Slide 51: Multi-Vendor Key Management with KMIP (closing slide)
Tim Hudson, CTO, Cryptsoft. Session GS13A, 19-May :35pm

Slide 52: Extra Bonus Slides

Slide 53: FIPS140-2 Module Certificates by Lab

Slide 54: FIPS140-2 Module Certificates by Lab

Slide 55: FIPS140-2 Module Certificates by Year & Level

Slide 56: FIPS140-2 Module Certificates by Year & Level
More informationCollateral Damage. Impact of Frequent Policy Changes on Vendors and Customers
Collateral Damage Impact of Frequent Policy Changes on Vendors and Customers Joshua Brickman Director, Security Evalua:ons Oracle Global Product Security Glenn BruneFe Dis:nguished Security Architect Oracle
More informationDTLS- based Mul/cast Security for Low- Power and Lossy Networks (LLNs) dra$- keoh- dice- mul/cast- security
DTLS- based Mul/cast Security for Low- Power and Lossy Networks (LLNs) dra$- keoh- dice- mul/cast- security Sandeep S. Kumar, Sye Loong Keoh, Oscar Garcia- Morchon, Esko Dijk IETF88 Nov 4, 2013, Berlin
More informationVirtualization. Introduction. Why we interested? 11/28/15. Virtualiza5on provide an abstract environment to run applica5ons.
Virtualization Yifu Rong Introduction Virtualiza5on provide an abstract environment to run applica5ons. Virtualiza5on technologies have a long trail in the history of computer science. Why we interested?
More informationAn Introduc+on to Applied Cryptography. Chester Rebeiro IIT Madras
CR An Introduc+on to Applied Cryptography Chester Rebeiro IIT Madras CR 2 Connected and Stored Everything is connected! Everything is stored! Increased Security Breaches 81% more in 2015 CR h9p://www.pwc.co.uk/assets/pdf/2015-isbs-execugve-
More informationSpecial Publication
Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP What is Information Security? Personnel Security Cybersecurity
More informationStrategies to remove complexity from everyday infrastructure
Strategies to remove complexity from everyday infrastructure Nils Swart Director, Plexxi Open Network Exchange, Dallas 2013- April- 11 Why are we still here? Simplicity is the ultimate sophistication Leonardo
More informationNetApp Encryption Power Guide
ONTAP 9 NetApp Encryption Power Guide December 2017 215-11633_G0 doccomments@netapp.com Updated for ONTAP 9.3 Table of Contents 3 Contents Deciding whether to use the NetApp Encryption Power Guide...
More informationPublic Key Infrastructures Chapter 06 Private Keys
Public Key Infrastructures Chapter 06 Private Keys Cryptography and Computer Algebra Prof. Dr. Johannes Buchmann Dr. Alexander Wiesmaier Personal security environments Store Private keys Certificates Other
More informationSecurity Specification for Cloud Data Services. Enterprise Cloud Customer Council Technical Working Group
Security Specification for Cloud Data Services Enterprise Cloud Customer Council Technical Working Group October 2017 Preamble Overview The Enterprise Cloud Customer Council (E3C) is a group of enterprise
More informationKerberos Revisited Quantum-Safe Authentication
Kerberos Revisited Quantum-Safe Authentication M. Campagna (mcampagna@gmail.com), T. Hardjono (MIT), L. Pintsov (Pitney Bowes), B. Romansky (Pitney Bowes) and T. Yu (MIT) ETSI Quantum-Safe-Crypto Workshop
More informationDolphin DCI 1.2. FIPS Level 3 Validation. Non-Proprietary Security Policy. Version 1.0. DOL.TD DRM Page 1 Version 1.0 Doremi Cinema LLC
Dolphin DCI 1.2 FIPS 140-2 Level 3 Validation Non-Proprietary Security Policy Version 1.0 DOL.TD.000921.DRM Page 1 Version 1.0 Table of Contents 1 Introduction... 3 1.1 PURPOSE... 3 1.2 REFERENCES... 3
More informationIMS Standards in Ac:on
IMS Standards in Ac:on Colin Smythe (IMS Chief Architect) csmythe@imsglobal.org 1 From the Specifica:on to Adop:on The aim is improve learning Crea:ng an interoperability specifica:on is only part of the
More informationFIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2
