11-080r2: Token security

david.black at emc.com david.black at emc.com
Tue Apr 19 11:12:01 PDT 2011

Formatted message: <a href="http://www.t10.org/cgi-bin/ac.pl?t=r&f=r1104192_f.htm">HTML-formatted message</a>

Thanks for taking a look at the document.
There's no requirement that tokens be secure in the sense that cryptography
is required in their implementation, but there is a requirement that token
modifications be detectable (i.e., it must not be possible for an application
client to edit a token and thereby obtain access to data that the token did
not grant when created).  All of the crypto-related requirements language is
introduced by the following words:
If the copy manager determination of whether a ROD token is valid cannot
detect all modifications to an issued ROD token
In addition, the previous sentence provides an example of how to avoid that
"If" (compare the entire token to a copy saved when it was created).  If
you'd like to weaken that quoted "If" text, or the related requirement that
the entire contents of the token be checked, I welcome suggested alternative
text and rationale.
The two comments in the FDF are fine with me, and I'll reflect them in the
r3.  FWIW, SHA2-256 and SHA2-512 are examples of functions that may be used
to reduce a token to a smaller quantity of data on which validity is checked.
From: Kevin D Butt [mailto:kdbutt at us.ibm.com]
Sent: Tuesday, April 19, 2011 1:39 PM
To: Black, David
Cc: T10 Reflector
Subject: 11-080r2: Token security
Here is a little feedback.
Also, requiring that tokens are secure is something that earlier was said
wouldn't happen.  This is something we argued against.
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
Data Protection & Retention
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt at us.ibm.com

More information about the T10 mailing list