METHODS AND APPARATUS FOR SECURITY OVER FIBRE CHANNEL

US 20110219438A1
Filed: 05/13/2011
Published: 09/08/2011
Est. Priority Date: 12/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating network entities in a fibre channel network, the method comprising:

receiving a fibre channel authentication message from a first network entity at a second network entity in a fibre channel network, wherein the authentication message provides information for authenticating or reauthenticating the first network entity in the fibre channel network;

determining that both the first network entity and the second network entity support security;

verifying that the first network entity corresponds to an entry in an authentication table associated with the second network entity;

receiving first network entity verification information that confirms the identify of the first network entity.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.

52 Citations

View as Search Results

25 Claims

1. A method for authenticating network entities in a fibre channel network, the method comprising:
- receiving a fibre channel authentication message from a first network entity at a second network entity in a fibre channel network, wherein the authentication message provides information for authenticating or reauthenticating the first network entity in the fibre channel network;
  
  determining that both the first network entity and the second network entity support security;
  
  verifying that the first network entity corresponds to an entry in an authentication table associated with the second network entity;
  
  receiving first network entity verification information that confirms the identify of the first network entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1, further comprising generating a session key at the second network entity, wherein the session key is generated using public information associated with the first network entity and a random parameter.
  - 3. The method of claim 1, further comprising:
    - exchanging security association parameters such as the SPI and the algorithm identifier.
  - 4. The method of claim 1, wherein the authentication message is associated with a request for a fabric login.
  - 5. The method of claim 1, wherein determining that both the first and second network entities support security comprises identifying a security enable parameter in the initialization message.
  - 6. The method of claim 1 further comprising determining which authentication and key exchange protocol are supported by the two entities.
  - 7. The method of claim 2, wherein the public information associated with the first network entity is provided to the second network entity by the first network entity.
  - 8. The method of claim 2, wherein the session key generated at the second network entity is also generated at the first network entity using public information associated with the second network entity and a random parameter provided by the second network entity.
  - 9. The method of claim 8, wherein the public information associated with the second network entity is provided to the first network entity by the second network entity.
  - 10. The method of claim 8, wherein first network entity verification information is generated at the first network entity using public information associated with the first and second network entities and the session key.
  - 11. The method of claim 10, further comprising verifying that the first network entity verification information received corresponds to verification information generated at the second network entity using public information associated with the first and second network entities and the session key.
  - 12. The method of claim 11, further comprising transmitting second network entity verification information to the first network entity, wherein the second network entity verification information is generated at the second network entity using public information associated with the first network entity, the first network entity verification information, and the session key.
  - 13. The method of claim 12, wherein the second network entity verification information transmitted corresponds to second network entity verification information generated at the first network entity using public information associated with the first network entity, the first network entity verification information, and the session key.
  - 14. The method of claim 8, wherein the second network entity is a storage device in a storage area network.
  - 15. The method of claim 8, wherein the first and second network entities are domain controllers in a storage area network.
  - 16. The method of claim 8, wherein the first and second network entities are switches.
  - 17. The method of claim 8, wherein the first network entity is a host.
  - 18. The method of claim 17, wherein the second network entity is a storage device.
  - 19. The method of claim 8, wherein the authentication message is a fibre channel authentication message.
  - 20. The method of claim 19, wherein the authentication message is a login message.
  - 21. The method of claim 20, wherein the authentication message is a PLOGI or FLOGI message.
  - 22. The method of claim 8, further comprising:
    - storing security association information associated with the first network entity.
  - 23. The method of claim 8, further comprising:
    - transporting security association information in the messages exchanged between the two network entities
  - 24. The method of claim 22, wherein security association information comprises an identifier associated with the first network entity and the session key.
  - 25. The method of claim 24, wherein security association information further comprises an encryption algorithm identifier and an authentication algorithm identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Di Benedetto, Marco, Maino, Fabio R., Desanti, Claudio

Granted Patent

US 8,914,858 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3239   involving non-keyed hash fu...

METHODS AND APPARATUS FOR SECURITY OVER FIBRE CHANNEL

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR SECURITY OVER FIBRE CHANNEL

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links