
What is the difference between a Template and Template-Attribute Structure in KMIP?


I'm currently learning and developing KMIP (Spec 1.0) using the open source library KMIP4J. I was looking through the use cases offered as examples in the spec sheet, and I am stuck trying to differentiate the use of a Template and a Template-Attribute Structure.

What is the difference between these two Use Cases? Both have the Cryptographic Algorithm and Cryptographic Length Attribute, but I don't understand the difference between them.


Solution

  • Within the KMIP Specification, there are two different types of objects: Managed Objects and Base Objects.

    • A Managed Object refers to:

      Objects stored and maintained by a key management system [KMIP Spec, Section 1]

      Examples of Managed Objects: Certificate, Symmetric Key, Public Key, Private Key, Template

    • A Base Object refers to:

      Objects used within the messages of the protocol but not managed by the key management system. Base Objects are components of Managed Objects. [KMIP Spec, Section 2.1]

      Examples of Base Objects: Attribute, Credential, Key Value, Template-Attribute Structure


    • A Template is a type of Managed Object.

      A Template is the named Managed Object containing the client-settable attributes of a Managed Cryptographic Object (i.e., a stored, named list of attributes). Attributes specified in a Template apply to any object created that references the Template by name. [KMIP Spec, Section 2.2.6]

    • A Template-Attribute Structure is a type of Base Object.

      Template-Attribute Structures are used in various operations to provide the desired attribute values and/or template names in the request and to return the actual attribute values in the response. [KMIP Spec, Section 2.1.8]


    So, let's look at the use cases you've pointed to:

    In Use Case 3.1.1:

    1. The client sends a Create request, which contains the Object Type (Symmetric Key) and a Template-Attribute Structure containing the list of desired attribute values for that key:
      • Cryptographic Algorithm
      • Cryptographic Length
      • Cryptographic Usage Mask.

    In Use Case 3.1.4:

    1. The client uses the Register operation to register a Template, containing a specific set of Attributes:
      • Cryptographic Algorithm
      • Cryptographic Length
      • Name, referring to the name of the Template to create: Template1
    2. The client sends a Create request, which, like before, contains the Object Type (Symmetric Key) and a Template-Attribute Structure. However, this time the Template-Attribute Structure contains:
      • A reference to a Template named Template1, indicating that the operation should use the attributes specified by Template1 (which we know from step 1 are Cryptographic Algorithm and Cryptographic Length)
      • Name, referring to the name of the Key: key1
      • Cryptographic Usage Mask

    So the two operations essentially create the same Symmetric Key with the same attribute values, but the second case uses a pre-defined Template (and, trivially, adds a key name), while the first does not.


    A side note:

    The KMIP 1.0 Specification is fairly out of date at this point. KMIP 1.3 was released in December 2015. I mention this specifically because the Template Structure is deprecated as of 1.3.
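To make the contrast concrete, here is an added example (not from the question, the answer, KMIP4J, or the spec's own test vectors) that builds the Request Payload of both Create requests as KMIP 1.0 TTLV bytes and decodes the Template-Attribute back out. Tag, type and enumeration values are the ones listed in KMIP 1.0 section 9.1; the Request Header and Operation are omitted; and the split of the 3.1.4 Register message (the Name attribute in the Template-Attribute, algorithm and length inside the Template structure) is an assumption that follows the answer's description rather than the use-case document's byte-level listing.

```python
"""Added example (not KMIP4J or spec code): encode the Create requests of use cases
3.1.1 and 3.1.4 as KMIP 1.0 TTLV and decode their Template-Attribute structures."""
import struct

# TTLV item types (KMIP 1.0, section 9.1.1.2)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

# Tags (KMIP 1.0, section 9.1.3.1)
TAG = {
    "Attribute": 0x420008, "Attribute Name": 0x42000A, "Attribute Value": 0x42000B,
    "Name": 0x420053, "Name Type": 0x420054, "Name Value": 0x420055,
    "Object Type": 0x420057, "Request Payload": 0x420079, "Template": 0x420090,
    "Template-Attribute": 0x420091,
}

# Enumeration values (KMIP 1.0, section 9.1.3.2): Object Type Symmetric Key / Template,
# Cryptographic Algorithm AES, Name Type Uninterpreted Text String, Usage Mask bits
OBJ_SYMMETRIC_KEY, OBJ_TEMPLATE, ALG_AES, NAME_TYPE_TEXT = 0x02, 0x06, 0x03, 0x01
MASK_ENCRYPT, MASK_DECRYPT = 0x04, 0x08

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if typ == STRUCTURE:
        body = b"".join(value)          # children are already encoded and padded
    elif typ == INTEGER:
        body = struct.pack(">i", value)
    elif typ == ENUMERATION:
        body = struct.pack(">I", value)
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError("type %#x not handled in this example" % typ)
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * ((-len(body)) % 8)

def name_value(text):
    """Children of a Name structure: Name Value plus Name Type."""
    return [ttlv(TAG["Name Value"], TEXT_STRING, text),
            ttlv(TAG["Name Type"], ENUMERATION, NAME_TYPE_TEXT)]

def attribute(name, typ, value):
    """Attribute structure (section 2.1.1): Attribute Name plus Attribute Value."""
    return ttlv(TAG["Attribute"], STRUCTURE, [ttlv(TAG["Attribute Name"], TEXT_STRING, name),
                                              ttlv(TAG["Attribute Value"], typ, value)])

def create_payload_3_1_1():
    """Use case 3.1.1: Create, with every wanted attribute given inline."""
    template_attribute = ttlv(TAG["Template-Attribute"], STRUCTURE, [
        attribute("Cryptographic Algorithm", ENUMERATION, ALG_AES),
        attribute("Cryptographic Length", INTEGER, 128),
        attribute("Cryptographic Usage Mask", INTEGER, MASK_ENCRYPT | MASK_DECRYPT)])
    return ttlv(TAG["Request Payload"], STRUCTURE, [
        ttlv(TAG["Object Type"], ENUMERATION, OBJ_SYMMETRIC_KEY), template_attribute])

def register_payload_3_1_4():
    """Use case 3.1.4 step 1: Register a Template managed object called Template1.
    Assumed layout: the Template structure holds the reusable attributes, the
    Template-Attribute carries the Name of the object being registered."""
    template = ttlv(TAG["Template"], STRUCTURE, [
        attribute("Cryptographic Algorithm", ENUMERATION, ALG_AES),
        attribute("Cryptographic Length", INTEGER, 128)])
    template_attribute = ttlv(TAG["Template-Attribute"], STRUCTURE, [
        attribute("Name", STRUCTURE, name_value("Template1"))])
    return ttlv(TAG["Request Payload"], STRUCTURE, [
        ttlv(TAG["Object Type"], ENUMERATION, OBJ_TEMPLATE), template_attribute, template])

def create_payload_3_1_4():
    """Use case 3.1.4 step 2: Create, referencing Template1 for algorithm and length."""
    template_attribute = ttlv(TAG["Template-Attribute"], STRUCTURE, [
        ttlv(TAG["Name"], STRUCTURE, name_value("Template1")),   # reference to the Template
        attribute("Name", STRUCTURE, name_value("key1")),         # the new key's own Name
        attribute("Cryptographic Usage Mask", INTEGER, MASK_ENCRYPT | MASK_DECRYPT)])
    return ttlv(TAG["Request Payload"], STRUCTURE, [
        ttlv(TAG["Object Type"], ENUMERATION, OBJ_SYMMETRIC_KEY), template_attribute])

def parse(buf, offset=0):
    """Decode one TTLV item; returns ((tag, type, value), offset of the next item)."""
    tag, typ = int.from_bytes(buf[offset:offset + 3], "big"), buf[offset + 3]
    length = int.from_bytes(buf[offset + 4:offset + 8], "big")
    start, end = offset + 8, offset + 8 + length
    if typ == STRUCTURE:
        value, pos = [], start
        while pos < end:
            item, pos = parse(buf, pos)
            value.append(item)
    elif typ in (INTEGER, ENUMERATION):
        value = int.from_bytes(buf[start:end], "big", signed=(typ == INTEGER))
    else:
        value = buf[start:end].decode("utf-8")   # TEXT_STRING, the only other type used here
    return (tag, typ, value), end + (-length) % 8

def child(children, tag):
    """Value of the first child item carrying the given tag."""
    return next(v for t, _, v in children if t == tag)

def template_attribute_summary(payload):
    """Split a payload's Template-Attribute into the template names it references
    and the attribute names it sets inline."""
    ta = child(parse(payload)[0][2], TAG["Template-Attribute"])
    names = [child(kids, TAG["Name Value"]) for tag, _, kids in ta if tag == TAG["Name"]]
    attrs = [child(kids, TAG["Attribute Name"]) for tag, _, kids in ta if tag == TAG["Attribute"]]
    return {"template_names": names, "attributes": attrs}
```

Running `template_attribute_summary` over the two Create payloads shows the difference the answer describes: the 3.1.1 Template-Attribute carries three Attribute structures and no Name, while the 3.1.4 one carries a single Name (the reference to the registered Template) plus only the key's own Name and Cryptographic Usage Mask. The Template itself, by contrast, is a Managed Object, so it travels in the Register payload as a separate Template structure and is later referred to by name rather than resent.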