-
Notifications
You must be signed in to change notification settings - Fork 139
- What algorithms are available for creating symmetric encryption keys? For asymmetric encryption keys (i.e., key pairs)?
- How does the PyKMIP server handle client identity and authentication?
- How does the PyKMIP server manage access control for the keys and objects it stores?
- What built-in operation policies does the PyKMIP server support?
What algorithms are available for creating symmetric encryption keys? For asymmetric encryption keys (i.e., key pairs)?
The KMIP specification supports a wide variety of symmetric and asymmetric key algorithms. Support for these algorithms, including corresponding key lengths, will vary across different KMIP-compliant devices, so check with your KMIP vendor or with your appliance documentation to determine which ones are available.
- DES
- TRIPLE_DES (*)
- AES (*)
- BLOWFISH (*)
- CAMELLIA (*)
- CAST5 (*)
- IDEA (*)
- MARS
- RC2
- RC4 (*)
- RC5
- SKIPJACK
- TWOFISH
(*) - supported by the PyKMIP server
Client authentication for the PyKMIP server is currently enforced by the validation of the client certificate used to establish the client/server TLS connection. If the client connects to the server with a certificate that has been signed by a certificate authority recognized by the server, the connection is allowed. If the server cannot validate the client's certificate, the connection is blocked and the client cannot access any objects stored on the server.
If client authentication succeeds, the identity of the client is obtained from the client's certificate. The client's certificate must have the extended key usage extension (see RFC 5280) marked for client authentication. This indicates that the certificate can be used to derive client identity. If the extension is present and marked correctly, the server will extract the common name from the certificate's subject distinguished name and use the common name as the identity of the client. If the extension is not present or is marked incorrectly, the server will not be able to derive the client's identity and will close the connection.
Once the client's identity is obtained, the client's request is processed as normal. The owner of any objects created by the client will be set to the client's identity (i.e., the common name). This common name is used in conjunction with KMIP operation policies to enforce object access control (see the next question for more information).
Access control for server objects is managed through KMIP operation policies. An operation policy is a set of permissions, indexed by object type and operation. For any KMIP object type and operation pair, the policy defines who is allowed to conduct the operation on the object type.
There are three basic permissions currently supported by KMIP: Allow All, Allow Owner, and Disallow All. An object type/operation pair mapped to the Allow All permission indicates that any client authenticated with the server can conduct the corresponding operation on any object of the corresponding type. The Allow Owner permission restricts the operation to any client authenticated and identified as the owner of the object. The Disallow All permission blocks any client from conducting the operation on the object and is usually reserved for static public objects or tasks that only the server itself is allowed to perform.
For example, let's examine a simple use case where a client wants to retrieve a symmetric key from the server. The client submits a Get request to the server, including the UUID of the symmetric key it wants to retrieve. The server will derive the client's identity and then lookup the object with the corresponding UUID. If the object is located, the server will check the object's operation policy attribute for the name of the operation policy associated with the object. The server will then use the operation policy, the client's identity, the object's type, the object's owner, and the operation to determine if the client can retrieve the symmetric key. If the operation policy has symmetric keys and the Get operation mapped to Allow All, the operation is allowed for the client regardless of the client's identity and the symmetric key is returned to the client. If the permission is set to Allow Owner, the server will return the symmetric key only if the client's identity matches the object's owner. If the permission is set to Disallow All, the server will refuse to return the symmetric key, regardless of the client's identity.
While an operation policy can cover every possible combination of object type and operation, it does not have to. If a policy does not cover a specific object type or operation, the server defaults to the safest option and acts as if the permission was set to Disallow All.
Each KMIP object is assigned an operation policy and owner upon creation. If no operation policy is included in the creation request, the server automatically assigns it the default
operation policy. The default
operation policy is defined in the KMIP specification and is built-in to the PyKMIP server; it cannot be redefined or overridden by the user or server administrator (see the next question for details on built-in operation policies).
In addition to the built-in operation policies, the PyKMIP server does allow users to define their own operation policies. An example policy file, policy.json
, is included in the examples
directory of the PyKMIP repository. Let's take a look at the first few lines from the policy:
{
"example": {
"CERTIFICATE": {
"LOCATE": "ALLOW_ALL",
"CHECK": "ALLOW_ALL",
...
