American National Standard
for Information Technology
Security Features for SCSI Commands (SFSC)

INCITS 501-2016

Developed by INCITS
Secretariat: Information Technology Industry Council
Approved July 7, 2016
American National Standards Institute, Inc.

Abstract

This standard defines security features for use by all SCSI devices. This standard defines the security mode that is basic to every device model and the parameter data that may apply to any device model.

American National Standard

Approval of an American National Standard requires review by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer.

Consensus is established when, in the judgement of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made towards their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American National Standards may receive current information on all standards by calling or writing the American National Standards Institute.

Published by
American National Standards Institute, Inc.
25 West 43rd Street, New York, NY 10036

Copyright 2016 by Information Technology Industry Council (ITI)
All rights reserved.

No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of ITI, 1101 K Street NW, Suite 610, Washington, DC 20005.

Printed in the United States of America

CAUTION: The developers of this standard have requested that holders of patents that may be required for the implementation of the standard disclose such patents to the publisher. However, neither the developers nor the publisher have undertaken a patent search in order to identify which, if any, patents may apply to this standard. As of the date of publication of this standard, following calls for the identification of patents that may be required for the implementation of the standard, notice of one or more such claims has been received. By publication of this standard, no position is taken with respect to the validity of this claim or of any rights in connection therewith. The known patent holder(s) has (have), however, filed a statement of willingness to grant a license under these rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to obtain such a license. Details may be obtained from the publisher. No further patent search is conducted by the developer or publisher in respect to any standard it processes. No representation is made or implied that this is the only license that may be required to avoid infringement in the use of this standard.

