ISO/IEC 14776-481
Edition 1.0 2019-12
INTERNATIONAL STANDARD
Information technology – Small Computer System Interface (SCSI) –
Part 481: Security features for SCSI commands (SFSC)
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 35.200 ISBN 978-2-8322-7663-1
Contents (page numbers at the end of each entry)

FOREWORD  9
INTRODUCTION  11
1 Scope  12
2 Normative references  12
3 Terms and definitions, symbols, abbreviations, and conventions  14
  3.1 Terms and definitions  14
  3.2 Abbreviations and symbols  24
    3.2.1 Abbreviations  24
    3.2.2 Symbols  25
    3.2.3 Mathematical operators  25
  3.3 Keywords  25
  3.4 Editorial conventions  27
  3.5 Numeric and character conventions  27
    3.5.1 Numeric conventions  27
    3.5.2 Units of measure  28
    3.5.3 Byte encoded character strings conventions  29
  3.6 Bit and byte ordering  29
4 Security features model common to all device types  31
  4.1 Security features for SCSI devices  31
    4.1.1 Security associations  31
      4.1.1.1 Principles of SAs  31
      4.1.1.2 SA parameters  32
      4.1.1.3 Creating an SA  34
    4.1.2 Key derivation functions  35
      4.1.2.1 KDFs overview  35
      4.1.2.2 IKEv2-based iterative KDF  36
      4.1.2.3 HMAC-based KDFs  36
      4.1.2.4 AES-XCBC-PRF-128 IKEv2-based iterative KDF  38
    4.1.3 Using IKEv2-SCSI to create an SA  38
      4.1.3.1 Overview  38
      4.1.3.2 IKEv2-SCSI Protocol summary  42
      4.1.3.3 IKEv2-SCSI Authentication  44
        4.1.3.3.1 Overview  44
        4.1.3.3.2 Pre-shared key authentication  45
        4.1.3.3.3 Digital signature authentication  46
          4.1.3.3.3.1 Overview  46
          4.1.3.3.3.2 Certificates and digital signature authentication  46
          4.1.3.3.3.3 Example of certificate use for digital signature authentication  47
          4.1.3.3.3.4 Handling of the Certificate Request payload and the Certificate payload  47
        4.1.3.3.4 Constraints on skipping the Authentication step  47
      4.1.3.4 Summary of IKEv2-SCSI shared keys nomenclature and shared key sizes  49
      4.1.3.5 Device Server Capabilities step  50
      4.1.3.6 IKEv2-SCSI Key Exchange step  52
        4.1.3.6.1 Overview  52
        4.1.3.6.2 Key Exchange step SECURITY PROTOCOL OUT command  52
        4.1.3.6.3 Key Exchange step SECURITY PROTOCOL IN command  53
        4.1.3.6.4 Key Exchange step completion  54
        4.1.3.6.5 After the Key Exchange step  54
      4.1.3.7 IKEv2-SCSI Authentication step  54
        4.1.3.7.1 Overview  54
        4.1.3.7.2 Authentication step SECURITY PROTOCOL OUT command  55
        4.1.3.7.3 Authentication step SECURITY PROTOCOL IN command  56
      4.1.3.8 Generating shared keys  57
        4.1.3.8.1 Overview  57
        4.1.3.8.2 Generating shared keys when the Authentication step is skipped  58
        4.1.3.8.3 Generating shared keys when the Authentication step is processed  58
        4.1.3.8.4 Initializing shared key generation  58
          4.1.3.8.4.1 Initializing for SA creation shared key generation  58
          4.1.3.8.4.2 Initializing for generation of shared keys used by the created SA  59
        4.1.3.8.5 Generating shared keys used for SA management  59
        4.1.3.8.6 Generating shared keys for use by the created SA  60
      4.1.3.9 IKEv2-SCSI SA generation  61
      4.1.3.10 Abandoning an IKEv2-SCSI CCS  62
      4.1.3.11 Deleting an IKEv2-SCSI SA  63
    4.1.4 Security progress indication  63
    4.1.5 ESP-SCSI encapsulations for parameter data  64
      4.1.5.1 Overview  64
      4.1.5.2 ESP-SCSI required inputs  64
      4.1.5.3 ESP-SCSI data format before encryption and after decryption  65
      4.1.5.4 ESP-SCSI outbound data descriptors  66
        4.1.5.4.1 Overview  66
        4.1.5.4.2 ESP-SCSI CDBs or Data-Out Buffer parameter lists including a descriptor length  67
          4.1.5.4.2.1 Initialization vector absent  67
          4.1.5.4.2.2 Initialization vector present  68
        4.1.5.4.3 ESP-SCSI Data-Out Buffer parameter lists for externally specified descriptor length  70
          4.1.5.4.3.1 Initialization vector absent  70
          4.1.5.4.3.2 Initialization vector present  71
      4.1.5.5 ESP-SCSI Data-In Buffer parameter data descriptors  71
        4.1.5.5.1 Overview  71
        4.1.5.5.2 ESP-SCSI Data-In Buffer parameter data including a descriptor length  72
...