One or more aspects relate, in general, to providing security within computing environments, and in particular, to performing authentication for nodes that communicate with one another via encrypted messages.
Encryption provides data security for data and/or other information being transmitted between two entities, such as a source node and a target node coupled via a plurality of endpoints or links. To standardize aspects of encryption, various standards are provided for different types of communication protocols. For instance, the FC-SP-2 and FC-LS-3 standards are provided for Fibre Channels.
The FC-SP-2 standard, as an example, used for encrypting Fibre Channel links includes protocols for mutual authentication of two endpoints, as well as protocols for negotiating encryption keys that are used in communication sessions between the two endpoints. The standard provides support for a variety of mechanisms to authenticate the involved parties, as well as mechanisms by which key material is provided or developed. The standard is defined for several authentication infrastructures, including secret-based, certificate-based, password-based, and pre-shared key based, as examples.
Generally, a certificate-based infrastructure is considered to provide a strong form of secure authentication, as the identity of an endpoint is certified by a trusted Certificate Authority. The FC-SP-2 standard defines a mechanism by which multiple certified entities can use the public-private key pairs that the certificate binds them to in order to authenticate with each other. This authentication occurs directly between two entities through the use of the Fibre Channel Authentication protocol (FCAP), the design of which is based on authentication that uses certificates and signatures as defined in, for instance, the Internet Key Exchange (IKE) protocol.
However, the exchange and validation of certificates inline is compute intensive, as well as time-consuming. The FCAP protocol is also performed on every Fibre Channel link between the entities. Since it is to be done before any client traffic flows on the links that are to be integrity and/or security protected, it can negatively impact (elongate) the link initialization times, and hence, the time it takes to bring up and begin executing client workloads. The IKE protocol also involves fairly central processing unit intensive mathematical computations, and in an environment that includes large enterprise servers with a large number of Fibre Channel physical ports in a dynamic switched fabric connected to a large number of storage controller ports, the multiplier effect of these computations and the high volume of frame exchanges to complete the IKE protocol can also negatively affect system initialization and cause constraints in heavy normal operation.