12/12/2008 Summers - SAiSCSI 1

Secure Asymmetric iSCSI For Online Storage

Sarah A. Summers

Outline of Presentation

Goals of the Project

Overview of SCSI, iSCSI and IPsec

Review of Efficient Asymmetric Secure iSCSI

Testing of Efficient Asymmetric Secure iSCSI

Motivation for Enhancements

Proposed Enhancements

Results

Disaster Recovery

Additional Research

Lessons Learnt, Future Work, Conclusions

Goals

1. Enhance the existing Efficient Asymmetric Secure iSCSI scheme to:

  Enable the transfer of files of arbitrary size

  Allow files to be transferred to two target storage devices for mirroring and backup.

2. Develop and implement a user interface to simplify usage of the scheme

3. Consider the use of the scheme for disaster recovery

Overview of SCSI, iSCSI and IPsec

SCSI

Application Layer Storage Protocol

Standard device interface bus enabling block data I/O

Logically addresses blocks

Utilizes a client/server (initiator/target) architecture

Data transferred in Command Descriptor Blocks

Limitations

  Length of SCSI bus limits distance over which SCSI can operate

  Limited number of devices can be connected to it

iSCSI

End-to-end protocol to enable transportation of storage I/O block data over IP networks

Maps SCSI functionality to the TCP/IP protocol

SCSI CDBs encapsulated in iSCSI Protocol Data Units

Can be implemented in software and hardware

Limitations

  No built in security, relies on IPsec

IPsec

Extension of the IP protocol that provides security to IP and upper layers of the OSI model

Encapsulating Security Protocol (ESP) – provides confidentiality and optionally authentication

  Performs 3 basic steps

    Header calculation and placement

    Trailer calculation and placement

    ESP authentication field calculation and placement

Internet Key Exchange (IKE)

Transport Mode

sg3_utils

sg3_utils package containing low level utilities for devices using the SCSI command set

Utilizes the sg interface

sg_dd is a variant of the dd command – specialized for block oriented devices that use the SCSI command set

sg_dd if=test.txt of=/dev/sda bpt=1 odir=1 skip=0 seek=0

Review of Efficient Asymmetric Secure iSCSI

Efficient Asymmetric Secure iSCSI

Utilizes the sg_dd command to achieve the transfer of files between initiator and target

Dual key cryptographic enhancement to IPsec

  Custom key to encrypt data

  IKE generated keys to encrypt headers

EASI Packet Modification

Testing of Efficient Asymmetric Secure iSCSI

VMware Virtual Machine Test Bed

Limitations of the Existing Scheme

User data must be an integer multiple of block size (1024 bytes)

Target Storage File Limitations

  Only one file can be stored at a time

  Pre-set size of target storage file limits the size of the user data that can be stored

sg_dd Utility Limitation

  Count and block size values must be specified when issuing the sg_dd command

Reading data from the target using the cp utility results in the entire target file being retrieved

Mounting of a target storage disk is not possible with the existing implementation

Motivations for Enhancements

Bring existing implementation closer to a complete and usable secure data transfer/storage system

Allow transfer of files of arbitrary size

Allow duplicate transfer of files to second target storage device

Relative complexity of existing scheme in terms of user interaction

Proposed Enhancements

Secure Asymmetric iSCSI For Online Storage Enhancements

Enhancements to the sg_dd utility to:

  Transfer of files of arbitrary size

  Transfer to two targets

Graphical User Interface

  Initiator interface

  Target interface

Implementation Logic for Arbitrary File Transfer

Set block_size = 1024

If input_file != target_storage_device
{
    Determine size of file in bytes
    If ((size % 1024) != 0)
    {
        while ((size % 1024) != 0)
        {
            size++;
        }
    }
    count = size / 1024
    create CDB using count value
}
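Added example (not from the original slides and not sg_dd's own code): the rounding step above done with arithmetic instead of a loop, followed by one way to "create CDB using count value". It assumes a 10-byte WRITE(10) CDB, which the slides do not specify; blocks_for_size, pad_bytes and build_write10 are illustrative names.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 1024u      /* block size stated on the slide */
#define WRITE10_OPCODE 0x2A   /* assumption: 10-byte WRITE CDB */

/* Blocks needed for `size` bytes, rounded up (same result as the size++ loop). */
uint64_t blocks_for_size(uint64_t size)
{
    return size / BLOCK_SIZE + (size % BLOCK_SIZE != 0 ? 1 : 0);
}

/* Zero bytes that must follow the data to fill the last block. */
uint32_t pad_bytes(uint64_t size)
{
    uint32_t rem = (uint32_t)(size % BLOCK_SIZE);
    return rem ? BLOCK_SIZE - rem : 0;
}

/*
 * Fill a WRITE(10) CDB: opcode in byte 0, big-endian 32-bit LBA in bytes 2-5,
 * big-endian 16-bit transfer length (blocks) in bytes 7-8.
 * Returns 0 on success, -1 when count is 0 or a field would overflow, in which
 * case the caller has to split the transfer into several commands.
 */
int build_write10(uint8_t cdb[10], uint64_t lba, uint64_t count)
{
    if (count == 0 || count > 0xFFFFu || lba > 0xFFFFFFFFu)
        return -1;
    memset(cdb, 0, 10);
    cdb[0] = WRITE10_OPCODE;
    cdb[2] = (uint8_t)(lba >> 24);
    cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);
    cdb[5] = (uint8_t)lba;
    cdb[7] = (uint8_t)(count >> 8);
    cdb[8] = (uint8_t)count;
    return 0;
}
```

Rounding up stores whole blocks only; this logic does not record the original byte length, so whoever reads the data back must supply the count and receives the padded blocks.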

Implementation Logic for File Transfer to Two Targets

Set block_size = 1024

If (second output file == TRUE)
{
    Determine device type
    Determine number of blocks in second target
    create command descriptor block for second target
}
else
    set second output file to be /dev/null
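Added example (not from the original slides and not the modified sg_dd): the two-target write path using ordinary files instead of SCSI devices, showing the /dev/null default for a missing second target and a failure return when either copy cannot be written. mirror_copy and read_block are illustrative names, and treating a short write as a failure is a choice made here.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define BLOCK_SIZE 1024   /* block size from the slide */

/* Read up to one block, looping over short reads; returns bytes read or -1. */
static ssize_t read_block(int fd, unsigned char *buf)
{
    size_t got = 0;
    while (got < BLOCK_SIZE) {
        ssize_t n = read(fd, buf + got, BLOCK_SIZE - got);
        if (n < 0) return -1;
        if (n == 0) break;               /* end of input */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/*
 * Copy `in` to out1 and out2 (NULL means /dev/null, as on the slide) in
 * zero-padded 1024-byte blocks. Returns the blocks written to each target,
 * or -1 if the input or either target fails, so a broken mirror is never silent.
 */
long mirror_copy(const char *in, const char *out1, const char *out2)
{
    unsigned char buf[BLOCK_SIZE];
    long blocks = -1;
    ssize_t n;
    int f1, f2, fi = open(in, O_RDONLY);

    if (fi < 0) return -1;               /* leave the targets untouched */
    f1 = open(out1, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    f2 = open(out2 ? out2 : "/dev/null", O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (f1 >= 0 && f2 >= 0) {
        blocks = 0;
        while ((n = read_block(fi, buf)) > 0) {
            memset(buf + n, 0, BLOCK_SIZE - (size_t)n);   /* pad a short block */
            if (write(f1, buf, BLOCK_SIZE) != BLOCK_SIZE ||
                write(f2, buf, BLOCK_SIZE) != BLOCK_SIZE) { n = -1; break; }
            blocks++;
        }
        if (n < 0) blocks = -1;
    }
    close(fi);
    if (f1 >= 0) close(f1);
    if (f2 >= 0) close(f2);
    return blocks;
}
```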

File Transfer Performance Results

Comparison Data for Transfer of Arbitrary Sized Files

[Chart: Time (seconds) against File Size (bytes). Series: orig real, arb real, orig user, arb user, orig system, arb system.]

Comparison Data for Transfer to Two Targets

[Chart: Time (seconds) against File Size (bytes). Series: orig real, 2 targets real, orig user, 2 targets user, orig system, 2 targets system.]

User Interface

User Interface

Developed and implemented using Python and Tkinter

Comprised of two components

  Initiator Interface

  Target Interface

User Interface Screenshots

Initiator Interface Functionality

Generate IPsec keys

Generate SAD and SPD entries

Start initiator software

Login/Logout to/from the target(s)

Transfer user data to target storage

Retrieve user data from target storage

Target Interface Functionality

Create additional target storage file(s)

Configure ietd.conf file for additional target(s)

Generate SAD and SPD entries

Start/stop iscsitarget software

Secure Asymmetric iSCSI for Disaster Recovery

HIPAA and SOX require security, privacy and accountability of data

Standard online storage techniques may not be sufficient

Secure Asymmetric iSCSI for online storage may be the solution

Secure storage of Custom key

  Initiator and custom key can be duplicated

  Store key with trusted third party

Additional Research

Mounting a Target Storage Device

Network Protocol Analyzer (Wireshark) Results

  Discovery – only iSCSI/SCSI commands issued

  Login – iSCSI/SCSI Read and PDU but PUSH flag not set

  Mounting results in the issuing of iSCSI/SCSI Writes and Reads

  iSCSI/SCSI Writes/Reads interpreted by EASI as file transfers

strace of mount command

  kernel reads file system information which results in invocation of iSCSI/SCSI commands

Using cp to transfer to a Mounted Storage Device

Writing to Target

  Various iSCSI/SCSI Writes and Data-out PDUs

  In addition to user payload, file and directory structure of storage device written

Reading from Target

  Various iSCSI/SCSI Reads and Writes

  Plain vanilla TCP packet after first iSCSI/SCSI Read contains names of directories and files currently on target storage

Unidentified data in some Data-out PDUs

Lessons Learnt/Observations

sg_dd uses defaults of stdin for input file and stdout for output file. If no output is required use /dev/null

Linux kernel, open-iscsi and iscsitarget under constant development. Therefore changes to these codes need to be incorporated in new releases.

Wireshark and Ethereal appear to interpret/display identical log files in a different manner.

Retrieving data from target using sg_dd requires count value to be specified.

Future Directions

Modify the EASI scheme to use the most current Linux kernel version, open-iscsi and iscsitarget code.

Re-implement the EASI scheme in a way that mounted target storage disk can be used.

Improve the simplification of the setup and use of the implementation through the development of an API.

Enhance the implementation to utilize a dynamic method, such as ‘racoon’, for establishing security associations between the initiator and target

Conclusions

Enhancements to the sg_dd utility have enabled:

  Simulated transfer of files of arbitrary size

  Transfer of files to two targets

Graphical user interface simplifies user interaction:

  Keys for the encryption of the headers has been simplified

  Interaction with the initiator and target software has been simplified

  Writing and reading user data to/from the target has been simplified

Limitations

  Arbitrary file transfer still requires user to specify a count value when reading data from target storage

  True arbitrary file transfer is not achieved

ADDITIONAL SLIDES

SCSI Command Descriptor Block

Phases of SCSI I/O Operation

3 main phases:

Command

  Initiator sends command and parameters to the target in a CDB

Data

  Data is transferred in accordance with command issued in CDB

Status

  Provides confirmation that command executed is received

SCSI Architecture in Linux Kernel

General Structure of iSCSI PDU

iSCSI PDU Basic Header Segment

iSCSI Protocol Layering Model

Data Encapsulation

Open-iSCSI

Open source software implementation of iSCSI initiator

Kernel Portion

  iSCSI data path

User Portion

  Control path of iSCSI

  Management facilities

Release used in EASI: open-iscsi-0.4-423

Current Release: open-iscsi-2.0-869.2

iscsitarget

Open source software implementation of iSCSI target

Kernel Portion

User Portion

Release used in EASI: iscsitarget-0.4.11

Current Release: iscsitarget-0.4.16

Packet for IPsec Transport Mode

Write Processing on the Target

1. Identify iSCSI traffic

2. Identify packets containing user data

3. Decrypt packets not containing user data

4. Process packets containing user data

Read Processing on the Target

1. Identify iSCSI traffic – source port 3260

2. Determine if iSCSI packet contains user data

3. Encrypt packets not containing user data

4. Encrypt packets containing user data

Read Processing on the Initiator

1. Identify iSCSI traffic

2. Determine if packet contains user data

3. Decrypt packets containing user data

4. Decrypt packets not containing user data
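Added example, not part of the original slides and not EASI's code: steps 1 and 2 of the processing slides above (identify iSCSI traffic, then decide whether a PDU carries user data) written against the 48-byte iSCSI Basic Header Segment. How EASI itself detects user data is not stated on the slides; classifying by iSCSI opcode is an assumption, and all function names are illustrative.

```c
#include <stdint.h>
#include <stddef.h>

#define ISCSI_PORT   3260   /* port named on the read-processing slide */
#define BHS_LEN      48     /* iSCSI Basic Header Segment size in bytes */
#define OP_SCSI_CMD  0x01   /* SCSI Command (may carry immediate write data) */
#define OP_DATA_OUT  0x05   /* SCSI Data-Out: initiator to target */
#define OP_DATA_IN   0x25   /* SCSI Data-In: target to initiator */

enum pdu_class { PDU_INVALID = -1, PDU_CONTROL = 0, PDU_USER_DATA = 1 };

/* Step 1: a TCP segment is iSCSI traffic if either port is 3260. */
int is_iscsi(uint16_t src_port, uint16_t dst_port)
{
    return src_port == ISCSI_PORT || dst_port == ISCSI_PORT;
}

/* DataSegmentLength is the 24-bit big-endian field in BHS bytes 5-7. */
uint32_t data_segment_length(const uint8_t *bhs)
{
    return ((uint32_t)bhs[5] << 16) | ((uint32_t)bhs[6] << 8) | bhs[7];
}

/*
 * Step 2: PDU_USER_DATA when the payload would take the custom data key,
 * PDU_CONTROL when only the header keys apply, PDU_INVALID for a short buffer.
 */
enum pdu_class classify_pdu(const uint8_t *bhs, size_t len)
{
    uint8_t opcode;

    if (bhs == NULL || len < BHS_LEN)
        return PDU_INVALID;
    if (data_segment_length(bhs) == 0)
        return PDU_CONTROL;                 /* header only, no payload */
    opcode = bhs[0] & 0x3F;                 /* low 6 bits; bit 6 is the I flag */
    if (opcode == OP_DATA_OUT || opcode == OP_DATA_IN)
        return PDU_USER_DATA;
    if (opcode == OP_SCSI_CMD && (bhs[1] & 0x20))
        return PDU_USER_DATA;               /* W bit set: immediate write data */
    return PDU_CONTROL;                     /* login, text, sense data, ... */
}
```

The buffer passed to classify_pdu must start at a PDU boundary; a TCP segment can begin in the middle of a data segment, so a real filter has to track PDU framing per connection.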

Comparison of Standard IPsec and EASI at Packet Level

Initiator GUI

Target GUI
