Extending TLS with KMIP protocol
for Cloud Computing
Mounira MSAHLI1 , Ahmed SERHROUCHNI1 , Mohamed BADRA2
1 Institut Mines Telecoms, Paris 75013
2 Zayed University, Abu Dhabi, United Arab Emirates
1 (mounira.msahli, ahmed.serhrouchni)@telecom-paristech.fr,
2
[email protected]
Abstract—Any information system using encryption tends
to have its own key management infrastructure. In practice,
we find a separate key management systems dedicated
to application encryption, or database encryption, or file
encryption etc. This emergent needs to several key management
systems and multiple cryptographic algorithms are resolved
by the new Key Management Interoperability Protocol
(KMIP). This work specifies how the Key Management
Interoperability Protocol (KMIP) can be included in Transport
Layer Security (TLS) protocol in order to provide additional
security features, flexibility, interoperability and authentication
specially in distributed systems like Cloud Computing. Till
now, authentication in TLS is limited to digital certificate
and Kerberos. In this paper, we use the Key Management
Interoperability Protocol to make an additional authentication
option for TLS and we reduce handshake latency to 0-RTT
for repeated handshakes and 1-RTT for full handshakes. We
specify also the KMIP-TLS extension and its formal validation
with AVISPA tool.
Index Terms—Key Management Interoperability Protocol,
Cloud, TLS, Security, AVISPA, Authentication.
I. I NTRODUCTION
Key management process plays an important role on
enforcing access control, authentication and security on
multi-actors communications. It allows the settlement and
the maintenance of key relationships between valid parties
according to a defined security policy. Basically, it includes
all mechanisms and procedures that perform verification
of entities using cryptographic keys and performing
cryptographic operations. So it allows an entity to verify
whether another entity is really what it claims to be. It ensures
generation, distribution and installation of key materials. It
is responsible for maintenance of keys generated, for their
change frequently to preserve their secrecy. Entreprises use
always a key management infrastructure to ensure the role of
key management entity. The choice of this entity depends on:
the cryptographic algorithms employed on the company, the
purposes for which cryptography is employed and the number
and the complexity of cryptographic relationships required
by an organization and the operational and communications
relationships among the organizational elements being served.
Traditional internet key exchange and key distribution
978-1-5090-2914-3/16/$31.00 ©2016 IEEE
protocols based on infrastructures become impracticals
for large scale information system like Cloud Computing.
In traditional key management infrastructure, there is
no centralisation of key management operations. Key
Management Interoperability Protocol KMIP [1] tried to
resolve this problem by designing an efficient protocol for
key management used for communication and to define
messages formats to manipulate cryptographic keys on a key
management server. The related KMIP Profiles [2] are now
official OASIS [3] Standards, a status that means its highest
level of maturity and its ratification.
Generally, all security services can be provided by TLS[4].
For instance, it is quite common for systems to provide a
secure web page using https. When a client wants to connect
to a server via TLS, he can use his certificate or Kerberos [5]
to make authentication. Our proposal in this paper consists on
using KMIP protocol to enssure client-server authentication.
We propose a new method for authentication in TLS, based
on KMIP protocol. The basic idea is to find a flexible and
practical authentication method via TLS mainly in Cloud
computing and web-based applications. In fact, the use of
KMIP to manage authentication provides a simple and flexible
and strong client-server authentication. This strengthening
is in total compliance with other TLS standard extensions.
Our goal for this solution is to stay as close as possible to
the TLS standard treatments and calculations of different
security settings. The addition of KMIP to TLS preserves the
maximum operation of TLS protocol.
When data is placed in or transferred to a Cloud computing
environment, the responsibility for its protection and its
security typically remains with the customer (the data
controller). This work is a continuity of other works already
done on security in the cloud [6, 7, 8]. We have already
proposed a secure architecture for archiving Cloud service [9],
which aims at archiving sensitive documents during a defined
period in a secure environment. We suggested an architectural
model that intends to satisfy Cloud user requirements and
Cloud security challenges. In previous work, we defined a
new access control paradigm called profile centric model
[10]. Which defines the access control in the context Cloud as
a graph of profiles consisted of (authorization, condition and
obligation) with users assignment. The proposed model was
implemented and validated in the archiving Cloud service.
In this work, we focus specially on authentication service in
Cloud computing.

The map of this paper is as follow: in the second section

we present an overview of TLS and KMIP protocols. We
cover their important technical details. In the third section,
we focus on the proposed TLS-KMIP extension to add a new
authentication mechanism to TLS and its technical details.
In the fourth section, we present the formal validation and
security specifications of the proposal using AVISPA [11]. The
fifth section sums up this paper.

