ImageVerifierCode 换一换
格式:PDF , 页数:153 ,大小:771.51KB ,
资源ID:435813      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-435813.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ANSI INCITS 501-2016 Information Technology C Security Features for SCSI Commands (SFSC).pdf)为本站会员(吴艺期)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ANSI INCITS 501-2016 Information Technology C Security Features for SCSI Commands (SFSC).pdf

1、American National StandardDeveloped byfor Information Technology Security Features forSCSI Commands (SFSC)INCITS 501-2016INCITS 501-2016INCITS 501-2016American National Standardfor Information Technology Security Features forSCSI Commands (SFSC)SecretariatInformation Technology Industry CouncilAppro

2、ved July 7. 2016American National Standards Institute, Inc.AbstractThis standard defines security features for use by all SCSI devices. This standard defines the securitymode that is basic to every device model and the parameter data that may apply to any device model.Approval of an American Nationa

3、l Standard requires review by ANSI that therequirements for due process, consensus, and other criteria for approval havebeen met by the standards developer.Consensus is established when, in the judgement of the ANSI Board ofStandards Review, substantial agreement has been reached by directly andmate

4、rially affected interests. Substantial agreement means much more thana simple majority, but not necessarily unanimity. Consensus requires that allviews and objections be considered, and that a concerted effort be madetowards their resolution.The use of American National Standards is completely volun

5、tary; theirexistence does not in any respect preclude anyone, whether he has approvedthe standards or not, from manufacturing, marketing, purchasing, or usingproducts, processes, or procedures not conforming to the standards.The American National Standards Institute does not develop standards andwil

6、l in no circumstances give an interpretation of any American NationalStandard. Moreover, no person shall have the right or authority to issue aninterpretation of an American National Standard in the name of the AmericanNational Standards Institute. Requests for interpretations should beaddressed to

7、the secretariat or sponsor whose name appears on the titlepage of this standard.CAUTION NOTICE: This American National Standard may be revised orwithdrawn at any time. The procedures of the American National StandardsInstitute require that action be taken periodically to reaffirm, revise, orwithdraw

8、 this standard. Purchasers of American National Standards mayreceive current information on all standards by calling or writing the AmericanNational Standards Institute.American National StandardPublished byAmerican National Standards Institute, Inc.25 West 43rd Street, New York, NY 10036Copyright 2

9、016 by Information Technology Industry Council (ITI)All rights reserved.No part of this publication may be reproduced in anyform, in an electronic retrieval system or otherwise,without prior written permission of ITI, 1101 K Street NW, Suite 610, Washington, DC 20005. Printed in the United States of

10、 AmericaCAUTION: The developers of this standard have requested that holders of patents that may be re-quired for the implementation of the standard disclose such patents to the publisher. However, nei-ther the developers nor the publisher have undertaken a patent search in order to identify which,

11、ifany, patents may apply to this standard. As of the date of publication of this standard, followingcalls for the identification of patents that may be required for the implementation of the standard,notice of one or more such claims has been received. By publication of this standard, no positionis

12、taken with respect to the validity of this claim or of any rights in connection therewith. The knownpatent holder(s) has (have), however, filed a statement of willingness to grant a license underthese rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to ob-tain s

13、uch a license. Details may be obtained from the publisher. No further patent search is con-ducted by the developer or publisher in respect to any standard it processes. No representation ismade or implied that this is the only license that may be required to avoid infringement in the use ofthis stan

14、dard.iContentsPageForeword. viiiIntroduction xiiSCSI standards familyxii1 Scope. 12 Normative references. 13 Definitions, symbols, abbreviations, and conventions 43.1 Definitions. 43.2 Abbreviations and symbols. 133.2.1 Abbreviations. 133.2.2 Symbols. 143.2.3 Mathematical operators . 143.3 Keywords

15、143.4 Conventions 163.5 Numeric and character conventions . 163.5.1 Numeric conventions . 163.5.2 Units of measure 173.5.3 Byte encoded character strings conventions. 183.6 Bit and byte ordering. 184 Security features model common to all device types . 204.1 Security features for SCSI devices. 204.1

