XML Key Management Specification (XKMS)
XML (Extensible Markup Language), the flexible data framework that allows applications to communicate on the internet, has become the preferred infrastructure for e-commerce applications. XML-based standards and specifications have been in development for use in the field of key management systems.
One such specification is the XML Key Management Specification (XKMS) 2.0. This specification defines protocols for distributing and registering public keys, suitable for use in conjunction with XML Digital Signatures and XML Encryption. XKMS 2.0, while very focused on key management, works in conjunction with other specifications that define protocols and services necessary to establish and maintain the trust needed for secure web transactions.
These basic mechanisms can be combined in various ways to build a wide variety of security models using a variety of cryptographic technologies. A design goal of XKMS is simplicity, on the assumption that a simpler protocol helps developers avoid mistakes and so increases the security of the applications built on it. The XKMS protocol consists of pairs of requests and responses. XKMS protocol messages share a common format and may be carried within a variety of transport protocols.
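As an added example (not code from the original text or from any XKMS implementation), the following Python builds an XKMS 2.0 ValidateRequest for a named key and then applies the checks a relying party should make on the ValidateResult before trusting the answer: the result must answer this request (RequestId), report Success in ResultMajor, and carry at least one KeyBinding whose Status is Valid. The element and attribute names follow the XKMS 2.0 specification as I recall them (ValidateRequest, RespondWith, QueryKeyBinding, KeyUsage, ValidateResult, KeyBinding, Status/StatusValue, ResultMajor/ResultMinor, RequestId); the service URL, key name and sample responses are constructed for the demonstration.

```python
"""Build an XKMS 2.0 ValidateRequest and evaluate the ValidateResult a client gets back.

Added example, not from the original text or any XKMS product. Element and attribute
names follow the XKMS 2.0 specification as recalled; check them against the spec before
use. The service URL, key name and the sample responses below are constructed.
"""
import uuid
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)


def x(tag):
    """Clark-notation name for an element in the XKMS namespace."""
    return f"{{{XKMS}}}{tag}"


def build_validate_request(service_url, key_name, request_id=None):
    """Ask the XKMS service whether the key bound to key_name is valid for signing.

    Returns (request_id, xml_text). The caller keeps request_id to match the reply.
    """
    request_id = request_id or "I" + uuid.uuid4().hex
    req = ET.Element(x("ValidateRequest"), {"Id": request_id, "Service": service_url})
    ET.SubElement(req, x("RespondWith")).text = XKMS + "KeyName"
    qkb = ET.SubElement(req, x("QueryKeyBinding"))
    ki = ET.SubElement(qkb, f"{{{DS}}}KeyInfo")
    ET.SubElement(ki, f"{{{DS}}}KeyName").text = key_name
    ET.SubElement(qkb, x("KeyUsage")).text = XKMS + "Signature"
    return request_id, ET.tostring(req, encoding="unicode")


def check_validate_result(xml_text, expected_request_id):
    """Return (accepted, detail).

    Accept only a Success result that answers our own request and carries at least
    one KeyBinding whose StatusValue is Valid. Anything else is treated as 'do not
    trust this key'. In production the result's ds:Signature must also be verified,
    and untrusted XML should be parsed with defusedxml; both are out of scope here.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return False, f"malformed XML: {err}"
    if root.tag != x("ValidateResult"):
        return False, f"unexpected root element {root.tag}"
    if root.get("RequestId") != expected_request_id:
        return False, "RequestId does not match our request (possible replay or mix-up)"
    if root.get("ResultMajor") != XKMS + "Success":
        return False, f"service reported {root.get('ResultMajor')} / {root.get('ResultMinor')}"
    valid_names = []
    for kb in root.findall(x("KeyBinding")):
        status = kb.find(x("Status"))
        if status is None or status.get("StatusValue") != XKMS + "Valid":
            continue  # Invalid or Indeterminate bindings are never trusted
        name = kb.find(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
        valid_names.append(name.text if name is not None else kb.get("Id"))
    if not valid_names:
        return False, "no KeyBinding with StatusValue Valid; do not trust the key"
    return True, "valid bindings: " + ", ".join(valid_names)


# Constructed sample responses (not captured from a real service).
REQ_ID = "I0123constructed"
SERVICE = "https://xkms.example/service"
VALID_RESULT = f"""<ValidateResult xmlns="{XKMS}" xmlns:ds="{DS}" Id="I9999" Service="{SERVICE}"
  RequestId="{REQ_ID}" ResultMajor="{XKMS}Success">
  <KeyBinding Id="KB1">
    <ds:KeyInfo><ds:KeyName>alice@example.com</ds:KeyName></ds:KeyInfo>
    <Status StatusValue="{XKMS}Valid"><ValidReason>{XKMS}Signature</ValidReason></Status>
  </KeyBinding>
</ValidateResult>"""
INVALID_RESULT = VALID_RESULT.replace(
    f'StatusValue="{XKMS}Valid"><ValidReason>{XKMS}Signature</ValidReason>',
    f'StatusValue="{XKMS}Invalid"><InvalidReason>{XKMS}RevocationStatus</InvalidReason>',
)
SENDER_FAILURE = f"""<ValidateResult xmlns="{XKMS}" Id="I9998" Service="{SERVICE}"
  RequestId="{REQ_ID}" ResultMajor="{XKMS}Sender" ResultMinor="{XKMS}NoMatch"/>"""

if __name__ == "__main__":
    rid, req_xml = build_validate_request(SERVICE, "alice@example.com", REQ_ID)
    print(req_xml)
    for label, doc in [("valid", VALID_RESULT), ("revoked", INVALID_RESULT),
                       ("no match", SENDER_FAILURE), ("replayed", VALID_RESULT)]:
        print(label, check_validate_result(doc, rid if label != "replayed" else "Iother"))
```

The point of the checker is that a "successful" XKMS exchange is not the same as a usable key: ResultMajor only says the service processed the request, and the trust decision lives in the per-binding StatusValue. The RequestId comparison ties the reply to the outstanding request so a stale or misrouted result cannot be taken as an answer.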
Key Management Interoperability Protocol (KMIP)
KMIP is an open-source communication protocol from OASIS (Organization for the Advancement of Structured Information Standards) that defines message formats for the manipulation of cryptographic keys on a key management server.
Keys may be created on a server and then retrieved, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also defines messages that can be used to perform cryptographic operations, such as encryption and decryption, on the server.
A KMIP server stores and controls managed objects such as symmetric and asymmetric keys, certificates, and user-defined objects. Clients then use the protocol to access these objects, subject to a security model implemented by the server. Operations are provided to create, locate, retrieve, and update managed objects.
Trusted Platform Module (TPM)
Cloud-based software applications can use a Trusted Platform Module (TPM) to authenticate hardware devices. Since each TPM chip has a unique and secret RSA key burned in during manufacturing, it can perform platform (computer system, phone, tablet) authentication. A TPM is a chip placed on the main board of a device such as a laptop. It may also be used to create and store keys and to perform tasks as a cryptoprocessor.
Hardware Security Module (HSM)
A hardware security module (HSM) is a physical computing device that provides cryptographic processing and that safeguards and manages digital keys for strong authentication. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. They may be provided to the client by the cloud service provider. They are designed to be tamperproof.
HSMs may be issued by the cloud service provider to enable client keys to be used with cloud applications and data. The cloud service provider does not have access to the keys contained in the HSM.
HSMs may be located on the client side, in the client's data center, or cloud-based at the cloud service provider's location. In some cases, an HSM can be located at a secure third-party managed provider's site.
Key Escrow
Key escrow is the process of ensuring that a third party maintains a copy of a private key, or any other key needed to decrypt information. Key escrow should be considered mandatory for most organizations' use of cryptography: the encrypted information belongs to the organization and not the individual, yet it is often an individual's key that encrypts it.
There must be explicit trust between the key escrow provider and the parties involved, as the escrow provider now holds a copy of the private key and could use it to reveal information. The conditions of key release must be explicitly defined and agreed upon by all parties, usually enforced through segregation of duties.
Both software and hardware solutions may perform key escrow.
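One software way to enforce segregation of duties on key release is to split the escrowed key among several custodians so that no single person, including the escrow operator, can recover it alone. The following Python is an added example, not code from the original text or from any escrow product: it implements Shamir secret sharing over the prime field GF(p) with p = 2^521 - 1, which is large enough to hold a 256-bit key as a single field element. The custodian count, threshold and sample key are constructed values.

```python
"""Escrow a symmetric key as k-of-n Shamir shares so release needs k custodians.

Added example, not from the original text. Arithmetic is over GF(P) with P = 2^521 - 1
(a Mersenne prime), so any key of up to 65 bytes fits in one field element.
The sample key and the 3-of-5 policy below are constructed for the demonstration.
"""
import secrets

P = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Return n shares (x, y). Any k of them reconstruct secret; fewer reveal nothing,
    because a degree k-1 polynomial is not determined by k-1 points."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret does not fit in the field")
    # Constant term is the secret; remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares, k):
    """Lagrange interpolation at x = 0 using exactly k distinct shares.

    The threshold is enforced here, so a release with fewer custodians fails loudly
    instead of silently producing a wrong key.
    """
    if len(shares) < k:
        raise ValueError(f"release requires {k} custodians, got {len(shares)}")
    shares = shares[:k]
    if len({x for x, _ in shares}) != k:
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P          # prod (0 - xj)
                den = den * (xi - xj) % P      # prod (xi - xj)
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return total


def escrow_key(key, k, n):
    """Turn a raw key (bytes) into n custodian shares under a k-of-n release policy."""
    return split_secret(int.from_bytes(key, "big"), k, n)


def release_key(shares, k, key_len):
    """Recover the raw key from k or more custodian shares."""
    return reconstruct(shares, k).to_bytes(key_len, "big")


def can_release(shares, k):
    """True if the presented shares satisfy the release policy, without recovering the key."""
    return len(shares) >= k and len({x for x, _ in shares}) >= k


if __name__ == "__main__":
    key = bytes(range(32))  # constructed 256-bit key
    shares = escrow_key(key, 3, 5)  # five custodians, any three may release
    print("two custodians can release:", can_release(shares[:2], 3))
    print("three custodians recover key:", release_key(shares[2:], 3, 32) == key)
```

In practice each custodian's share would itself be stored under that custodian's own protection (for example in an HSM slot or a hardware token), and the release ceremony is the point at which the agreed conditions are checked and the shares combined. The `k` passed to `reconstruct` is policy, not data, so it should come from the escrow agreement rather than from whoever presents the shares.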