Re: iSCSI Security Comments
Thanks Josh,
I will fix.
Regards,
Julo
"Joshua Tseng/Nishan Systems" <joshua.tseng@NishanSystems.com> on
11/11/2000 02:29:40
Please respond to "Joshua Tseng/Nishan Systems"
<joshua.tseng@NishanSystems.com>
To: ips@ece.cmu.edu
cc:
Subject: iSCSI Security Comments
A few comments for the security section:
1) X509v3 is a format for a public key certificate, and
is not a public key authentication algorithm. So it should
be deleted as a Public Key authentication algorithm from
the table on page 74.
2) Another important Public Key authentication algorithm
you may want to include in the table in pg 74 is RSA
Signature Algorithm with MD-2, MD-5, or SHA-1 hash
(defined in RFC 2313).
I think this is where iSNS and iSCSI security dovetail
pretty nicely. The iSCSI initiators can retrieve the X509v3
public key certificates from the iSNS for the iSCSI target
they wish to talk to. The certificate should identify the
authentication algorithm (RSA or DSA) for the public key,
allowing the initiator to sign the authenticate message
with the target's public key using the specified algorithm.
3) Similar to 1), PGP is not a public key authentication
algorithm, and should also be deleted from the table on
pg 74.
4) Your reference to [SPKIX] is missing. I suspect that
it also is not a signature authentication algorithm.
5) pg 75: "authenticate:<user-id>,<blob>"
"blob" is the "digital signature of the salt and the iSCSI
header (48 bytes) carrying the authenticating message", not
the "public key blob". The hash and signature should not
cover the text message and the blob (re-hash & sign the
blob?).
6) pg 76-77: The public key authentication examples should
have "public_key(ssh-dss, parameters)", instead of
"public_key(ssh-dss, blob)". "blob" should only exist for
the "authenticate:" message.
7) pg 76, last paragraph- "blob" is a hash of the "salt"
and the iSCSI PDU header (not packet).
Josh
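As an added example, not code from the thread or the iSCSI draft, of the authenticate exchange described in items 5 and 7: the initiator signs the salt followed by the 48-byte header, and the target verifies that signature with the initiator's public key, so a blob computed for one header does not verify against another. Assumptions: RSA PKCS#1 v1.5 signatures over a SHA-256 digest stand in for the RFC 2313 algorithms with SHA-1 or MD5 named in item 2, and the key, salt and header bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// headerLen is the iSCSI header size the thread gives (48 bytes).
const headerLen = 48
// digest hashes salt || header, the only data the blob is meant to cover.
func digest(salt, header []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, salt...), header...))
	return d[:]
}
// authBlob builds the "blob" of "authenticate:<user-id>,<blob>": the initiator's
// signature over salt || header, not over the public key or the text message.
func authBlob(priv *rsa.PrivateKey, salt, header []byte) ([]byte, error) {
	if len(header) != headerLen {
		return nil, fmt.Errorf("header must be %d bytes, got %d", headerLen, len(header))
	}
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(salt, header))
}
// verifyBlob is the target side: recompute the digest over the salt it issued and
// the header it received, then check it with the initiator's public key.
func verifyBlob(pub *rsa.PublicKey, salt, header, blob []byte) bool {
	if len(header) != headerLen {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(salt, header), blob) == nil
}
// demo runs a constructed exchange and returns whether the genuine blob verifies
// and whether the same blob still verifies after one header bit is flipped.
func demo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed initiator key
	if err != nil { return false, false, err }
	salt := []byte("constructed-sample-salt")       // constructed value
	header := bytes.Repeat([]byte{0x43}, headerLen) // constructed 48-byte header
	blob, err := authBlob(priv, salt, header)
	if err != nil { return false, false, err }
	altered := append([]byte{}, header...)
	altered[0] ^= 0x01 // a single changed header bit must invalidate the blob
	return verifyBlob(&priv.PublicKey, salt, header, blob),
		verifyBlob(&priv.PublicKey, salt, altered, blob), nil
}

func main() { g, t, err := demo(); fmt.Println(g, t, err) } // true false <nil>
```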