Re: iSCSI: Login authentication SRP/CHAP

To: ietf-ips <ips@ece.cmu.edu>
Subject: Re: iSCSI: Login authentication SRP/CHAP
From: Steve Senum <ssenum@cisco.com>
Date: Thu, 18 Oct 2001 16:25:10 -0500
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <3C7122FAF06DD5118ED600500473364826312D@esply01.cnt.com>
Sender: owner-ips@ece.cmu.edu

Michael,

Michael Schoberg wrote:
> 
> Steve,
> 
> So a CHAP calculation is:
>         <initialize digest>
>         MD5(<CHAP_I>)
>         MD5(<secret>)
>         MD5(<CHAP_C>)
>         -> 16 byte digest
> -or-
>         <initialize digest>
>         MD5(<CHAP_I> | <secret> | <CHAP_C>)  Where "|" is a concatenation
> function.
>         -> 16 byte digest

The above looks correct.

> 
> Shouldn't we be using the CHAP_N field rather than CHAP_I (CHAP Identifier)?

No, CHAP_I is correct.  CHAP_N (CHAP Name) is used to determine
the shared secret.

> 
> I also noticed that RFC 1994 says to use the identifier (CHAP_I) as a
> reference in the response.  The iSCSI draft doesn't refer to the CHAP_I
> value in the response.

Ofer and I didn't put CHAP_I in the response because:

1. It would break the bi-directional CHAP option.  We would
have to define a different key for the response to avoid
key ambiguities.

2. We don't really need it, as PPP CHAP's purpose was to
match up challenges and responses on an unreliable link.
However, since it is part of the hash calculation, we
still need to send it with the challenge.

Regards,
Steve Senum


> : The CHAP_I (identifier), CHAP_C (challenge),
> : CHAP_N (name) and CHAP_R (response)
> : are also specified in RFC 1994:
> :
> :    Identifier
> :
> :       The Identifier field is one octet.  The Identifier field MUST be
> :       changed each time a Challenge is sent.
> :
> :       The Response Identifier MUST be copied from the Identifier field
> :       of the Challenge which caused the Response.
> :
> :    Value (challenge and response)
> :
> :       The Value field is one or more octets.  The most
> : significant octet
> :       is transmitted first.
> :
> :       The Challenge Value is a variable stream of octets.  The
> :       importance of the uniqueness of the Challenge Value and its
> :       relationship to the secret is described above.  The Challenge
> :       Value MUST be changed each time a Challenge is sent.  The length
> :       of the Challenge Value depends upon the method used to generate
> :       the octets, and is independent of the hash algorithm used.
> :
> :       The Response Value is the one-way hash calculated over
> : a stream of
> :       octets consisting of the Identifier, followed by (concatenated
> :       with) the "secret", followed by (concatenated with) the
> : Challenge
> :       Value.  The length of the Response Value depends upon the hash
> :       algorithm used (16 octets for MD5).
> :
> :    Name
> :
> :       The Name field is one or more octets representing the
> :       identification of the system transmitting the packet.  There are
> :       no limitations on the content of this field.  For
> : example, it MAY
> :       contain ASCII character strings or globally unique
> : identifiers in
> :       ASN.1 syntax.  The Name should not be NUL or CR/LF terminated.
> :       The size is determined from the Length field.

References:
- RE: iSCSI: Login authentication SRP/CHAP
  - From: Michael Schoberg <michael_schoberg@cnt.com>

Prev by Date: RE: iSCSI: Login authentication SRP/CHAP
Next by Date: RE: Question on security document
Prev by thread: RE: iSCSI: Login authentication SRP/CHAP
Next by thread: RE: iSCSI: Login authentication SRP/CHAP
Index(es):
- Date
- Thread

Home

Last updated: Fri Oct 19 05:17:42 2001
7292 messages in chronological order