The first piece of information in the policy file is the name of the policy, in this case example
. The name maps to a set of object types, which in turn are mapped to a set of operations with associated permissions. In the snippet above, the first object type supported is CERTIFICATE
followed by two supported operations, LOCATE
and CHECK
. Both operations are mapped to the ALLOW_ALL
permission. Putting this all together, for the "example" policy certificate objects used with the Locate or Check operations are allowed for all clients, regardless of who owns the certificate being accessed. If you examine the full example file, you will see more operations listed, along with additional object types.
In general, a policy file is a basic JSON file that links a name for the policy to a table of object type/operation pairs that each map to one of the permissions defined above. Users can copy this policy file and edit it to create their own policies. Once the policy is ready, the server administrator can place it in the server's policy directory and restart the server to load in the new policy. The server administrator can configure which directory should act as the server's policy directory by setting the policy_path
configuration option in the server's server.conf
file. Note that it is up to the server administrator to ensure that user-defined policies do not overwrite each other by using identical policy names.
The PyKMIP server defines two built-in operation policies: default
and public
. Both of these policies are defined in the KMIP specification and each is a reserved policy; neither can be renamed or overridden by user-defined policies. The default
policy is used for newly created objects that are not assigned a policy by their creators, though it can be used by creators intentionally. The public
policy is intended for use with Template objects that are public to the entire user-base of the server.
The following tables define the permissions for each of the built-in policies.
Object Type | Operation | Permission |
---|---|---|
Certificate | Locate | Allow All |
Certificate | Check | Allow All |
Certificate | Get | Allow All |
Certificate | Get Attributes | Allow All |
Certificate | Get Attribute List | Allow All |
Certificate | Add Attribute | Allow Owner |
Certificate | Modify Attribute | Allow Owner |
Certificate | Delete Attribute | Allow Owner |
Certificate | Obtain Lease | Allow All |
Certificate | Activate | Allow Owner |
Certificate | Revoke | Allow Owner |
Certificate | Destroy | Allow Owner |
Certificate | Archive | Allow Owner |
Certificate | Recover | Allow Owner |
Symmetric Key | Rekey | Allow Owner |
Symmetric Key | Rekey Key Pair | Allow Owner |
Symmetric Key | Derive Key | Allow Owner |
Symmetric Key | Locate | Allow Owner |
Symmetric Key | Check | Allow Owner |
Symmetric Key | Get | Allow Owner |
Symmetric Key | Get Attributes | Allow Owner |
Symmetric Key | Get Attribute List | Allow Owner |
Symmetric Key | Add Attribute | Allow Owner |
Symmetric Key | Modify Attribute | Allow Owner |
Symmetric Key | Delete Attribute | Allow Owner |
Symmetric Key | Obtain Lease | Allow Owner |
Symmetric Key | Get Usage Allocation | Allow Owner |
Symmetric Key | Activate | Allow Owner |
Symmetric Key | Revoke | Allow Owner |
Symmetric Key | Destroy | Allow Owner |
Symmetric Key | Archive | Allow Owner |
Symmetric Key | Recover | Allow Owner |
Public Key | Locate | Allow All |
Public Key | Check | Allow All |
Public Key | Get | Allow All |
Public Key | Get Attributes | Allow All |
Public Key | Get Attribute List | Allow All |
Public Key | Add Attribute | Allow Owner |
Public Key | Modify Attribute | Allow Owner |
Public Key | Delete Attribute | Allow Owner |
Public Key | Obtain Lease | Allow All |
Public Key | Activate | Allow Owner |
Public Key | Revoke | Allow Owner |
Public Key | Destroy | Allow Owner |
Public Key | Archive | Allow Owner |
Public Key | Recover | Allow Owner |
Private Key | Rekey | Allow Owner |
Private Key | Rekey Key Pair | Allow Owner |
Private Key | Derive Key | Allow Owner |
Private Key | Locate | Allow Owner |