Oracle Solaris Kernel Cryptographic Framework with SPARC T4 and T5 Software Version: 1.0 and 1.1; Hardware Version: SPARC T4 (527-1437-01) and T5 (7043165) FIPS 140-2 Non-Proprietary Security Policy Level
More informationInland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE
Inland Revenue Build Pack Identity and Access Services Date: 04/09/2017 Version: 1.5 IN CONFIDENCE About this Document This document is intended to provide Service Providers with the technical detail required
More informationCrypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH
Crypto-Options on AWS Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH Amazon.com, Inc. and its affiliates. All rights reserved. Agenda
More informationGoogle Cloud Platform: Customer Responsibility Matrix. December 2018
Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect
More informationTowards Provably Secure and Correct Systems. Avik Chaudhuri
Towards Provably Secure and Correct Systems Avik Chaudhuri Systems we rely on Opera
More informationInves&ga&ng Intent API for Service Chaining. Andy Veitch NetCracker (NEC)
Inves&ga&ng Intent API for Service Chaining Andy Veitch NetCracker (NEC) Goals Define and develop Intent NBI for service chaining Define for mul&ple underlying implementa&ons avoid network details Develop
More informationNetApp Encryption Power Guide
ONTAP 9 NetApp Encryption Power Guide February 2017 215-11633-D0 doccomments@netapp.com Updated for ONTAP 9.1 Table of Contents 3 Contents Deciding whether to use the NetApp Encryption Power Guide...
More informationInteroperable Cloud Storage with the CDMI Standard. Mark Carlson, SNIA TC and Oracle Chair, SNIA Cloud Storage TWG
Interoperable Cloud Storage with the CDMI Standard Mark Carlson, SNIA TC and Oracle Chair, SNIA Cloud Storage TWG SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member
More informationARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1
ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1 FIPS 140-2 Non-Proprietary Security Policy Level 3 Validation April 2012 Copyright 2012 Algorithmic Research This document
More informationStateless Microservice Security via JWT, TomEE and MicroProfile
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe Why am I here today? Microservices architecture case Security opeons OAuth2 with JWT HTTP Signatures Demo with
More informationKey Nego(a(on Protocol & Trust Router
Key Nego(a(on Protocol & Trust Router dra6- howle:- radsec- knp ABFAB, IETF 80 31 March, Prague. Introduc(on The ABFAB architecture does not require any par(cular AAA strategy for connec(ng RPs to IdPs.
More informationMeru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009
Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2 Meru Networks Revision Date: June 24, 2009 Copyright Meru Networks 2008. May be reproduced only in its original entirety
More informationNew World BGP. Geoff Huston January2010 APNIC
New World BGP Geoff Huston January2010 APNIC 16- bit AS Number Map 16- bit AS Number Map Unadvertised AS Numbers RIR Pool AS Numbers Advertised AS Numbers IANA Pool 16- bit AS Number Map Unadvertised AS
More informationKMIP Post-Quantum Cryptography Profile Working Draft 02
KMIP Post-Quantum Cryptography Profile Working Draft 02 OASIS Working Draft 9 May 2017 Specification URIs This version: Latest version: Technical Committee: OASIS Key Management Interoperability
More informationHewlett-Packard Development Company, L.P. NonStop Volume Level Encryption (NSVLE) Product No: T0867 SW Version: 2.0
Hewlett-Packard Development Company, L.P. NonStop Volume Level Encryption (NSVLE) Product No: T0867 SW Version: 2.0 FIPS 140 2 Non Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.3
More informationIntegral Memory PLC. Crypto Dual (Underlying Steel Chassis) and Crypto Dual Plus (Underlying Steel Chassis) FIPS Security Policy
Integral Memory PLC. Chassis) and Crypto Dual Plus (Underlying FIPS 140-2 Security Policy Table of Contents 1. INTRODUCTION... 1 1.1 Purpose....1 1.2 References... 1 1.3 Document History... 1 2. PRODUCT
More information