SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME

    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Generation of CHAP Secrets...

    > the iSCSI draft talks of up to 128 bits of shared secret.  While
performing 
> HASH, the MD5 will yield 128 bits, but SHA-1 (recommended Hashing
algorithm, 
> Sec 7.3.1) will generate 160 bits.  Seems to me that the shared secret
should 
> be allowed to be up to 160 bits..unless we allow MD5 for CHAP and then 
> possibly pad the hash? Or am I missing something here?

There's no inherent upper limit on the size of the shared secret and it's
not related to the output size of the hash algorithms.  128 bits is more
than enough to get the job done, hence there's no need to require that
implementations support more than that.  Generating more random bits and
tossing some of them away is fine (e.g., IPsec ESP does exactly this to
make its MD5 and SHA-1 HMACs fit in 96 bits), but they have to be *true*
random bits - more below.

While SHA-1 is the required hash for IPsec ESP, it does not work with
CHAP for historical reasons (one has to use MD5) - see, the IANA registry,
the PPP AUTHENTICATION ALGORITHMS section of:

	http://www.iana.org/assignments/ppp-numbers

While I'm sure Vijay did not mean to imply this, I want to warn
implementers away from a potentially disastrous implementation shortcut:

	**DO NOT** run a weak secret (e.g., password) through a hash
	or similar algorithm to generate something that appears to be
	a sufficiently-sized random CHAP secret.

The result of doing this is no stronger than the original weak
secret (e.g., password) - if this shortcut technique is used, the
result falls under iSCSI's "MUST enforce IPsec encryption" language.

This is a well-known implementation mistake (e.g.,
Netscape was publicly bitten by it several years ago).  A specific
example is that if one runs a password with 15 bits of randomness through
MD5, the resulting 128 bit output still has 15 bits of randomness - an
attacker need only run the dictionary words through MD5 [15 bit search
space] to mount an exhaustive attack, and the fact that the quantities
being checked are 128 bits in size does not improve security.

If one wants 128 bits of randomness, one needs to start with 128 random
bits - it really is that simple.  Using a hash does not increase the
amount of randomness.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449            FAX: +1 (508) 497-8018
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

Home

Last updated: Wed Aug 21 18:18:52 2002
11658 messages in chronological order