Blogger: Ramon Krikken
OK, so maybe 'exciting' isn't the first word that comes to mind when thinking of cryptographic key management, but given the current state of the product market, any time I hear 'standardization' I see a glimmer of hope. As I discussed in the "Enterprise Key Management Systems" report (available to our customers), the absence of standardization is a major pain point for customers. Anyone running a variety of encryption products probably has a plethora of associated key management systems, one per product, which is less than ideal, to say the least.
And it's not that vendors aren't working on this; it's just that standards don't develop overnight. There is IEEE P1619.3 targeting key management for storage encryption, OASIS EKMI (Enterprise Key Management Infrastructure) targeting the application layer, and IETF KeyProv for provisioning symmetric keys to mobile devices and tokens. The Trusted Computing Group (TCG) just last week announced its finalized specifications for so-called "trusted storage devices", which should clear the way for mass adoption of self-encrypting drives. All great efforts, and with the TCG specifications hopefully about to bring more of the sorely needed storage encryption to endpoints, but still no standardized enterprise key management.
So today a group of seven companies announced the submission of the Key Management Interoperability Protocol (KMIP) to OASIS. The specification has been under development by IBM, RSA, HP, and Thales (who acquired nCipher) for the last year, and according to the vendors it has passed interoperability testing among their individual reference implementations. It focuses mainly on the use cases for client-server distribution of cryptographic material and the associated policies; that leaves server-to-server operations as future room for improvement, and it avoids overlap with existing standards such as PKIX for PKI. Within that scope the specification is very detailed and complete, and it targets a wide spectrum of encryption technologies: it uses a compact message format with support for encryption keys, signing keys, symmetric keys, asymmetric keys, X.509/PGP certificates, and so forth. It does not necessarily cover all aspects of "people-interactive crypto" such as email encryption and enterprise digital rights management, but it certainly targets long-term keys and certificates for the whole data center. Representing the client side, Seagate, LSI, and Brocade have joined the effort, and I expect broadening interest and support.
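The "compact message format" is worth a concrete look, since the post only names it. In the KMIP specification as it was eventually published by OASIS, every item on the wire is TTLV: a 3-byte tag, a 1-byte type, a 4-byte big-endian length, and the value padded to a multiple of 8 bytes, with structures nesting other items. The following is an added example, not code from this post, from OASIS, or from any of the vendors named above: it encodes a minimal KMIP Get request (the client asking the key server for one managed object by its Unique Identifier) and parses it back with length checks, so a truncated or oversized length field is rejected rather than read past the buffer. The tag, type and operation values are assumptions drawn from the KMIP 1.0 TTLV tables and should be verified against the spec revision you target; the identifier "key-00017" is constructed for the example.

```python
"""Encode and decode KMIP TTLV messages (added example, not the post's or OASIS's code)."""
import struct

# Item types from the TTLV encoding in KMIP 1.0 (assumed; only four are modelled here).
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

# Tag values from the KMIP 1.0 tag table (assumed; verify against your spec revision).
TAG = {
    "RequestMessage": 0x420078,
    "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069,
    "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B,
    "BatchCount": 0x42000D,
    "BatchItem": 0x42000F,
    "Operation": 0x42005C,
    "RequestPayload": 0x420079,
    "UniqueIdentifier": 0x420094,
    "CompromiseDate": 0x420020,  # only used to reproduce the spec's own Integer example
}
OPERATION_GET = 0x0000000A  # Operation enumeration value for Get (assumed from KMIP 1.0)


def _pad8(data: bytes) -> bytes:
    """Pad to a multiple of 8 bytes, as every TTLV value is."""
    return data + b"\x00" * (-len(data) % 8)


def encode(tag: int, typ: int, value) -> bytes:
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, padded value.
    A Structure's value is a list of already-encoded child items."""
    if typ == STRUCTURE:
        body = b"".join(value)
    elif typ == INTEGER:
        body = struct.pack(">i", value)      # 4-byte signed, padded to 8 below
    elif typ == ENUMERATION:
        body = struct.pack(">I", value)      # 4-byte unsigned, padded to 8 below
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")         # length field is the unpadded byte count
    else:
        raise ValueError(f"unsupported item type {typ:#04x}")
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + _pad8(body)


def decode(buf: bytes, offset: int = 0):
    """Decode one item at `offset`; returns ((tag, type, value), next_offset).
    The length field is checked against the buffer before any slice is trusted."""
    if len(buf) - offset < 8:
        raise ValueError("truncated TTLV header")
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    typ = buf[offset + 3]
    (length,) = struct.unpack(">I", buf[offset + 4:offset + 8])
    start, end = offset + 8, offset + 8 + length
    next_offset = end + (-length % 8)
    if next_offset > len(buf):
        raise ValueError("TTLV length exceeds buffer")
    raw = buf[start:end]
    if typ == STRUCTURE:
        children, pos = [], start
        while pos < end:
            child, pos = decode(buf, pos)
            children.append(child)
        if pos != end:
            raise ValueError("structure children overrun structure length")
        value = children
    elif typ in (INTEGER, ENUMERATION):
        if length != 4:
            raise ValueError("Integer/Enumeration value must be 4 bytes")
        (value,) = struct.unpack(">i" if typ == INTEGER else ">I", raw)
    elif typ == TEXT_STRING:
        value = raw.decode("utf-8")
    else:
        raise ValueError(f"unsupported item type {typ:#04x}")
    return (tag, typ, value), next_offset


def find(item, tag: int):
    """Depth-first search of a decoded tree for the first item carrying `tag`."""
    item_tag, typ, value = item
    if item_tag == tag:
        return item
    if typ == STRUCTURE:
        for child in value:
            hit = find(child, tag)
            if hit is not None:
                return hit
    return None


def build_get_request(unique_identifier: str) -> bytes:
    """A KMIP 1.0 Get request: header (protocol version, batch count) plus one batch item."""
    header = encode(TAG["RequestHeader"], STRUCTURE, [
        encode(TAG["ProtocolVersion"], STRUCTURE, [
            encode(TAG["ProtocolVersionMajor"], INTEGER, 1),
            encode(TAG["ProtocolVersionMinor"], INTEGER, 0),
        ]),
        encode(TAG["BatchCount"], INTEGER, 1),
    ])
    item = encode(TAG["BatchItem"], STRUCTURE, [
        encode(TAG["Operation"], ENUMERATION, OPERATION_GET),
        encode(TAG["RequestPayload"], STRUCTURE, [
            encode(TAG["UniqueIdentifier"], TEXT_STRING, unique_identifier),
        ]),
    ])
    return encode(TAG["RequestMessage"], STRUCTURE, [header, item])


def requested_identifier(message: bytes) -> str:
    """Parse a Get request and return the Unique Identifier it asks the server for."""
    root, end = decode(message)
    if root[0] != TAG["RequestMessage"] or end != len(message):
        raise ValueError("not a single, well-formed Request Message")
    hit = find(root, TAG["UniqueIdentifier"])
    if hit is None:
        raise ValueError("request carries no Unique Identifier")
    return hit[2]


if __name__ == "__main__":
    msg = build_get_request("key-00017")   # constructed identifier, not a real key
    print(msg.hex())
    print(requested_identifier(msg))
```

The point of the explicit bounds checks in `decode` is that a key server sits at the trust boundary between every encrypting application and the keys themselves, so a length field supplied by a client must never be allowed to drive a read beyond the received message.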
So does that mean we can start consolidating key management servers soon? Well, first the specification needs to become a standard, which according to the companies could take another twelve to eighteen months. And even then it's not clear that massive migrations of keys will be easily accomplished: remember that server-to-server operations are a future consideration. But still, this is another step in the right direction toward removing some of the hurdles that many organizations face when trying to roll out more and more encryption technologies.