16、.1 Security associations. 204.1.1.1 Principles of SAs. 204.1.1.2 SA parameters 214.1.1.3 Creating an SA . 244.1.2 Key derivation functions. 244.1.2.1 KDFs overview 244.1.2.2 IKEv2-based iterative KDF . 254.1.2.3 HMAC-based KDFs 254.1.2.4 AES-XCBC-PRF-128 IKEv2-based iterative KDF 274.1.3 Using IKEv2

17、-SCSI to create an SA 284.1.3.1 Overview. 284.1.3.2 IKEv2-SCSI Protocol summary. 314.1.3.3 IKEv2-SCSI Authentication. 344.1.3.3.1 Overview 344.1.3.3.2 Pre-shared key authentication. 354.1.3.3.3 Digital signature authentication 364.1.3.3.3.1 Overview. 364.1.3.3.3.2 Certificates and digital signature

18、authentication . 364.1.3.3.3.3 Example of certificate use for digital signature authentication 374.1.3.3.3.4 Handling of the Certificate Request payload and the Certificate payload. 374.1.3.3.4 Constraints on skipping the Authentication step 374.1.3.4 Summary of IKEv2-SCSI shared keys nomenclature a

19、nd shared key sizes 394.1.3.5 Device Server Capabilities step 404.1.3.6 IKEv2-SCSI Key Exchange step. 424.1.3.6.1 Overview 42ii4.1.3.6.2 Key Exchange step SECURITY PROTOCOL OUT command 424.1.3.6.3 Key Exchange step SECURITY PROTOCOL IN command 434.1.3.6.4 Key Exchange step completion . 444.1.3.6.5 A

20、fter the Key Exchange step . 444.1.3.7 IKEv2-SCSI Authentication step. 444.1.3.7.1 Overview 444.1.3.7.2 Authentication step SECURITY PROTOCOL OUT command 454.1.3.7.3 Authentication step SECURITY PROTOCOL IN command 464.1.3.8 Generating shared keys 474.1.3.8.1 Overview 474.1.3.8.2 Generating shared k

21、eys when the Authentication step is skipped 484.1.3.8.3 Generating shared keys when the Authentication step is processed 484.1.3.8.4 Initializing shared key generation 484.1.3.8.4.1 Initializing for SA creation shared key generation. 484.1.3.8.4.2 Initializing for generation of shared keys used by t

22、he created SA 494.1.3.8.5 Generating shared keys used for SA management. 494.1.3.8.6 Generating shared keys for use by the created SA. 504.1.3.9 IKEv2-SCSI SA generation. 514.1.3.10 Abandoning an IKEv2-SCSI CCS. 534.1.3.11 Deleting an IKEv2-SCSI SA 544.1.4 Security progress indication. 544.1.5 ESP-S

23、CSI encapsulations for parameter data 554.1.5.1 Overview. 554.1.5.2 ESP-SCSI required inputs 554.1.5.3 ESP-SCSI data format before encryption and after decryption 564.1.5.4 ESP-SCSI outbound data descriptors 574.1.5.4.1 Overview 574.1.5.4.2 ESP-SCSI CDBs or Data-Out Buffer parameter lists including

24、a descriptor length. 584.1.5.4.2.1 Initialization vector absent 584.1.5.4.2.2 Initialization vector present . 604.1.5.4.3 ESP-SCSI Data-Out Buffer parameter lists for externally specified descriptor length. 614.1.5.4.3.1 Initialization vector absent 614.1.5.4.3.2 Initialization vector present . 624.

25、1.5.5 ESP-SCSI Data-In Buffer parameter data descriptors 624.1.5.5.1 Overview 624.1.5.5.2 ESP-SCSI Data-In Buffer parameter data including a descriptor length . 634.1.5.5.2.1 Initialization vector absent 634.1.5.5.2.2 Initialization vector present . 654.1.5.5.3 ESP-SCSI Data-In Buffer parameter data

26、 for externally specified descriptor length. 664.1.5.5.3.1 Initialization vector absent 664.1.5.5.3.2 Initialization vector present . 674.1.6 Security algorithm codes . 684.2 Secure random numbers 705 Security protocol parameters for all device types 715.1 Security protocol information description 7

27、15.1.1 Overview 715.1.2 CDB description. 715.1.3 Supported security protocols list description . 725.1.4 Certificate data description 735.1.4.1 Certificate overview 735.1.4.2 Public Key certificate description 735.1.4.3 Attribute certificate description 735.1.5 Security compliance information descri

28、ption . 74iii5.1.5.1 Security compliance information overview 745.1.5.2 Compliance descriptor overview. 755.1.5.3 FIPS 140 compliance descriptor. 765.2 SA creation capabilities 775.2.1 Overview 775.2.2 SA creation capabilities CDB description 775.2.3 SA creation capabilities parameter data formats.

