Key Management Interoperability Protocol
The Key Management Interoperability Protocol (KMIP) is a communication protocol between key management systems and encryption systems. The KMIP standard effort is governed by the Organization for the Advancement of Structured Information Standards (OASIS).
A KMIP server stores and controls Managed Objects such as Symmetric and Asymmetric keys, Certificates, and user defined objects. Clients then use the protocol to access these objects subject to a security model that is implemented by the servers. Objects have core Base Object properties such as key length and value, as well as extended Attributes that can include user defined attributes.
Each object is identified by an immutable, unique object identifier, as well as a mutable Name attribute. Key objects can be Created on the server (with the server generating the key value) or Registered with key values provided by the client. The Get operation will then retrieve them based on the unique identifier, and their attributes can be Modified. A Locate operation is also provided to find objects based on their attributes using a simple query language. There are also limited CA functions to sign certificates.
KMIP is a network protocol rather than an application programming interface like PKCS11. It has a binary format consisting of nested Tag, Type, Length and Value (TTLV) structures which is similar to but different from ASN.1 encoding. The TTLV is normally transmitted raw, but it may optionally be wrapped in HTTP. TLS is mandated for link level security in communication between clients and servers.
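As an added illustration of the TTLV encoding described above (example code written for this article, not taken from any KMIP implementation), the following Python encodes and decodes nested TTLV items and builds the Protocol Version structure that a request header carries; the type codes and tag numbers are those defined in the KMIP 1.x specification, and the decoder checks every declared length against the buffer instead of trusting it.

```python
import struct
# Type codes and tag numbers as defined in the KMIP 1.x specification
STRUCTURE, INTEGER, TEXT_STRING = 0x01, 0x02, 0x07
TAG_PROTOCOL_VERSION, TAG_VERSION_MAJOR, TAG_VERSION_MINOR = 0x420069, 0x42006A, 0x42006B

def _pad8(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 8)  # values are zero-padded to a multiple of 8

def encode(tag: int, typ: int, value) -> bytes:
    """Encode one item; a Structure's value is a list of (tag, type, value) tuples."""
    if typ == STRUCTURE:
        body = b"".join(encode(*item) for item in value)
    elif typ == INTEGER:
        body = struct.pack(">i", value)  # 4-byte signed big-endian, padded to 8 below
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported TTLV type 0x{typ:02x}")
    # 3-byte tag, 1-byte type, 4-byte length of the unpadded value, then the padded value
    return tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body)) + _pad8(body)

def decode(data: bytes) -> list:
    """Decode a sequence of TTLV items, checking every length against the buffer."""
    items, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(data[pos:pos + 3], "big")
        typ = data[pos + 3]
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        end = pos + 8 + length
        if end > len(data):
            raise ValueError("declared length exceeds buffer")  # never trust the length field
        body = data[pos + 8:end]
        if typ == STRUCTURE:
            value = decode(body)
        elif typ == INTEGER:
            value = struct.unpack(">i", body)[0]  # raises unless body is exactly 4 bytes
        elif typ == TEXT_STRING:
            value = body.decode("utf-8")
        else:
            raise ValueError(f"unsupported TTLV type 0x{typ:02x}")
        items.append((tag, typ, value))
        pos = end + (-length % 8)  # skip padding to the next 8-byte boundary
    return items

def protocol_version(major: int, minor: int) -> bytes:
    """Build the Protocol Version structure carried in a KMIP request header."""
    return encode(TAG_PROTOCOL_VERSION, STRUCTURE, [
        (TAG_VERSION_MAJOR, INTEGER, major), (TAG_VERSION_MINOR, INTEGER, minor)])
```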
An open source implementation of the KMIP protocol, KMIP Server, is available at https://kmip.codeplex.com/. The project is currently under development.
KMIP was initially submitted to OASIS for standardization on February 12, 2009. The specification was voted on by members of the KMIP technical committee. Version 1.0 was formally ratified on October 1, 2010.
By 2010 some vendors had released, or announced planned release dates for, updates to their key management products to support KMIP. Vendors demonstrated interoperability at the RSA Conferences held in March 2010, February 2011, 2012, and 2013. Use case examples for KMIP outline how messages are formatted and communicated between a KMIP client and a KMIP server in a variety of formats.
There were about sixty-four participants from about thirty organizations on the committee as of January 2012. Eleven companies demonstrated support for the standard at the 2012 RSA Conference. Version 1.1 was drafted in July 2011 and approved in January 2013. The first draft of Version 1.2 was posted in October 2013.