Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement.
-
Upload
stephen-bradley -
Category
Documents
-
view
219 -
download
2
Transcript of Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement.
Completion of a Light-weight Security Scheme for iSCSI
Prepared by They Yu ShuLee Ern Yu
Outline Motivation Previous Work Remaining Issues Improvement
Motivation Current security schemes for iSCSI:
IPsec File System Based Encryption (NTFS, EXT3 and etc.) CHAP, Kerberos, SRP
Current security schemes doesn’t worked well on mobile devices. Limited processing power and resources Frequently changes of IP address May not support IPsec or file system that provide
data protection mechanism
Previous Work Embedded a light-weight encryption
scheme using Dragon Encryption algorithm and HMAC-SHA256 into iSCSI layer
Data transfer between initiator and target are secured.
Performance
00.10.20.30.40.5
512 1024 2048 4096 8192
Block Size (Byte)
iSCSI
iSCSI + IPsec
Our ProposedSolution
Remaining Issues Phase 1 Authentication and Key
Exchange? Dragon is a symmetric key encryption
algorithm The default authentication scheme (CHAP)
does not secure enough
1. After the Link Establishment phase is complete, the authenticator sends a “challenge” message to the peer.
2. The peer responds with a value calculated using a “one-way hash” function.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3.
Authenticator
Peer
Challenge
Respond
Accept or Reject
Code Identifier Length
Data …
Figure 1: A captured CHAP Challenge packet Figure 2: A captured CHAP response packet
Information we gathered so far Username Server name Client and server IP The ID used to compute response Challenge and associated response
Try dictionary Attack
Requirement in RFC 1994:- The client MUST answer any challenge it receives
ServerUser Attacker
Challenge
Response
Accept
Challenge
Challenge
Response
Response
Accept
Improvement Propose to use EC-SRP (Elliptic Curve
Cryptography - Secure Remote Password) in the In-Band Initiator-Target Authentication phase.
SRP to EC-SRP A password authentication and key exchange
protocol. SRP (Secure Remote Password) is already used
for iSCSI Authentication EC-SRP is SRP implementation using ECC (Elliptic
Curve Cryptography) EC-SRP need lesser amount of processing power.
Further enhance the research paper “A Lightweight Virtual Storage Security Scheme for Mobile Devices” Propose to use EC-SRP (Elliptic Curve Cryptography -
Secure Remote Password) in the In-Band Initiator-Target Authentication phase.
Comparison between various type of Secure Remote Password (SRP) with EC-SRP
Bruce Schneier and Mudge. Cryptoanalysis of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) .
An implementation of the attack described in this paper. http://stealth.7350.org/7350pppd.tgz .
J. Satran, K. Meth, C. Sapuntzakis, M. Chadalapaka, E. Zeidner.: Internet Small Computer Systems Interface (iSCSI), Request For Comments 3720, April 2004.
A. Menezes and S.A. Vanstone. Elliptic curve cryptosystems and their implementations. Journal of Cryptology, 6(4):209{224, 1993.
D. Jablon. Extended password methods immune to dictionary attack. In WETICE '97 Enterprise Security Workshop, Cambridge, MA, June 1997.
End