29、785.2.3.1 Supported device server capabilities formats parameter data format 785.2.3.2 IKEv2-SCSI device server capabilities parameter data format. 795.3 IKEv2-SCSI. 795.3.1 Overview 795.3.2 IKEv2-SCSI SECURITY PROTOCOL IN CDB description 805.3.3 IKEv2-SCSI SECURITY PROTOCOL OUT CDB description 815.

30、3.4 IKEv2-SCSI parameter data format. 825.3.5 IKEv2-SCSI payloads 905.3.5.1 IKEv2-SCSI payload format 905.3.5.2 No Next payload . 915.3.5.3 Key Exchange payload. 915.3.5.4 Identification Application Client payload and Identification Device Server payload 925.3.5.5 Certificate payload 945.3.5.6 Certi

31、ficate Request payload 955.3.5.7 Authentication payload . 965.3.5.8 Nonce payload 995.3.5.9 Notify payload. 1005.3.5.10 Delete payload 1015.3.5.11 Encrypted payload 1025.3.5.11.1 Combined mode encryption. 1025.3.5.11.2 Encrypted payload introduction . 1035.3.5.11.3 IKEv2-SCSI AAD . 1065.3.5.11.4 Pro

32、cessing a received Encrypted payload. 1065.3.5.12 IKEv2-SCSI SA Creation Capabilities payload. 1085.3.5.13 IKEv2-SCSI SA Cryptographic Algorithms payload 1095.3.5.14 IKEv2-SCSI SAUT Cryptographic Algorithms payload. 1115.3.5.15 IKEv2-SCSI Timeout Values payload. 1135.3.6 IKEv2-SCSI cryptographic alg

33、orithm descriptors. 1145.3.6.1 Overview. 1145.3.6.2 ENCR IKEv2-SCSI cryptographic algorithm descriptor 1155.3.6.3 PRF IKEv2-SCSI cryptographic algorithm descriptor . 1175.3.6.4 INTEG IKEv2-SCSI cryptographic algorithm descriptor . 1195.3.6.5 D-H IKEv2-SCSI cryptographic algorithm descriptor 1205.3.6

34、.6 IKEv2-SCSI authentication algorithm IKEv2-SCSI cryptographic algorithm descriptor 1225.3.7 Errors in IKEv2-SCSI security protocol commands . 1255.3.8 Errors in IKEv2-SCSI security protocol parameter data 1275.3.8.1 Overview. 1275.3.8.2 Errors with high denial of service attack potential. 1275.3.8

35、.3 Errors with low denial of service attack potential 1285.3.9 Translating IKEv2 errors 128Annex A (Informative) Security goals and threat model 130A.1 Introduction. 130A.2 Security goals. 130A.3 Threat model 131A.4 Types of attacks . 131A.5 SCSI security considerations . 132ivAnnex B (Informative)

36、Variations between this standard and equivalent security protocols 133B.1 IKEv2 protocol details and variations for IKEv2-SCSI 133B.2 ESP protocol details and variations for ESP-SCSI. 136Bibliography 137vTablesPageTable 1 Numbering conventions examples 17Table 2 Comparison of decimal prefixes and bi

37、nary prefixes. 18Table 3 Minimum SA parameters . 21Table 4 USAGE_TYPE SA parameter . 23Table 5 Security protocols that create SAs 24Table 6 KDFs summary 25Table 7 HMAC-based KDFs. 26Table 8 Hash functions used by HMAC based on KDF_ID 27Table 9 RFC 3566 parameter translations for the KDF based on AES

38、-XCBC-PRF-128 . 27Table 10 IKEv2-SCSI shared key names and SA shared key names 39Table 11 Shared key size determination 40Table 12 Device Server Capabilities step parameter data requirements . 41Table 13 IKEv2-SCSI command terminations that do not abandon the CCS 53Table 14 ESP-SCSI data format befo

