[T10] Tape Stream Mirroring - Encryption Security
Kevin D Butt
kdbutt at us.ibm.com
Wed Feb 17 13:22:12 PST 2016
<<comments inline below>>
Kevin D. Butt
SCSI Architect, Tape Firmware, CAMSS
T10 Standards
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt at us.ibm.com
http://www-03.ibm.com/servers/storage/
From: Dennis Appleyard <dennis.appleyard at oracle.com>
To: t10 at t10.org
Date: 02/16/2016 11:54
Subject: [T10] Tape Stream Mirroring - Encryption Security
Sent by: t10-bounces at t10.org
All,
I have posted 16-019r1 (SSC-5, ADC-4 : Tape Stream Mirroring ladder
diagrams) with three additional sequence diagrams showing how an
application client can ensure the security of logical block encryption
parameters in the tape stream mirroring destination device when encryption
parameters are under the exclusive control of the sequential-access device
server.
Encryption may also be controlled by an automation/drive interface (see
ADC) or a vendor specific management interface.
These new functions use the encryption mode locking and key instance
counters described in SSC-5.
I am proposing the following additional functions:
SSC - set TSM lock encryption
SSC - set TSM reference key instance counter
SSC - check TSM lock encryption
SSC - check TSM reference key instance counter
The state of lock encryption and the reference key instance counter are
not allowed to be changed while a tape volume is mounted.
<<kdbutt: I assume you mean TSM lock encryption and TSM reference key
instance counter? >>
Setting lock encryption instructs the copy manager to set the LOCK bit in
the SPOUT command Set Data Encryption page when setting the the scope to
PUBLIC in the copy destination.
The application client sets up the encryption parameters in the copy
source and copy destination. The application client reads the key instance
counter from the copy destination. This becomes the reference key instance
counter. <<kdbutt: Is there are potential for the copy destination to be
changed unnoticed here, between the set and the read of the instance
counter?>>The application client passes the reference key instance counter
and lock encryption to the copy source (copy manager). The tape is
mounted. After the tape is mounted the reference key instance counter and
state of lock encryption can not be changed. The application client then
checks that the reference key instance counter and lock encryption were
not changed just before the tape was mounted. The copy manager then reads
the key instance counter from the copy destination and checks that it
equals the reference key instance counter. The copy manger then uses a
SPOUT command to set a SCOPE of PUBLIC and LOCK bit set to one. If an
unauthorized application client changes the public encryption parameters
being used by the copy destination then write commands will fail because
the key instance counter has changed. <<kdbutt: By unauthorized, I think
you mean any ac other than the copy manager. There is no intent to bring
in "Authorization" as defined in the security world?>>
The diagrams show how a change of the encryption parameters in the TSM
copy destination by an unauthorized application client is detected by the
application client, detected by the copy manager or causes write errors on
the destination device.
The new diagrams are;
Application Control of Tape Stream Mirroring (TSM) with Encryption - Rogue
SPOUT Before TSM
Application Control of Tape Stream Mirroring (TSM) with Encryption - Rogue
SPOUT Start TSM
Application Control of Tape Stream Mirroring (TSM) with Encryption - Rogue
SPOUT During TSM
I plan to discuss these diagrams on the Telecon Thursday February 18
9:00a - 11:00a PST.
Thanks,
Dennis Appleyard
Oracle
_______________________________________________
T10 mailing list
T10 at t10.org
http://www.t10.org/mailman/listinfo/t10
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.t10.org/pipermail/t10/attachments/20160217/2e3aefa7/attachment.html>
More information about the T10
mailing list