110EFFICIENT ASYMMETRIC SECURE ISCSIBYMURTHY S. ANDUKURIA thesis submitted to the Graduate faculty of theUniversity of Colorado at Colorado Springsin partial fulfillment of therequirements for the degree ofMaster of ScienceDepartment of Computer Science2006 Copyright by Murthy S. Andukuri 2006All Rights ReservedThis thesis for the Master of Science in Computer Science degree byMurthy S. Andukuri has been approved for theDepartment of Computer Science by_C. Edward chow, Chair_Marijke Augusteijn_Jugal Kalita_DateMurthy, Andukuri S. (M.S., Computer Science)Efficient Asymmetric Secure iSCSIThesis directed by : Professor C. Edward ChowiSCSI is an application level protocol that enables storage of data on a disk attached to a networked remote host. IPsec, when used in conjunction with iSCSI, secures this data while in transit. IPsec provides security by encrypting the data at the sender and decrypting at the receiver. This means that the data is exposed and vulnerable at the receiver. There are currently two choices to secure the data at rest on the remote disk - both involving the use of third party encryption software to either (1) re-encrypt the data at the remote end or, (2) Encrypt the data before transmitting to the remote end. The second option, while better than the first, still requires additional encryption software on the remote site, impacts on overall performance, and introduces additional security risk . The current thesis proposes a new asymmetric IPsec scheme to enhance the security of data at the remote end, while simultaneously avoiding the cost of additional of software and improving the over all performance. The idea is to apply IPsec encryption/decryption in a segmented manner on the iSCSI traffic, such that the user data remains encrypted after leaving the sender, and is decrypted only when it is retrieved by the sender. A dual key cryptographic scheme is proposed where the private key is used to encrypt the iSCSI payload at the sender and traditional IPsec is modified to encrypt/decrypt only on the TCP/iSCSI headers. A development test bed was built using User-Mode-Linux virtual machines for developing/debugging the asymmetric IPsec software and running as the sender and receiver to verify the functionality and security features of the proposed design. A benchmark test bed was built with two real PCs where the asymmetric IPsec modules can be dynamically loaded. The performance results show that the existing implementation of the proposed asymmetric IPsec scheme reduces the IPsec processing time by about 25%.AcknowledgementsI would like to express my sincere appreciation to Dr. Edward Chow for his patience during the unusually long time I took to come up with the idea for this thesis, and to implement the scheme as described in the thesis. CONTENTSChapter1.Introduction11.1Motivation for enhancing remote storage security12IPsec92.1The SAD and SPD databases102.2How the SAD and SPD are used for outbound traffic112.3How the SAD and SPD are used for inbound traffic122.4IPsec deployment options132.4.1Basic options of IPsec deployment132.4.1.1IPsec AH in transport mode142.4.1.2IPsec ESP in transport mode152.4.1.3IPsec AH in tunnel mode162.4.1.4IPSec ESP in tunnel mode182.5IPsec Implementations192.6IPsec operation modes192.6.1Daemon mode of IPsec operation192.6.2Manual mode of IPsec operation19Chapter 3213SCSI based Storage Options213.1SCSI based Internet storage architectures233.1.1FCIP: Fiber channel over IP233.1.2iFCP243.1.3iSCSI243.1.4ISCSI Command progression between Initiator and target263.1.4.1iSCSI Protocol layers273.1.5Motivation for the project323.1.6Stages in iSCSI initiator-target interactions333.1.6.1Naming/Addressing333.1.6.1.1Formats of iSCSI name333.1.6.2Session establishment and management343.1.7Phases of iSCSI session of interest in the current thesis363.1.8Full Feature Phase373.2iSCSI Writes383.3iSCSI Reads393.4Other PDU exchange relevant to the thesis404Details of the proposed enhancement414.1When the initiator is sending iSCSI date to the target414.2When the initiator is trying to read the iSCSI data from the target414.3The native IPsec operation on iSCSI424.4How the native-IPsec issues are managed in the implementation444.4.1Identify iSCSI data.444.4.2Encrypt the headers separately444.4.2.1iSCSI packets which do not carry any user data.454.4.2.2iSCSI packets carrying user data.454.4.3Updating TCP checksums:474.4.3.1The sending side in the initiator:474.4.3.2Th