RE: iSCSI: Login authentication SRP/CHAP

To: "'Michael Schoberg'" <michael_schoberg@cnt.com>
Subject: RE: iSCSI: Login authentication SRP/CHAP
From: "Lee, CJ" <CJ_Lee@adaptec.com>
Date: Wed, 17 Oct 2001 14:44:06 -0700
Cc: "'ips@ece.cmu.edu'" <ips@ece.cmu.edu>
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Michael,
     According to RFC2945, SHA1 is the hash algorithm used by SRP.  For
CHAP, according to 08 draft, MD5 is the required to be implemented algorithm
and other algorithms can certainly be added if so desired.  Unlike RFC2945,
RFC1994 describes CHAP in the context of PPP LCP negotiation and one
should/could not apply it directly to be used in iSCSI login authentication.
Take a look at the 08 draft Appendix A, CHAP challenge, response exchanges
are carried out using login commands and responses.  RFC1994 merely spells
out how response is calculated based on the challenge and info. associated
with the authentication session (ID) and the communicating peer (secret).

CJ Lee
Adaptec, Inc.

-----Original Message-----
From: Michael Schoberg [mailto:michael_schoberg@cnt.com]
Sent: Wednesday, October 17, 2001 12:53 PM
To: IPS Reflector (E-mail)
Subject: iSCSI: Login authentication SRP/CHAP


I'm having some problems figuring out the exact implementation for the login
authentication protocols being proposed.  Is anyone else having similar
issues answering these questions:

What is the hashing algorithm that will be used for SRP authentication
(SHA-1, MD5, HMAC-SHA1)?
  
The SRP negotiation passes the following information (T->I):

SRP_s = SRP salt
SRP_N = (SRP n value - Large prime number.  All computations are performed
modulo n)
SRP_g = Primitive root modulo of n

By passing [N] & [g] (T->I), does this mean the initiator must verify that
[N] is a prime and [g] is a primitive root modulo of [N]?  What are the
min/max digits for [N] and [g]?  If any of these are not satisfied (N not
prime, g not primitive modulo root, #digits too small or large), could it be
used as an attack against the initiator or be used to derive the initiator's
password?



The reference to RFC 1994 does not fully describe the CHAP function for
iSCSI, it describes the CHAP message protocol which isn't really used in our
case.  There's some parameters that need to be nailed down.  What is the
CHAP hash algorithm: (MD5)?  What is the sequence of hashes that take place
on a CHAP challenge to form the CHAP digest?

The iSCSI draft allows for algorithm selection (CHAP_A=<A1,A2,...>) but
doesn't describe any.  Are these supposed to dictate the hashing function or
give a description of [what/how it] gets hashed (or both)?  Will there be a
mandatory set (A1..An) that compliant iSCSI implementations must provide?
Is there a reference that actually shows the sequence for a CHAP digest
being formed from MD5 hashes?



It would help to have an appendix with real username/password examples of
the result exchange?  A table with a few sample sets would be useful for
validating designs.

Prev by Date: RE: iSCSI: Login authentication SRP/CHAP
Next by Date: Question on security document
Prev by thread: RE: iSCSI: Login authentication SRP/CHAP
Next by thread: Re: iSCSI: Login authentication SRP/CHAP
Index(es):
- Date
- Thread

Home

Last updated: Thu Oct 18 07:17:47 2001
7276 messages in chronological order