
    Re: iSCSI: Use of SRP (draft -04)



    Ofer:
    
    If SRP is mutual, then I think the draft should state that with
    text similar to the Kerberos method, and also state how
    to handle mixed SRP and Kerberos authentication (or disallow it).
    
    Also, I am not sure I agree that SRP is entirely mutual.
    See draft-ietf-pppext-eap-srp-00.txt for a proposal
    for using SRP with PPP.
    
    Regards,
    Steve Senum
    
    biran@il.ibm.com wrote:
    > 
    > Steve,
    > 
    > You are correct, we'll change the SRP message sequence similar to telnet (U
    > --- N,g,s -- A -- B...).
    > 
    > For simultaneous authentication processes (InitAuth, TargetAuth) it seems a
    > problem of over flexibility. The simpler
    > and reasonable way would be to negotiate one authentication method
    > AuthMethod and leave the one way / mutual
    > authentication decision to the specific method selected. In KERB5 the
    > client decides it by setting the krb_ap_req mutual
    > flag, in SRP it's actually mutual.
    > 
    >   Regards,
    >       Ofer
    > 
    > Ofer Biran
    > Systems and Software
    > IBM Research Lab in Haifa
    > biran@il.ibm.com  972-4-8296253
    > 
    > Steve Senum <ssenum@cisco.com> on 02/28/2001 01:41:01 AM
    > 
    > Please respond to Steve Senum <ssenum@cisco.com>
    > 
    > To:   ietf-ips <ips@ece.cmu.edu>
    > cc:
    > Subject:  iSCSI: Use of SRP (draft -04)
    > 
    > Julian:
    > 
    > With respect to use of the SRP protocol for authentication,
    > I think the current draft is incomplete.  The SRP spec
    > requires that values for the Prime Modulus value 'N' and the
    > Generator value 'g' be sent by the authenticating entity
    > as well as 's' and 'B' (or known through some other method).
    > Look at RFC 2944 to see how telnet handles this.
    > 
    > Also, if both Initiator and Target choose to authenticate with
    > SRP, or if InitAuth=KERB5 and TargetAuth=srp, the same key names
    > will be needed by both sides at the same time, resulting in the
    > same key name appearing twice in the same text message.  This
    > will make it difficult for the receiver to know which key names
    > go with which authentication process, since there can be two
    > going on at one time.
    > 
    > Regards,
    > Steve Senum
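
The message order discussed in this thread (U, then N,g,s, then A, then B), written out with both sides' computations and ending with the proof each side sends the other. This is an added example, not part of the original messages or of the iSCSI draft. It assumes the RFC 2945 formulas with SHA-1, a constructed demo modulus, a simplified M1 proof, and hypothetical function names (`enroll`, `run_exchange`).

```python
import hashlib
import secrets

# Constructed demo group: 2**521 - 1 is prime but NOT a safe prime; a real
# deployment would use a vetted safe-prime group known to both sides.
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-1 over the parts (hash used by RFC 2945); ints are big-endian."""
    h = hashlib.sha1()
    for p in parts:
        if not isinstance(p, bytes):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return h.digest()

def private_key(s, user, password):
    """x = H(s | H(U ":" p)), computed only on the initiator."""
    return int.from_bytes(H(s, H(user + b":" + password)), "big")

def enroll(user, password):
    """Target-side record: salt s and verifier v = g^x mod N (no password)."""
    s = secrets.token_bytes(16)
    return s, pow(g, private_key(s, user, password), N)

def run_exchange(user, password, record):
    """One login, both sides, in the order U -> N,g,s -> A -> B -> proofs."""
    s, v = record
    log = [("I->T", "U"), ("T->I", "N,g,s")]   # target supplies group and salt
    a = secrets.randbelow(N - 2) + 1           # initiator's ephemeral secret
    A = pow(g, a, N)
    log.append(("I->T", "A"))
    b = secrets.randbelow(N - 2) + 1           # target's ephemeral secret
    B = (v + pow(g, b, N)) % N
    log.append(("T->I", "B"))
    u = int.from_bytes(H(B)[:4], "big")        # first 32 bits of H(B)
    x = private_key(s, user, password)
    k_init = H(pow((B - pow(g, x, N)) % N, a + u * x, N))  # initiator's key
    k_targ = H(pow(A * pow(v, u, N) % N, b, N))            # target's key
    m1 = H(A, B, k_init)                       # simplified proof (assumption)
    log.append(("I->T", "M1"))
    initiator_ok = m1 == H(A, B, k_targ)       # target checks the initiator
    m2 = H(A, m1, k_targ)
    log.append(("T->I", "M2"))
    target_ok = m2 == H(A, m1, k_init)         # initiator checks the target
    return log, initiator_ok, target_ok
```

Without N, g and s from the target, the initiator cannot compute x or A, which is why those values have to travel in the second message or be known some other way.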
    

