Re: iSCSI: Use of SRP (draft -04)

To: biran@il.ibm.com, ips@ece.cmu.edu
Subject: Re: iSCSI: Use of SRP (draft -04)
From: Steve Senum <ssenum@cisco.com>
Date: Wed, 28 Feb 2001 17:14:31 -0600
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <C1256A01.007962B1.00@d12mta02.de.ibm.com>
Sender: owner-ips@ece.cmu.edu

Ofer:

If SRP is mutual, then I think the draft should state that with
text similiar to the Kerberos method, and also state how
to handle mixed SRB and Kerberos authentication (or disallow it).

Also, I am not sure I agree that SRP is entirely mutual.
See draft-ietf-pppext-eap-srp-00.txt for a proposal
for using SRP with PPP.

Regards,
Steve Senum

biran@il.ibm.com wrote:
> 
> Steve,
> 
> You are correct, we'll change the SRP message sequence similar to telnet (U
> --- N,g,s -- A -- B...).
> 
> For simultaneous authentication processes (InitAuth, TargetAuth) it seems a
> problem of over flexibility. The simpler
> and reasonable way would be to negotiate one authentication method
> AuthMethod and leave the one way / mutual
> authentication decision to the specific method selected. In KERB5 the
> client decides it by setting the krb_ap_req mutual
> flag, in SRP it's actually mutual.
> 
>   Regards,
>       Ofer
> 
> Ofer Biran
> Systems and Software
> IBM Research Lab in Haifa
> biran@il.ibm.com  972-4-8296253
> 
> Steve Senum <ssenum@cisco.com> on 02/28/2001 01:41:01 AM
> 
> Please respond to Steve Senum <ssenum@cisco.com>
> 
> To:   ietf-ips <ips@ece.cmu.edu>
> cc:
> Subject:  iSCSI: Use of SRP (draft -04)
> 
> Julian:
> 
> With respect to use of the SRP protocol for authentication,
> I think the current draft is incomplete.  The SRP spec
> requires that values for the Prime Modulus value 'N' and the
> Generator value 'g' be sent by the authenticating entity
> as well as 's' and 'B' (or known through some other method).
> Look at RFC 2944 to see how telnet handles this.
> 
> Also, if both Initiator and Target choose to authenticate with
> SRP, or if InitAuth=KERB5 and TargetAuth=srp, the same key names
> will be needed by both sides at the same time, resulting in the
> same key name appearing twice in the same text message.  This
> will make it difficult for the receiver to know which key names
> goes with which authentication process, since there can be two
> going on at one time.
> 
> Regards,
> Steve Senum

References:
- Re: iSCSI: Use of SRP (draft -04)
  - From: biran@il.ibm.com

Prev by Date: Re: iSCSI: Use of SRP (draft -04)
Next by Date: Re: iSCSI.04 Comments
Prev by thread: Re: iSCSI: Use of SRP (draft -04)
Next by thread: Re: iSCSI: Use of SRP (draft -04)
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:29 2001
6315 messages in chronological order