II. TLS AND KMIP OVERVIEW

Fig. 1: KMIP Network Architecture
In this section we are concerned with the presentation of
used protocols in our proposal:

A. TLS protocol
TLS is actually, the most used standard for authentication in
wired and wireless communications. It is a security standard
that provides end to end secure connections between two hosts.
Basically, it makes authentication based on digital certificates
[12] or pre-shared keys[13] to ensure secure transactions. As
mentioned in figure 1, TLS protocol is composed of three
sub protocols: (1) the Handshake protocol, (2) the Records
protocol and (3) the Application data protocol. The purpose
of the (1) TLS-handshake [14] could be summarized under
three headings. Firstly, the client and the server need to
agree on algorithms which will be used to encrypt exchanged
data. Secondly, they establish a set of cryptographic keys
that will be used by those algorithms. Third, the handshake
may optionally authenticate the client. In TLS protocol, users
generally to make authentication, they use a digital certificate.
Basically, the handshake protocol is used to establish security
parameters for TLS session. (2) The TLS Record Protocol
is used for encapsulation of application layer messages. It
fragments message into packets to treat it independently. Each
fragment is compressed, encrypted and sent to the destination
of the message. This treatment allows having a data structures
named: TLS-Plaintext, TLS-Compressed and TLS-Ciphertext.
The TLS Record Header is added to the TLS-Ciphertext to
make the TLS-Record. All of already cited structures include 4
fields (type, version, length and fragment). (3) The Application
Data Protocol enables two hosts to exchange data. In fact
it takes the data from the application layer to put it in the
TLS Record protocol for fragmentation, compression, and
encryption in the sender side. After that, the set data is
received, decrypted, verified, decompressed, and reassembled
in the receiver side.
that enterprises can use to deploy effective and unified key
management infrastructure for all their encryption materiels
and components such as: certificates, digital signatures, etc...
In practice, there are a number of standards applicable to
key management in the Cloud, the OASIS Key Management
Interoperability Protocol is a recent one. It is used to
provide basic encryption key paradigm to ensure Cloud based
application and services security or it can be used directly by
Cloud customers to make encryption, signature ect...
By definition, there are three primary elements in the KMIP
specifications:
1) Objects: are symmetric keys, asymmetric keys, digital
certificates ect.., on which we apply operations.
2) Operations: are all actions taken with respect to the ob-
jects, such as getting an object from a key management
system, modifying attributes of an object and so on.
3) Attributes: are the properties and characteristics such
as the name of the object and its unique identifier.
When a KMIP user sends a request to the key management
server, it indicates the target object, its attributes and
properties and operation that must be executed by the key
management server on that object.
By definition, KMIP specifies the format in which a mes-
sage is constructed and the elements that are included in the
message. This allows KMIP to be used by any cryptographic
client, from any device needing a security objects. KMIP re-
quests and responses messages are constructed by assembling
the message in a Tag/Type/Length/Value format, as shown in
Figure 1.

B. KMIP protocol III. TLS-KMIP A RCHITECTURE AND M ODEL

There are several key management concerns and challenges Figure 2 provides a detailed description of TLS client to
within Cloud Computing. KMIP meets a pressing requirement server connection using KMIP authentication. In fact in this
to define a global and complete key management protocol, architecture, we have three actors: the client, the server and

