CUSTOMERS - Cryptsoft


Cryptsoft products are used in a wide range of solutions.

Storage / Infrastructure & Security / Cloud

• Disk Arrays, Flash Storage Arrays
• NAS Appliances
• Tape Libraries, Virtual Tape Libraries
• Hyper-Converged Storage
• Encrypting Switches
• Storage Key Managers
• Storage Controllers
• Storage Operating Systems
• Key Managers
• Hardware Security Modules
• Encryption Gateways
• Virtualization Managers
• Virtual Storage Controllers
• Network Computing Appliances
• Secure Application Development
• Defense and IC Applications
• Key Managers
• Compliance Platforms
• Information Managers
• Enterprise Gateways and Security
• Enterprise Authentication
• Endpoint Security
• Financial Services Applications
• Banking Applications

THE TRUSTED SECURITY PROVIDER TO YOUR TRUSTED SECURITY PROVIDER

Cryptsoft is a privately held Australian company that operates worldwide in the enterprise key management security market. Cryptsoft’s Key Management Interoperability Protocol (KMIP) and Public Key Cryptography Standard 11 (PKCS#11) software development kits (SDKs) are the market’s preferred OEM solutions.

Cryptsoft’s solutions have been selected by prominent global companies for interoperable enterprise key management and encryption technology in their storage, infrastructure & security and cloud products.

Cryptsoft is committed to the development of standards based security software and is an OASIS Foundational Sponsor and FIDO Member.

STANDARDS AND ASSOCIATIONS

KMIP STANDARD

PKCS#11 STANDARD

Cryptsoft is an OASIS Foundational Sponsor and an active member and contributor to the KMIP and PKCS#11 technical committees.

The Cryptsoft Quality Management System is certified to ISO 9001:2015.


CUSTOMERS

Cryptsoft’s valued customers include:

PARTNERS

Cryptsoft’s valued partners include:


KEY MANAGEMENT SDKs

Complete Vendor-Independent Key Management Solutions

Cryptsoft’s Key Management SDKs enable rapid addition of interoperable key management functionality to your existing products.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.

Cryptsoft’s PKCS#11 Consumer and Provider SDKs provide access to a wide range of hardware security devices allowing application portability, migration and management control in complex secure environments.

As the security market’s preferred key management vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential.

Using the Cryptsoft SDKs in C, C++, C#, Java and Python, you can support key management protocols with a single, consistent interface and provide your customers with a complete vendor independent key management solution to manage all of the points of encryption within your enterprise.

Where Key Management is required

Key management is necessary for every point of encryption in the business environment. At every point where data is encrypted whether it be in use, in transit or at rest there will be a key to encrypt and decrypt that data. If data has been encrypted to protect it then managing the encryption key is as important as the data itself.

Cryptsoft KMIP Server and Client SDKs provide a ready made set of tested toolkits able to provide standards compliant key management for your solution at any point where encryption is required.

[Figure labels: NAS, Storage Array, Tape Library, Appliance, File Server, PC, Server, Mobile, Network. LEGEND: Application Level, Filesystem Level, Network Level, Device Level]

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• KMIP SDKs interoperable with all released KMIP server/client products
• PKCS#11 SDKs compliant with OASIS PKCS#11 versions: 2.40, 3.0*
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX support available


KEY MANAGEMENT SDKs

Complete Vendor-Independent Key Management Solutions

KMIP Client SDK Products

• KMIP C Client SDK
• KMIP C Client SGX Module SDK
• KMIP C++ Client SDK
• KMIP C++ Client SGX Module SDK
• KMIP C# Client SDK
• KMIP C# Client SGX Module SDK
• KMIP Java Client SDK
• KMIP Java Client SGX Module SDK
• KMIP Python Client SDK
• KMIP Python Client SGX Module SDK
• KMIP C Client PKCS#11 Adapter
• KMIP RKM/DPM C Client SDK
• KMIP C Client Layered Protocol SDK
• KMIP Interoperability Test Suite (C/Java)
• KMIP Client Online Test Service

KMIP Server SDK Products

• KMIP C Server SDK
• KMIP C Server SGX Module SDK
• KMIP Java Server SDK
• KMIP Java Server SGX Module SDK
• KMIP Alert Server SDK
• KMIP Alert Server SGX Module SDK
• KMIP Authentication Server SDK
• KMIP Authentication Server SGX Module SDK
• KMIP Server Administration Interface (C/Java)
• KMIP Server VM Annual Subscription (C/Java)
• KMIP C Proxy Servers for Proprietary Protocols
• KMIP C Server (PKCS#11/HSM/RNG) Module
• KMIP C Server (PKCS#11/HSM/RNG) SGX Module
• KMIP C Server (Audit/Analytics) Module
• KMIP C Server OTP Module
• KMIP Server Online Test Service

PKCS#11 Consumer SDK Products

• PKCS#11 C Consumer SDK
• PKCS#11 C Consumer SGX Module SDK
• PKCS#11 C++ Consumer SDK
• PKCS#11 C++ Consumer SGX Module SDK
• PKCS#11 C# Consumer SDK
• PKCS#11 C# Consumer SGX Module SDK
• PKCS#11 Java Consumer SDK
• PKCS#11 Java Consumer SGX Module SDK
• PKCS#11 Python Consumer SDK
• PKCS#11 Python Consumer SGX Module SDK
• PKCS#11 Consumer Online Test Service

PKCS#11 Provider SDK Products

• PKCS#11 C Provider SDK
• PKCS#11 C Provider SGX Module SDK
• PKCS#11 C++ Provider SDK
• PKCS#11 C++ Provider SGX Module SDK
• PKCS#11 C# Provider SDK
• PKCS#11 C# Provider SGX Module SDK
• PKCS#11 Java Provider SDK
• PKCS#11 Java Provider SGX Module SDK
• PKCS#11 Python Provider SDK
• PKCS#11 Python Provider SGX Module SDK
• PKCS#11 Provider Online Test Service

Supported Hardware Devices/Solutions

Supported Hardware Security Modules and Random Number Generators

• AWS - CloudHSM V1/V2 (RNG/HSM) [PKCS#11]
• Cavium - LiquidSecurity (RNG/HSM) [PKCS#11]
• Cryptsoft® - CloudHSM™ (RNG/HSM) [PKCS#11]
• Engage Black - BlackVault (HSM) [PKCS#11]
• ID Quantique - Quantis USB (RNG) [Vendor]
• ID Quantique - Quantis PCI (RNG) [Vendor]
• ID Quantique - Quantis PCIe (RNG) [Vendor]
• nCipher - nShield Connect (RNG/HSM) [PKCS#11]
• nCipher - nShield Edge (RNG/HSM) [PKCS#11]
• nCipher - nShield Solo (RNG/HSM) [PKCS#11]
• SafeNet - Luna SA4/SA5 (RNG/HSM) [PKCS#11]
• SafeNet - Luna PCI (RNG/HSM) [PKCS#11]
• SafeNet - Protect Server (RNG/HSM) [PKCS#11]
• Utimaco - CryptoServer CSe10/100 (RNG/HSM) [PKCS#11]

Supported One Time Password Devices

• Android Soft Token [OATH-TOTP]
• Cryptsoft® [OATH-TOTP/U2F]
• Feitian [OATH-HOTP/TOTP]
• Google Authenticator Soft Token [OATH-TOTP]
• FIDO Devices [U2F]
• RSA Security SecurID [SecurID]
• Yubico [OATH-HOTP/TOTP/YubiKey]


KMIP CLIENT SDK

C, C++, C#, JAVA, PYTHON

A complete range of vendor-independent key management solutions.

Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing applications. This allows applications to use encryption functionality available from a wide range of key managers making it easier to deploy and preventing vendor lock-in to proprietary solutions.

Cryptsoft’s C, C++ and Java SDKs are all pure native code not wrapped versions, ensuring the most portable code for your application.

Reduce time to market, KMIP-enable your client solutions within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.

From specialised embedded systems through to scalable, whole of enterprise and government solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP server products
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX support available

[Diagram labels: KMIP Client SDK (C, C++, C#, Java, Python); KMIP Server SDK (C, Java); HSM; KMS-SGX; KMIP (Key Management Interoperability Protocol)]


KMIP CLIENT SDK - SPECIFICATIONS

C, C++, C#, JAVA, PYTHON

Supported KMIP Object Types

• Certificate
• Certificate Request (2.0)
• Opaque Object
• PGP Key
• Private Key
• Public Key
• Secret Key
• Split Key
• Symmetric Key
• Template

Supported Cryptographic Providers

• OpenSSL 1.0.x
• OpenSSL 1.1.x
• OpenSSL 3.0.x (dev)
• OpenSSL 0.9.8 (option)
• OpenSSL FIPS 2.0 (option)
• Oracle JCE (Java)
• IBM JCE (Java)
• RSA BSAFE MES 3.x, 4.x (option)
• RSA BSAFE Share-C (option)
• RSA BSAFE Crypto-J (Java)
• Bouncy Castle JCE (Java)
• wolfSSL (option)

Supported KMIP Operations

• Activate
• Add Attribute
• Adjust Attribute (2.0)
• Allocation
• Archive
• Cancel
• Certify
• Check
• Create
• Create Key Pair
• Create Split Key (1.2)
• Decrypt (1.2)
• Delegated Login (2.0)
• Delete Attribute
• Derive Key
• Destroy
• Discover Versions (1.1)
• Encrypt (1.2)
• Export (1.4)
• Get
• Get Attribute List
• Get Attributes
• Get Usage Allocation
• Hash (1.2)
• Import (1.4)
• Interop (2.0)
• Join Split Key (1.2)
• Locate
• Log (2.0)
• Login (2.0)
• Logout (2.0)
• MAC (1.2)
• MAC Verify (1.2)
• Modify Attribute
• Notify
• Obtain Lease
• PKCS11 (2.0)
• Poll
• Put
• Query
• Re-Certify
• Recover
• Register
• Re-Key
• Re-Key Key Pair
• Re-Provision (2.0)
• Revoke
• RNG Retrieve (1.2)
• RNG Seed (1.2)
• Set Attribute (2.0)
• Set Endpoint Role (2.0)
• Sign (1.2)
• Signature Verify (1.2)
• Validate

KMIP Client Examples

• Simple Protocol Format Parsing: TTLV, HEX, BIN, JSON, XML
• Simple Servers: Query, Notify, Put
• Simple Clients: Locate Objects, Create and Return Objects
• Locating Managed Objects: Simple, Extended, IBM TKLM/SKLM, XML
• KMIP Standard Operations: Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-Key, Re-Key Key Pair, Archive, Recover, Activate, Derive Key
• Creating Keys: Simple, Advanced, Extensions
• Managing Attributes: Add, Modify, Delete Attribute
• Linear Tape Open (LTO): LTO-4 Key Management, LTO-5/6 Key Management, KAD, AKAD, UKAD naming, Generic LTO-4
• Random Number Generator (RNG): Retrieve Server RNG, Seed Server RNG
• Server Cryptographic Operations: Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash
• Determine Capabilities: Server SDK Version, Discover Protocol Versions, Query Server Basic, Query Server Extensions, Query Advanced Capabilities
• Split Key (Multi-Party Controls): Create Split Key, Join Split Key
• Cryptsoft Vendor Extensions: SQL Insert, SQL Update, SQL Delete
• Generic Multi-Protocol Key Handling: GetKey, PutKey, DelKey
• Request/Response Handling: Recording, Replaying, Batching, Bulk Data Loading
• Client Credential Handling: Password-protected TLS Credentials, Device Credentials, IBM TKLM/SKLM

Supported KMIP Client Profiles

• Advanced Cryptographic Client (1.2)
• Advanced Symmetric Key Foundry Client
• AES XTS Client
• Asymmetric Key Lifecycle Client
• Baseline Client Basic
• Baseline Client TLS v1.2
• Basic Cryptographic Client (1.2)
• Basic Symmetric Key Foundry Client
• HTTPS Client
• Intermediate Symmetric Key Foundry Client
• JSON Client
• Opaque Managed Object Store Client
• PKCS#11 Client (2.0)
• Quantum Safe Client (2.0)
• RNG Cryptographic Client (1.2)
• Storage Array With SED Client
• Suite-B Min LOS_128 Client (1.x)
• Suite-B Min LOS_192 Client (1.x)
• Symmetric Key Lifecycle Client
• Tape Library Client
• XML Client

Supported KMIP Encodings

• TTLV
• HTTPS/TTLV
• HTTPS/JSON
• HTTPS/XML

Supported KMIP Server Vendors

• Cryptsoft
• DellEMC
• Fornetix
• Gemalto
• HyTrust
• IBM
• KeyNexus
• Kryptus
• MarkLogic
• Oracle
• SafeNet
• Thales
• Townsend Security
• Trend Micro
• Unbound
• Utimaco
• Vormetric


KMIP SERVER SDK

C, JAVA

A complete range of vendor-independent key management solutions.

Cryptsoft’s Key Management Interoperability Protocol (KMIP) SDKs let you rapidly add interoperable, standards-based, enterprise key management capability to your existing server solutions.

Cryptsoft’s C and Java SDKs are all pure native code not wrapped versions, ensuring the most optimised, portable code for your application.

Reduce time to market, KMIP-enable your server solutions within days, not months, using our comprehensive collection of example code provided by the market leader in key management SDKs.

From specialised embedded systems through to scalable, whole of enterprise and government solutions, your KMIP SDK license is backed by a global support network, offering a total key management solution.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP server products
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX Support available

[Diagram labels: KMIP Client SDK (C, C++, C#, Java, Python); KMIP Server SDK (C, Java); HSM; KMS-SGX; KMIP (Key Management Interoperability Protocol)]

KMIP SERVER SDK - SPECIFICATIONS

C, JAVA

KMIP Server Examples

• Simple Protocol Format Parsing: TTLV, HEX, BIN, JSON, XML
• Simple Clients Operations: Locate Objects, Create and Return Objects
• Locating Managed Objects: Simple, Extended, IBM TKLM/SKLM, XML
• KMIP Standard Operations: Create, Register, Destroy, Get, Get Attribute List, Get Attributes, Create Key Pair, Re-Key, Re-Key Key Pair (1.1), Archive, Recover, Activate, Derive Key
• Server Cryptographic Operations (1.2): Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash
• Managing Attributes: Add, Modify, Delete Attribute
• Random Number Generator (RNG) (1.2): Retrieve Server RNG, Seed Server RNG
• Split Key (Multi-Party Controls) (1.2): Create Split Key, Join Split Key
• Creating Keys: Simple, Advanced, Extensions
• Determine Capabilities: Server SDK Version, Discover Protocol Versions (1.1), Query Server Basic, Query Server Extensions (1.1), Query Advanced Capabilities (1.3)
• Cryptsoft Vendor Extensions: SQL Insert, SQL Update, SQL Delete
• Request/Response Handling: Recording, Replaying, Batching, Bulk Data Loading
• Administration: Create, Modify, Delete Users, Partitions, Groups, Manage Group Privileges, Serialize, Deserialize, Managed Objects
• Database: Schema Management and Migration, Fixture Loading, SQL Replay
• Simple Servers: Query, Notify, Put
• JCE Examples: Key Store Provider

Supported KMIP Server Profiles

• Advanced Cryptographic Server (1.2)
• AES XTS Server
• Asymmetric Key Lifecycle Server
• Baseline Server Basic
• Baseline Server TLS v1.2
• Basic Cryptographic Server (1.2)
• Complete Server Basic
• Complete Server TLS v1.2
• HTTPS Server
• JSON Server
• Opaque Managed Object Store Server
• PKCS#11 Server (2.0)
• Quantum Safe Server (2.0)
• RNG Cryptographic Server (1.2)
• Storage Array With SED Server
• Suite-B Min LOS_128 Server (1.x)
• Suite-B Min LOS_192 Server (1.x)
• Symmetric Key Foundry Server
• Symmetric Key Lifecycle Server
• Tape Library Server
• XML Server

Supported Databases

• HSQLDB (Java)
• SQLite3
• MySQL 5,6,7,8
• Oracle 11.x, 12.x
• SQL Server 2003+
• IBM DB2 9 & 10
• PostgreSQL 8 & 9

Supported Cryptographic Providers

• OpenSSL 1.0.x
• OpenSSL 1.1.x
• OpenSSL 3.0.x (dev)
• OpenSSL 0.9.8 (option)
• OpenSSL FIPS 2.0 (option)
• Oracle JCE (Java)
• IBM JCE (Java)
• RSA BSAFE Crypto-J (Java)
• Bouncy Castle JCE (Java)

Supported KMIP Encodings

• TTLV
• HTTPS/TTLV
• HTTPS/JSON
• HTTPS/XML

Supported KMIP Client Vendors

• ADDGrup
• BDT
• Bracket
• Brocade
• Cohesity
• Cisco
• Cryptsoft
• CSC
• DataStax
• Dell
• DellEMC
• ETI-NET
• Fornetix
• Fujitsu
• Gemalto
• Hewlett Packard Enterprise
• Hitachi Data Systems
• Huawei
• HyTrust
• IBM
• Integrated Research
• Intersystems
• Iskraemeco
• MarkLogic
• NetApp
• Netskope
• Panzura
• Pluribus Networks
• Quantum
• Reduxio
• RSD SA
• SafeNet
• Sepaton
• Skyhigh Networks
• SpectraLogic
• Trend Micro
• TrustedConcepts
• VMWare
• Zettaset

Supported KMIP Operations

• Activate
• Add Attribute
• Adjust Attribute (2.0)
• Allocation
• Archive
• Cancel
• Certify
• Check
• Create
• Create Key Pair
• Create Split Key (1.2)
• Decrypt (1.2)
• Delegated Login (2.0)
• Delete Attribute
• Derive Key
• Destroy
• Discover Versions (1.1)
• Encrypt (1.2)
• Export (1.4)
• Get
• Get Attribute List
• Get Attributes
• Get Usage Allocation
• Hash (1.2)
• Import (1.4)
• Interop (2.0)
• Join Split Key (1.2)
• Locate
• Log (2.0)
• Login (2.0)
• Logout (2.0)
• MAC (1.2)
• MAC Verify (1.2)
• Modify Attribute
• Notify
• Obtain Lease
• PKCS11 (2.0)
• Poll
• Put
• Query
• Re-Certify
• Recover
• Register
• Re-Key
• Re-Key Key Pair
• Re-Provision (2.0)
• Revoke
• RNG Retrieve (1.2)
• RNG Seed (1.2)
• Set Attribute (2.0)
• Set Endpoint Role (2.0)
• Sign (1.2)
• Signature Verify (1.2)
• Validate

KMIP INTEROPERABILITY TEST SUITE

COMPLETE VERIFICATION SOLUTION

Cryptsoft’s Key Management Interoperability Protocol (KMIP) Test Suites let you rapidly confirm the interoperability status of your product. Designed to support the different test cases and profiles in the KMIP standard you can ensure that your application’s design can be thoroughly tested to deliver interoperability with a range of other KMIP clients and servers.

The Cryptsoft KMIP Test Suites provide full coverage for each version of KMIP (1.0, 1.1, 1.2, 1.3, 1.4 and 2.0*) that can be configured to support the level of KMIP required for your application. In addition if your application is based on one of the KMIP profiles then you can apply only the relevant profiles to fully support your requirements.

Reduce time to market and release with the confidence provided by data driven testing.

Supporting Cryptsoft's full OASIS KMIP SDK the test suites support Cryptsoft C and Java based SDKs as well as offering Web and Cloud based services.

Cryptsoft Test Suites are available for all published and working draft versions of the OASIS KMIP Standard.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Available as a binary SDK or as a service
  - Source license option
• Comprehensive test cases
  - KMIP Test Cases
  - KMIP Profile Test Cases

KEY BENEFITS

• Reduce risk
• Easy to use
• Public Interoperability test results
• Accelerate your time to market

RELATED PRODUCTS

• KMIP C Test Suite SDK
• KMIP Java Test Suite SDK
• KMIP Web Test Suite SDK
• KMIP Cloud Test Suite SDK

[Charts: KMIP TEST CASES; KMIP PROFILES. Years 2010 to 2019; series KMIP v1.0, v1.1, v1.2, v1.3, v1.4, v2.0]

KMIP INTEROPERABILITY TEST SUITE

COMPLETE VERIFICATION SOLUTION

COMPREHENSIVE TEST COVERAGE

Cryptsoft KMIP Test Suites provide full coverage of all versions of the OASIS KMIP standard as well as all of the currently defined profiles as defined in each of the available versions of the KMIP Standard. These test suites are used to test against all vendors and are used in the annual OASIS KMIP Interoperability testing.

Ensure that your application has full coverage and interoperability by using the Cryptsoft KMIP Test Suite today.

COMPLETE KMIP PROFILE COVERAGE

Supported KMIP Server Profiles

• Advanced Cryptographic Server (1.2)
• AES XTS Server
• Asymmetric Key Lifecycle Server
• Baseline Server Basic
• Baseline Server TLS v1.2
• Basic Cryptographic Server (1.2)
• Complete Server Basic
• Complete Server TLS v1.2
• HTTPS Server
• JSON Server
• Opaque Managed Object Store Server
• PKCS#11 Server (2.0)
• Quantum Safe Server (2.0)
• RNG Cryptographic Server (1.2)
• Storage Array With SED Server
• Suite-B Min LOS_128 Server (1.x)
• Suite-B Min LOS_192 Server (1.x)
• Symmetric Key Foundry Server
• Symmetric Key Lifecycle Server
• Tape Library Server
• XML Server

Supported KMIP Client Profiles

• Advanced Cryptographic Client (1.2)
• Advanced Symmetric Key Foundry Client
• AES XTS Client
• Asymmetric Key Lifecycle Client
• Baseline Client Basic
• Baseline Client TLS v1.2
• Basic Cryptographic Client (1.2)
• Basic Symmetric Key Foundry Client
• HTTPS Client
• Intermediate Symmetric Key Foundry Client
• JSON Client
• Opaque Managed Object Store Client
• PKCS#11 Client (2.0)
• Quantum Safe Client (2.0)
• RNG Cryptographic Client (1.2)
• Storage Array With SED Client
• Suite-B Min LOS_128 Client (1.x)
• Suite-B Min LOS_192 Client (1.x)
• Symmetric Key Lifecycle Client
• Tape Library Client
• XML Client

TESTING ALL VERSIONS OF KMIP

[Figure: Global Test Infrastructure. KMIP v1.0, KMIP v1.1, KMIP v1.2, KMIP v1.3, KMIP v1.4, KMIP v2.0]

STORAGE

Modern enterprises can have a wide array of storage technologies distributed throughout the organization. This may be because of adoption of new technology or the many acquisitions and mergers of business units that have taken place over time. The one common requirement that most modern enterprises all have is storage.

The obvious solution to managing a secure storage solution is to ensure that all data is encrypted at rest or in transmission. For many organizations this may be a regulatory requirement or based on sound business and risk management reasons. With increasing volumes of data that an organization stores, the need to encrypt that data with a similarly increasing volume of encryption keys introduces a new problem. For these data assets to be used, those keys need to be available.

In many large enterprises, this means millions of keys under management with many thousands of keys in use at any given time.

Without a common standard for key management a large enterprise can have a range of disparate key stores with varying levels of support for different types of equipment leading to incompatibilities and differing management and audit requirements.

[Figure 1 - Multiple Key Stores. Labels: PC, Server, Tape Library, Network, Flash Array, Storage Array, Key Store 1, Key Store 2, Key Store 3]

OASIS KMIP provides an industry supported standards compliant interoperability protocol for key management. This allows operators of storage solutions to integrate products from multiple vendors which can make use of an interoperable way to generate, store, manage and retrieve encryption keys across all the elements of their storage solution. In addition this allows for products from different vendors to be integrated into a cohesive system and still interoperate.

These advanced features mean that organizations are no longer locked into storage solutions from a single vendor, and may also reduce risk in their storage solution, as they can grow, reduce, or update their implementation in a more flexible manner tailored to their current needs.

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• Guaranteed interoperability with all released KMIP products
• Cross-Language Support
  - Clients in C, C++, C#, Java and Python
  - Servers in C and Java
• Supports wide range of security objects:
  - Symmetric keys
  - Asymmetric keys
  - Certificates
  - Authentication
  - Authorization
  - Tokens
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX Support available

KEY BENEFITS

• Low risk
• Easy to use
• Extensively deployed
• Proven technology for security object management
• Public Interoperability test results
• Reduce your time to market
• Gain access to an extensive KMIP ecosystem

STORAGE (Continued)

Cryptsoft’s range of KMIP SDKs have been used to enable a wide range of storage and storage infrastructure solutions with encryption and enterprise key management capability. From tape libraries through traditional disk based storage to hyper-converged flash arrays, deployment of KMIP technology ensures a deployment of data at rest security solutions within a multi-vendor enterprise.

Cryptsoft’s range of SDKs ensure this can be realized in your products such that your customers can deploy them straight into their enterprises without the need to conduct multiple rounds of point to point testing – we’ve done the hard part for you.

From deployment into brand new product lines, to integration into well respected products for feature parity or compliance, our customers benefit from millions of multi-vendor test runs and a deep understanding of relevant standards. With decades of experience of implementing encryption and key management systems from embedded hardware through to software and virtualized systems, we enable our customers’ products to achieve market parity for data security within weeks.

Some of Cryptsoft’s storage clients include:

[Figure 2 - OASIS KMIP Key Store. Labels: PC, Server, Tape Library, KMIP, Network, Flash Array, Storage Array]

RELATED PRODUCTS

Servers:

• KMIP C Server SDK
• KMIP C Server SGX Module SDK
• KMIP Java Server SDK
• KMIP Java Server SGX Module SDK
• KMIP Alert Server SDK
• KMIP Alert Server SGX Module SDK
• KMIP Authentication Server SDK
• KMIP Authentication Server SGX Module SDK
• KMIP Server Administration Interface (C/Java)
• KMIP Server VM Annual Subscription (C/Java)
• KMIP C Proxy Servers for Proprietary Protocols
• KMIP C Server (PKCS#11/HSM/RNG) Module
• KMIP C Server (PKCS#11/HSM/RNG) SGX Module
• KMIP C Server (Audit/Analytics) Module
• KMIP C Server OTP Module
• KMIP Interoperability Test Suite (C/Java)
• KMIP Server Online Test Service

Clients:

• KMIP C Client SDK
• KMIP C Client SGX Module SDK
• KMIP C++ Client SDK
• KMIP C++ Client SGX Module SDK
• KMIP C# Client SDK
• KMIP C# Client SGX Module SDK
• KMIP Java Client SDK
• KMIP Java Client SGX Module SDK
• KMIP Python Client SDK
• KMIP Python Client SGX Module SDK
• KMIP C Client PKCS#11 Adapter
• KMIP C Client Layered Protocol SDK
• KMIP Interoperability Test Suite (C/Java)
• KMIP Client Online Test Service

SECURING DATA

Ensuring protection and privacy of data is a responsibility of all modern organizations.

For organizations which operate in an environment driven by statutes and regulations, or organizations with managed business and risk management guidelines, the ability to demonstrate an audit-able, reliable, best-practice approach to protection and privacy of data (assets) is essential.

In a highly distributed environment comprising of multiple physical locations with varying hardware and software solutions, the need to have a common standard approach for management of the security information that protects data is critical.

Data has a life-cycle involving creation, use and destruction with storage and movement between systems.

Data-in-use, data-in-motion, and data-at-rest all require protection. Protecting data using encryption necessitates management of the encryption keys used to protect the data. With organizations storing increasing volumes of data, there is a correspondingly increasing volume of encryption keys that need to be managed.

In many large organizations, this can mean many millions of keys under management with many thousands of keys in use at any given time. In order to provide a guarantee of access to the data, a tested and proven key management solution is necessary.

A common standard for encryption key management within a large organization eliminates operational incompatibilities, improves both management and audit capabilities and substantially reduces costs.

Cryptsoft’s KMIP SDKs and associated technologies are already in use with global vendors securing data in use, in motion and at rest; securing data on premises, in private and public clouds; securing data on-device and data off-device.

[Diagram: Data in Use, Data in Motion, Data at Rest across Workplace and Data Center - Private/Public Cloud. Labels: Workstation, Mobile Device, Medical Device, Applications, Application Servers, Firewall, Switch and Link Encryptor, Storage Array, Flash Array, Tape Library, Key Manager, HSM, KMIP]

KEY BENEFITS

• Low risk
• Easy to use
• Extensively deployed
• Proven technology for security object management
• Public Interoperability test results
• Reduce your time to market
• Gain access to an extensive KMIP ecosystem

KEY FEATURES

• Full OASIS KMIP compliance versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• KMIP SDKs interoperable with all released KMIP server/client products
• PKCS#11 SDKs compliant with OASIS PKCS#11 versions: 2.40, 3.0*
• Cross-Language Support
  - Clients in C, C++, C#, Java and Python
  - Servers in C and Java
• Supports wide range of security objects:
  - Symmetric keys
  - Asymmetric keys
  - Certificates
  - Authentication
  - Authorization
  - Tokens
• Available as a binary SDK
  - Source license option
• Comprehensive example code
  - Custom examples available for rapid integration
• Supported on 200+ different platforms including Linux, Windows, Legacy and a range of embedded platforms
  - Custom platform ports on request
  - Intel SGX Support available

SECURING DATA WITH SGX

Your data and systems are now under attack more than ever before. The solution to this problem has always been to make use of encryption to ensure that data if exposed is not able to be accessed by an unauthorized user. However with the growth of information systems being used to improve service and productivity this means that the traditional use of a hardware key manager to generate and manage encryption keys is now the bottleneck in widely distributed or cloud managed services.

The solution is to move the data encryption services closer to the point of use.

Cryptsoft Client and Server KMIP SDKs are designed to utilize the Intel(R) Software Guard Extensions to be able to run all or some of the KMIP functionality within the trusted execution environment providing the application with a hardware protected enclave to ensure that encryption keys or other security information now has the same level of hardware protection that was previously available only to specialist security devices.

This means that applications and data are protected using the same easy management processes that can control applications.

Cryptsoft SDKs support the full range of options for Intel SGX allowing security to be improved for every workstation and server in the organization, simplifying management and security of keys and providing hardware based security that was previously unaffordable.

[Diagram: Cryptsoft Client/Server components available for hardware protection with Intel® SGX. Labels: Client/Server Code, Integration Interfaces, Integration Modules, Protocol Handling, TLS Handling, Cryptographic Provider, Security Object Store, Other Components, SGX Protected]

RELATED PRODUCTS

Servers:

• KMIP C Server SDK
• KMIP C Server SGX Module SDK
• KMIP Java Server SDK
• KMIP Java Server SGX Module SDK
• KMIP Alert Server SDK
• KMIP Alert Server SGX Module SDK
• KMIP Authentication Server SDK
• KMIP Authentication Server SGX Module SDK
• KMIP Server Administration Interface (C/Java)
• KMIP Server VM Annual Subscription (C/Java)
• KMIP C Proxy Servers for Proprietary Protocols
• KMIP C Server (PKCS#11/HSM/RNG) Module
• KMIP C Server (PKCS#11/HSM/RNG) SGX Module
• KMIP C Server (Audit/Analytics) Module
• KMIP C Server OTP Module
• KMIP Interoperability Test Suite (C/Java)
• KMIP Server Online Test Service

Clients:

• KMIP C Client SDK
• KMIP C Client SGX Module SDK
• KMIP C++ Client SDK
• KMIP C++ Client SGX Module SDK
• KMIP C# Client SDK
• KMIP C# Client SGX Module SDK
• KMIP Java Client SDK
• KMIP Java Client SGX Module SDK
• KMIP Python Client SDK
• KMIP Python Client SGX Module SDK
• KMIP C Client PKCS#11 Adapter
• KMIP C Client Layered Protocol SDK
• KMIP Interoperability Test Suite (C/Java)
• KMIP Client Online Test Service


OASIS KMIP is a widely accepted open standard for the management of a range of security objects including symmetric and asymmetric keys, certificates, and user or vendor defined objects. It is based on a communications protocol which defines message formats for the full lifecycle of keys stored on a key management server.

Clients can request a server to perform the full key management lifecycle for key operations. These operations are grouped together in the table below in functional groups, allowing for maximum flexibility for key operations.

The KMIP open standard for key management allows application programmers to develop the logic of their applications for their business purpose free from the complexities of key management and to rest assured that their application can be developed once and will interoperate with key managers from a range of vendors.

Talk to an account manager today to evaluate how Cryptsoft can implement key management lifecycle in your application.

KMIP FUNDAMENTALS

Functional groups: ESTABLISH, RETRIEVE, ROTATE, USAGE, INFO, STATE, MANAGE, OTHER, CRYPTOGRAPHIC, CLIENT, SERVER, AUTHENTICATION

Operations (version numbers as attached in the table):
• Set Attribute (2.0)
• Log (2.0)
• Set Endpoint Role (2.0)
• Join Split Key (1.2)
• Register
• Validate
• Certify
• Create
• Create Key Pair
• Create Split Key (1.2)
• Derive Key
• Import (1.4)
• Decrypt (1.2)
• Encrypt (1.2)
• Hash (1.2)
• MAC (1.2)
• MAC Verify (1.2)
• PKCS11 (2.0)
• RNG Retrieve (1.2)
• RNG Seed (1.2)
• Sign (1.2)
• Signature Verify (1.2)
• Activate
• Archive
• Destroy
• Recover
• Revoke
• Export (1.4)
• Get
• Get Attribute
• Get Attribute List
• Check
• Get Usage Allocation
• Obtain Lease
• Add Attribute
• Adjust Attribute (2.0)
• Delete Attribute
• Modify Attribute
• Re-Certify
• Re-Key
• Re-Key Key Pair
• Cancel
• Poll
• Query
• Discover Versions (1.1)
• Interop (2.0)
• Locate
• Notify
• Put
• Delegated Login (2.0)
• Login (2.0)
• Logout (2.0)
• Re-Provision (2.0)

KEY FEATURES

The range of KMIP Compliant Key Management SDKs from Cryptsoft supports:

• Full OASIS KMIP compliance for versions: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0*
• KMIP SDKs interoperable with all released KMIP server/client products
• Available as a binary SDK
- Source license option
• Comprehensive example code
- Custom examples available for rapid integration


TYPICAL USES

• Storage solutions and appliances
• Network infrastructure
• Security applications
• Database management
• Embedded solutions
• Security hardware management
• Gateways and endpoints
• Financial Services and banking applications
• Defense and IC applications
• Auditing and compliance

Cryptsoft’s Key Management SDKs have been incorporated into a wide range of products that are leading the market in interoperable key management.

Providing both Client and Server SDKs, Cryptsoft KMIP SDKs have been integrated into the majority of all KMIP products on the market today, eliminating the need for rework to interact with another vendor’s endpoint.

As the security market’s preferred KMIP vendor, Cryptsoft has the technology and the relationships to ensure your product delivers its maximum potential and can interoperate with a wide range of KMIP based products from a range of vendors, allowing easy adoption of your product.

KMIP CLIENTS AND SERVERS

CLIENTS

SERVERS


PKCS#11 SDKs

Providers:
• PKCS#11 C Provider SDK
• PKCS#11 C Provider SGX Module SDK
• PKCS#11 Java Provider SDK
• PKCS#11 Java Provider SGX Module SDK
• PKCS#11 C++ Provider SDK
• PKCS#11 C++ Provider SGX Module SDK
• PKCS#11 C# Provider SDK
• PKCS#11 C# Provider SGX Module SDK
• PKCS#11 Java Provider SDK
• PKCS#11 Java Provider SGX Module SDK
• PKCS#11 Python Provider SDK
• PKCS#11 Python Provider SGX Module SDK
• PKCS#11 Provider Online Test Service

Consumers:
• PKCS#11 C Consumer SDK
• PKCS#11 C Consumer SGX Module SDK
• PKCS#11 Java Consumer SDK
• PKCS#11 Java Consumer SGX Module SDK
• PKCS#11 C++ Consumer SDK
• PKCS#11 C++ Consumer SGX Module SDK
• PKCS#11 C# Consumer SDK
• PKCS#11 C# Consumer SGX Module SDK
• PKCS#11 Java Consumer SDK
• PKCS#11 Java Consumer SGX Module SDK
• PKCS#11 Python Consumer SDK
• PKCS#11 Python Consumer SGX Module SDK
• PKCS#11 Consumer Online Test Service


Cryptsoft PKCS#11 Key Management SDKs allow you to access a range of Hardware Security Modules (HSM) and other cryptographic devices (smartcards, tokens, etc) which support the PKCS#11 standard using standard APIs and standard protocols.

These devices support applications which require the use of hardware-based cryptographic tokens. Traditionally these have been deployed only for high-value special purpose operations, and prior to KMIP 2.0 and PKCS#11 3.0 these were implemented requiring use of a vendor specific protocol encoding for the PKCS#11 API. Each vendor provided separate, incompatible client software, which only accessed specific devices, exacerbating implementation and management issues.

Many vendors extended the capability of PKCS#11 with additional functions outside of the defined extension interface within the PKCS#11 standard. Many vendors implemented incompatible interpretations of the standard and provided a variety of vendor-specific mechanisms and behaviours. Many users found vendor specific extensions caused unnecessary complexity and incompatibility for their applications programmers, testers and deployment processes.

PKCS#11 SDKs

Cryptsoft has a wide range of PKCS#11 SDKs in a number of languages (C, C++, C#, Java and Python) which provide standards compliant interfaces for consuming cryptographic keys and certificates. In addition Cryptsoft also has a range of software based PKCS#11 provider SDKs to allow for access to cryptographic tokens and operations.

The illustration below shows a simplified application deployment environment with a number of applications with PKCS#11 consumer APIs accessing a single Cryptsoft PKCS#11 Provider for their key operations.

Cryptsoft’s PKCS#11 Provider includes provision for a high capacity security object data store which is able to support multiple applications in addition to allowing for partitioning of objects within a tenant (full multi-tenancy support). This provides flexibility when building and deploying applications within your environment.

Cryptsoft PKCS#11 Consumer and Provider SDKs are available to help streamline your development, test and production environments, allowing you to deploy and change secure applications in a simple and manageable way.

[Illustration labels: Application, Vendor API, HSM, PKCS#11 API, Cryptsoft PKCS#11 Provider]


Cryptsoft has worked with a number of standards bodies to provide additional security options for developers building key management solutions into their products.

Options are available for Fast IDentity Online (FIDO) Universal Second Factor (U2F) and OATH compliant One Time Password (OTP) which allows developers to include this functionality in their operations as well as increase the security of the key management solution itself.

• Strong two-factor authentication
• Support for OATH compliant time-based TOTP devices
• Support for multiple OTP hardware tokens
• Support for variable length OTP hardware tokens
• Integrated with OASIS KMIP for client authentication and seed provisioning
• Configurable seed management
• Capability for Multi-Device seeds
• OASIS KMIP Compliant
• Provides configurable control of authentication

KEY BENEFITS

Cryptsoft’s OASIS KMIP products support the Fast IDentity Online (FIDO) Universal Second Factor (U2F) types of tokens. Cryptsoft’s Server and Client SDKs provide developers with the tools to provision and manage keys which can be used by these commonly available hardware tokens.

Cryptsoft’s KMIP SDKs allow the developer to fully integrate OTP and U2F tokens into their managed security solution.

RELATED PRODUCTS

• KMIP C Server SDK
• KMIP C Server Administration Interface
• KMIP C Server OTP Server Module
• KMIP C Server Integration Module (HSM)
• KMIP Java Server SDK
• KMIP C SDK
• KMIP C++ SDK
• KMIP C# SDK
• KMIP Java SDK
• KMIP Python Client

AUTHENTICATION SDKs

OTP SUPPORT

U2F SUPPORT

Cryptsoft’s OTP solution is based on open standards and allows the developer to create enterprise solutions to manage the full lifecycle of the seed records that underpin the security in an OTP solution. This ensures that only the enterprise has access to the seed records, and the enterprise has full control over the provisioning, usage, and de-provisioning of tokens.

Time based One Time Password (TOTP) tokens provide users with a secure and reliable hardware device to integrate standards-based hardware two-factor authentication.

Two-factor authentication with TOTP combines something you know (your password) with something you have (a unique number sequence generated by a hardware device). Both of these factors are required to authenticate, which substantially improves the security properties when compared to a single factor authentication solution.

The non-predictable variable length digit token output is derived from both the secret seed record and the on-board realtime clock (RTC). A single hardware token can be programmed for variable output and variable time intervals (30 or 60 seconds), ensuring a solution is easily tailored to the enterprise security context that the developer is building.

Two (or more) tokens initialised with the same seed value can be used for person-to-person two-factor authentication solutions, entirely independent of any server infrastructure.

The same seed record can also be loaded into software based TOTP solutions, allowing for a mixed hardware and software deployment context that can be managed by the same infrastructure.
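How a token's digits follow from the seed record and the clock, as an added example that is not Cryptsoft code: a standard OATH TOTP computation (RFC 6238 with HMAC-SHA-1) with the output length and time interval as parameters, plus a verifier that tolerates clock drift and refuses a code that was already used. The `TotpVerifier` class, its drift window and the sample seed are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample: the published RFC 6238 test seed, not a real seed record.
SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """OATH TOTP (RFC 6238, HMAC-SHA-1) for one clock reading."""
    if step <= 0 or not 6 <= digits <= 8:
        raise ValueError("step must be positive and digits between 6 and 8")
    counter = unix_time // step                  # number of elapsed time steps
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Hypothetical server-side check: drift window plus one-time use."""

    def __init__(self, seed, step=30, digits=6, drift_steps=1):
        self.seed, self.step, self.digits = seed, step, digits
        self.drift_steps = drift_steps
        self.last_step = -1                      # highest step already accepted

    def check(self, candidate: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for s in range(now - self.drift_steps, now + self.drift_steps + 1):
            if s <= self.last_step:              # used or older step: replay
                continue
            expected = totp(self.seed, s * self.step, self.step, self.digits)
            if hmac.compare_digest(expected.encode(), candidate.encode()):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    # Same seed and same clock: every token shows the same digits.
    print(totp(SEED, 59), totp(SEED, 59, digits=8), totp(SEED, 59, step=60))
    v = TotpVerifier(SEED)
    print(v.check("287082", 89), v.check("287082", 89))  # accepted, then replay
```

Because the code depends only on the seed and the time step, anyone holding a copy of the seed record can produce valid codes, which is why the seed lifecycle is the part that needs managing.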

KEY FEATURES

Cryptsoft is a member of the FIDO (Fast IDentity Online) Alliance


WWW.CRYPTSOFT.COM | +61 7 3103 0321 | US +1 650 918 4362

@CRYPTSOFT | CRYPTSOFT-SECURITY-SPECIALISTS | @CRYPTSOFT

Copyright © 2019 Cryptsoft Pty Ltd. All rights reserved. All trademarks, service marks, trade names, product names and logos are property of their respective owners.

2019-03