Contents

Foreword
Introduction
SCSI standards family
1 Scope
2 Normative references
3 Definitions, symbols, abbreviations, and conventions
  3.1 Definitions
  3.2 Abbreviations and symbols
    3.2.1 Abbreviations
    3.2.2 Symbols
    3.2.3 Mathematical operators
  3.3 Keywords
  3.4 Conventions
  3.5 Numeric and character conventions
    3.5.1 Numeric conventions
    3.5.2 Units of measure
    3.5.3 Byte encoded character strings conventions
  3.6 Bit and byte ordering
4 Security features model common to all device types
  4.1 Security features for SCSI devices
    4.1.1 Security associations
      4.1.1.1 Principles of SAs
      4.1.1.2 SA parameters
      4.1.1.3 Creating an SA
    4.1.2 Key derivation functions
      4.1.2.1 KDFs overview
      4.1.2.2 IKEv2-based iterative KDF
      4.1.2.3 HMAC-based KDFs
      4.1.2.4 AES-XCBC-PRF-128 IKEv2-based iterative KDF
    4.1.3 Using IKEv2-SCSI to create an SA
      4.1.3.1 Overview
      4.1.3.2 IKEv2-SCSI Protocol summary
      4.1.3.3 IKEv2-SCSI Authentication
        4.1.3.3.1 Overview
        4.1.3.3.2 Pre-shared key authentication
        4.1.3.3.3 Digital signature authentication
          4.1.3.3.3.1 Overview
          4.1.3.3.3.2 Certificates and digital signature authentication
          4.1.3.3.3.3 Example of certificate use for digital signature authentication
          4.1.3.3.3.4 Handling of the Certificate Request payload and the Certificate payload
        4.1.3.3.4 Constraints on skipping the Authentication step
      4.1.3.4 Summary of IKEv2-SCSI shared keys nomenclature and shared key sizes
      4.1.3.5 Device Server Capabilities step
      4.1.3.6 IKEv2-SCSI Key Exchange step
        4.1.3.6.1 Overview
        4.1.3.6.2 Key Exchange step SECURITY PROTOCOL OUT command
        4.1.3.6.3 Key Exchange step SECURITY PROTOCOL IN command
        4.1.3.6.4 Key Exchange step completion
        4.1.3.6.5 After the Key Exchange step
      4.1.3.7 IKEv2-SCSI Authentication step
        4.1.3.7.1 Overview
        4.1.3.7.2 Authentication step SECURITY PROTOCOL OUT command
        4.1.3.7.3 Authentication step SECURITY PROTOCOL IN command
      4.1.3.8 Generating shared keys
        4.1.3.8.1 Overview
        4.1.3.8.2 Generating shared keys when the Authentication step is skipped
        4.1.3.8.3 Generating shared keys when the Authentication step is processed
        4.1.3.8.4 Initializing shared key generation
          4.1.3.8.4.1 Initializing for SA creation shared key generation
          4.1.3.8.4.2 Initializing for generation of shared keys used by the created SA
        4.1.3.8.5 Generating shared keys used for SA management
        4.1.3.8.6 Generating shared keys for use by the created SA
      4.1.3.9 IKEv2-SCSI SA generation
      4.1.3.10 Abandoning an IKEv2-SCSI CCS
      4.1.3.11 Deleting an IKEv2-SCSI SA
    4.1.4 Security progress indication
    4.1.5 ESP-SCSI encapsulations for parameter data
      4.1.5.1 Overview
      4.1.5.2 ESP-SCSI required inputs
      4.1.5.3 ESP-SCSI data format before encryption and after decryption
      4.1.5.4 ESP-SCSI outbound data descriptors
        4.1.5.4.1 Overview
        4.1.5.4.2 ESP-SCSI CDBs or Data-Out Buffer parameter lists including a descriptor length
          4.1.5.4.2.1 Initialization vector absent
          4.1.5.4.2.2 Initialization vector present
        4.1.5.4.3 ESP-SCSI Data-Out Buffer parameter lists for externally specified descriptor length
          4.1.5.4.3.1 Initialization vector absent
          4.1.5.4.3.2 Initialization vector present
      4.1.5.5 ESP-SCSI Data-In Buffer parameter data descriptors
        4.1.5.5.1 Overview
        4.1.5.5.2 ESP-SCSI Data-In Buffer parameter data including a descriptor length
          4.1.5.5.2.1 Initialization vector absent
          4.1.5.5.2.2 Initialization vector present
        4.1.5.5.3 ESP-SCSI Data-In Buffer parameter data for externally specified descriptor length
          4.1.5.5.3.1 Initialization vector absent
          4.1.5.5.3.2 Initialization vector present
    4.1.6 Security algorithm codes
  4.2 Secure random numbers
5 Security protocol parameters for all device types
  5.1 Security protocol information description
    5.1.1 Overview
    5.1.2 CDB description
    5.1.3 Supported security protocols list description
    5.1.4 Certificate data description
      5.1.4.1 Certificate overview
      5.1.4.2 Public Key certificate description
      5.1.4.3 Attribute certificate description
    5.1.5 Security compliance information description
      5.1.5.1 Security compliance information overview
      5.1.5.2 Compliance descriptor overview
      5.1.5.3 FIPS 140 compliance descriptor
  5.2 SA creation capabilities
    5.2.1 Overview
    5.2.2 SA creation capabilities CDB description
    5.2.3 SA creation capabilities parameter data formats
      5.2.3.1 Supported device server capabilities formats parameter data format
      5.2.3.2 IKEv2-SCSI device server capabilities parameter data format
  5.3 IKEv2-SCSI
    5.3.1 Overview
    5.3.2 IKEv2-SCSI SECURITY PROTOCOL IN CDB description
    5.3.3 IKEv2-SCSI SECURITY PROTOCOL OUT CDB description
    5.3.4 IKEv2-SCSI parameter data format
    5.3.5 IKEv2-SCSI payloads
      5.3.5.1 IKEv2-SCSI payload format
      5.3.5.2 No Next payload
      5.3.5.3 Key Exchange payload
      5.3.5.4 Identification Application Client payload and Identification Device Server payload
      5.3.5.5 Certificate payload
      5.3.5.6 Certificate Request payload
      5.3.5.7 Authentication payload
      5.3.5.8 Nonce payload
      5.3.5.9 Notify payload
      5.3.5.10 Delete payload
      5.3.5.11 Encrypted payload
        5.3.5.11.1 Combined mode encryption
        5.3.5.11.2 Encrypted payload introduction
        5.3.5.11.3 IKEv2-SCSI AAD
        5.3.5.11.4 Processing a received Encrypted payload
      5.3.5.12 IKEv2-SCSI SA Creation Capabilities payload
      5.3.5.13 IKEv2-SCSI SA Cryptographic Algorithms payload
      5.3.5.14 IKEv2-SCSI SAUT Cryptographic Algorithms payload
      5.3.5.15 IKEv2-SCSI Timeout Values payload
    5.3.6 IKEv2-SCSI cryptographic algorithm descriptors
      5.3.6.1 Overview
      5.3.6.2 ENCR IKEv2-SCSI cryptographic algorithm descriptor
      5.3.6.3 PRF IKEv2-SCSI cryptographic algorithm descriptor
      5.3.6.4 INTEG IKEv2-SCSI cryptographic algorithm descriptor
      5.3.6.5 D-H IKEv2-SCSI cryptographic algorithm descriptor
      5.3.6.6 IKEv2-SCSI authentication algorithm IKEv2-SCSI cryptographic algorithm descriptor
    5.3.7 Errors in IKEv2-SCSI security protocol commands
    5.3.8 Errors in IKEv2-SCSI security protocol parameter data
      5.3.8.1 Overview
      5.3.8.2 Errors with high denial of service attack potential
      5.3.8.3 Errors with low denial of service attack potential
    5.3.9 Translating IKEv2 errors
Annex A (Informative) Security goals and threat model
  A.1 Introduction
  A.2 Security goals
  A.3 Threat model
  A.4 Types of attacks
  A.5 SCSI security considerations
Annex B (Informative) Variations between this standard and equivalent security protocols
  B.1 IKEv2 protocol details and variations for IKEv2-SCSI
  B.2 ESP protocol details and variations for ESP-SCSI
Bibliography