Fig. 2: KMIP-TLS Network architecture
Fig. 3: KMIP request message
the KMS (Key Management System) using KMIP as key
management protocol. The KMS is the third party responsible
for the key management between all actors. In our model, the
KMIP server plays the role of authenticator and central server
to provide all required cryptographic materiels to make client-
server connection. The steps (1, 2, 3, 4) indicated in figure 2
are repeated in each new connection.
A. Client-KMS Connection
When the client wants to make connection with server. It
must send a client request to KMS server as modeled by Step
1 in figure 2.
The message sent by the client in step one is a KMIP
request for session key. The KMIP request message contains:
the protocol Version, this field contains the version number of
the protocol, in order to ensure that the protocol is undrestood
by two communicating parties. The operation field indicates
the operation being requested.
In our case, we use the operation ”Get”, that requests
the server to return the managed object ”the symetric key”
specified by its Unique Identifier and its attribute name.
On the server side, the client requests the key management
server to use the locate operation in order to find the client-
server secret key and the certificate of the server based on its
Fig. 4: KMIP response message
name attribute. Once the key is located, it then uses its unique
identifier attribute id placeholder attribute, to retrieve the key,
assemble a response message and return the response to the
client (see KMIP response message).
The retrived Data: server certificate will be used in next step
to make TLS connection between the client and the server. In
the same way, the symetric session key to be used for TLS
connection is generated in KMS server and sent to TLS client
and TLS server. More details will be given in the next section.
B. TLS Client-Server Connection
In this section, we focus on TLS handshake exchanges.
Full details of exchanged messages are provided here. The
main advantages of TLS-KMIP extension are: reducing the
latency and the handshake time. In fact using our extension,
the handshake protocol takes only one RTT(see figure 5) or 1.5
RTT(see figure 6) this is all coming from the low computation
needs. Here, we explain steps of TLS protocol with KMIP
extension in two cases below (figure 5 and 6).
1) As presented in figure 5 and 6, the TLS Client (Cloud
user in our case) sends a ”Client Hello” message that
lists cryptographic information such as the TLS version
and in the client’s order of preference: the CipherSuites
supported by the client, a random byte string that is
used in subsequent computations. In order to negotiate
the support of KMIP authentication option, clients must
include an extension in the extended client hello. The
”extension data” field of this extension contains a list
of supported authentication methods proposed by the
client, where:
Struct {
ExtensionType extension type,
opaque extension data<0..2 ˆ16-1>, }
Extension;
In a Cloud computing area and to make data pro-
cessing, privacy is an important parameter. To preserve
anonymity, TLS Client makes authentication only with
KMIP server. No need to contact directly the TLS server.
 Fig. 5: KMIP-TLS Extension with 1 RTT
2) The server responds with its ”Server Hello” message that
contains the CipherSuite chosen by the server from the
list provided by the client, the session ID and another
random byte string. In case of figure 6, the server
response is sent just after the Client Hello as classical
TLS and since we don’t need the certificate verification
process and the session secret is already taken from the
KMS server the client does’nt wait for server response
and goes directly to step 3) as mentioned in figure 5.
Servers aware of the extension described here but not
wishing to use it, should gracefully revert to a classical
TLS handshake or decide not to proceed with the
negotiation.
3) The TLS Client sends the cipher spec to be used for
encrypting subsequent message data.
4) The TLS client sends to the server a ”finished” message,
which is encrypted with the secret key, indicating that
the client part of the handshake is complete.
5) The TLS server sends to the client a ”finished” message,
which is encrypted with the secret key, indicating that
the server part of the handshake is complete.
Finally, the finished messages are used to complete the
handshake and to establish the TLS session normally. For
the rest of TLS session, the server and the client can
now exchange messages that are symmetrically encrypted
with the shared secret key already taken from the KMIP server.
In order to achieve the addition of KMIP specifications
to TLS protocol, we focus now on client to server TLS
connection. The client uses retrievd data to make client-server
connection. Throught this extension, we refer to the basic TLS
protocol version 1.2[4]. The TLS security session parameters
are negotiated and fixed via Hello messages. Always in TLS,
we define CipherSuit like: T LS − RSA − W IT H − RC4 −
M D5 which means that the initial authentication will be done
using the RSA public key algorithm, RC4 will be used for the
Fig. 6: KMIP-TLS Extension with 1.5 RTT
session key, and MAC will be based on the MD5 algorithm.
Thus, to facilitate the KMIP authentication option, we must
start by defining new cipher suites. Table 1 presents KMIP-
TLS extension CipherSuits (see table 1).
In order to establish a TLS session using KMIP security
parameters, one of the cited cipher suites in table 1 has to be
specified in the client hello message. If TLS sever supports
the KMIP authentication option, the server hello message
must be sent to the client to state and confirm the KMIP
authentication option. The hello server message sent to the
client, will confirm the KMIP cipher suite selected by the
server. The Certificate request message will be eliminated
since authentication is already done using the Client-KMS
Connection detailed in previous subsection. The client
certificate will be eliminated for the same reason. The KMIP
option must be added to the ClientKeyExchange message and
ServerKeyExchange.
As presented in figures 5 and 6, the message certifi-
cate is ommited. The KMIP option must be added to the
ServerKeyExchange message as below:
struct
{ select (KeyExchangeAlgorithm)
{ case KMIP: KMIPWrapper;
/*new addition*/ };
} ServerKeyExchange;
struct
{ opaque KMIP Key ; /* KMIP key */ }
KMIPWrapper;
The KMIP option must be added to the ClientKeyExchange
message as below:
struct
{ select (KeyExchangeAlgorithm)
{ case KMIP: KMIPWrapper;
/* new addition Exchange keys */ }
 Ciphersuite Key Exchange Cipher Hash
TLS–KMIP–WITH –RC4 –128 –SHA KMIP RC4 –128 SHA
TLS–KMIP–WITH–AES–128–CBC–SHA KMIP AES–128–CBC SHA
TLS–KMIP–WITH–AES–256–CBC–SHA KMIP AES–256–CBC SHA
TLS–DHE–KMIP–WITH–RC4–128–SHA DHE–KMIP RC4–128 SHA
TLS–DHE–KMIP–WITH–3DES–EDE–CBC–SHA DHE–KMIP 3DES–EDE–CBC SHA
TLS–DHE–KMIP–WITH–AES–128–CBC–SHA DHE–KMIP AES–128–CBC SHA
TLS–DHE–KMIP–WITH–AES–256–CBC–SHA DHE–KMIP AES–256–CBC SHA
TLS–RSA–KMIP–WITH–RC4–128–SHA DHE–KMIP RC4–128 SHA
TLS–RSA–KMIP–WITH–3DES–EDE–CBC–SHA — DHE–KMIP 3DES–EDE–CBC SHA
TLS–RSA–KMIP–WITH–AES–128–CBC–SHA DHE–KMIP AES–128–CBC SHA
TLS–RSA–KMIP–WITH–AES–256–CBC–SHA DHE–KMIP AES–256–CBC SHA

