RE: iSCSI: Login authentication SRP/CHAP

To: "'Steven Senum'" <ssenum@cisco.com>, "IPS Reflector (E-mail)" <ips@ece.cmu.edu>
Subject: RE: iSCSI: Login authentication SRP/CHAP
From: Michael Schoberg <michael_schoberg@cnt.com>
Date: Thu, 18 Oct 2001 15:47:02 -0500
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Steve,

So a CHAP calculation is:
	<initialize digest>
	MD5(<CHAP_I>)
	MD5(<secret>)
	MD5(<CHAP_C>)
	-> 16 byte digest
-or-
	<initialize digest>
	MD5(<CHAP_I> | <secret> | <CHAP_C>)  Where "|" is a concatenation
function.
	-> 16 byte digest

Shouldn't we be using the CHAP_N field rather than CHAP_I (CHAP Identifier)?


I also noticed that RFC 1994 says to use the identifier (CHAP_I) as a
reference in the response.  The iSCSI draft doesn't refer to the CHAP_I
value in the response.

Thanks.



: The CHAP_I (identifier), CHAP_C (challenge),
: CHAP_N (name) and CHAP_R (response)
: are also specified in RFC 1994:
: 
:    Identifier
: 
:       The Identifier field is one octet.  The Identifier field MUST be
:       changed each time a Challenge is sent.
: 
:       The Response Identifier MUST be copied from the Identifier field
:       of the Challenge which caused the Response.
: 
:    Value (challenge and response)
: 
:       The Value field is one or more octets.  The most 
: significant octet
:       is transmitted first.
: 
:       The Challenge Value is a variable stream of octets.  The
:       importance of the uniqueness of the Challenge Value and its
:       relationship to the secret is described above.  The Challenge
:       Value MUST be changed each time a Challenge is sent.  The length
:       of the Challenge Value depends upon the method used to generate
:       the octets, and is independent of the hash algorithm used.
: 
:       The Response Value is the one-way hash calculated over 
: a stream of
:       octets consisting of the Identifier, followed by (concatenated
:       with) the "secret", followed by (concatenated with) the 
: Challenge
:       Value.  The length of the Response Value depends upon the hash
:       algorithm used (16 octets for MD5).
: 
:    Name
: 
:       The Name field is one or more octets representing the
:       identification of the system transmitting the packet.  There are
:       no limitations on the content of this field.  For 
: example, it MAY
:       contain ASCII character strings or globally unique 
: identifiers in
:       ASN.1 syntax.  The Name should not be NUL or CR/LF terminated.
:       The size is determined from the Length field.

Follow-Ups:
- Re: iSCSI: Login authentication SRP/CHAP
  - From: Steve Senum <ssenum@cisco.com>

Prev by Date: RE: Question on security document
Next by Date: Re: iSCSI: Login authentication SRP/CHAP
Prev by thread: Re: iSCSI: Login authentication SRP/CHAP
Next by thread: Re: iSCSI: Login authentication SRP/CHAP
Index(es):
- Date
- Thread

Home

Last updated: Thu Oct 18 18:17:29 2001
7288 messages in chronological order