12/12/2008 Summers - SAiSCSI 1 Secure Asymmetric iSCSI For Online Storage Sarah A. Summers.

Presentation transcript:


Outline of Presentation
- Goals of the Project
- Overview of SCSI, iSCSI and IPsec
- Review of Efficient Asymmetric Secure iSCSI
- Testing of Efficient Asymmetric Secure iSCSI
- Motivation for Enhancements
- Proposed Enhancements
- Results
- Disaster Recovery
- Additional Research
- Lessons Learnt, Future Work, Conclusions

Goals
1. Enhance the existing Efficient Asymmetric Secure iSCSI scheme to:
  - Enable the transfer of files of arbitrary size
  - Allow files to be transferred to two target storage devices for mirroring and backup
2. Develop and implement a user interface to simplify usage of the scheme
3. Consider the use of the scheme for disaster recovery

Overview of SCSI, iSCSI and IPsec

SCSI
Application Layer Storage Protocol
- Standard device interface bus enabling block data I/O
- Logically addresses blocks
- Utilizes a client/server (initiator/target) architecture
- Data transferred in Command Descriptor Blocks
- Limitations
  - Length of SCSI bus limits distance over which SCSI can operate
  - Limited number of devices can be connected to it

iSCSI
End-to-end protocol to enable transportation of storage I/O block data over IP networks
- Maps SCSI functionality to the TCP/IP protocol
- SCSI CDBs encapsulated in iSCSI Protocol Data Units
- Can be implemented in software and hardware
- Limitations
  - No built in security, relies on IPsec

IPsec
Extension of the IP protocol that provides security to IP and upper layers of the OSI model
- Encapsulating Security Protocol (ESP) – provides confidentiality and optionally authentication
  - Performs 3 basic steps
    - Header calculation and placement
    - Trailer calculation and placement
    - ESP authentication field calculation and placement
- Internet Key Exchange (IKE)
- Transport Mode

sg3_utils
- sg3_utils package containing low level utilities for devices using the SCSI command set
- Utilizes the sg interface
- sg_dd is a variant of the dd command – specialized for block oriented devices that use the SCSI command set

    sg_dd if=test.txt of=/dev/sda bpt=1 odir=1 skip=0 seek=0

Review of Efficient Asymmetric Secure iSCSI

Efficient Asymmetric Secure iSCSI
- Utilizes the sg_dd command to achieve the transfer of files between initiator and target
- Dual key cryptographic enhancement to IPsec
  - Custom key to encrypt data
  - IKE generated keys to encrypt headers

EASI Packet Modification

Testing of Efficient Asymmetric Secure iSCSI

VMware Virtual Machine Test Bed

Limitations of the Existing Scheme
- User data must be an integer multiple of block size (1024 bytes)
- Target Storage File Limitations
  - Only one file can be stored at a time
  - Pre-set size of target storage file limits the size of the user data that can be stored
- sg_dd Utility Limitation
  - Count and block size values must be specified when issuing the sg_dd command
- Reading data from the target using the cp utility results in the entire target file being retrieved
- Mounting of a target storage disk is not possible with the existing implementation

Motivations for Enhancements
- Bring existing implementation closer to a complete and usable secure data transfer/storage system
- Allow transfer of files of arbitrary size
- Allow duplicate transfer of files to second target storage device
- Relative complexity of existing scheme in terms of user interaction

Proposed Enhancements

Secure Asymmetric iSCSI For Online Storage
Enhancements
- Enhancements to the sg_dd utility to enable:
  - Transfer of files of arbitrary size
  - Transfer to two targets
- Graphical User Interface
  - Initiator interface
  - Target interface

Implementation Logic for Arbitrary File Transfer

    Set block_size = 1024
    If input_file != target_storage_device
        Determine size of file in bytes
        If ((size % 1024) != 0) {
            while ((size % 1024) != 0) {
                size++;
            }
        }
    count = size / 1024
    create CDB using count value

Implementation Logic for File Transfer to Two Targets

    Set block_size = 1024
    If (second output file == TRUE) {
        Determine device type
        Determine number of blocks in second target
        Create command descriptor block for second target
    } else {
        Set second output file to be /dev/null
    }
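
Added example (not from the slides or from the modified sg_dd source): the block rounding and CDB construction described on the two "Implementation Logic" slides, written in C. It replaces the size++ loop with the closed-form round-up, and it assumes a single WRITE(10) CDB starting at block 0 and a capacity check against each target's block count; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE  1024u  /* block size from the slides */
#define OP_WRITE_10 0x2A   /* SCSI WRITE(10) operation code */

/* Blocks needed for `size` bytes: closed form of the size++ loop. */
uint64_t blocks_for(uint64_t size)
{
    return (size + BLOCK_SIZE - 1) / BLOCK_SIZE;
}

/* Bytes of padding that fill the last block. They are stored on the
 * target, so reading `count` blocks returns size + pad_bytes(size). */
uint64_t pad_bytes(uint64_t size)
{
    return blocks_for(size) * BLOCK_SIZE - size;
}

/* Build one WRITE(10) CDB: opcode, 32-bit LBA and 16-bit transfer
 * length, both big-endian. Returns 0, or -1 if the request does not
 * fit in one CDB or would run past the end of the target. */
int build_write10(uint8_t cdb[10], uint32_t lba, uint64_t count,
                  uint64_t target_blocks)
{
    if (count == 0 || count > 0xFFFF)
        return -1;
    if (lba >= target_blocks || count > target_blocks - lba)
        return -1;
    memset(cdb, 0, 10);
    cdb[0] = OP_WRITE_10;
    cdb[2] = (uint8_t)(lba >> 24);
    cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);
    cdb[5] = (uint8_t)lba;
    cdb[7] = (uint8_t)(count >> 8);
    cdb[8] = (uint8_t)count;
    return 0;
}

/* Plan a write of `size` bytes to one or two targets.
 * second_blocks == 0 means there is no second target (the slide sends
 * the second output to /dev/null in that case). Returns the number of
 * CDBs built (1 or 2), or -1 if a target cannot hold the data. */
int plan_write(uint64_t size, uint64_t first_blocks, uint64_t second_blocks,
               uint8_t cdb1[10], uint8_t cdb2[10])
{
    uint64_t count = blocks_for(size);

    if (build_write10(cdb1, 0, count, first_blocks) != 0)
        return -1;
    if (second_blocks == 0)
        return 1;
    if (build_write10(cdb2, 0, count, second_blocks) != 0)
        return -1;
    return 2;
}

int main(void)
{
    uint8_t a[10], b[10];
    uint64_t size = 2500;   /* constructed sample file size */
    int n = plan_write(size, 4096, 4096, a, b);

    printf("%d CDB(s), count=%llu, padding=%llu bytes\n", n,
           (unsigned long long)blocks_for(size),
           (unsigned long long)pad_bytes(size));
    return n < 0;
}
```

Because the padding is written to the target with the file, a later read of count blocks returns the padded length; the original byte count has to be kept somewhere else, which is the read-side limitation listed in the Conclusions.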

File Transfer Performance Results

Comparison Data for Transfer of Arbitrary Sized Files

Comparison Data for Transfer to Two Targets

User Interface

User Interface
- Developed and implemented using Python and Tkinter
- Comprised of two components
  - Initiator Interface
  - Target Interface

User Interface Screenshots

Initiator Interface Functionality
- Generate IPsec keys
- Generate SAD and SPD entries
- Start initiator software
- Login/Logout to/from the target(s)
- Transfer user data to target storage
- Retrieve user data from target storage

Target Interface Functionality
- Create additional target storage file(s)
- Configure ietd.conf file for additional target(s)
- Generate SAD and SPD entries
- Start/stop iscsitarget software

Secure Asymmetric iSCSI for Disaster Recovery
- HIPAA and SOX require security, privacy and accountability of data
- Standard online storage techniques may not be sufficient
- Secure Asymmetric iSCSI for online storage may be the solution
- Secure storage of Custom key
  - Initiator and custom key can be duplicated
  - Store key with trusted third party

Additional Research

Mounting a Target Storage Device
- Network Protocol Analyzer (Wireshark) Results
  - Discovery – only iSCSI/SCSI commands issued
  - Login – iSCSI/SCSI Read and PDU but PUSH flag not set
  - Mounting results in the issuing of iSCSI/SCSI Writes and Reads
  - iSCSI/SCSI Writes/Reads interpreted by EASI as file transfers
- strace of mount command
  - kernel reads file system information which results in invocation of iSCSI/SCSI commands

Using cp to transfer to a Mounted Storage Device
Writing to Target
- Various iSCSI/SCSI Writes and Data-out PDUs
- In addition to user payload, file and directory structure of storage device written
Reading from Target
- Various iSCSI/SCSI Reads and Writes
- Plain vanilla TCP packet after first iSCSI/SCSI Read contains names of directories and files currently on target storage
- Unidentified data in some Data-out PDUs

Lessons Learnt/Observations
- sg_dd uses defaults of stdin for input file and stdout for output file.
  - If no output is required use /dev/null
- Linux kernel, open-iscsi and iscsitarget under constant development.
  - Therefore changes to these codes need to be incorporated in new releases.
- Wireshark and Ethereal appear to interpret/display identical log files in a different manner.
- Retrieving data from target using sg_dd requires count value to be specified.

Future Directions
- Modify the EASI scheme to use the most current Linux kernel version, open-iscsi and iscsitarget code.
- Re-implement the EASI scheme in a way that a mounted target storage disk can be used.
- Further simplify the setup and use of the implementation through the development of an API.
- Enhance the implementation to utilize a dynamic method, such as ‘racoon’, for establishing security associations between the initiator and target

Conclusions
- Enhancements to the sg_dd utility have enabled:
  - Simulated transfer of files of arbitrary size
  - Transfer of files to two targets
- Graphical user interface simplifies user interaction:
  - Keys for the encryption of the headers have been simplified
  - Interaction with the initiator and target software has been simplified
  - Writing and reading user data to/from the target has been simplified
- Limitations
  - Arbitrary file transfer still requires user to specify a count value when reading data from target storage
  - True arbitrary file transfer is not achieved

ADDITIONAL SLIDES

SCSI Command Descriptor Block

Phases of SCSI I/O Operation
3 main phases:
- Command
  - Initiator sends command and parameters to the target in a CDB
- Data
  - Data is transferred in accordance with command issued in CDB
- Status
  - Provides confirmation that command executed is received

SCSI Architecture in Linux Kernel

General Structure of iSCSI PDU

iSCSI PDU Basic Header Segment

iSCSI Protocol Layering Model

Data Encapsulation

Open-iSCSI
Open source software implementation of iSCSI initiator
- Kernel Portion
  - iSCSI data path
- User Portion
  - Control path of iSCSI
  - Management facilities
- Release used in EASI: open-iscsi
- Current Release: open-iscsi

iscsitarget
Open source software implementation of iSCSI target
- Kernel Portion
- User Portion
- Release used in EASI: iscsitarget
- Current Release: iscsitarget

Packet for IPsec Transport Mode

Write Processing on the Target
1. Identify iSCSI traffic
2. Identify packets containing user data
3. Decrypt packets not containing user data
4. Process packets containing user data


Read Processing on the Target
1. Identify iSCSI traffic – source port
2. Determine if iSCSI packet contains user data
3. Encrypt packets not containing user data
4. Encrypt packets containing user data

Read Processing on the Initiator
1. Identify iSCSI traffic
2. Determine if packet contains user data
3. Decrypt packets containing user data
4. Decrypt packets not containing user data
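
Added example (not from the slides or the EASI source): the slides do not show how EASI tells the two kinds of packet apart, so this C sketch is one possible way to do steps 1 and 2 of the processing lists above. It assumes the IANA-registered iSCSI port 3260, a TCP payload that starts at a PDU boundary, and classification by Basic Header Segment opcode and DataSegmentLength; the function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISCSI_PORT     3260  /* IANA-registered iSCSI target port */
#define BHS_LEN        48    /* Basic Header Segment size in bytes */
#define OP_SCSI_CMD    0x01  /* initiator -> target */
#define OP_DATA_OUT    0x05  /* initiator -> target, write payload */
#define OP_DATA_IN     0x25  /* target -> initiator, read payload */
#define CMD_FLAG_WRITE 0x20  /* W bit in byte 1 of a SCSI Command PDU */

enum pdu_class { NOT_ISCSI, TRUNCATED, ISCSI_CONTROL, ISCSI_USER_DATA };

/* DataSegmentLength: 24-bit big-endian value in BHS bytes 5..7. */
uint32_t data_segment_length(const uint8_t *bhs)
{
    return ((uint32_t)bhs[5] << 16) | ((uint32_t)bhs[6] << 8) | bhs[7];
}

/* Step 1: is this iSCSI traffic (port check)?
 * Step 2: does the PDU carry a data payload (opcode + length check)?
 * Assumes `payload` begins with a BHS; a segment that continues an
 * earlier PDU's data needs stream reassembly, which is not done here. */
enum pdu_class classify(uint16_t sport, uint16_t dport,
                        const uint8_t *payload, size_t len)
{
    if (sport != ISCSI_PORT && dport != ISCSI_PORT)
        return NOT_ISCSI;
    if (len < BHS_LEN)
        return TRUNCATED;       /* header split across TCP segments */

    uint8_t opcode = payload[0] & 0x3F;     /* mask off the I bit */
    if (data_segment_length(payload) == 0)
        return ISCSI_CONTROL;   /* header-only PDU */

    switch (opcode) {
    case OP_DATA_OUT:
    case OP_DATA_IN:
        return ISCSI_USER_DATA;
    case OP_SCSI_CMD:           /* immediate data sent with a write */
        return (payload[1] & CMD_FLAG_WRITE) ? ISCSI_USER_DATA
                                             : ISCSI_CONTROL;
    default:                    /* login, text, NOP, logout, ... */
        return ISCSI_CONTROL;
    }
}

int main(void)
{
    uint8_t pdu[BHS_LEN] = {0};  /* constructed SCSI Data-Out header */
    pdu[0] = OP_DATA_OUT;
    pdu[6] = 0x04;               /* DataSegmentLength = 1024 */
    printf("class=%d\n", classify(49152, ISCSI_PORT, pdu, sizeof pdu));
    return 0;
}
```

A check at this level cannot tell a file's payload from file system metadata carried in the same PDU types, so the reads and writes issued by a mount look the same as a file transfer.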

Comparison of Standard IPsec and EASI at Packet Level

Initiator GUI

Target GUI