This document is the main documentation of the Cosmian Key Management System.
The Cosmian Key Management System (KMS) is a high performance server application written in Rust which provides an API to store and manage keys and secrets used with Cosmian cryptographic stacks.
The server is usually queried by using the Cloudproof Java Library.
KMIP 2.1 Support¶
The API follows the JSON profile of the OASIS normalized KMIP 2.1 specifications. Only a limited set of operations of the KMIP 2.1 specification, described below, is supported but which is sufficient to exercise Cosmian cryptographic stacks.
This KMS completes classic offering of KMS servers on the market which are usually unable to natively support advanced cryptography. Do not hesitate to contact the Cosmian team if you wish to see additional cryptographic objects supported inside the Cosmian KMS.
The Cosmian KMS server’s primary goal is to provide support for storing, managing and performing cryptographic operations on the advanced cryptographic objects used by Cosmian, such as Attribute Based Encryption keys. Some of these cryptographic stacks, such as Searchable Encryption are built on top of classic symmetric primitives such as AES which are also available through the API of this KMS.
The supported cryptographic schemes are listed below.
AES 256 GCM¶
Used as a building block for other cryptographic primitives below, AES 256 GCM is fully supported in the KMS. Keys are set to 256 bits to provide ~128 bits quantum resistance and the scheme uses Galois Counter Mode to offer a fast authenticated encryption algorithm.
This implementation uses a 96 bits Nonce, a 128 bits MAC and is based on the AES native interface when available in the CPU or uses the Rust AES software package otherwise. See the aes-gcm Rust crate for details and Cosmian wrapper in cosmian_crypto_base
As an alternative symmetric cryptographic building block to AES GCM, the xChacha20 Poly1305 construction found in libsodium is also available in the KMS.
Base elliptic curve cryptography is provided using curve 25519 on the prime order Ristretto group.
The curve implementation is from the curve25519-dalek repository while the cosmian_crypto_base open source library provides an implementation of ECIES on the curve (Elliptic Curve Integrated Encryption Scheme).
Multi-user Encryption: CoverCrypt¶
The KMS encryption implementation is based on CoverCrypt which is a multi‑user encryption solution which provides access rights to users with respect to an access policy where the policy over attributes can be expressed as a union of users’ rights. CoverCrypt has been proposed as a more efficient alternative to Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data by vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters.
Please refer to the Cosmian CoverCrypt documentation for more details.
Format Preserving Encryption (FPE)¶
Format Preserving Encryption (FPE) is, as the name implies, used to keep the format of the encrypted data identical to that of the clear text data. Consider a credit card number of 16 digits; after encryption, the cipher text will still look like a 16 digit credit card number. FPE is particularly useful to add encryption in forms or databases where the data format cannot be changed.
Cosmian KMS exposes the NIST recommended FF1 algorithm. A recent cryptanalysis paper has exposed new attacks, and the Cosmian implementation of FF1 includes the increased umber of rounds of the Feistel recommended in the paper. Cosmian has open-sourced its implementation in cosmian_crypto_base; check the
ff1.rs files for details.