Re: iSCSI: Login authentication SRP/CHAP
Hi Michael,
I can't answer your questions on SRP, but I probably
can answer a few on CHAP.
The CHAP_A key (algorithm) is specified in RFC 1994:
5 CHAP with MD5 [3]
The CHAP_I (identifier), CHAP_C (challenge),
CHAP_N (name) and CHAP_R (response)
are also specified in RFC 1994:
Identifier
The Identifier field is one octet. The Identifier field MUST be
changed each time a Challenge is sent.
The Response Identifier MUST be copied from the Identifier field
of the Challenge which caused the Response.
Value (challenge and response)
The Value field is one or more octets. The most significant octet
is transmitted first.
The Challenge Value is a variable stream of octets. The
importance of the uniqueness of the Challenge Value and its
relationship to the secret is described above. The Challenge
Value MUST be changed each time a Challenge is sent. The length
of the Challenge Value depends upon the method used to generate
the octets, and is independent of the hash algorithm used.
The Response Value is the one-way hash calculated over a stream of
octets consisting of the Identifier, followed by (concatenated
with) the "secret", followed by (concatenated with) the Challenge
Value. The length of the Response Value depends upon the hash
algorithm used (16 octets for MD5).
Name
The Name field is one or more octets representing the
identification of the system transmitting the packet. There are
no limitations on the content of this field. For example, it MAY
contain ASCII character strings or globally unique identifiers in
ASN.1 syntax. The Name should not be NUL or CR/LF terminated.
The size is determined from the Length field.
Basically, iSCSI just uses a different encoding,
since it is sending "text" keys, instead of binary.
A sample output from my (Cisco's) implementation is as follows:
I-> AuthMethod=CHAP,none (CSG,NSG=0,1 T=1)
T-> AuthMethod=CHAP (CSG,NSG=0,1 T=0)
I-> CHAP_A=5 (CSG,NSG=0,1 T=0)
T-> CHAP_A=5 (CSG,NSG=0,1 T=0)
CHAP_I=70
CHAP_C=0x9593dd5e25f87b9e0fcc6891e6670461
I-> CHAP_N=u1 (CSG,NSG=0,1 T=1)
CHAP_R=0x7e64294a4376affca14cdaecf3c72e21
T-> (CSG,NSG=0,1 T=1)
You can also look at Cisco's Linux implementation on SourceForge:
http://sourceforge.net/projects/linux-iscsi
Hope this helps.
Regards,
Steve Senum
Michael Schoberg wrote:
>
> I'm having some problems figuring out the exact implementation for the login
> authentication protocols being proposed. Is anyone else having similar
> issues answering these questions:
>
> What is the hashing algorithm that will be used for SRP authentication
> (SHA-1, MD5, HMAC-SHA1)?
>
> The SRP negotiation passes the following information (T->I):
>
> SRP_s = SRP salt
> SRP_N = (SRP n value - Large prime number. All computations are performed
> modulo n)
> SRP_g = Primitive root modulo of n
>
> By passing [N] & [g] (T->I), does this mean the initiator must verify that
> [N] is a prime and [g] is a primitive root modulo of [N]? What are the
> min/max digits for [N] and [g]? If any of these are not satisfied (N not
> prime, g not primitive modulo root, #digits too small or large), could it be
> used as an attack against the initiator or be used to derive the initiator's
> password?
>
> The reference to RFC 1994 does not fully describe the CHAP function for
> iSCSI, it describes the CHAP message protocol which isn't really used in our
> case. There are some parameters that need to be nailed down. What is the
> CHAP hash algorithm: (MD5)? What is the sequence of hashes that take place
> on a CHAP challenge to form the CHAP digest?
>
> The iSCSI draft allows for algorithm selection (CHAP_A=<A1,A2,...>) but
> doesn't describe any. Are these supposed to dictate the hashing function or
> give a description of [what/how it] gets hashed (or both)? Will there be a
> mandatory set (A1..An) that compliant iSCSI implementations must provide?
> Is there a reference that actually shows the sequence for a CHAP digest
> being formed from MD5 hashes?
>
> It would help to have an appendix with real username/password examples of
> the result exchange. A table with a few sample sets would be useful for
> validating designs.
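Added example (not part of Steve's or Michael's messages, and not Cisco's implementation): computing and checking CHAP_R from CHAP_I, the shared secret and CHAP_C exactly as the RFC 1994 text quoted above prescribes, MD5(Identifier || secret || Challenge), with the values carried in iSCSI's "0x" text-key encoding. CHAP_I=70 and CHAP_C are taken from the sample exchange; the secret is an assumption, since it never appears on the wire, so the CHAP_R produced here will not match the one in the transcript.

```python
import hashlib
import hmac
import os

# Constructed example: CHAP_I and CHAP_C come from the sample exchange; the
# secret is an assumption, since it is never sent on the wire.
SAMPLE_CHAP_I = 70
SAMPLE_CHAP_C = "0x9593dd5e25f87b9e0fcc6891e6670461"
ASSUMED_SECRET = b"example-secret"

def decode_iscsi_value(text: str) -> bytes:
    """Decode an iSCSI text-key binary value written as 0x<hex> into bytes."""
    if not text.startswith("0x") or len(text) % 2:
        raise ValueError("expected 0x followed by an even number of hex digits")
    return bytes.fromhex(text[2:])

def encode_iscsi_value(raw: bytes) -> str:
    """Encode bytes in the 0x<hex> text-key form used for CHAP_C and CHAP_R."""
    return "0x" + raw.hex()

def chap_hash_input(chap_i: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 input order: Identifier (one octet) || secret || Challenge."""
    if not 0 <= chap_i <= 255:
        raise ValueError("CHAP_I is a one-octet identifier")
    return bytes([chap_i]) + secret + challenge

def chap_response(chap_i: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R for CHAP_A=5 (MD5): the 16-octet digest over the RFC 1994 input."""
    return hashlib.md5(chap_hash_input(chap_i, secret, challenge)).digest()

def new_challenge(length: int = 16) -> bytes:
    """Target side: a fresh, unpredictable CHAP_C for every login attempt."""
    return os.urandom(length)

def verify_response(chap_i: int, secret: bytes, challenge_text: str,
                    response_text: str) -> bool:
    """Target side: recompute CHAP_R for the challenge it issued and compare
    in constant time, so a wrong response leaks nothing about the secret."""
    expected = chap_response(chap_i, secret, decode_iscsi_value(challenge_text))
    return hmac.compare_digest(expected, decode_iscsi_value(response_text))

if __name__ == "__main__":
    # Initiator side of the sample exchange, using the assumed secret.
    chap_r = encode_iscsi_value(chap_response(
        SAMPLE_CHAP_I, ASSUMED_SECRET, decode_iscsi_value(SAMPLE_CHAP_C)))
    print(f"CHAP_I={SAMPLE_CHAP_I}\nCHAP_C={SAMPLE_CHAP_C}\nCHAP_R={chap_r}")
    print("target accepts:", verify_response(SAMPLE_CHAP_I, ASSUMED_SECRET,
                                             SAMPLE_CHAP_C, chap_r))
```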
Last updated: Wed Oct 17 18:17:24 2001