
Patent Issued for Extending Credential Type to Group Key Management Interoperability Protocol (KMIP) Clients

August 19, 2014

By a News Reporter-Staff News Editor at Information Technology Newsweekly -- A patent by the inventors Bruce Arland Rich (Cedar Park, TX), John Thomas Peck (Liberty Hill, TX) and Gordon Kent Arnold (Cary, NC), filed on August 19, 2011, was published online on August 5, 2014, according to news reporting originating from Alexandria, Virginia, by VerticalNews correspondents.

Patent number 8798273 is assigned to International Business Machines Corporation (Armonk, NY).

The following quote was obtained by the news editors from the background information supplied by the inventors: "This disclosure relates generally to cryptographic key lifecycle management.

"Business data is growing at exponential rates, and along with that growth is a demand for securing that data. Enterprises have responded by implementing encryption at various layers, such as in hardware, on the network, and in various applications. This response has resulted in a series of encryption silos, some of which hold confidential customer data, with fragmented approaches to security, keys and coverage. Further, different applications across the enterprise often employ different encryption methods. Thus, for example, some departments in the organization may use public-key cryptography while others use secret-key or hashes. Still others do not encrypt data while it is at rest (such as when it is stored on a device or in a database) but only when the data is in motion, using virtual private networks (VPNs) to secure the data pipeline. Key management for these encryption approaches is often similarly fragmented. Sometimes key management is carried out by department teams using manual processes or embedded encryption tools. Other times, the key management function is centrally managed and executed. In some cases, no formal key management process is in place. This fragmented approach to key management can leave the door open for loss or breach of sensitive data.

"Key Management Interoperability Protocol (KMIP) is a new standard for key management sponsored by the Organization for the Advancement of Structured Information Standards (OASIS). It is designed as a comprehensive protocol for communication between enterprise key management servers and cryptographic clients (e.g., from a simple automated device to a sophisticated data storage system). By consolidating key management in a single key management system that is KMIP-compliant, an enterprise can reduce its operational and infrastructure costs while ensuring appropriate operational controls and governance of security policy.

"There is a challenge, however, in implementing KMIP with existing key management server architecture that is based on a centralized model, namely, one wherein clients are largely pre-provisioned with all of the cryptographic materials that they might need. A centralized model of this type accommodates a device-oriented support paradigm wherein the devices are sophisticated (e.g., storage devices) and have administrators responsible for their administration and management. KMIP, on the other hand, treats cryptographic clients uniformly and, more importantly, as entities that are intelligent and themselves capable of specifying cryptographic information, such as correct key sizes, encryption algorithms, and the like. The KMIP view of cryptographic clients is inconsistent with typical storage device types that today interact with enterprise key management servers. Indeed, such storage devices typically are better served with pre-provisioning support. As a consequence, there is an incompatibility between, on the one hand, the ability of existing key management servers to set up cryptographic attributes ahead of time, and, on the other hand, KMIP's theoretical support of otherwise highly-capable cryptographic clients that need no such pre-provisioning.

"Although KMIP was designed to allow multiple client authentication and authorization schemes, the only mechanisms defined in the first version of the protocol are UID (user identifier) and password, and client-side certificates. A key management server, however, needs to know more about the identity of its clients to be able to group them into device types and device groups and thus match them with pre-provisioned materials that befit their needs.

"The subject matter of this disclosure addresses this need."

In addition to the background information obtained for this patent, VerticalNews journalists also obtained the inventors' summary information for this patent: "According to this disclosure, a key management protocol (such as KMIP) is extended to provide an extended credential type to pass information from clients to the server to enable the server to deduce pre-provisioned cryptographic materials for the individual clients. Preferably, KMIP client code communicates device information to a key management server in a value in the headers of KMIP requests that flow to the server. In this manner, KMIP requests are associated with pre-provisioned cryptographic materials for particular devices or device groups.

"According to an embodiment, when a particular client device makes a request to a key management server, a request header includes a credential value that is a concatenated string of data that includes a device identifier (e.g., a serial number), and a device group. The body of the request includes at least one operation that is intended to be carried out at the server under the authorization of the credential provided. Based on the credential value (and the information encoded therein), the key management server computes a relationship between the device serial number and a device group. The key management server may also store the device serial number and associate it with a device group. This enables the key management server to connect the request to appropriate pre-provisioned cryptographic materials for particular devices or device groups.

"According to another embodiment, a key management server-side method of processing device type information in a client-side certificate authentication process begins upon receiving a client request for key material. The key material typically identifies a device type. Preferably, a plurality of devices having a same device type typically share a pool of the key material. The client request includes a client-side certificate and a custom credential distinct from the certificate. The client-side certificate is used to authenticate the client, and the custom credential is used to identify the client and to determine whether key material for the client has been provisioned. If, and based on the determination, the client has been identified and the key material for the client has been provisioned, the key material is then served according to a key management protocol. If, however, the custom credential fails to identify the client, or if the key material has not been provisioned, a given action is taken. The given action may be refusing the client request, placing the client request in a queue for administrator review, or the like.

"The foregoing has outlined some of the more pertinent features of the invention. These features should be construed to be merely illustrative. Many other beneficial results can be attained by applying the disclosed invention in a different manner or by modifying the invention as will be described."
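The two embodiments quoted above describe one server-side flow: authenticate the client with its certificate, parse a custom credential carrying a device serial number and a device group, remember which group the serial belongs to, and then either serve the group's pre-provisioned key pool, refuse the request, or park it for administrator review. The Python sketch below is an added illustration of that flow written for this article; it is not code from the patent, from IBM's key management server, or from any KMIP implementation. The patent only says the credential is a concatenated string of a device identifier and a device group, so the `;`-separated layout, the regular expression, the class and function names, the stand-in for certificate authentication, and the sample key identifiers are all assumptions.

```python
"""Server-side handling of an extended device credential (added example).

Not the patent's or IBM's code. The credential layout "<serial>;<group>",
the names used here, and the sample data are assumptions made for the
illustration; KMIP itself is not implemented.
"""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    SERVED = "served"
    REFUSED = "refused"
    QUEUED = "queued_for_admin_review"


@dataclass
class KeyPool:
    """Pre-provisioned key material shared by every device in one group."""
    device_group: str
    key_ids: List[str]


@dataclass
class Request:
    # Stand-in for the client-side certificate: None means the TLS layer did
    # not authenticate a client certificate at all (assumption for the demo).
    client_cert_subject: Optional[str]
    credential: str   # header value, assumed layout "<serial>;<group>"
    operation: str    # body operation, e.g. "Get" (not interpreted here)


# Assumed layout: serial and group separated by ';', both limited to a safe
# character set so the header cannot smuggle delimiters or control characters.
CREDENTIAL_RE = re.compile(r"([A-Z0-9-]{1,32});([A-Za-z0-9_-]{1,32})")


@dataclass
class KeyServer:
    pools: Dict[str, KeyPool]
    serial_to_group: Dict[str, str] = field(default_factory=dict)
    review_queue: List[Tuple[str, str, str]] = field(default_factory=list)

    @staticmethod
    def parse_credential(value: str) -> Optional[Tuple[str, str]]:
        """Return (serial, group) or None if the credential is malformed."""
        m = CREDENTIAL_RE.fullmatch(value)
        return (m.group(1), m.group(2)) if m else None

    def handle(self, req: Request) -> Tuple[Outcome, Optional[List[str]]]:
        # 1. Authentication comes from the certificate, never from the header.
        if req.client_cert_subject is None:
            return Outcome.REFUSED, None
        # 2. The custom credential only identifies the device and its group.
        parsed = self.parse_credential(req.credential)
        if parsed is None:
            return Outcome.REFUSED, None
        serial, group = parsed
        # 3. Store the serial -> group relationship on first sight, and refuse a
        #    later request in which the same serial claims a different group:
        #    a client must not re-home itself into another pool via a header.
        known = self.serial_to_group.get(serial)
        if known is None:
            self.serial_to_group[serial] = group
        elif known != group:
            return Outcome.REFUSED, None
        # 4. Serve the group's pre-provisioned pool, or queue for an admin
        #    when nothing has been provisioned for that group yet.
        pool = self.pools.get(group)
        if pool is None or not pool.key_ids:
            self.review_queue.append((serial, group, req.operation))
            return Outcome.QUEUED, None
        return Outcome.SERVED, list(pool.key_ids)


def demo() -> KeyServer:
    """Constructed sample: one provisioned group, one unknown group."""
    server = KeyServer(pools={
        "tape-library": KeyPool("tape-library", ["KEY-TL-0001", "KEY-TL-0002"]),
    })
    print(server.handle(Request("CN=lib-42", "SN-42;tape-library", "Get")))
    print(server.handle(Request("CN=lib-42", "SN-42;disk-array", "Get")))
    print(server.handle(Request("CN=arr-7", "SN-7;disk-array", "Get")))
    print(server.handle(Request(None, "SN-42;tape-library", "Get")))
    return server


if __name__ == "__main__":
    demo()
```

The point worth keeping from the sketch is the split of roles: the certificate authenticates, the custom credential merely identifies, and the server pins each serial number to the first group it presents so that a device cannot move itself into another group's key pool by editing a request header. Whether an unprovisioned group is refused outright or queued for review is a policy choice; the patent allows either. KMIP 1.1 later defined a Device credential type with fields such as Device Serial Number and Device Identifier; the example above follows the patent's description rather than that wire encoding.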

For the URL and more information on this patent, see: Rich, Bruce Arland; Peck, John Thomas; Arnold, Gordon Kent. Extending Credential Type to Group Key Management Interoperability Protocol (KMIP) Clients. U.S. Patent Number 8798273, filed August 19, 2011, and published online on August 5, 2014. Patent URL:

Keywords for this news article include: Information Technology, Information and Cryptography, International Business Machines Corporation, Information and Data Encoding and Encryption.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


Source: Information Technology Newsweekly
