Re: iSCSI: Login authentication SRP/CHAP

To: michael_schoberg@cnt.com, Steven Senum <ssenum@cisco.com>
Subject: Re: iSCSI: Login authentication SRP/CHAP
From: "Ofer Biran" <BIRAN@il.ibm.com>
Date: Thu, 18 Oct 2001 13:34:22 +0300
Cc: "IPS Reflector (E-mail)" <ips@ece.cmu.edu>
Content-type: text/plain; charset=us-ascii
Importance: Normal
Sender: owner-ips@ece.cmu.edu

Michael,.

For the SRP questions:

The hash is SHA-1 for which the parameter definitions are given in
 RFC -2945. We'll make that more clear (will reference the SRP-SHA1
mechanism there).

The issue of the allowed DH groups (N,g)  is still open - would hopefully
be closed by next revision and a statement for that will be added.

  Regards,
     Ofer


Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253


Steven Senum <ssenum@cisco.com>@ece.cmu.edu on 17/10/2001 22:59:52

Please respond to Steven Senum <ssenum@cisco.com>

Sent by:  owner-ips@ece.cmu.edu


To:   "IPS Reflector (E-mail)" <ips@ece.cmu.edu>
cc:
Subject:  Re: iSCSI: Login authentication SRP/CHAP



Hi Michael,

I can't answer your questions on SRP, but I probably
can answer a few on CHAP.

The CHAP_A key (algorithm) is specified in RFC 1994:

         5       CHAP with MD5 [3]

The CHAP_I (identifier), CHAP_C (challenge),
CHAP_N (name) and CHAP_R (response)
are also specified in RFC 1994:

   Identifier

      The Identifier field is one octet.  The Identifier field MUST be
      changed each time a Challenge is sent.

      The Response Identifier MUST be copied from the Identifier field
      of the Challenge which caused the Response.

   Value (challenge and response)

      The Value field is one or more octets.  The most significant octet
      is transmitted first.

      The Challenge Value is a variable stream of octets.  The
      importance of the uniqueness of the Challenge Value and its
      relationship to the secret is described above.  The Challenge
      Value MUST be changed each time a Challenge is sent.  The length
      of the Challenge Value depends upon the method used to generate
      the octets, and is independent of the hash algorithm used.

      The Response Value is the one-way hash calculated over a stream of
      octets consisting of the Identifier, followed by (concatenated
      with) the "secret", followed by (concatenated with) the Challenge
      Value.  The length of the Response Value depends upon the hash
      algorithm used (16 octets for MD5).

   Name

      The Name field is one or more octets representing the
      identification of the system transmitting the packet.  There are
      no limitations on the content of this field.  For example, it MAY
      contain ASCII character strings or globally unique identifiers in
      ASN.1 syntax.  The Name should not be NUL or CR/LF terminated.
      The size is determined from the Length field.

Basically, iSCSI just uses a different encoding,
since it is sending "text" keys, instead of binary.

A sample output from my (Cisco's) implementation is as follows:

I-> AuthMethod=CHAP,none (CSG,NSG=0,1 T=1)

T-> AuthMethod=CHAP (CSG,NSG=0,1 T=0)

I-> CHAP_A=5 (CSG,NSG=0,1 T=0)

T-> CHAP_A=5 (CSG,NSG=0,1 T=0)
    CHAP_I=70
    CHAP_C=0x9593dd5e25f87b9e0fcc6891e6670461

I-> CHAP_N=u1 (CSG,NSG=0,1 T=1)
    CHAP_R=0x7e64294a4376affca14cdaecf3c72e21

T-> (CSG,NSG=0,1 T=1)

You can also look at Cisco's Linux implementation on SourceForge:

http://sourceforge.net/projects/linux-iscsi


Hope this helps.

Regards,
Steve Senum



Michael Schoberg wrote:
>
> I'm having some problems figuring out the exact implementation for the
login
> authentication protocols being proposed.  Is anyone else having similar
> issues answering these questions:
>
> What is the hashing algorithm that will be used for SRP authentication
> (SHA-1, MD5, HMAC-SHA1)?
>
> The SRP negotiation passes the following information (T->I):
>
> SRP_s = SRP salt
> SRP_N = (SRP n value - Large prime number.  All computations are
performed
> modulo n)
> SRP_g = Primitive root modulo of n
>
> By passing [N] & [g] (T->I), does this mean the initiator must verify
that
> [N] is a prime and [g] is a primitive root modulo of [N]?  What are the
> min/max digits for [N] and [g]?  If any of these are not satisfied (N not
> prime, g not primitive modulo root, #digits too small or large), could it
be
> used as an attack against the initiator or be used to derive the
initiator's
> password?
>
> The reference to RFC 1994 does not fully describe the CHAP function for
> iSCSI, it describes the CHAP message protocol which isn't really used in
our
> case.  There's some parameters that need to be nailed down.  What is the
> CHAP hash algorithm: (MD5)?  What is the sequence of hashes that take
place
> on a CHAP challenge to form the CHAP digest?
>
> The iSCSI draft allows for algorithm selection (CHAP_A=<A1,A2,...>) but
> doesn't describe any.  Are these supposed to dictate the hashing function
or
> give a description of [what/how it] gets hashed (or both)?  Will there be
a
> mandatory set (A1..An) that compliant iSCSI implementations must provide?
> Is there a reference that actually shows the sequence for a CHAP digest
> being formed from MD5 hashes?
>
> It would help to have an appendix with real username/password examples of
> the result exchange?  A table with a few sample sets would be useful for
> validating designs.

Prev by Date: RE: Question on security document
Next by Date: RE: Question on security document
Prev by thread: RE: iSCSI: Login authentication SRP/CHAP
Next by thread: RE: iSCSI: Login authentication SRP/CHAP
Index(es):
- Date
- Thread

Home

Last updated: Thu Oct 18 17:17:31 2001
7287 messages in chronological order