Method and Apparatus for Authentication in Storage Systems using QR code
Publication Date: 2018-Oct-11
The IP.com Prior Art Database
Abstract: Disclosed is a method for authenticating storage systems with the use of a QR code. This makes the authentication process more secure, as it overcomes the single administrative domain problem and the dictionary attack problem.

1. Background:
Internet Small Computer Systems Interface (iSCSI) is a transport protocol that carries SCSI commands over the TCP/IP layers. iSCSI is secured by two different methods. The first is end-to-end security using an authentication method in the iSCSI login phase (called the security negotiation stage); this operates at the iSCSI connection level. The second is protecting the packets by securing the channel with IPsec. However, both security methods are optional, so every authentication method of the security negotiation phase must be designed keeping in mind that IPsec is optional. Some of the commonly used authentication methods in the iSCSI login phase are:
- Challenge Handshake Authentication Protocol (CHAP)
- Secure Remote Password (SRP)
- Kerberos
- Simple Public-Key Mechanism (SPKM)
The default authentication method is "None", which means "no authentication". The most widely used authentication method is CHAP. RFC 3720 states that all compliant iSCSI initiators and targets must support the CHAP authentication method. In the CHAP authentication mechanism, the iSCSI initiator authenticates itself to the iSCSI target and/or the iSCSI target authenticates itself to the iSCSI initiator.

When CHAP is used without a secure channel (when IPsec is not in use), it is vulnerable to an off-line dictionary attack. The smaller the CHAP secret used by the endpoints, the more vulnerable the system becomes without encryption.

Another security weakness in CHAP arises when a single administrative domain is used. Single administrative domain means either:
- A single CHAP secret is used for authenticating an initiator to multiple targets.
- A single CHAP secret is used for authenticating a target to multiple initiators.
When a single CHAP secret is used for authenticating a target, any of the initiators can impersonate the target to any other initiator, and compromise of such an initiator enables an attacker to impersonate the target to all such initiators.

iSCSI also provides public or private extensions for authentication methods. This disclosure describes a new extension for authentication that can be used as a public or a private extension. This new way of authenticating claims to overcome the problems existing in the current authentication algorithms used by iSCSI.

2. Summary:
The idea is to have a QR code based authentication method that is more reliable and secure than the existing authentication algorithms used by iSCSI in the security negotiation phase. In this QR code based authentication, the iSCSI endpoint generates a dynamic QR code that is valid only for that login.
Using dynamic QR code for authentication has several benefits over traditional aut...
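The two CHAP weaknesses named in the Background (a small secret used without IPsec, and one secret shared across a single administrative domain) can be looked for in an inventory of configured CHAP credentials. The Python check below is an added example and is not part of the disclosure; the inventory format, endpoint names and secrets are constructed, and the 96-bit floor is the minimum RFC 3720 sets for CHAP secrets when IPsec encryption is not in use.

```python
from collections import defaultdict

MIN_SECRET_BITS = 96  # RFC 3720 floor for CHAP secrets when IPsec is not in use

# Hypothetical endpoint names, constructed for this example.
A, B, C = (f"iqn.2018-10.com.example:host-{x}" for x in "abc")
T = "iqn.2018-10.com.example:array1"

# Constructed inventory. "proves" names the role that authenticates itself
# with the secret; the other endpoint verifies it.
SAMPLE = [
    {"proves": "target", "initiator": A, "target": T,
     "secret": b"array1-to-all-hosts-secret", "ipsec": False},
    {"proves": "target", "initiator": B, "target": T,
     "secret": b"array1-to-all-hosts-secret", "ipsec": False},
    {"proves": "initiator", "initiator": A, "target": T,
     "secret": b"hosta1", "ipsec": False},
    {"proves": "initiator", "initiator": B, "target": T,
     "secret": b"hostb1", "ipsec": True},
    {"proves": "initiator", "initiator": C, "target": T,
     "secret": b"Zq7!host-c-unique-16", "ipsec": False},
]


def audit_chap(entries):
    """Return findings for short secrets and secrets shared across peers."""
    findings = []
    verifiers = defaultdict(set)  # (prover, secret) -> endpoints that verify it
    for e in entries:
        prover = e[e["proves"]]
        verifier = e["initiator" if e["proves"] == "target" else "target"]
        verifiers[(prover, e["secret"])].add(verifier)
        # Without IPsec the exchange is observable, so a short secret is
        # exposed to off-line guessing.
        if not e["ipsec"] and len(e["secret"]) * 8 < MIN_SECRET_BITS:
            findings.append(("short-secret", prover, verifier))
    # One secret proving the same endpoint to several peers is the single
    # administrative domain case: each peer holding it can impersonate the prover.
    for (prover, _secret), peers in verifiers.items():
        if len(peers) > 1:
            findings.append(("shared-secret", prover, tuple(sorted(peers))))
    return findings


if __name__ == "__main__":
    for finding in audit_chap(SAMPLE):
        print(finding)
```

The short secret on host-b is not reported because that entry is marked as protected by IPsec; the shared-secret finding lists every initiator that could impersonate the target to the others.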