Tables

Table 1 Numbering conventions examples
Table 2 Comparison of decimal prefixes and binary prefixes
Table 3 Minimum SA parameters
Table 4 USAGE_TYPE SA parameter
Table 5 Security protocols that create SAs
Table 6 KDFs summary
Table 7 HMAC-based KDFs
Table 8 Hash functions used by HMAC based on KDF_ID
Table 9 RFC 3566 parameter translations for the KDF based on AES-XCBC-PRF-128
Table 10 IKEv2-SCSI shared key names and SA shared key names
Table 11 Shared key size determination
Table 12 Device Server Capabilities step parameter data requirements
Table 13 IKEv2-SCSI command terminations that do not abandon the CCS
Table 14 ESP-SCSI data format before encryption and after decryption
Table 15 ESP-SCSI outbound data descriptors
Table 16 ESP-SCSI CDBs or Data-Out Buffer parameter list descriptor without initialization vector
Table 17 ESP-SCSI CDBs or Data-Out Buffer full parameter list descriptor
Table 18 ESP-SCSI Data-Out Buffer parameter list descriptor without length and initialization vector
Table 19 ESP-SCSI Data-Out Buffer parameter list descriptor without length
Table 20 ESP-SCSI Data-In Buffer parameter data descriptors
Table 21 ESP-SCSI Data-In Buffer parameter data descriptor without initialization vector
Table 22 ESP-SCSI Data-In Buffer full parameter data descriptor
Table 23 ESP-SCSI Data-In Buffer parameter data descriptor without length and initialization vector
Table 24 ESP-SCSI Data-In Buffer parameter data descriptor without length
Table 25 Security algorithm codes
Table 26 SECURITY PROTOCOL SPECIFIC field for SECURITY PROTOCOL IN protocol 00h
Table 27 Supported security protocols SECURITY PROTOCOL IN parameter data
Table 28 Certificate data SECURITY PROTOCOL IN parameter data
Table 29 Security compliance information SECURITY PROTOCOL IN parameter data
Table 30 Compliance descriptor format
Table 31 COMPLIANCE DESCRIPTOR TYPE field
Table 32 FIPS 140 compliance descriptor
Table 33 RELATED STANDARD field
Table 34 SECURITY PROTOCOL SPECIFIC field for the SA creation capabilities
Table 35 Supported device server capabilities formats parameter data
Table 36 IKEv2-SCSI device server capabilities parameter data
Table 37 SECURITY PROTOCOL SPECIFIC field as defined by the IKEv2-SCSI SECURITY PROTOCOL IN command
Table 38 SECURITY PROTOCOL SPECIFIC field as defined by the IKEv2-SCSI SECURITY PROTOCOL OUT command
Table 39 IKEv2-SCSI SECURITY PROTOCOL OUT command and SECURITY PROTOCOL IN command parameter data
Table 40 IKEv2-SCSI header checking of SAIs
Table 41 NEXT PAYLOAD field
Table 42 MESSAGE ID field
Table 43 Next payload values in SECURITY PROTOCOL OUT/IN parameter data
Table 44 IKEv2-SCSI payload format
Table 45 Key Exchange payload format
Table 46 Identification payload format
Table 47 ID TYPE field
Table 48 Certificate payload format
Table 49 CERTIFICATE ENCODING field
Table 50 Certificate Request payload format
Table 51 Authentication payload format
Table 52 Nonce payload format
Table 53 Notify payload format
Table 54 Delete payload format
Table 55 Encrypted payload format
Table 56 Plaintext format for Encrypted payload CIPHERTEXT field
Table 57 IKEv2-SCSI SA Creation Capabilities payload format
Table 58 IKEv2-SCSI SA Cryptographic Algorithms payload format
Table 59 IKEv2-SCSI SAUT Cryptographic Algorithms payload format
Table 60 IKEv2-SCSI Timeout Values payload format
Table 61 IKEv2-SCSI cryptographic algorithm descriptor format
Table 62 ALGORITHM TYPE field
Table 63 ENCR IKEv2-SCSI cryptographic algorithm descriptor format
Table 64 ENCR ALGORITHM IDENTIFIER field
Table 65 PRF IKEv2-SCSI cryptographic algorithm descriptor format
Table 66 PRF ALGORITHM IDENTIFIER field
Table 67 INTEG IKEv2-SCSI cryptographic algorithm descriptor format
Table 68 INTEG ALGORITHM IDENTIFIER field
Table 69 D-H IKEv2-SCSI cryptographic algorithm descriptor format
Table 70 D-H ALGORITHM IDENTIFIER field
Table 71 SA_AUTH_OUT and SA_AUTH_IN IKEv2-SCSI cry