
    Re: iSCSI: Login authentication SRP/CHAP



    Michael,
    
    Michael Schoberg wrote:
    > 
    > Steve,
    > 
    > So a CHAP calculation is:
    >         <initialize digest>
    >         MD5(<CHAP_I>)
    >         MD5(<secret>)
    >         MD5(<CHAP_C>)
    >         -> 16 byte digest
    > -or-
    >         <initialize digest>
    >         MD5(<CHAP_I> | <secret> | <CHAP_C>)  Where "|" is a concatenation
    > function.
    >         -> 16 byte digest
    
    The above looks correct.
    
    > 
    > Shouldn't we be using the CHAP_N field rather than CHAP_I (CHAP Identifier)?
    
    No, CHAP_I is correct.  CHAP_N (CHAP Name) is used to determine
    the shared secret.
    
    > 
    > I also noticed that RFC 1994 says to use the identifier (CHAP_I) as a
    > reference in the response.  The iSCSI draft doesn't refer to the CHAP_I
    > value in the response.
    
    Ofer and I didn't put CHAP_I in the response because:
    
    1. It would break the bi-directional CHAP option.  We would
    have to define a different key for the response to avoid
    key ambiguities.
    
    2. We don't really need it, as PPP CHAP's purpose was to
    match up challenges and responses on an unreliable link.
    However, since it is part of the hash calculation, we
    still need to send it with the challenge.
    
    Regards,
    Steve Senum
    
    
    > : The CHAP_I (identifier), CHAP_C (challenge),
    > : CHAP_N (name) and CHAP_R (response)
    > : are also specified in RFC 1994:
    > :
    > :    Identifier
    > :
    > :       The Identifier field is one octet.  The Identifier field MUST be
    > :       changed each time a Challenge is sent.
    > :
    > :       The Response Identifier MUST be copied from the Identifier field
    > :       of the Challenge which caused the Response.
    > :
    > :    Value (challenge and response)
    > :
    > :       The Value field is one or more octets.  The most significant octet
    > :       is transmitted first.
    > :
    > :       The Challenge Value is a variable stream of octets.  The
    > :       importance of the uniqueness of the Challenge Value and its
    > :       relationship to the secret is described above.  The Challenge
    > :       Value MUST be changed each time a Challenge is sent.  The length
    > :       of the Challenge Value depends upon the method used to generate
    > :       the octets, and is independent of the hash algorithm used.
    > :
    > :       The Response Value is the one-way hash calculated over a stream of
    > :       octets consisting of the Identifier, followed by (concatenated
    > :       with) the "secret", followed by (concatenated with) the Challenge
    > :       Value.  The length of the Response Value depends upon the hash
    > :       algorithm used (16 octets for MD5).
    > :
    > :    Name
    > :
    > :       The Name field is one or more octets representing the
    > :       identification of the system transmitting the packet.  There are
    > :       no limitations on the content of this field.  For example, it MAY
    > :       contain ASCII character strings or globally unique identifiers in
    > :       ASN.1 syntax.  The Name should not be NUL or CR/LF terminated.
    > :       The size is determined from the Length field.
    


Last updated: Fri Oct 19 05:17:42 2001