
    Re: iSCSI: Login authentication SRP/CHAP



    Michael,
    
    For the SRP questions:
    
    The hash is SHA-1, for which the parameter definitions are given in
    RFC 2945. We'll make that more clear (will reference the SRP-SHA1
    mechanism there).
    
    The issue of the allowed DH groups (N,g) is still open - it will hopefully
    be closed by the next revision and a statement for that will be added.
    
      Regards,
         Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    Steven Senum <ssenum@cisco.com>@ece.cmu.edu on 17/10/2001 22:59:52
    
    Please respond to Steven Senum <ssenum@cisco.com>
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   "IPS Reflector (E-mail)" <ips@ece.cmu.edu>
    cc:
    Subject:  Re: iSCSI: Login authentication SRP/CHAP
    
    
    
    Hi Michael,
    
    I can't answer your questions on SRP, but I probably
    can answer a few on CHAP.
    
    The CHAP_A key (algorithm) is specified in RFC 1994:
    
             5       CHAP with MD5 [3]
    
    The CHAP_I (identifier), CHAP_C (challenge),
    CHAP_N (name) and CHAP_R (response)
    are also specified in RFC 1994:
    
       Identifier
    
          The Identifier field is one octet.  The Identifier field MUST be
          changed each time a Challenge is sent.
    
          The Response Identifier MUST be copied from the Identifier field
          of the Challenge which caused the Response.
    
       Value (challenge and response)
    
          The Value field is one or more octets.  The most significant octet
          is transmitted first.
    
          The Challenge Value is a variable stream of octets.  The
          importance of the uniqueness of the Challenge Value and its
          relationship to the secret is described above.  The Challenge
          Value MUST be changed each time a Challenge is sent.  The length
          of the Challenge Value depends upon the method used to generate
          the octets, and is independent of the hash algorithm used.
    
          The Response Value is the one-way hash calculated over a stream of
          octets consisting of the Identifier, followed by (concatenated
          with) the "secret", followed by (concatenated with) the Challenge
          Value.  The length of the Response Value depends upon the hash
          algorithm used (16 octets for MD5).
    
       Name
    
          The Name field is one or more octets representing the
          identification of the system transmitting the packet.  There are
          no limitations on the content of this field.  For example, it MAY
          contain ASCII character strings or globally unique identifiers in
          ASN.1 syntax.  The Name should not be NUL or CR/LF terminated.
          The size is determined from the Length field.
    
    Basically, iSCSI just uses a different encoding,
    since it is sending "text" keys, instead of binary.
    
    A sample output from my (Cisco's) implementation is as follows:
    
    I-> AuthMethod=CHAP,none (CSG,NSG=0,1 T=1)
    
    T-> AuthMethod=CHAP (CSG,NSG=0,1 T=0)
    
    I-> CHAP_A=5 (CSG,NSG=0,1 T=0)
    
    T-> CHAP_A=5 (CSG,NSG=0,1 T=0)
        CHAP_I=70
        CHAP_C=0x9593dd5e25f87b9e0fcc6891e6670461
    
    I-> CHAP_N=u1 (CSG,NSG=0,1 T=1)
        CHAP_R=0x7e64294a4376affca14cdaecf3c72e21
    
    T-> (CSG,NSG=0,1 T=1)
    
    You can also look at Cisco's Linux implementation on SourceForge:
    
    http://sourceforge.net/projects/linux-iscsi
    
    
    Hope this helps.
    
    Regards,
    Steve Senum
    
    
    
    Michael Schoberg wrote:
    >
    > I'm having some problems figuring out the exact implementation for the
    > login authentication protocols being proposed.  Is anyone else having
    > similar issues answering these questions:
    >
    > What is the hashing algorithm that will be used for SRP authentication
    > (SHA-1, MD5, HMAC-SHA1)?
    >
    > The SRP negotiation passes the following information (T->I):
    >
    > SRP_s = SRP salt
    > SRP_N = (SRP n value - Large prime number.  All computations are
    > performed modulo n)
    > SRP_g = Primitive root modulo of n
    >
    > By passing [N] & [g] (T->I), does this mean the initiator must verify
    > that [N] is a prime and [g] is a primitive root modulo of [N]?  What are
    > the min/max digits for [N] and [g]?  If any of these are not satisfied
    > (N not prime, g not primitive modulo root, #digits too small or large),
    > could it be used as an attack against the initiator or be used to derive
    > the initiator's password?
    >
    > The reference to RFC 1994 does not fully describe the CHAP function for
    > iSCSI, it describes the CHAP message protocol which isn't really used in
    > our case.  There are some parameters that need to be nailed down.  What
    > is the CHAP hash algorithm: (MD5)?  What is the sequence of hashes that
    > take place on a CHAP challenge to form the CHAP digest?
    >
    > The iSCSI draft allows for algorithm selection (CHAP_A=<A1,A2,...>) but
    > doesn't describe any.  Are these supposed to dictate the hashing function
    > or give a description of [what/how it] gets hashed (or both)?  Will there
    > be a mandatory set (A1..An) that compliant iSCSI implementations must
    > provide?  Is there a reference that actually shows the sequence for a
    > CHAP digest being formed from MD5 hashes?
    >
    > It would help to have an appendix with real username/password examples of
    > the result exchange.  A table with a few sample sets would be useful for
    > validating designs.
    
    
    

