Efficient Asymmetric Secure iSCSI System



Dr. Edward Chow and Murthy Andukuri have designed an innovative, efficient asymmetric secure iSCSI system that keeps the data encrypted on the server and decrypts it only when the client needs it. In this system, the iSCSI target saves the encrypted iSCSI payload generated by the IPsec protocol directly to the target disk system, and returns that encrypted iSCSI content to the iSCSI initiator without additional IPsec encryption on the target side. The solution is revolutionary in that it cuts the processing time significantly, and the cut in processing time with the Asymmetric Secure iSCSI System will realize a large reduction in hardware costs. Most existing techniques use upper-layer encryption, which results in redundant encryption of the iSCSI payload when IPsec is also used to protect the TCP/iSCSI header information; expensive hardware accelerators would be needed to get the same performance out of these existing techniques. The design creates the encrypted iSCSI data without additional application-layer encryption and significantly cuts total IPsec processing time. The iSCSI initiator can keep the encryption key and initialization vector without having to share them with the iSCSI target applications.

  • Cuts the most dominant processing overhead in a secure iSCSI system to one third of a standard system.
  • Allows customer control of the encryption key on the client side.
  • More secure: accessing data would require possession of the actual hardware.
  • The target system does not need to decrypt/encrypt the user data (only the headers), so the resources on this system (the CPU and memory, or the host bus adapter if a dedicated card handles IPsec/iSCSI) need not be as powerful as those on the initiator.


TRL 3: Analytical and experimental critical function and/or characteristic proof of concept. Active R&D is initiated. This includes analytical studies and laboratory studies to physically validate the analytical predictions of separate elements of the technology. Examples include components that are not yet integrated or representative.