KEY EXCHANGE DATA and confusion in SPC-4 IKEv2-SCSI

Kevin D Butt kdbutt at us.ibm.com
Tue Oct 13 09:45:23 PDT 2009


Formatted message: <a href="http://www.t10.org/cgi-bin/ac.pl?t=r&f=r0910131_f.htm">HTML-formatted message</a>

T10 Security experts,
I am receiving requests to clarify what is intended for the key exchange 
data field in the key exchange payload for the D-H portion of IKEv2-SCSI. 
I must admit I cannot figure it out.  We always get wrapped around the 
wording, " The format of key exchange data is as specified in the 
reference cited in that registry for the value used"  What is the 
reference cited and what is the registry?  Then, since the term format is 
used, it leads one to believe there is something more than just a public 
key.
Here is a note I received that highlights the confusion:
Is the key data field of the .key exchange payload is simply the public 
key from the agreed upon D-H group? What makes this confusing is the SPC-4 
standard in section 7.6.3.5.3 Key Exchange Payload which states 
The KEY EXCHANGE DATA field contains the sender?s Diffie-Hellman public 
value for this key exchange. The format of
key exchange data is as specified in the reference cited in that registry 
for the value used.
The question of the format is to be used is not clear since it is not 
clear what the reference cited is.This still bugs me. If this field is 
simply the public key (with prepended zeros to pad to the length of the 
prime modulus (if that function was chosen), why not just say that. 
Mentioning a format makes it sound like there is more to it. Now in 
http://tools.ietf.org/html/rfc4753 there is a mention of using a KE format 
for ECP group generated public key in section 7. In the section which 
follows there are some examples. In these examples there are 2 DWORDs 
preceding the public key. The first is the number of bytes of the payload. 
The second is the group number in the upper half of the DWORD. In 
http://tools.ietf.org/html/rfc2408, the Internet Security Association and 
Key Management Protocol (ISAKMP), section 3.7 defines the key exchange 
payload which includes a Key Exchange Data field. Again, it seems this 
field depends on the D-H group. although this (ISAKMP) standard is more 
general. 
So, does the format then depend on which D-H group is being used? Just the 
public key if it's a mod P group, and the public key preceded by these two 
DWORDs if it's an ECP group?
My questions are:
1) Is the answer, Just the public key if it's a mod P group?
2) What can be done in SPC-4 to clear up the confusion?  Can this be more 
detailed or can there be an example added?
thanks,
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt at us.ibm.com



More information about the T10 mailing list