Fig. 7: KMIP-TLS Ciphertext

ClientKeyExchange;

struct
{ opaque KMIP Key ;
/* KMIP key */ Alice (A, a), Bob (B,b): roles
opaque EncryptedPremasterSecret; H, PRF, KeyGen: hashfunc
/*encrypted with the key provided by KMIP */ Kmipa Kmipb: respectives public keys of Alice and Bob
}KMIPWrapper; send, receive: channels
N, Sid, PreMS: nonce, session id, pre-master secret
Using the KMIP option in TLS , we achieved the following start: starting function
advantages: the mutual authentication between TLS client Finished: the finished function of handshake protocol
and TLS server that has been delegated to a trusted third State 0: A —>B
party, which is the KMIP server. We note that the KMIP-TLS receive(start)
extension is seamlesly without adding new messages on TLS State 1: B —>A
protocol. Using this approach, we can ommit several messages {receive(Na, Sid, Pa)
on handshake subprotocol. This allows us to reduce latency send(Nb, Sid, Pa, Kmipb–(inv(Kmip))) }
and to make lightweight session renewal in TLS connection State 2: A —>B
which can be an important issue if there are many connections {receive(Nb, Sid, Pa, Kmipb–(inv(Kmip)))
requests such as the case of Cloud computing. send((PreMS–Kmipb. A.Kmipa
–(inv(Kmip)). H(Nb.B.PreMS)–(inv(Kmipa)).
C. Error messages H(PRF(PreMS.Na.Nb).A.B.Na.Pa.Sid) –
The table below introduces a new TLS error related to the KeyGen(A.Na.Nb.PRF(PreMS.Na. Nb))))}
KMIP-TLS extension: State 3: B —>A
{receive(Nb, Sid, Pa, Kmipb–(inv(Kmip))
Error message Description send((PreMS–Kmipb. A.Kmipa–(inv(Kmip)).
”bad-authen” This error MUST be sent by the server H(Nb.B.PreMS)–(inv(Kmipa)).
when it does’nt support the KMIP H(PRF(PreMS.Na.Nb).A.B.Na.Pa.Sid) textendash
authentication method. This error indicates KeyGen(A.Na.Nb.PRF(PreMS.Na.
the failure of client authentication Nb))))}
and it is always fatal. State 4: A —>B
{ receive(Finished–ServerK) }
IV. F ORMAL VALIDATION State 5: B —>A
In the rest of this paper, we focus on the formal validation { send(H(PRF(PreMS.Na.Nb). A.B.Na.Pa.Sid) –
of KMIP-TLS extension using Automated Validation of Trust KeyGen(B.Na.Nb.PRF(PreMS.Na.Nb)
and Security of Service-oriented Architectures (AVISPA tool). ))}
We specify the extended protocol with HLPSL langage. We
illustrate the session establishement between two actors (TLS Fig. 8: The security specifications of our extension in AVISPA
client: Alice and TLS server: Bob) that present the source host
(TLS client) and the destination host (TLS server) respectively.
Our proposal is represented with five steps as mentioned in the
 Fig. 9: AVISPA Validation
figure 8. The completeness and validity of our proposal was
verified by an AVISPA simulation (see figure 9).
Our proposal is represented with six steps as mentioned
in figure 8. TLS protocol proceeds between the client A and
the server B with respective public keys Kmipa and Kmipb.
These two actors generate nonces Na and Nb, respectively.
In addition, we assume the existence of a trusted third party:
the certificate of KMIP server whose public key is Ks. Each
session is identified by a unique Sid. The protocol also makes
use of a pseudo-random number generator PRF which we
model as a hash function. In state 1 and 2 the Pa is a
cryptosuite offer and Pb is server’s counteroffer. In state 2
and 3 we have the hello messages. In order to minimize the
number of transitions specified, we have combined the sending
of messages 1. and 2. as well as the sending of messages 3.
4. 5. and 6. into single transitions (see figure 9).
The major advantage of our extension KMIP-TLS is its
ease of deployment since we don’t need changes to be
made to the application layer protocols. This extension is
fully compatible with existing TLS specifications without
