Feeds

Sun wades into key management kerfuffle

Encryption standards soup thickens

Using blade systems to cut costs and sharpen efficiencies

Sun has thrown its open source key management ideas into the key management standards giant brandy glass, offering license-free management that it hopes will become an industry standard.

The generic idea everyone is agreed upon is that encrypting devices using keys should be able to interoperate with any key management system using a standard protocol. Suppliers can then compete with their own encrypting devices and key management products, either proprietary or, as in Sun's case, open source.

There appear to be two main efforts devoted to producing standard protocol to link encrypting devices and key managers: The IEEE 1619.3 committee, said to be focussed on storage-related encryption, and the OASIS Enterprise Key Management Infrastructure (EKMI) technical committee.

There is a third initiative from the Trusted Computing Group devoted to self-encrypting devices and their key management. The TCG says its work is unique and complementary to the OASIS and IEEE efforts.

On February 12 several vendors said they were forming an OASIS Key Management Interface Protocol (KMIP) technical committee, saying that their supported KMIP is ready for adoption and supports a broader set of use cases than both the EMKI set and IEEE 1619.3.

Now Sun has released its own open source KMIP, downloadable from here, and packaged as part of its Open Storage initiative. It says its protocol "is available to customers using the Sun StorageTek KMS 2.0 Key Manager and StorageTek T9840D, T10000A, T10000B tape drives, as well as Sun's HP LTO4 drives shipped in Sun libraries.

"A number of additional partners are developing products based on this protocol, including EMC, whose RSA security division has talked about releasing it as an option on their RKM Key Manager."

IBM's tape drive division is working on supporting this protocol for its LTO4 drive shipped in Sun Libraries. Sun has also shared this protocol with numerous other industry partners including computer OEMs, back up application providers, disk array and switch manufacturers. That doesn't mean anything more than that they've agreed to look at it, though.

This is where the OASIS/Sun intersection gets fun. The OASIS KMIP group constitute EMC, IBM, HP and Thales with Brocade, LSI, NetApp and Seagate joining in too. No Sun though. Sun says it will work with the IEEE 1619.3 group and OASIS "to further develop and formalize the interface as an industry standard".

Sun's statement doesn't say it will actually support the OASIS KMIP effort so we might assume that, nothwithstanding EMC and IBM support of Sun to the extent described above, any OASIS KMIP-compliant key managers and encrypting devices will not necessarily work with Sun KMIP-compliant encrypting devices and key managers. It's enough to make you weep AES-256-encrypted tears. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.