|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI:SRP> They asked us to "consider" DH+Chap but it was not a hard requirement, you > told us that they would accept Chap, but wanted us to consider a way to > make it more secure. I think the work that has been done, is clearly > considering it, and with the combination of SRP and current Chap clearly > meets requirements. That work is not complete. There are at least two technical explanations missing that have to go into the iSCSI specification in order to pursue this course of action: (1) Why is CHAP by itself not sufficient? (2) Why is SRP preferable to DH-CHAP? The second one is crucial as it is the justification to the IESG that technology potentially subject to patents needs to be used in preference to unencumbered technology. I also think that the focus on MUST/SHOULD/MAY to the detriment of technical discussion of the alternatives is premature - we have to have solid technical reasons for our decisions ... and if we don't provide them the first time, the IESG will be happy to return the iSCSI draft to the WG for us to do them over. I suggest focusing on at least (1) and (2) above rather than MUST/SHOULD/MAY. Since some people clearly want to dig into this, here's a one-sentence summary of DH+CHAP: The basic idea is to augment the CHAP challenge with the key that results from the Diffie-Hellman exchange so that the CHAP response depends on both of them. This is not identical to what I may have discussed with some people in the past, as it has now received some expert review and been modified accordingly. For CHAP, see RFC 1994. For the Diffie-Hellman exchange, Section 22.1 of Schneier's Applied Cryptography book, is one of many sources that describe it. For anyone concerned about computation operations, one additional invocation of the one-way hash is needed on each side in addition to the DH calculations and CHAP's one-way hash invocation. In practice, the DH calculations (exponentiations in particular) are the computationally expensive part. That should be enough to start a discussion of requirements and implementation implications in the absence of the complete Internet-Draft; I'm sorry that the latter's not available yet ... I will try to get it done soon. Thanks, --David --------------------------------------------------- David L. Black, Senior Technologist EMC Corporation, 42 South St., Hopkinton, MA 01748 +1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500 black_david@emc.com Cell: +1 (978) 394-7754 ---------------------------------------------------
Home Last updated: Wed Apr 03 16:18:19 2002 9458 messages in chronological order |