Methods and apparatus for security over fibre channel

US 7,965,843 B1
Filed: 12/27/2001
Issued: 06/21/2011
Est. Priority Date: 12/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method for processing frames in a fibre channel network having a first network entity and a second network entity, the method comprising:

receiving a first frame at the first network entity from the second network entity in the fibre channel network, wherein the first frame is associated with a fabric login (FLOGI) or port login (PLOGI) message;

identifying a security enable parameter in the first frame, wherein the security enable parameter is used by the second network entity, when the second network entity is added to the fibre channel network, to determine if the first network entity has authentication capability or supports other security functions;

transmitting an acknowledgment to the second network entity that the first network entity has authentication capability or supports other security functions, the acknowledgment including algorithm information and a salt parameter;

receiving a second frame at the first network entity from the second network entity;

identifying a security control indicator in the second frame from the second network entity, wherein the security control indicator is used to determine if the second frame is encrypted or authenticated;

determining at the first network entity that a security association identifier associated with the second frame corresponds to an entry in a security database;

decrypting a first portion of the second frame by using algorithm information contained in the entry in the security database.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.

87 Citations

View as Search Results

23 Claims

1. A method for processing frames in a fibre channel network having a first network entity and a second network entity, the method comprising:
- receiving a first frame at the first network entity from the second network entity in the fibre channel network, wherein the first frame is associated with a fabric login (FLOGI) or port login (PLOGI) message;
  
  identifying a security enable parameter in the first frame, wherein the security enable parameter is used by the second network entity, when the second network entity is added to the fibre channel network, to determine if the first network entity has authentication capability or supports other security functions;
  
  transmitting an acknowledgment to the second network entity that the first network entity has authentication capability or supports other security functions, the acknowledgment including algorithm information and a salt parameter;
  
  receiving a second frame at the first network entity from the second network entity;
  
  identifying a security control indicator in the second frame from the second network entity, wherein the security control indicator is used to determine if the second frame is encrypted or authenticated;
  
  determining at the first network entity that a security association identifier associated with the second frame corresponds to an entry in a security database;
  
  decrypting a first portion of the second frame by using algorithm information contained in the entry in the security database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the entry in the security database was created after a fibre channel network authentication sequence between the first and second network entities.
  - 3. The method of claim 2, wherein the first portion is decrypted using a key contained in the entry in the security database.
  - 4. The method of claim 2, wherein the first portion is encrypted using DES, 3DES or AES.
  - 5. The method of claim 2, further comprising:
    - recognizing that a second portion of the second frame supports authentication;
      
      using algorithm information contained in the entry in the security database to authenticate the second portion of the second frame.
  - 6. The method of claim 5, wherein the second portion is authenticated using MD5 or SHA1.
  - 7. The method of claim 5, wherein the authentication sequence is a fibre channel login sequence between the first and second network entities.
  - 8. The method of claim 7, wherein the login sequence is a PLOGI or FLOGI sequence.
  - 9. The method of claim 7, wherein the first and second network entities are domain controllers and the authentication sequence is a FC-CT sequence.
  - 10. The method of claim 7, wherein the first and second network entities are domain controllers and the authentication sequence is a SW_ILS sequence.

11. A method for transmitting encrypted frames in a fibre channel network having a first network entity and a second network entity, the method comprising:
- transmitting a first fibre channel frame having a source corresponding to the first network entity and a destination corresponding to the second network entity, the first fibre channel frame including a security enable parameter, wherein the first fibre channel frame is associated with a fabric login (FLOGI) or a port login (PLOGI) message, wherein the security enable parameter is used by the first network entity, when the first network entity is added to the fibre channel network, to determine if the second network entity has authentication capability or supports other security functions;
  
  receiving an acknowledgment from the second network entity indicating that the second network entity has authentication capability or supports other security functions, the acknowledgement including key and algorithm information and a salt parameter;
  
  inserting key and algorithm information from the second network entity into a security database;
  
  identifying a second fibre channel frame having a source corresponding to the first network entity and a destination corresponding to the second network entity;
  
  determining if the second fibre channel frame corresponds to the selectors of an entry in a security database;
  
  encrypting a first portion of the second fibre channel frame using key and algorithm information associated with the entry in the security database;
  
  providing a security control indicator in the second fibre channel frame, wherein the security control indicator is used to determine if the frame is encrypted or authenticated;
  
  transmitting the second fibre channel frame to the second network entity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 12. The method of claim 11, wherein the entry in the security database was created after a fibre channel network authentication sequence between the first and second network entities.
  - 13. The method of claim 11, wherein the payload is encapsulated using the Authentication Header protocol or the Encapsulating Security Payload protocol.
  - 14. The method of claim 13, further comprising adding security information to the header of the second fibre channel frame.
  - 15. The method of claim 12, wherein a first portion of the second fibre channel frame is encrypted using DES, 3DES, or AES.
  - 16. The method of claim 12, wherein parameters in the header are normalized prior to encrypting the first portion of the second fibre channel frame.
  - 17. The method of claim 16, wherein the payload is padded prior to encrypting the first portion of the second fibre channel frame.
  - 18. The method of claim 12, further comprising:
    - computing authentication data using key and algorithm information as well as a second portion of the second fibre channel frame.
  - 19. The method of claim 18, wherein authentication data is computed using MD5 or SHA1.
  - 20. The method of claim 18, wherein the authentication sequence is a fibre channel login sequence between the first and second network entities.
  - 21. The method of claim 20, wherein the login sequence is a PLOGI or FLOGI sequence.
  - 22. The method of claim 20, wherein the first and second network entities are domain controllers and the authentication sequence is a FC-CT sequence or an SW_ILS message.

23. An apparatus for transmitting encrypted frames in a fibre channel network having a first network entity and a second network entity, the apparatus comprising:
- means for transmitting a first fibre channel frame having a source corresponding to the first network entity and a destination corresponding to the second network entity, the first fibre channel frame including a security enable parameter, wherein the first fibre channel frame is associated with a fabric login (FLOGI) or a port login (PLOGI) message, wherein the security enable parameter is used by the first network entity, when the first network entity is added to the fibre channel network, to determine if the second network entity has authentication capability or supports other security functions;
  
  means for receiving an acknowledgment from the second network entity indicating that the second network entity has authentication capability or supports other security functions, the acknowledgement including key and algorithm information and a salt parameter;
  
  means for inserting key and algorithm information from the second network entity into a security database;
  
  means for identifying a second fibre channel frame having a source corresponding to the first network entity and a destination corresponding to the second network entity;
  
  means for determining if the second fibre channel frame corresponds to the selectors of an entry in a security database;
  
  means for encrypting a first portion of the second fibre channel frame using key and algorithm information associated with the entry in the security database;
  
  means for providing a security control indicator in the second fibre channel frame, wherein the security control indicator is used to determine if the frame is encrypted or authenticated;
  
  means for transmitting the second fibre channel frame to the second network entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Di Benedetto, Marco, Maino, Fabio R., Desanti, Claudio
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Teslovich; Tamara

Application Number

US10/034,367
Time in Patent Office

3,463 Days
Field of Search

380/256, 713/160, 713/168, 726/3
US Class Current

380/256
CPC Class Codes

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3239   involving non-keyed hash fu...

Methods and apparatus for security over fibre channel

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus for security over fibre channel

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others