KEY EXCHANGE DATA and confusion in SPC-4 IKEv2-SCSI
Kevin D Butt
kdbutt at us.ibm.com
Tue Oct 13 09:45:23 PDT 2009
Formatted message: <a href="http://www.t10.org/cgi-bin/ac.pl?t=r&f=r0910131_f.htm">HTML-formatted message</a>
T10 Security experts,
I am receiving requests to clarify what is intended for the key exchange
data field in the key exchange payload for the D-H portion of IKEv2-SCSI.
I must admit I cannot figure it out. We always get wrapped around the
wording, " The format of key exchange data is as specified in the
reference cited in that registry for the value used" What is the
reference cited and what is the registry? Then, since the term format is
used, it leads one to believe there is something more than just a public
Here is a note I received that highlights the confusion:
Is the key data field of the .key exchange payload is simply the public
key from the agreed upon D-H group? What makes this confusing is the SPC-4
standard in section 126.96.36.199.3 Key Exchange Payload which states
The KEY EXCHANGE DATA field contains the sender?s Diffie-Hellman public
value for this key exchange. The format of
key exchange data is as specified in the reference cited in that registry
for the value used.
The question of the format is to be used is not clear since it is not
clear what the reference cited is.This still bugs me. If this field is
simply the public key (with prepended zeros to pad to the length of the
prime modulus (if that function was chosen), why not just say that.
Mentioning a format makes it sound like there is more to it. Now in
http://tools.ietf.org/html/rfc4753 there is a mention of using a KE format
for ECP group generated public key in section 7. In the section which
follows there are some examples. In these examples there are 2 DWORDs
preceding the public key. The first is the number of bytes of the payload.
The second is the group number in the upper half of the DWORD. In
http://tools.ietf.org/html/rfc2408, the Internet Security Association and
Key Management Protocol (ISAKMP), section 3.7 defines the key exchange
payload which includes a Key Exchange Data field. Again, it seems this
field depends on the D-H group. although this (ISAKMP) standard is more
So, does the format then depend on which D-H group is being used? Just the
public key if it's a mod P group, and the public key preceded by these two
DWORDs if it's an ECP group?
My questions are:
1) Is the answer, Just the public key if it's a mod P group?
2) What can be done in SPC-4 to clear up the confusion? Can this be more
detailed or can there be an example added?
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt at us.ibm.com
More information about the T10