Protecting data in buffer with an SA

Ralph Weber roweber at IEEE.org
Wed Mar 4 18:25:04 PST 2009


Formatted message: http://www.t10.org/cgi-bin/ac.pl?t=r&f=r090304a_f.htm

Kevin,

You are correct about needing a variable length CDB.
The ESP-SCSI descriptor is always bigger than 16 bytes.
Therefore, none of the small CDBs have room for the
operation code and the ESP-SCSI descriptor.

I do not understand the claim about prohibiting the
use of Extended CDBs. The known plaintext attack is
thwarted by having any portion (not necessarily all)
of the CDB data protected by an ESP-SCSI descriptor.
The ability to decrypt the ESP-SCSI descriptor and
validate the contents thus decrypted proves that the
application client has knowledge of the SA, and this
is true regardless of the number of encrypted bytes
transferred.

All the best,

.Ralph

Kevin D Butt wrote:
>
> Ralph,
>
> If I understand this correctly, then if I desire to protect the data 
> returned by a Security Protocol In command with an SA, then I would 
> need to protect the Security Protocol In command with the SA during 
> the request (this is required to thwart known plain-text attacks). 
>  This in turn would require that the standard be updated to specify 
> how to protect the Security Protocol In command.  I think this would 
> require use of a variable length CDB (in order to fit in the SA 
> protected SPIN command) and would preclude use of an extended CDB 
> (because the SPIN CDB would not be protected by an SA and there would 
> be nothing to create a new extension with).
>
> Am I understanding this correctly?
>
> Thanks,
>
> Kevin D. Butt
> SCSI & Fibre Channel Architect, Tape Firmware
> MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> Tel: 520-799-5280
> Fax: 520-799-2723 (T/L:321)
> Email address: kdbutt at us.ibm.com
> http://www-03.ibm.com/servers/storage/
>
>
> From: Kevin D Butt/Tucson/IBM at IBMUS
> To: Ralph Weber <roweber at ieee.org>
> Cc: t10 at t10.org
> Date: 03/04/2009 11:13 AM
> Subject: Re: Protecting data in buffer with an SA
>
>
> ------------------------------------------------------------------------
>
>
>
>
> Ralph,
>
> Thanks.  I need to dig through this and assimilate the information. 
>  Thanks for your responses.
>
> Kevin D. Butt
> SCSI & Fibre Channel Architect, Tape Firmware
> MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> Tel: 520-799-5280
> Fax: 520-799-2723 (T/L:321)
> Email address: kdbutt at us.ibm.com
> http://www-03.ibm.com/servers/storage/
>
> From: Ralph Weber <roweber at ieee.org>
> To: t10 at t10.org
> Date: 03/03/2009 06:32 PM
> Subject: Re: Protecting data in buffer with an SA
>
>
>
> ------------------------------------------------------------------------
>
>
>
> * From the T10 Reflector (t10 at t10.org), posted by:
> * Ralph Weber <roweber at ieee.org>
> *
> Kevin,
>
> I believe the RECEIVE CREDENTIAL command (see 6.19) provides
> a worked example of how to SA-protect a data-in buffer.
> N.B. The use of an SA to protect data in the CDB is a
> security-motivated "feature", as described in the last
> paragraph in 5.14.7.5.1.
>
> All the best,
>
> .Ralph
>
> Kevin D Butt wrote:
> >
> > Ralph,
> >
> > Thanks for the response.  Does it help to restate my question as this:
> > How can the device server know which SA the application client wants
> > the device server to use to protect the data-in buffer using ESP-SCSI?
> >
> > 5.14.7.5.1 Overview
> > A device server shall transfer ESP-SCSI parameter data descriptors in
> > a data-in buffer only in response to a
> > request that specifies an SA using the AC_SAI SA parameter and DS_SAI
> > SA parameter values (see 5.14.2.2). If
> > the specified combination of AC_SAI and DS_SAI values in a command
> > that requests the transfer of ESP-SCSI
> > parameter data descriptors is not known to the device server, the
> > command shall be terminated with CHECK
> > CONDITION status, with the sense key set to ILLEGAL REQUEST, the
> > additional sense code set to INVALID
> > FIELD IN PARAMETER LIST or to INVALID FIELD IN CDB, the SKSV bit set
> > to one, and SENSE KEY SPECIFIC field
> > set as defined in 4.5.2.4.2.
> >
> > How is this line in the above fulfilled "only in response to a request
> > that specifies an SA using the AC_SAI SA parameter and DS_SAI SA
> > parameter values".  How can the request (i.e., a CDB) specify an SA?
> >
> > Thanks,
> >
> > Kevin D. Butt
> > SCSI & Fibre Channel Architect, Tape Firmware
> > MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> > Tel: 520-799-5280
> > Fax: 520-799-2723 (T/L:321)
> > Email address: kdbutt at us.ibm.com
> > http://www-03.ibm.com/servers/storage/
> >
> >
> > From: Ralph Weber <roweber at IEEE.org>
> > To: t10 at t10.org
> > Date: 03/03/2009 05:06 PM
> > Subject: Re: Protecting data in buffer with an SA
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> >
> > * From the T10 Reflector (t10 at t10.org), posted by:
> > * Ralph Weber <roweber at ieee.org>
> > *
> > Kevin,
> >
> > I am having difficulty parsing everything that follows, "There
> > is an ESP-SCSI defined for parameter in data but no method for
> > selecting which SA to use to protect it" in the original message.
> >
> > Every ESP-SCSI format that I have checked contains an SAI
> > (Security Association Index) -- either DS_SAI or AC_SAI --
> > that identifies the SA to be applied when protecting the data.
> >
> > Perhaps my confusion over the other questions will be clarified
> > when the inability of SAIs to identify SAs is explained.
> >
> > All the best,
> >
> > .Ralph
> >
> > Kevin D Butt wrote:
> > >
> > > IBM is looking at what would be required to protect a data in buffer
> > > with an SA.  There is an ESP-SCSI defined for parameter in data but no
> > > method for selecting which SA to use to protect it.  How does the
> > > application client tell the device server which SA to use?  Since
> > > there are no SAI fields in the CDBs for the commands that request the
> > > data we are looking to protect, we don't see how to do this.
> > >
> > > Has anybody thought about this yet?
> > >
> > > Thanks,
> > >
> > > Kevin D. Butt
> > > SCSI & Fibre Channel Architect, Tape Firmware
> > > MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> > > Tel: 520-799-5280
> > > Fax: 520-799-2723 (T/L:321)
> > > Email address: kdbutt at us.ibm.com
> > > http://www-03.ibm.com/servers/storage/
> >
> > *
> > * For T10 Reflector information, send a message with
> > * 'info t10' (no quotes) in the message body to majordomo at t10.org
> >
> >
>
>
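A simplified model of the exchange discussed in this thread, added here as an example and not taken from the thread or from SPC-4: the device server selects the SA from the AC_SAI/DS_SAI pair carried in the request, rejects an unknown pair as the quoted 5.14.7.5.1 text requires, and accepts the request only if the integrity check made with that SA's key verifies, whatever the length of the protected bytes. Assumptions: the 32-bit SAI fields and byte layout, HMAC-SHA-256 standing in for ESP-SCSI's encryption and integrity algorithms, the names `build_descriptor`, `handle_request` and `SA_TABLE`, and the "MALFORMED" and "INTEGRITY FAILURE" labels.

```python
import hashlib
import hmac
import struct

# Sense values named in the quoted 5.14.7.5.1 text.
ILLEGAL_REQUEST = 0x05               # sense key
INVALID_FIELD_IN_CDB = (0x24, 0x00)  # additional sense code, qualifier

ICV_LEN = 32                 # HMAC-SHA-256 output (assumed for this model)
HDR = struct.Struct(">II")   # AC_SAI, DS_SAI as 32-bit big-endian (assumed)

# Constructed sample SA table: (AC_SAI, DS_SAI) -> key. Not real values.
SA_TABLE = {(0x1001, 0x2001): b"k" * 32}


def build_descriptor(ac_sai, ds_sai, key, protected):
    """Application-client side: bind `protected` bytes to the SA's key."""
    body = HDR.pack(ac_sai, ds_sai) + protected
    return body + hmac.new(key, body, hashlib.sha256).digest()


def handle_request(sa_table, descriptor):
    """Device-server side: select the SA by SAI pair, then verify the ICV.

    Returns (status, detail); detail is sense data or the protected bytes.
    """
    if len(descriptor) < HDR.size + ICV_LEN:
        return ("MALFORMED", None)  # hypothetical label
    body, icv = descriptor[:-ICV_LEN], descriptor[-ICV_LEN:]
    ac_sai, ds_sai = HDR.unpack_from(body)
    key = sa_table.get((ac_sai, ds_sai))
    if key is None:
        # SAI combination not known to the device server.
        return ("CHECK CONDITION", (ILLEGAL_REQUEST, *INVALID_FIELD_IN_CDB))
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        # Sender does not hold this SA's key. The sense data for this case
        # is not given in the thread, so none is modelled (hypothetical label).
        return ("INTEGRITY FAILURE", None)
    return ("GOOD", body[HDR.size:])
```

A one-byte and a 512-byte protected field verify identically, which is the point made in the reply at the top of the thread: proof of SA knowledge does not depend on how many bytes are protected.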