39、re encryption and after decryption . 56Table 15 ESP-SCSI outbound data descriptors . 57Table 16 ESP-SCSI CDBs or Data-Out Buffer parameter list descriptor without initialization vector. 58Table 17 ESP-SCSI CDBs or Data-Out Buffer full parameter list descriptor 60Table 18 ESP-SCSI Data-Out Buffer par

40、ameter list descriptor without length and initialization vector . 61Table 19 ESP-SCSI Data-Out Buffer parameter list descriptor without length. 62Table 20 ESP-SCSI Data-In Buffer parameter data descriptors 63Table 21 ESP-SCSI Data-In Buffer parameter data descriptor without initialization vector . 6

41、3Table 22 ESP-SCSI Data-In Buffer full parameter data descriptor. 65Table 23 ESP-SCSI Data-In Buffer parameter data descriptor without length and initialization vector 66Table 24 ESP-SCSI Data-In Buffer parameter data descriptor without length . 67Table 25 Security algorithm codes . 68Table 26 SECUR

42、ITY PROTOCOL SPECIFIC field for SECURITY PROTOCOL IN protocol 00h 71Table 27 Supported security protocols SECURITY PROTOCOL IN parameter data. 72Table 28 Certificate data SECURITY PROTOCOL IN parameter data 73Table 29 Security compliance information SECURITY PROTOCOL IN parameter data . 74Table 30 C

43、ompliance descriptor format 75Table 31 COMPLIANCE DESCRIPTOR TYPE field 75Table 32 FIPS 140 compliance descriptor 76Table 33 RELATED STANDARD field. 76Table 34 SECURITY PROTOCOL SPECIFIC field for the SA creation capabilities . 78Table 35 Supported device server capabilities formats parameter data 7

44、8Table 36 IKEv2-SCSI device server capabilities parameter data. 79Table 37 SECURITY PROTOCOL SPECIFIC field as defined by the IKEv2-SCSI SECURITY PROTOCOL IN command . 80Table 38 SECURITY PROTOCOL SPECIFIC field as defined by the IKEv2-SCSI SECURITY PROTOCOL OUT command . 81Table 39 IKEv2-SCSI SECUR

45、ITY PROTOCOL OUT command and SECURITY PROTOCOL IN command parameter data 82Table 40 IKEv2-SCSI header checking of SAIs . 84Table 41 NEXT PAYLOAD field. 85Table 42 MESSAGE ID field. 86Table 43 Next payload values in SECURITY PROTOCOL OUT/IN parameter data . 87Table 44 IKEv2-SCSI payload format. 90Tab

46、le 45 Key Exchange payload format. 91Table 46 Identification payload format 92Table 47 ID TYPE field 93Table 48 Certificate payload format 94Table 49 CERTIFICATE ENCODING field 94viTable 50 Certificate Request payload format . 95Table 51 Authentication payload format. 96Table 52 Nonce payload format

47、 . 99Table 53 Notify payload format. 100Table 54 Delete payload format . 101Table 55 Encrypted payload format 103Table 56 Plaintext format for Encrypted payload CIPHERTEXT field. 105Table 57 IKEv2-SCSI SA Creation Capabilities payload format. 108Table 58 IKEv2-SCSI SA Cryptographic Algorithms payloa

48、d format . 109Table 59 IKEv2-SCSI SAUT Cryptographic Algorithms payload format. 111Table 60 IKEv2-SCSI Timeout Values payload format. 113Table 61 IKEv2-SCSI cryptographic algorithm descriptor format . 114Table 62 ALGORITHM TYPE field . 114Table 63 ENCR IKEv2-SCSI cryptographic algorithm descriptor f

49、ormat 115Table 64 ENCR ALGORITHM IDENTIFIER field 116Table 65 PRF IKEv2-SCSI cryptographic algorithm descriptor format. 117Table 66 PRF ALGORITHM IDENTIFIER field. 118Table 67 INTEG IKEv2-SCSI cryptographic algorithm descriptor format . 119Table 68 INTEG ALGORITHM IDENTIFIER field. 119Table 69 D-H IKEv2-SCSI cryptographic algorithm descriptor format 120Table 70 D-H ALGORITHM IDENTIFIER field . 121Table 71 SA_AUTH_OUT and SA_AUTH_IN IKEv2-SCSI cry

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1