requirement to make any major changes to the TLS. It does’nt
impact communications of TLS entities that support this
extension with another TLS entities that do not.
V. C ONCLUSION
Currently, with the rapid growth of Cloud computing and
the diversity of distributed applications and the multiplicity of
its actors, security has become a complex and urgent need
to protect all possible exchanges between applications and
entities. Many traditional and existing security protocols are
not suitable for this context. Current solutions cannot offer
required flexiblity and extendibility. In this paper, we tackle
authentication in Cloud computing. We propose the KMIP-
TLS extension. In fact, we extend TLS to support KMIP
authentication. The proposed extension was formally validated
with AVISPA tool. This extension inherits all security advan-
tages already provided by TLS such as: authentication and
confidentiality. The deployed architecture introduces a third-
party auditing capability for TLS transactions without making
any changes to concerned applications. At the same time,
proposed extension allows to improve TLS latency so we
reduce handshake latency to 0-RTT for repeated handshakes
and 1-RTT for full handshake and we have always a mutual
authentication between TLS client and server. Future works
will focus on providing more experimental results about the
imlpementations of presented extension using GNUTLS API.
This proposal will be the subject of IETF RFC and the same
extension will be discussed for TLS version 1.3.
VI. ACKNOWLEDGMENT
This work has been supported by the IGDI-KMIP FUI17
IGDCI (Infrastructure de Gestion et Distribution de Cles
Interoprable) project sponsored by Systematic Paris-Region.
R EFERENCES
[1] Kiran Thota, Kelley Burgin: Key Management Interoperability Protocol
Specification Version 1.2, 19 May 2015
[2] Tim Hudson , Robert Lockhart: Key Management Interoperability Proto-
col Profiles Version 1.2, OASIS Standard, 19 May 2015
[3] Advancing open standards for the information society, https://www.oasis-
open.org/
[4] T. Dierks, E. Rescorla: The Transport Layer Security (TLS) Protocol
Version 1.2, IETF (August 2008)
[5] B Medvinsky, A. and M. Hur: Addition of Kerberos Cipher Suites to
Transport Layer Security (TLS): RFC 2712: Network Working Group
Request for Comments, October 1999
[6] Bhaskar Prasad Rimal, Eunmi Choi, Ian Lumb: A Taxonomy and Survey
of Cloud Computing Systems In: NCM ’09, pp. 44 - 51. IEEE , Seoul
(2009)
[7] Wayne Jansen, Timothy Grance: Guidelines on Security and Privacy in
Public Cloud Computing. Technical report, NIST Special Publication 800-
144 (2012)
[8] NIST group, Cloud Architecture Reference Models. Technical report: A
Survey, NIST CCRATWG 004 v2 (January 25, 2011 )
[9] MSAHLI, Mounira et SERHROUCHNI, Ahmed. SBaaS: Safe Box as
a service. In: 9th International Conference Conference on Collaborative
Computing: Networking, Applications and Worksharing (Collaborate-
com), p. 143-147, IEEE, Austin (2013)
[10] Mounira Msahli; Ahmed Serhrouchni: Profile centric modelling In:
International Journal of Internet Technology and Secured Transactions
(IJITST), Vol. 5, No. 4, p. 344-357, (2014)
[11] Automated Validation of Internet Security Protocols and Applications
(AVISPA), http://www.avispa-project.org/
[12] Housley, R., Internet X.509 Public Key Infrastructure, RFC 2459:
Network Working Group Request for Comments, (January 1999)
[13] Eronen, P. and H. Tschofenig, Pre-Shared Key Ciphersuites for Transport
Layer Security (TLS), RFC 4279: Network Working Group Request for
Comments, (December 2005)
[14] Stephen A. Thomas, SSL and TLS Essentials Securing the Web, Wiley
Computer Publishing, Canada (2000)