SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: iSCSI login authentication



    >>>>> "Williams" == Williams, Jim <Jim.Williams@emulex.com> writes:
    
     Williams> ...How long is it acceptable to take in performing or
     Williams> verifying authentication?  How big are the numbers
     Williams> involved?  There are public domain authentication software.
     Williams> Have experiments been done to determine the computation
     Williams> requirements on a typical embedded processor versus number
     Williams> size?
    
    A note in 1999 on the ipsec lists quotes measurements by Eric Young:
    
        Some just generated numbers :-).
    
        mul  256 ^  256 % 256 ->     1.446ms
        mul  512 ^  512 % 512 ->     8.430ms
        mul 1024 ^ 1024 % 1024 ->   53.510ms
        mul 2048 ^ 2048 % 2048 ->  366.214ms
        mul 4096 ^ 4096 % 4096 -> 2519.000ms
    
        Pentium II 450, Visual C 6.0 + 586 
        asm.  This build is targeted at
        512^512%512
    
        eric
        --
        Eric Young | eay@pobox.com
    
     Williams> draft-ietf-ips-iscsi-12 states:
    
     Williams> "N [for SRP] is required to be a Sophie-German prime.
     Williams> [...] N MUST be at least 768 bits. [...]  The Initiator
     Williams> MUST verify that they satisfy the above requirements. [...]
     Williams> This verification MAY start by trying to match N and g with
     Williams> a well-known group that satisfies the above requirements."
    
     Williams> What is the maximum length of N?  Also stated is:
    
     Williams> "The length of N,g,s,A,B,M in binary form (not the length
     Williams> of the character string that represents them in encoded
     Williams> form) MUST not exceed 1024 bytes."
    
     Williams> 1024 bytes is 8192 bits.  Do we really want to allow
     Williams> numbers that big? 
    
    The reason given for the 8192 bit length is to allow for future
    growth.  That sounds reasonable.  
    
    There's an I-D proposing D-H groups up to 8192 bits
    (draft-ietf-ipsec-ike-modp-groups).  It looks like groups beyond 2048
    are only interesting if you believe AES needs keys longer than 128
    bits for your purposes.
    
     Williams> Also, why is selecting N and g from a well-known group a
     Williams> "MAY"?  Verifying that N is a Sophie-German prime by means
     Williams> of probabilistic primality testing requires significantly
     Williams> more computation than the authentication itself.  Also
     Williams> letting a target or initiator choses its own custimized
     Williams> value of N does not seem conducive to good security.
    
    The standardized groups (at least for IKE) have had the primality of N
    verified rigorously, not just probabilistically.  A probabilistic test
    may be adequate for individual exchanges, but it feels a bit
    uncomfortable. 
    
     Williams> I would suggest more appropriate might be something like:
     Williams> "N MUST be at least 768 bits.  N SHOULD be no larger than
     Williams> <TBD> bits and MUST be selected from the well-known group
     Williams> <xyz>.  If a target or initiator receives a proposed value
     Williams> of N larger than <TBD> bits it MAY be rejected.  and if it
     Williams> is not contained in the well-known group <xyz>, this value
     Williams> SHOULD (MUST??)  be rejected.  Otherwise the value of N
     Williams> SHOULD be accepted."
    
    I proposed earlier that the ability to specify N and g should be
    deleted and replaced by an enumerated list of specific standarized
    groups, exactly as IKE does it.  There has been no feedback on that
    except for Tom Wu's comment that g=2 is not an appropriate choice for
    SRP (unlike IKE).  So that means the IKE groups are not directly
    useable because we would have to replace g=2 by g=<a generator> for
    SRP. 
    
    I don't know if the objection to g=2 is applicable to DH-CHAP;
    unfortunately, that question goes well beyond my crypto skills but
    there are others on this list who do have the ability to answer that
    question.
    
    The SRP RFC lists several groups, but it does not explicitly state how
    they were verified.  It would be good to know that each N was
    rigorously tested for primality.
    
    So I would like to see us enumerate a small set of groups, starting at
    768 bits and preferably at this time going no higher than 2048 bits at
    the very most.  Those groups would be identified in the protocol by an
    ID (small IANA implication here?).  That eliminates the complexity
    and risk of permitting other groups or pseudo-groups.  For the list of
    groups, I'd suggests the SRP list (preferably with the supporting data
    I mentioned) and perhaps the IKE groups if there is someone who can
    produce appropriate values for g.
    
    Actually, I'd be comfortable with just a single group of size 768;
    it's certainly hard to see why putting anything stronger in DH-CHAP
    makes sense.  For SRP, I'd argue the same because anyplace that feels
    it needs stronger protection will clearly want to use IPsec, and then
    the SRP exchange is protected inside IPsec.
    
        paul
    
    


Home

Last updated: Tue Apr 30 12:18:28 2002
9880 messages in chronological order