
Detailed differences between KMIP 1.4 and 2.0

By Mark Joseph - March 24, 2018 @ 12:51 pm

This document focuses on the technical content that has changed from KMIP protocol version 1.4 to 2.0. While there are significant changes in how the two documents are organized and how the material is presented, this article will not address those differences. This article uses the published KMIP 1.4 standard document (KMIP 1.4, 22 November 2017) and a draft version of the KMIP 2.0 standard. Please note that since this comparison is based on a draft KMIP 2.0 standard, the details presented here can still change.

We started this task of comparing the two protocol versions as part of the process of adding KMIP 2.0 support to our suite of KMIP products: P6R’s KMIP Client Product Suite, Secure KMIP Client (SKC), and P6R’s KMIP Server Library (KSL). We have done a similar comparison between KMIP 1.0 and 1.1.

At a high level what has changed?

The first significant thing to notice is that all the features deprecated in previous protocol versions have been removed. The main example of this is Templates. Templates are no longer a managed object and are nowhere to be found in the specification. Another big change has occurred to attributes, both in how they are represented and in how they are encoded in the protocol. The text string name of each attribute, which was also passed in the binary TTLV protocol version, has finally been removed. Lastly, I would categorize the remaining changes as mostly improvements of existing attributes. The motivations behind these changes have been to increase the interoperability and efficiency of the protocol.

1. Managed Objects

  • a. PGP Certificates have been removed and are not part of KMIP 2.0
  • b. Template objects have been removed (deprecated in KMIP 1.3) and are not part of KMIP 2.0
  • c. A Certificate Request has been added as a new managed object

2. Base Objects

  • The following have been removed and are not part of KMIP 2.0: Transparent ECDSA Private Key, Transparent ECDSA Public Key, Transparent ECDH Private Key, Transparent ECDH Public Key, Transparent ECMQV Private Key, and Transparent ECMQV Public Key.

It was deemed that the remaining Transparent EC Private Key and Transparent EC Public Key structures were sufficient, since all of the removed structures had identical layouts anyway. For the second item, all have been replaced and simplified, as mentioned below.

In the Key Value structure, the Attribute array has been replaced with the Attributes structure.

3. Attributes

  • a. The following attributes have been removed and are not part of KMIP 2.0: Certificate Identifier, Certificate Issuer, Certificate Subject, Custom Attribute, and Operation Policy Name.
  • b. The following attributes have been added to KMIP 2.0: NIST Key Type, Short Unique Identifier, and Vendor Attribute (replaces the Custom Attribute).

There has also been a major change in the way that attributes are encoded. Pre-KMIP 2.0, the string name of an attribute (e.g., “Cryptographic Usage Mask”) would be sent over the network alongside its value. That practice is now limited to vendor defined attributes only. In doing this, a more economical encoding of each standard defined attribute has been adopted: the attribute is identified by its tag alone. This is a significant improvement over the previous versions of the protocol.

4. Attribute Structures

  • a. The following attribute structures have been removed and are not part of KMIP 2.0: Template-Attribute, Common Template-Attribute, Private Key Template-Attribute, and Public Key Template-Attribute.
  • b. The following attribute structures have been added to KMIP 2.0: Attributes, Common Attributes, Private Key Attributes, Public Key Attributes, Attribute Reference, Current Attribute, and New Attribute.

This change was motivated by the removal of Templates from the standard. The new attribute structures are meant as a “simplified” replacement of the previous structures.

5. Modified and New Structures

  • a. The Extension Information structure has been extended with the following optional fields: Extension Enumeration, Extension Attribute, Extension Parent Structure Tag, and Extension Description.
  • b. The Profile Information structure has been extended with the “Profile Version” field.
  • c. The Key Wrapping Specification structure has its “Attribute Name” field replaced with an Attribute Reference field.
  • d. The Server Information structure was an undefined structure in KMIP 1.4 and has been changed to a well-defined, multi-field structure. This is a much overdue change and finally makes this base object useful.
  • e. The Log Message base object is new in KMIP 2.0

6. Operations

  • a. There has been a positive change in all operations that send attributes to a KMIP server. In KMIP 1.4 and earlier, the responses to such operations would return a copy of all the attributes that were included in the request. This has changed in KMIP 2.0 in that responses no longer return a copy of the attributes that appeared in the request.
  • b. Operations where this change has been made include: Create, Create Key Pair, Add Attribute, Delete Attribute, Derive Key, Create Split Key, Join Split Key, Register, Certify, Re-Certify, Re-Key, and Re-Key Key Pair.

  • c. Add Attribute, Attribute replaced by Current Attribute structure
  • d. Certify, Template-Attribute replaced by Attributes structure
  • e. Create, Template-Attribute replaced by Attributes
  • f. Create Key Pair, Common Template-Attribute replaced by Common Attributes, Private Key Template-Attribute replaced by Private Key Attributes, Public Key Template-Attribute replaced by Public Key Attributes
  • g. Create Split Key, Template-Attribute replaced by Attributes
  • h. Delete Attribute, Attribute Name and Attribute Index replaced by Current Attribute. Note that to delete an attribute, the value of that attribute must be provided in the Current Attribute structure. This is different from KMIP 1.4.
  • i. Derive Key, Template-Attribute replaced by Attributes
  • j. Export, in the response one or more Attribute structures are replaced by Attributes, Template is removed
  • k. Get, in the response Template is removed
  • l. Get Attributes, Attribute Name replaced by Attribute Reference, in response zero or more Attribute structures replaced by Attributes
  • m. Get Attribute List, in response Attribute Name replaced by Attribute Reference
  • n. Import, Object Type added, one or more Attribute structures replaced by Attributes, Template removed
  • o. Join Split Key, Template-Attribute replaced by Attributes
  • q. Locate, zero or more Attribute structures replaced by Attributes.
    The paragraph starting with “Wild-cards or regular expressions” has been removed since it has not been implemented and it is unclear how to implement it.
    The description of how the “Storage Status Mask field” is used has been expanded.
  • r. Log, a new operation
  • s. Modify Attribute, Attribute replaced by Current Attribute and New Attribute structures
  • t. Register, Template-Attribute replaced by Attributes, Template removed
  • u. Re-Certify, Certificate Request Unique Identifier added, Template-Attribute replaced by Attributes
  • v. Re-Key, Template-Attribute replaced by Attributes
  • w. Re-Key Key Pair, Common Template-Attribute replaced by Common Attributes, Private Key Template-Attribute replaced by Private Key Attributes, Public Key Template-Attribute replaced by Public Key Attributes
  • x. Notify, the list of Attribute structures has been replaced by the new Attributes structure for indicating attributes that have changed and a list of Attribute Reference structures indicating attributes that have been deleted.
  • y. Put, Template object has been removed from the list of objects that can be pushed to the client and the list of Attribute structures has been replaced by the new Attributes structure.

7. Enumerations and Masks

  • a. Certificate Request Type Enumeration: PGP has been removed
  • b. Certificate Type Enumeration: PGP has been removed
  • c. Item Type Enumeration: Date-Time Extended is new
  • d. Link Type Enumeration: Wrapping Key Link is new
  • e. Object Type Enumeration: Certificate Request is new
  • f. NIST Key Type Enumeration has been added to KMIP 2.0
  • g. Profile Name Enumeration: all profiles before KMIP 2.0 have been removed
  • h. Storage Status Mask: Destroyed Storage is new
  • i. Tags have been moved into the enumerations section. Several old tag values have been removed by being marked as “reserved”. New tag values have been added from 420125 (i.e., Attributes) to 42013D (i.e., New Attribute).

8. Miscellaneous

  • a. Under message encoding a new TTLV type has been added: Date-Time Extended, which is a 64-bit POSIX time in microseconds.
  • b. The default value for Batch Order Option has been changed to True (i.e., batched operations shall be executed in the order in which they appear in a request).
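The two encoding changes above, the tag-only attribute encoding of section 3 and the Date-Time Extended item type of section 8.a, are easiest to see on the wire. The following is an added example written for this article, not P6R code and not taken from either KMIP specification. It assumes the standard TTLV layout (3-byte tag, 1-byte type, 4-byte big-endian length, value padded to a multiple of 8 bytes), the KMIP 1.x tag and type values from the specification, the Attributes tag 420125 quoted above, and an arbitrary tag (Activation Date, 420001) chosen only to illustrate a Date-Time Extended value. It encodes one Cryptographic Usage Mask attribute both ways, decodes each form back, and shows that the 2.0 form is less than half the size.

```python
import struct

# TTLV item types from the KMIP specification; Date-Time Extended (0x0B) is the 2.0 addition.
TYPE_STRUCTURE = 0x01
TYPE_INTEGER = 0x02
TYPE_TEXT_STRING = 0x07
TYPE_DATE_TIME_EXTENDED = 0x0B

# KMIP 1.x tags from the specification, plus the 2.0 Attributes tag quoted in the article.
TAG_ACTIVATION_DATE = 0x420001          # used here only to carry an example Date-Time Extended value
TAG_ATTRIBUTE = 0x420008
TAG_ATTRIBUTE_NAME = 0x42000A
TAG_ATTRIBUTE_VALUE = 0x42000B
TAG_CRYPTOGRAPHIC_USAGE_MASK = 0x42002C
TAG_ATTRIBUTES = 0x420125


def _pad8(value: bytes) -> bytes:
    """Pad a value to the next multiple of 8 bytes, as TTLV requires."""
    return value + b"\x00" * (-len(value) % 8)


def ttlv(tag: int, item_type: int, value: bytes) -> bytes:
    """Encode one TTLV item: tag (3 bytes), type (1 byte), length (4 bytes), padded value."""
    return tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", len(value)) + _pad8(value)


def ttlv_integer(tag: int, v: int) -> bytes:
    return ttlv(tag, TYPE_INTEGER, struct.pack(">i", v))          # length 4, padded to 8


def ttlv_text(tag: int, s: str) -> bytes:
    return ttlv(tag, TYPE_TEXT_STRING, s.encode("utf-8"))


def ttlv_structure(tag: int, items: list) -> bytes:
    return ttlv(tag, TYPE_STRUCTURE, b"".join(items))


def ttlv_date_time_extended(tag: int, microseconds: int) -> bytes:
    """KMIP 2.0 Date-Time Extended: 64-bit POSIX time in microseconds."""
    return ttlv(tag, TYPE_DATE_TIME_EXTENDED, struct.pack(">q", microseconds))


def usage_mask_attribute_v14(mask: int) -> bytes:
    """KMIP 1.x form: Attribute { Attribute Name "Cryptographic Usage Mask", Attribute Value <int> }."""
    return ttlv_structure(TAG_ATTRIBUTE, [
        ttlv_text(TAG_ATTRIBUTE_NAME, "Cryptographic Usage Mask"),
        ttlv_integer(TAG_ATTRIBUTE_VALUE, mask),
    ])


def usage_mask_attributes_v20(mask: int) -> bytes:
    """KMIP 2.0 form: Attributes { Cryptographic Usage Mask <int> }; the tag alone identifies it."""
    return ttlv_structure(TAG_ATTRIBUTES, [ttlv_integer(TAG_CRYPTOGRAPHIC_USAGE_MASK, mask)])


def decode(buf: bytes) -> list:
    """Decode TTLV bytes into a list of (tag, type, value); structures decode recursively.
    Only the types used in this example are interpreted; anything else is returned raw."""
    items, pos = [], 0
    while pos < len(buf):
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        item_type = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        raw = buf[pos + 8:pos + 8 + length]
        if item_type == TYPE_STRUCTURE:
            value = decode(raw)
        elif item_type == TYPE_INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif item_type == TYPE_TEXT_STRING:
            value = raw.decode("utf-8")
        elif item_type == TYPE_DATE_TIME_EXTENDED:
            value = struct.unpack(">q", raw)[0]
        else:
            value = raw
        items.append((tag, item_type, value))
        pos += 8 + length + (-length % 8)       # skip header, value and padding
    return items


def usage_mask_from(buf: bytes) -> int:
    """Read the mask back from either encoding: by name string for 1.x, by tag for 2.0."""
    (tag, _, fields), = decode(buf)
    if tag == TAG_ATTRIBUTE:
        name = next(v for t, _, v in fields if t == TAG_ATTRIBUTE_NAME)
        if name != "Cryptographic Usage Mask":
            raise ValueError("unexpected attribute name: %r" % name)
        return next(v for t, _, v in fields if t == TAG_ATTRIBUTE_VALUE)
    if tag == TAG_ATTRIBUTES:
        return next(v for t, _, v in fields if t == TAG_CRYPTOGRAPHIC_USAGE_MASK)
    raise ValueError("not an attribute container: tag %06x" % tag)


if __name__ == "__main__":
    mask = 0x0C                                  # constructed value: Encrypt | Decrypt
    old, new = usage_mask_attribute_v14(mask), usage_mask_attributes_v20(mask)
    print("KMIP 1.4 Attribute:  %d bytes  %s" % (len(old), old.hex()))
    print("KMIP 2.0 Attributes: %d bytes  %s" % (len(new), new.hex()))
    print("Date-Time Extended:", ttlv_date_time_extended(TAG_ACTIVATION_DATE, 1521899460000000).hex())
```

The 24-character name string alone costs 32 bytes in the 1.x form (56 bytes total), whereas the 2.0 form is 24 bytes for the same information. A server accepting both protocol versions has to keep both lookup paths in usage_mask_from: string matching for 1.x clients and tag matching for 2.0 clients.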

"Detailed differences between KMIP 1.4 and 2.0" was published on March 24th, 2018 and is listed in Server Design.
