Blog - Cryptomathic

Key Management Interoperability Protocol (KMIP): achievements and challenges

Written by Dawn M. Turner (guest) | 23. March 2016

The Key Management Interoperability Protocol standard intends to provide interoperability across various key management environments and hence to reduce costs and increase efficiency of heterogenious cryptographic applications.

However, there are 3 tendencies which challenge the current standard and its interoperability protocol: a) the shift of a big share of internet traffic towards mobile communications, b) the growing Internet of Services with the related service-based communication and c) the advance of cloud computing.

This article first looks at the achievements of KMIP so far, then sheds light on the current challenges to and shortcomings of the protocol and tries to provide answers and solutions to these in the remainder of the article.

The Key Management Interoperability Protocol standard, governed by OASIS, specifies a protocol for the communication between clients and servers to perform "management operations on objects stored and maintained by a key management system". These operations include symmetric and asymmetric cryptographic keys, digital certificates, and templates that simplify the creation of objects and control their usage.

In addition, four aspects of the protocol are specified in a normative way: 1) the expected behavior of the server and client as a result of operations, 2) the message contents and formats, 3) the message encoding and 4) error handling.

What KMIP Has Achieved

The development of the Key Management Interoperability Protocol (KMIP) was intended to resolve two major problems affecting cryptographic key management environments.

The first problem was to address the lack of interoperability across various key management environments. Many of the existing cryptographic applications had their own specific key management environments that could not communicate with other key management systems outside their environments. This led to added costs to business in the way of infrastructure costs, operational costs, and of course, costs to train staff to deal with having to have manage multiple key managers to handle their cryptographic capabilities, including digital certificates.

The second problem KMIP sought to resolve was to reduce operational, infrastructure and implementation costs by enabling various cryptographic SDKs (software development kits) to communicate with multiple key managers.

With the first version of KMIP, many of these critical issues were addressed. By implementing KMIP, SDKs are able to communicate with multiple key managers, provided those key managers provide support for the KMIP protocol. This can be done without having to go through the time and expense of retrofitting existing applications to communicate to different key managers. Training time and costs are reduced, as developers only need to learn one set of tools, regardless of what key manager is being used.

Wrapping up the achievement: in the past, each application needed to support each proprietary vendor protocol. Today, KMIP has made it possible that each application only needs to provide one single protocol.

New Challenges to KMIP

While KMIP has created an effective protocol for key management over the past years, new challenges now need to be met because of the constantly changing nature of information technology. Many of these challenges are related to:

  • Mobile devices. Because of new ways users interact with applications and the need for virtualization, IT infrastructure has experienced many changes in how it is deployed and managed.
  • Service-approaches. Developers have shifted their attention to new methods of application development and service-based architectures.
  • Increased use of cloud technology. Businesses seeking new models for allocating resources and reducing costs have turned to the cloud.

All of these new developments have created new opportunities for innovation, communication and collaboration, but these opportunities do not come without a price.

New vulnerabilities are also being created along with this new growth in the IT industry. Cyber criminals, hacktivist groups and enemy states are becoming more sophisticated and exploiting more targets.

First Steps towards an Answer

With the substantial growth in usage of commercial cryptography, there is a need for enhanced key management for securing channels and authenticating systems. While there has been interest in using applications within the cloud to encrypt data, many users want to maintain control over their key management from within their own enterprise.

These new complex enterprise security requirements for a high security environment require new protocols that KMIP will address in the coming version updates. They will necessarily lead to extensive revisions to the existing protocol.

Ongoing discussions include protocol optimisations for improved throughput, server-to-server interaction and information propagation, alternative message formats, access control lists or the concept of key escrow (where keys needed to decrypt data are held in a trusted location).

What Cryptomathic does do to support key management interoperability

Cryptomathic’s solutions are developed to ensure flexible security and to be interoperable across security environments. Cryptomathic supports the concept of KMIP, but goes some steps further, adding a unit of central control across all operative key management systems, to cater for the new challenging scenarios described above.

KMIP is a great step forward to a standard approach to key management, but it is not necessarily the best approach for all businesses. In many cases, the concept of central control of not just the keys for online applications, but also the usage of the keys and maintenance of cryptographic resources is becoming a strong business driver. Central control of key management and key usage will allow businesses to effectively manage a fundamental layer of data security and rapidly respond to needed changes or vulnerabilities. 

The Crypto Service Gateway (CSG) is Cryptomathic's approach to support the interoperability of various standards and abstract away the complexity of using cryptography to secure the various online services channels, whether they are mobile or cloud oriented. CSG is a management platform that enables central control and overview of all crypto operations and key management throughout business security networks.

By sharing a pool of cryptographic hardware through simple API's, CSG acts as a plug-and-play interface for any application that requires cryptography and key management, enabling easy development and deployment of projects.

With central policy enforcement acting as a crypto firewall, any changes to algorithm and key length or even how the applications can use the keys, e.g. for encryption, data signing, tokenization, etc., can be made with minimal code changes within the application. Using such a central crypto platform with efficient and interoperable key management will enable business agility to support secure and sustainable digital growth.