[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: More on Clarification of Cryptographic Parameters - Usage Guide
I'm not sure if this was discussed and/or resolved in the KMIP TC call today. Hopefully it was, and is consistent with below. The text below taken from the Usage Guide (see 3.21.1 in v1.0 and v1.1 Usage Guides, and 4.2.1 in v1.2 wd03 Usage Guide) is consistent with, and supports my proposal to enforce use of cryptographic parameters for operations performed by the KMIP server. The text in the Usage Guide documents relates to key wrapping (a cryptographic operation performed on the server). Although non-normative, the text is evidence that my proposal correctly describes the behaviour that I believe should be defined in the specification for the newly introduced cryptographic operations. "The Cryptographic Parameters attribute should be specified by the client if multiple instances of the Cryptographic Parameters exist, and the lowest index does not correspond to the NIST key wrap mode of operation. The server should verify that the AES wrapping key has NISTKeyWrap set as an allowable Block Cipher Mode, and that the "Wrap Key" bit is set in the Cryptographic Usage Mask." "If the correct data was provided to the server, and no conflicts exist, the server AES key wraps the Key Value (both the Key Material and the Cryptographic Usage Mask attribute) for the requested key with the wrapping key specified in the Encryption Key Information. The wrapped key (byte string) is returned in the server's response inside the Key Value of the Key Block." The key phrases are: "the server should verify that the ... key has NISTKeyWrap set as an allowable Block Cipher Mode", and, "if correct data was provided to the server, and no conflicts exist, the server ... wraps the Key Value". My proposal states, "If there are Cryptographic Parameters associated with the Managed Cryptographic Object, and the request contains conflicting Cryptographic Parameters information, then the operation SHALL return with a Result Status of Operation Failed." The Usage Guides and my proposal are saying exactly the same thing (phrased differently). Given that we've had this interpretation of behaviour in the use of Cryptographic Parameters for the key wrapping cryptographic operation since v1.0, it is clearly incorrect to say that my proposal, "conflicts with the stated way things are handled within KMIP for Cryptographic Parameters and attempts to enforce a behaviour which conflicts with the specification text and the usage guide for all existing versions of KMIP." In fact, it is clear from the above, that the behaviour proposed by Tim for handling of Cryptographic Parameters with the new cryptographic operations conflicts with the stated way things are handled within KMIP for Cryptographic Parameters and attempts to enforce a behaviour which conflicts with the specification text and the usage guide for all existing versions of KMIP. John ---------------------------------------------------------------------- John Leiseboer QuintessenceLabs Pty Ltd Chief technology Officer Suite 23, Physics Building #38 Phone: +61 7 5494 9291 (Qld) Science Road Phone: +61 2 6125 9498 (ACT) Australian National University Mobile: +61 409 487 510 Acton ACT 0200 Fax: +61 2 6125 7180 AUSTRALIA Email: JL@quintessencelabs.com www.quintessencelabs.com ----------------------------------------------------------------------
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]