    Re: iSCSI Security Comments
    Thanks Josh,
    
    I will fix.
    
    Regards,
    Julo
    
    "Joshua Tseng/Nishan Systems" <joshua.tseng@NishanSystems.com> on
    11/11/2000 02:29:40
    
    Please respond to "Joshua Tseng/Nishan Systems"
          <joshua.tseng@NishanSystems.com>
    
    To:   ips@ece.cmu.edu
    cc:
    Subject:  iSCSI Security Comments
    
    A few comments for the security section:
    
    1)  X509v3 is a format for a public key certificate, and
    is not a public key authentication algorithm.  So it should
    be deleted as a Public Key authentication algorithm from
    the table on page 74.
    
    2)  Another important Public Key authentication algorithm
    you may want to include in the table in pg 74 is RSA
    Signature Algorithm with MD-2, MD-5, or SHA-1 hash
    (defined in RFC 2313).
    
    I think this is where iSNS and iSCSI security dovetail
    pretty nicely.  The iSCSI initiators can retrieve the X509v3
    public key certificates from the iSNS for the iSCSI target
    they wish to talk to. The certificate should identify the
    authentication algorithm (RSA or DSA) for the public key,
    allowing the initiator to sign the authenticate message
    with the target's public key using the specified algorithm.
    
    3)  Similar to 1), PGP is not a public key authentication
    algorithm, and should also be deleted from the table on
    pg 74.
    
    4)  Your reference to [SPKIX] is missing.  I suspect that
    it also is not a signature authentication algorithm.
    
    5)  pg 75: "authenticate:<user-id>,<blob>"
    
    "blob" is the "digital signature of the salt and the iSCSI
    header (48 bytes) carrying the authenticating message", not
    the "public key blob".  The hash and signature should not
    cover the text message and the blob (re-hash & sign the
    blob?).
    
    6)  pg 76-77:  The public key authentication examples should
    have "public_key(ssh-dss, parameters)", instead of
    "public_key(ssh-dss, blob)".  "blob" should only exist for
    the "authenticate:" message.
    
    7)  pg 76, last paragraph: "blob" is a hash of the "salt"
    and the iSCSI PDU header (not packet).
    
    Josh
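
The "authenticate:<user-id>,<blob>" exchange of comments 5 and 7, as an added Go example that is not code from the email or from the iSCSI draft: the blob is an RSA PKCS#1 v1.5 signature with SHA-1 (the RFC 2313 algorithm of comment 2, kept only because the email lists it; SHA-1 is not a choice for new designs) over exactly the salt and the 48-byte PDU header, made with the signer's private key and checked with the public key from the signer's certificate. The base64 text encoding of the blob and all type and function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// Header is the 48-byte iSCSI PDU header that, per comments 5 and 7, the blob
// signs; the fixed-size array type enforces that length at compile time.
type Header [48]byte

// digest hashes salt || header, the only bytes the signature covers. The text of
// the authenticate message itself is deliberately not part of the input (comment 5).
func digest(salt []byte, hdr *Header) []byte {
	h := sha1.New()
	h.Write(salt)
	h.Write(hdr[:])
	return h.Sum(nil)
}

// MakeAuthenticate builds "authenticate:<user-id>,<blob>"; blob is an RSA PKCS#1
// v1.5 / SHA-1 signature (RFC 2313) over salt || header. Base64 is an assumed encoding.
func MakeAuthenticate(priv *rsa.PrivateKey, userID string, salt []byte, hdr *Header) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest(salt, hdr))
	if err != nil {
		return "", err
	}
	return "authenticate:" + userID + "," + base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyAuthenticate checks the blob against the salt and header the verifier
// itself observed; pub is the public key the caller took from the signer's
// certificate. It returns the user-id only when the signature verifies.
func VerifyAuthenticate(pub *rsa.PublicKey, msg string, salt []byte, hdr *Header) (string, error) {
	userID, b64, ok := strings.Cut(strings.TrimPrefix(msg, "authenticate:"), ",")
	sig, err := base64.StdEncoding.DecodeString(b64)
	if !strings.HasPrefix(msg, "authenticate:") || !ok || err != nil {
		return "", fmt.Errorf("malformed authenticate message: %q", msg)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest(salt, hdr), sig); err != nil {
		return "", fmt.Errorf("blob does not verify: %w", err)
	}
	return userID, nil
}
```

A stale blob replayed against a fresh salt, or a modified header, fails verification, which is the whole point of signing those bytes rather than the text message.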