
Detailed differences between KMIP 2.1 and 3.0

By Mark Joseph - June 16, 2024 @ 3:35 pm

This document was updated on 26 August 2024.

This document focuses on the technical content that has changed from KMIP protocol version 2.1 to 3.0. The comparison is based on the published KMIP 2.1 standard document (KMIP 2.1, 14 December 2020) and on a draft version of the KMIP 3.0 standard (Working Draft 16, 24 August 2024). Please note that, since this comparison is based on a draft KMIP 3.0 standard, the details presented here can still change in the future.

As in the past, we started this task of comparing the two protocol versions as part of the process of adding KMIP 3.0 support to our suite of KMIP products: P6R’s KMIP Client Product Suite, Secure KMIP Client (SKC), and P6R’s KMIP Server Library (KSL). We have done similar comparisons between KMIP 1.0 and 1.1, and between KMIP 1.4 and 2.0.

At a high level what has changed?

The main change in KMIP 3.0 is how Unique Identifiers are represented. In previous protocol versions, Unique Identifiers had the type “Text String”, but in KMIP 3.0 they can have one of the following types: “Identifier”, “Name Reference”, “Reference”, “Integer”, and “Enumeration” (the last two types are used to refer to different batch items in a multi-batch KMIP response message). Notice that Unique Identifiers can no longer be marked as “Text Strings”, and the new types have different functional meanings (refer to the standard for their explanation).

1. Managed Objects

In KMIP 3.0, managed objects are now categorized into either System or User objects. User objects include the existing cryptographic managed objects like Certificate, Symmetric Key, and Secret Data. System objects can now be one of the following:

  • a. User: represents a user account on a key management system
  • b. Group: previously, groups could only be created on a server via proprietary means
  • c. Credential: to support user account authentication

2. Attributes

  • a. The following attributes have been removed and are not part of KMIP 3.0: Object Group, and Link.
  • b. The following attributes have been added to KMIP 3.0: Certify Counter, Decrypt Counter, Encrypt Counter, Sign Counter, Signature Verify Counter, Credential Type, Certificate Subject DN, Certificate Issuer DN, Deactivation Reason, Key Part Identifier, Object Class, OTP Counter, Split Key Polynomial, Split Key Method, Split Key Parts, Split Key Threshold, and NIST Security Category.
  • c. The following attributes are now encoded differently than in KMIP 2.1: Name is no longer a structure but now is just a Text String, Rotate Name is no longer a structure but now is just a Text String, the Link attribute has been broken up into separate attributes such as Certificate Link, Certificate Request Link (new), Child Link, Credential Link (new), Derivation Base Object Link, Derived Object Link, Group Link (new), Joined Split Key Parts Link (new), Next Link, Parent Link, Password Link (new), PKCS#12 Certificate Link, PKCS#12 Password Link, Previous Link, Private Key Link, Public Key Link, Replaced Object Link, Split Base Link (new), and Wrapped Key Link.

    These new link attributes can be encoded as either: Identifier, Enumeration, Integer, Reference, or Name Reference while the KMIP 2.1 Link attribute could only be encoded as Text String, Enumeration, or Integer.

  • d. Unique Identifier has been expanded to allow the following encoding types: Identifier, Enumeration, Integer, Reference, or Name Reference. It can no longer be encoded as a Text String. (See the KMIP 3.0 Specification for the meanings of “Reference” and “Name Reference”. The “Identifier” type replaces the “Text String” usage in KMIP 2.1).
  • e. The default Key Format Type attribute value for Certificate objects in KMIP 2.1 was “X.509” and has been changed in KMIP 3.0 to “Raw”.
  • f. The following clarification about attributes was added to the specification:
    “All characters within an Attribute Name are significant. A server SHALL NOT trim leading or trailing whitespace from Attribute Names if the client uses attributes of this format.”
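As an added illustration of the Unique Identifier change described at the top of the article and in item 2.d (this is example code written for this page, not code from the article or from P6R's products), the following Python encodes a Unique Identifier as a TTLV item and validates it against the item types each protocol version permits. The tag 0x420094 and the Text String type 0x07 are the long-standing KMIP values; the Identifier item type code 0x0C is assumed from the KMIP 3.0 draft, and the Reference and Name Reference types are left out.

```python
import struct

TAG_UNIQUE_IDENTIFIER = 0x420094   # Unique Identifier tag, unchanged from KMIP 2.1 to 3.0
TYPE_INTEGER = 0x02                # reference to another batch item (both versions)
TYPE_ENUMERATION = 0x05            # reference to another batch item (both versions)
TYPE_TEXT_STRING = 0x07            # KMIP 2.1 encoding of a server-assigned identifier
TYPE_IDENTIFIER = 0x0C             # assumed KMIP 3.0 Item Type code for "Identifier"

# Item types a Unique Identifier may carry per version (Reference and Name Reference omitted).
ALLOWED_UID_TYPES = {
    (2, 1): {TYPE_TEXT_STRING, TYPE_ENUMERATION, TYPE_INTEGER},
    (3, 0): {TYPE_IDENTIFIER, TYPE_ENUMERATION, TYPE_INTEGER},
}

def ttlv_encode(tag, item_type, value):
    """Encode one TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if item_type in (TYPE_TEXT_STRING, TYPE_IDENTIFIER):
        raw = value.encode("utf-8")
    else:  # Integer (signed) or Enumeration (unsigned): 4 bytes, padded to 8 below
        raw = struct.pack(">i" if item_type == TYPE_INTEGER else ">I", value)
    padded = raw + b"\x00" * (-len(raw) % 8)
    return tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", len(raw)) + padded

def decode_unique_identifier(buf, version):
    """Parse a Unique Identifier item, rejecting item types the given version does not allow."""
    if len(buf) < 8:
        raise ValueError("truncated TTLV header")
    tag = int.from_bytes(buf[0:3], "big")
    item_type = buf[3]
    length = struct.unpack(">I", buf[4:8])[0]
    if tag != TAG_UNIQUE_IDENTIFIER:
        raise ValueError(f"unexpected tag 0x{tag:06X}")
    if item_type not in ALLOWED_UID_TYPES[version]:
        raise ValueError(f"item type 0x{item_type:02X} not valid for Unique Identifier in KMIP {version[0]}.{version[1]}")
    if len(buf) < 8 + length + (-length % 8):
        raise ValueError("truncated TTLV value")
    raw = buf[8:8 + length]
    if item_type in (TYPE_TEXT_STRING, TYPE_IDENTIFIER):
        return item_type, raw.decode("utf-8")
    return item_type, struct.unpack(">I" if item_type == TYPE_ENUMERATION else ">i", raw)[0]

def accepts(buf, version):
    """True if buf parses as a Unique Identifier that is valid for the given protocol version."""
    try:
        decode_unique_identifier(buf, version)
        return True
    except ValueError:
        return False
```

A KMIP 3.0 server built this way rejects a client that still sends the 2.1-style Text String form, and a 2.1 server rejects the new Identifier form, which is the interoperability boundary an implementer has to negotiate per protocol version.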

3. Modified and New Structures

  • a. The Object Groups structure has been modified with the “Object Group” field being replaced by “Group Link”. The Object Groups structure is used in the following larger structures: Constraint, Object Defaults, and Right.
  • b. The Request Header structure no longer has the “Batch Count” field.
  • c. The Request Batch Item structure no longer has the “Unique Batch Item ID” field. The “Ephemeral” field is now encoded as an enumeration rather than as a Boolean in KMIP 2.1.
  • d. The Response Header structure no longer has the “Batch Count” field.
  • e. The Response Batch Item structure no longer has the “Unique Batch Item ID” field.

4. Operations

  • a. The following new operations have been added: Create Credential, Create Group, Create User, Deactivate, and Obliterate.
  • b. Previously the Unique Identifier parameter defined for an operation was optional (that is, the value could be taken from the ID Placeholder). Now in KMIP 3.0, the Unique Identifier is required in all operations that have it defined (except for Certify, Create Split Key, and Validate).
  • c. Locate: replace the “Object Group Member” field in the request payload with “Object Class Mask”.
  • d. Query: remove the “Object Groups” field in the request payload, and add Credential Information, which is a new structure definition, to the response payload.
  • e. Revoke: the “Revocation Reason” field in the request payload is changed to an optional field.
  • f. Re-key Key Pair: change the “Private Key Unique Identifier” field in the request payload to just “Unique Identifier”.
  • g. Interop: the following functionality has been added:
    “An Interop Identifier of “*” is reserved for use during interoperability testing to indicate that the server should perform a cleanup for the currently authenticated user so that testing may be repeated. This allows for repeated testing without manual intervention.”

5. Enumerations and Masks

  • a. Credential Type Enumeration: Password and Certificate are new
  • b. Deactivation Reason Code Enumeration: has been added to KMIP 3.0
  • c. Ephemeral Enumeration: has been added to KMIP 3.0
  • d. Item Type Enumeration: Identifier, Reference, and Name Reference are new
  • e. Link Type Enumeration: has been removed
  • f. Name Type Enumeration: has been removed
  • g. Object Class Enumeration: has been added to KMIP 3.0
  • h. Object Group Member Enumeration: has been removed
  • i. Object Type Enumeration: User, Group, Password Credential, Device Credential, One Time Password Credential, and Hashed Password Credential are new
  • j. Operation Enumeration: Create Group, Obliterate, Create User, Create Credential, and Deactivate are new
  • k. OTP Algorithm Enumeration: has been added to KMIP 3.0
  • l. Query Function Enumeration: Query Credential Information is new
  • m. Result Reason Enumeration: Circular Link Error is new
  • n. Rotate Name Type Enumeration: has been removed
  • o. Split Key Polynomial Enumeration: has been added to KMIP 3.0
  • p. Tag Enumeration: entries 0x420190 to 0x4201C1 are new
  • q. Unique Identifier Enumeration: Create User, Create Group, and Create Credential are new
  • r. Cryptographic Algorithm Enumeration: has new values to support post-quantum cryptography:
    ML-KEM-512, ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, ML-DSA-87,
    SLH-DSA-SHA2-128s, SLH-DSA-SHA2-128f, SLH-DSA-SHA2-192s, SLH-DSA-SHA2-192f,
    SLH-DSA-SHA2-256s, SLH-DSA-SHA2-256f, SLH-DSA-SHAKE-128s, SLH-DSA-SHAKE-128f,
    SLH-DSA-SHAKE-192s, SLH-DSA-SHAKE-192f, SLH-DSA-SHAKE-256s, and SLH-DSA-SHAKE-256f.
  • s. Object Class Mask: has been added to KMIP 3.0

6. Miscellaneous

  • a. Under the “Objects” section of the KMIP 3.0 specification, the minimum set of attributes that all objects shall have is defined as: Unique Identifier, Short Unique Identifier, Object Class, Object Type, and Initial Date. We have not found such a clear definition in the KMIP 2.1 specification.

"Detailed differences between KMIP 2.1 and 3.0" was published on June 16th, 2024 and is listed in Server Design.