12/12/2008 Summers - SAiSCSI 1 Secure Asymmetric iSCSI For Online Storage Sarah A. Summers.


1 Secure Asymmetric iSCSI For Online Storage, Sarah A. Summers

2 Outline of Presentation
- Goals of the Project
- Overview of SCSI, iSCSI and IPsec
- Review of Efficient Asymmetric Secure iSCSI
- Testing of Efficient Asymmetric Secure iSCSI
- Motivation for Enhancements
- Proposed Enhancements
- Results
- Disaster Recovery
- Additional Research
- Lessons Learnt, Future Work, Conclusions

3 Goals
1. Enhance the existing Efficient Asymmetric Secure iSCSI scheme to:
   - Enable the transfer of files of arbitrary size
   - Allow files to be transferred to two target storage devices for mirroring and backup
2. Develop and implement a user interface to simplify usage of the scheme
3. Consider the use of the scheme for disaster recovery

4 Overview of SCSI, iSCSI and IPsec

5 SCSI
Application Layer Storage Protocol
- Standard device interface bus enabling block data I/O
- Logically addresses blocks
- Utilizes a client/server (initiator/target) architecture
- Data transferred in Command Descriptor Blocks
- Limitations
  - Length of SCSI bus limits distance over which SCSI can operate
  - Limited number of devices can be connected to it

6 iSCSI
End-to-end protocol to enable transportation of storage I/O block data over IP networks
- Maps SCSI functionality to the TCP/IP protocol
- SCSI CDBs encapsulated in iSCSI Protocol Data Units
- Can be implemented in software and hardware
- Limitations
  - No built in security, relies on IPsec

7 IPsec
Extension of the IP protocol that provides security to IP and upper layers of the OSI model
- Encapsulating Security Protocol (ESP) – provides confidentiality and optionally authentication
- Performs 3 basic steps
  - Header calculation and placement
  - Trailer calculation and placement
  - ESP authentication field calculation and placement
- Internet Key Exchange (IKE)
- Transport Mode

8 sg3_utils
- sg3_utils package containing low level utilities for devices using the SCSI command set
- Utilizes the sg interface
- sg_dd is a variant of the dd command – specialized for block oriented devices that use the SCSI command set
    sg_dd if=test.txt of=/dev/sda bpt=1 odir=1 skip=0 seek=0

9 Review of Efficient Asymmetric Secure iSCSI

10 Efficient Asymmetric Secure iSCSI
- Utilizes the sg_dd command to achieve the transfer of files between initiator and target
- Dual key cryptographic enhancement to IPsec
  - Custom key to encrypt data
  - IKE generated keys to encrypt headers

11 EASI Packet Modification

12 Testing of Efficient Asymmetric Secure iSCSI

13 VMware Virtual Machine Test Bed

14 Limitations of the Existing Scheme
- User data must be an integer multiple of block size (1024 bytes)
- Target Storage File Limitations
  - Only one file can be stored at a time
  - Pre-set size of target storage file limits the size of the user data that can be stored
- sg_dd Utility Limitation
  - Count and block size values must be specified when issuing the sg_dd command
- Reading data from the target using the cp utility results in the entire target file being retrieved
- Mounting of a target storage disk is not possible with the existing implementation

15 Motivations for Enhancements
- Bring existing implementation closer to a complete and usable secure data transfer/storage system
- Allow transfer of files of arbitrary size
- Allow duplicate transfer of files to second target storage device
- Relative complexity of existing scheme in terms of user interaction

16 Proposed Enhancements

17 Secure Asymmetric iSCSI For Online Storage Enhancements
- Enhancements to the sg_dd utility to:
  - Transfer of files of arbitrary size
  - Transfer to two targets
- Graphical User Interface
  - Initiator interface
  - Target interface

18 Implementation Logic for Arbitrary File Transfer
    Set block_size = 1024
    If input_file != target_storage_device
        Determine size of file in bytes
        If ((size % 1024) != 0)
        {
            while ((size % 1024) != 0)
            { size++; }
        }
    count = size/1024
    create CDB using count value
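The block-count logic above, carried through to a SCSI WRITE(10) CDB, as an added example in C (not code from the presentation or from sg_dd). The function names are hypothetical and the choice of WRITE(10) is an assumption; the overflow and range checks are additions the slide does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 1024u            /* block size stated on the slide */

/* Number of blocks needed for size_bytes, rounding up as the slide's loop
 * does. Returns UINT64_MAX if size_bytes + 1023 would wrap around. */
uint64_t blocks_for_size(uint64_t size_bytes)
{
    if (size_bytes > UINT64_MAX - (BLOCK_SIZE - 1))
        return UINT64_MAX;
    return (size_bytes + (BLOCK_SIZE - 1)) / BLOCK_SIZE;
}

/* Bytes of padding the final block carries. The receiver cannot tell
 * padding from data, so the original length has to be kept elsewhere. */
uint32_t padding_for_size(uint64_t size_bytes)
{
    uint32_t tail = (uint32_t)(size_bytes % BLOCK_SIZE);
    return tail ? BLOCK_SIZE - tail : 0;
}

/* Fill a 10-byte WRITE(10) CDB (opcode 0x2A): LBA in bytes 2..5 and
 * transfer length in bytes 7..8, both big-endian. The length field is
 * 16 bits, so larger counts must be split over several commands.
 * Returns 0 on success, -1 if blocks is 0 or does not fit. */
int build_write10(uint32_t lba, uint64_t blocks, uint8_t cdb[10])
{
    if (blocks == 0 || blocks > 0xFFFFu)
        return -1;
    memset(cdb, 0, 10);
    cdb[0] = 0x2A;
    cdb[2] = (uint8_t)(lba >> 24);
    cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);
    cdb[5] = (uint8_t)lba;
    cdb[7] = (uint8_t)(blocks >> 8);
    cdb[8] = (uint8_t)blocks;
    return 0;
}

int main(void)
{
    uint64_t size = 2500;           /* constructed sample file size */
    uint8_t cdb[10];
    uint64_t count = blocks_for_size(size);
    if (build_write10(0, count, cdb) != 0)
        return 1;
    printf("count=%llu pad=%u len_field=%02x%02x\n",
           (unsigned long long)count, padding_for_size(size), cdb[7], cdb[8]);
    return 0;
}
```

The padding count is what the read side lacks: without the original length stored somewhere, a reader can only ask for whole blocks, which matches the count limitation listed in the conclusions.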

19 Implementation Logic for File Transfer to Two Targets
    Set block_size = 1024
    If (second output file == TRUE) {
        Determine device type
        Determine number of blocks in second target
        create command descriptor block for second target
    } else
        set second output file to be /dev/null

20 File Transfer Performance Results

21 Comparison Data for Transfer of Arbitrary Sized Files

22 Comparison Data for Transfer to Two Targets

23 User Interface

24 User Interface
- Developed and implemented using Python and Tkinter
- Comprised of two components
  - Initiator Interface
  - Target Interface

25 User Interface Screenshots

26 Initiator Interface Functionality
- Generate IPsec keys
- Generate SAD and SPD entries
- Start initiator software
- Login/Logout to/from the target(s)
- Transfer user data to target storage
- Retrieve user data from target storage

27 Target Interface Functionality
- Create additional target storage file(s)
- Configure ietd.conf file for additional target(s)
- Generate SAD and SPD entries
- Start/stop iscsitarget software

28 Secure Asymmetric iSCSI for Disaster Recovery
- HIPAA and SOX require security, privacy and accountability of data
- Standard online storage techniques may not be sufficient
- Secure Asymmetric iSCSI for online storage may be the solution
- Secure storage of Custom key
  - Initiator and custom key can be duplicated
  - Store key with trusted third party

29 Additional Research

30 Mounting a Target Storage Device
- Network Protocol Analyzer (Wireshark) Results
  - Discovery – only iSCSI/SCSI commands issued
  - Login – iSCSI/SCSI Read and PDU but PUSH flag not set
  - Mounting results in the issuing of iSCSI/SCSI Writes and Reads
  - iSCSI/SCSI Writes/Reads interpreted by EASI as file transfers
- strace of mount command
  - kernel reads file system information which results in invocation of iSCSI/SCSI commands

31 Using cp to transfer to a Mounted Storage Device
Writing to Target
- Various iSCSI/SCSI Writes and Data-out PDUs
- In addition to user payload, file and directory structure of storage device written
Reading from Target
- Various iSCSI/SCSI Reads and Writes
- Plain vanilla TCP packet after first iSCSI/SCSI Read contains names of directories and files currently on target storage
- Unidentified data in some Data-out PDUs

32 Lessons Learnt/Observations
- sg_dd uses defaults of stdin for input file and stdout for output file.
  - If no output is required use /dev/null
- Linux kernel, open-iscsi and iscsitarget under constant development.
  - Therefore changes to these codes need to be incorporated in new releases.
- Wireshark and Ethereal appear to interpret/display identical log files in a different manner.
- Retrieving data from target using sg_dd requires count value to be specified.

33 Future Directions
- Modify the EASI scheme to use the most current Linux kernel version, open-iscsi and iscsitarget code.
- Re-implement the EASI scheme in a way that mounted target storage disk can be used.
- Improve the simplification of the setup and use of the implementation through the development of an API.
- Enhance the implementation to utilize a dynamic method, such as ‘racoon’, for establishing security associations between the initiator and target

34 Conclusions
- Enhancements to the sg_dd utility have enabled:
  - Simulated transfer of files of arbitrary size
  - Transfer of files to two targets
- Graphical user interface simplifies user interaction:
  - Keys for the encryption of the headers have been simplified
  - Interaction with the initiator and target software has been simplified
  - Writing and reading user data to/from the target has been simplified
- Limitations
  - Arbitrary file transfer still requires user to specify a count value when reading data from target storage
  - True arbitrary file transfer is not achieved

35 ADDITIONAL SLIDES

36 SCSI Command Descriptor Block

37 Phases of SCSI I/O Operation
3 main phases:
- Command
  - Initiator sends command and parameters to the target in a CDB
- Data
  - Data is transferred in accordance with command issued in CDB
- Status
  - Provides confirmation that command executed is received

38 SCSI Architecture in Linux Kernel

39 General Structure of iSCSI PDU

40 iSCSI PDU Basic Header Segment

41 iSCSI Protocol Layering Model

42 Data Encapsulation

43 Open-iSCSI
Open source software implementation of iSCSI initiator
- Kernel Portion
  - iSCSI data path
- User Portion
  - Control path of iSCSI
  - Management facilities
- Release used in EASI: open-iscsi-0.4-423
- Current Release: open-iscsi-2.0-869.2

44 iscsitarget
Open source software implementation of iSCSI target
- Kernel Portion
- User Portion
- Release used in EASI: iscsitarget-0.4.11
- Current Release: iscsitarget-0.4.16

45 Packet for IPsec Transport Mode

46 Write Processing on the Target
1. Identify iSCSI traffic
2. Identify packets containing user data
3. Decrypt packets not containing user data
4. Process packets containing user data

47 Write Processing on the Target
1. Identify iSCSI traffic
2. Identify packets containing user data
3. Decrypt packets not containing user data
4. Process packets containing user data

48 Read Processing on the Target
1. Identify iSCSI traffic – source port 3260
2. Determine if iSCSI packet contains user data
3. Encrypt packets not containing user data
4. Encrypt packets containing user data

49 Read Processing on the Initiator
1. Identify iSCSI traffic
2. Determine if packet contains user data
3. Decrypt packets containing user data
4. Decrypt packets not containing user data
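Slides 46 to 49 all begin by identifying iSCSI traffic and deciding whether a packet carries user data. One way to make that decision from the 48-byte iSCSI Basic Header Segment, as an added example in C that is not EASI's code: classifying by opcode is an assumption (the slides do not say how EASI decides), the names are hypothetical, and the buffer is assumed to start at a PDU boundary with no header digest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISCSI_PORT 3260             /* port named on the Read Processing slide */
#define BHS_LEN    48               /* Basic Header Segment length */

enum pdu_class { NOT_ISCSI, MALFORMED, NO_USER_DATA, USER_DATA };

enum pdu_class classify_pdu(uint16_t sport, uint16_t dport,
                            const uint8_t *pdu, size_t len)
{
    if (sport != ISCSI_PORT && dport != ISCSI_PORT)
        return NOT_ISCSI;
    if (pdu == NULL || len < BHS_LEN)
        return MALFORMED;

    uint8_t  opcode = pdu[0] & 0x3F;                 /* low 6 bits of byte 0 */
    size_t   ahs    = (size_t)pdu[4] * 4;            /* TotalAHSLength, in words */
    uint32_t dsl    = ((uint32_t)pdu[5] << 16) | ((uint32_t)pdu[6] << 8) | pdu[7];

    /* Never trust the declared lengths beyond the bytes actually captured. */
    if (ahs + dsl > len - BHS_LEN)
        return MALFORMED;
    if (dsl == 0)
        return NO_USER_DATA;

    switch (opcode) {
    case 0x05:                                       /* SCSI Data-Out (write) */
    case 0x25:                                       /* SCSI Data-In (read) */
        return USER_DATA;
    case 0x01:                                       /* SCSI Command */
        /* W bit set: the data segment is immediate write data */
        return (pdu[1] & 0x20) ? USER_DATA : NO_USER_DATA;
    default:                                         /* login, text, NOP, ... */
        return NO_USER_DATA;
    }
}

int main(void)
{
    /* Constructed sample: Data-Out PDU with an 8-byte data segment. */
    uint8_t pdu[BHS_LEN + 8] = { 0x05, 0x80, 0, 0, 0, 0, 0, 8 };
    printf("class=%d\n", classify_pdu(40000, ISCSI_PORT, pdu, sizeof pdu));
    return 0;
}
```

In the dual-key scheme from slide 10, USER_DATA marks the payload that stays under the custom key, while NO_USER_DATA PDUs are the ones the target can decrypt with the IKE generated keys.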

50 Comparison of Standard IPsec and EASI at Packet Level

51 Initiator GUI

52 Target GUI