Private Key | Check | Allow Owner |
Private Key | Get | Allow Owner |
Private Key | Get Attributes | Allow Owner |
Private Key | Get Attribute List | Allow Owner |
Private Key | Add Attribute | Allow Owner |
Private Key | Modify Attribute | Allow Owner |
Private Key | Delete Attribute | Allow Owner |
Private Key | Obtain Lease | Allow Owner |
Private Key | Get Usage Allocation | Allow Owner |
Private Key | Activate | Allow Owner |
Private Key | Revoke | Allow Owner |
Private Key | Destroy | Allow Owner |
Private Key | Archive | Allow Owner |
Private Key | Recover | Allow Owner |
Split Key | Rekey | Allow Owner |
Split Key | Rekey Key Pair | Allow Owner |
Split Key | Derive Key | Allow Owner |
Split Key | Locate | Allow Owner |
Split Key | Check | Allow Owner |
Split Key | Get | Allow Owner |
Split Key | Get Attributes | Allow Owner |
Split Key | Get Attribute List | Allow Owner |
Split Key | Add Attribute | Allow Owner |
Split Key | Modify Attribute | Allow Owner |
Split Key | Delete Attribute | Allow Owner |
Split Key | Obtain Lease | Allow Owner |
Split Key | Get Usage Allocation | Allow Owner |
Split Key | Activate | Allow Owner |
Split Key | Revoke | Allow Owner |
Split Key | Destroy | Allow Owner |
Split Key | Archive | Allow Owner |
Split Key | Recover | Allow Owner |
Template | Locate | Allow Owner |
Template | Get | Allow Owner |
Template | Get Attributes | Allow Owner |
Template | Get Attribute List | Allow Owner |
Template | Add Attribute | Allow Owner |
Template | Modify Attribute | Allow Owner |
Template | Delete Attribute | Allow Owner |
Template | Destroy | Allow Owner |
Secret Data | Rekey | Allow Owner |
Secret Data | Rekey Key Pair | Allow Owner |
Secret Data | Derive Key | Allow Owner |
Secret Data | Locate | Allow Owner |
Secret Data | Check | Allow Owner |
Secret Data | Get | Allow Owner |
Secret Data | Get Attributes | Allow Owner |
Secret Data | Get Attribute List | Allow Owner |
Secret Data | Add Attribute | Allow Owner |
Secret Data | Modify | Allow Owner |
Secret Data | Delete Attribute | Allow Owner |
Secret Data | Obtain Lease | Allow Owner |
Secret Data | Get Usage Allocation | Allow Owner |
Secret Data | Activate | Allow Owner |
Secret Data | Revoke | Allow Owner |
Secret Data | Destroy | Allow Owner |
Secret Data | Archive | Allow Owner |
Secret Data | Recover | Allow Owner |
Opaque Data | Rekey | Allow Owner |
Opaque Data | Rekey Key Pair | Allow Owner |
Opaque Data | Derive Key | Allow Owner |
Opaque Data | Locate | Allow Owner |
Opaque Data | Check | Allow Owner |
Opaque Data | Get | Allow Owner |
Opaque Data | Get Attributes | Allow Owner |
Opaque Data | Get Attribute List | Allow Owner |
Opaque Data | Add Attribute | Allow Owner |
Opaque Data | Modify Attribute | Allow Owner |
Opaque Data | Delete Attribute | Allow Owner |
Opaque Data | Obtain Lease | Allow Owner |
Opaque Data | Get Usage Allocation | Allow Owner |
Opaque Data | Activate | Allow Owner |
Opaque Data | Revoke | Allow Owner |
Opaque Data | Destroy | Allow Owner |
Opaque Data | Archive | Allow Owner |
Opaque Data | Recover | Allow Owner |
PGP Key | Rekey | Allow Owner |
PGP Key | Rekey Key Pair | Allow Owner |
PGP Key | Derive Key | Allow Owner |
PGP Key | Locate | Allow Owner |
PGP Key | Check | Allow Owner |
PGP Key | Get | Allow Owner |
PGP Key | Get Attributes | Allow Owner |
PGP Key | Get Attribute List | Allow Owner |
PGP Key | Add Attribute | Allow Owner |
PGP Key | Modify Attribute | Allow Owner |
PGP Key | Delete Attribute | Allow Owner |
PGP Key | Obtain Lease | Allow Owner |
PGP Key | Get Usage Allocation | Allow Owner |
PGP Key | Activate | Allow Owner |
PGP Key | Revoke | Allow Owner |
PGP Key | Destroy | Allow Owner |
PGP Key | Archive | Allow Owner |
PGP Key | Recover | Allow Owner |
Object Type | Operation | Permission |
---|---|---|
Template | Locate | Allow All |
Template | Get | Allow All |
Template | Get Attributes | Allow All |
Template | Get Attribute List | Allow All |
Template | Add Attribute | Disallow All |
Template | Modify Attribute | Disallow All |
Template | Delete Attribute | Disallow All |
Template | Destroy | Disallow All |