Re: iSCSI Inband authentication (SRP/CHAP) - proposed resolution

Excerpt of message (sent 21 May 2002) by Black_David@emc.com:

> Since DH-CHAP has been excluded from iSCSI, I can now function as a WG
> co-chair on this security topic. On a conference call today that included
> both IPS WG co-chairs, our Area Director (Allison Mankin), the authors
> of both the iSCSI and IPS Security drafts, along with additional
> security experts and contributors, the group came up with the following
> proposed resolution to the open iSCSI requirements issues in inband
> authentication:
>
> - CHAP MUST be implemented. Support for strong machine-generated CHAP
> secrets (96+ bits of cryptographic randomness) MUST be implemented,
> and CHAP secrets of at least that strength SHOULD be used.
> Generation of secrets MAY be external to the iSCSI implementation.

That sounds generally reasonable. The requirement of 96 or more bits of entropy is problematic: it is achievable, but I don't believe it is testable. In other words, I don't believe it is possible to construct a conformance test applied from the outside of the system that verifies this requirement. Protocol standards should only contain requirements that are testable by external observers.

> - If weaker CHAP secrets (e.g., passwords, hashes of passwords) are
> used, ESP encryption (and integrity) MUST be used to protect them,
> and group pre-shared keys MUST NOT be used for IKE authentication
> (pairwise pre-shared keys MAY be used).

This is a "must use" requirement. I thought that "must use" requirements were things to be avoided. Certainly they don't belong in this spec, because the requirement makes no sense in some customer settings. Apart from that, this requirement isn't testable either. Given externally supplied CHAP secrets, the implementation has no way to test whether the supplied secret is "weak" or not, and therefore no way to decide whether it should enforce an ESP mandate even if it wanted to.

paul
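The testability point paul makes, as an added example (not part of the original message and not code from any iSCSI implementation): a CHAP target computes the same RFC 1994 MD5 response whether the secret came from a CSPRNG or is a 12-byte password, so the one property it can check on an externally supplied secret is its length, which the constructed password and truncated-hash secrets below satisfy just as well as the machine-generated one.

```python
import hashlib
import secrets

# Minimum size from the proposed resolution: 96 bits of cryptographic randomness.
STRONG_SECRET_BITS = 96


def generate_chap_secret(bits: int = STRONG_SECRET_BITS) -> bytes:
    """Machine-generate a CHAP secret from the OS CSPRNG."""
    if bits % 8:
        raise ValueError("secret size must be a whole number of bytes")
    return secrets.token_bytes(bits // 8)

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Target side: recompute the response and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)

def secret_meets_length(secret: bytes) -> bool:
    """The only property an outside observer (or an implementation handed an
    externally supplied secret) can actually check: at least 96 bits are
    present. Length says nothing about how random those bits are."""
    return len(secret) * 8 >= STRONG_SECRET_BITS

# Constructed sample secrets: one from the CSPRNG, a 12-byte password, and a
# 96-bit truncated hash of a short password. All three are 96 bits long.
STRONG_SECRET = generate_chap_secret()
PASSWORD_SECRET = b"Password1234"                                  # constructed
HASHED_PASSWORD_SECRET = hashlib.sha256(b"hunter2").digest()[:12]  # constructed

def run_exchange(secret: bytes, identifier: int = 1) -> bool:
    """One CHAP round trip with a fresh 16-byte challenge, as the target sees it."""
    challenge = secrets.token_bytes(16)
    response = chap_response(identifier, secret, challenge)       # initiator
    return chap_verify(identifier, secret, challenge, response)  # target

if __name__ == "__main__":
    for name, s in [("strong", STRONG_SECRET), ("password", PASSWORD_SECRET),
                    ("hashed password", HASHED_PASSWORD_SECRET)]:
        print(f"{name:16s} length-check={secret_meets_length(s)} auth={run_exchange(s)}")
```

All three secrets pass the length check and authenticate identically, which is exactly why a conformance test observing the exchange cannot verify the 96-bits-of-randomness requirement.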