
    iSCSI: IKE groups and DH-CHAP



    > I proposed earlier that the ability to specify N and g should be
    > deleted and replaced by an enumerated list of specific standardized
    > groups, exactly as IKE does it.  There has been no feedback on that
    > except for Tom Wu's comment that g=2 is not an appropriate choice for
    > SRP (unlike IKE).  So that means the IKE groups are not directly
    > useable because we would have to replace g=2 by g=<a generator> for
    > SRP.
    
    I also like the enumerated list of groups approach, for many of
    the reasons Paul and Jim have pointed out. 
    
    > I don't know if the objection to g=2 is applicable to DH-CHAP;
    > unfortunately, that question goes well beyond my crypto skills but
    > there are others on this list who do have the ability to answer that
    > question.
    
    I don't believe so, because DH-CHAP is only doing an unadorned
    unauthenticated DH exchange.  I'm also not a crypto expert, but
    one possible cause for SRP's stronger requirement is that
    it's using significantly larger exponents than a DH exchange would.
    Perhaps Tom Wu can explain ...
    
    Thanks,
    --David
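
An added example (not part of the original message or of the iSCSI drafts): an IKE-style enumerated group table in which peers name a group id instead of sending N and g, plus a check of the order of g modulo a safe prime. It assumes the SRP concern is that g should be a primitive root modulo N; group ids 901 and 902 and all function names are hypothetical, and the two small primes are constructed for illustration.

```python
# Added example. Peers negotiate a group *id*; raw N and g are never accepted.
# Group 1 is the 768-bit IKE prime from RFC 2409 section 6.1 (generator 2).
IKE_GROUP_1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF",
    16,
)

# id -> (p, g). Ids 901 and 902 are hypothetical toy groups built on small
# constructed safe primes so the arithmetic can be checked by hand.
GROUPS = {
    1: (IKE_GROUP_1_P, 2),
    901: (23, 2),   # 23 = 2*11 + 1, and 23 % 8 == 7
    902: (11, 2),   # 11 = 2*5 + 1, and 11 % 8 == 3
}

def lookup_group(group_id):
    """Return (p, g) for a standardized id; anything else is rejected."""
    try:
        return GROUPS[group_id]
    except KeyError:
        raise ValueError(f"unknown DH group id: {group_id!r}") from None

def generator_order(p, g):
    """Order of g modulo a safe prime p = 2q + 1: one of 1, 2, q, 2q."""
    q = (p - 1) // 2
    g %= p
    if g == 0:
        raise ValueError("g must not be a multiple of p")
    if g == 1:
        return 1
    if g == p - 1:
        return 2
    return q if pow(g, q, p) == 1 else 2 * q

def is_primitive_root(p, g):
    """True when g generates the whole multiplicative group mod p."""
    return generator_order(p, g) == p - 1

if __name__ == "__main__":
    for gid in GROUPS:
        p, g = lookup_group(gid)
        kind = "full group" if is_primitive_root(p, g) else "subgroup of order q"
        print(f"group {gid}: g={g} generates the {kind}")
```

When p ≡ 7 (mod 8), 2 is a quadratic residue, so in group 1 it generates only the subgroup of order q = (p-1)/2 and is not a primitive root.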
    


Last updated: Tue Apr 30 13:18:32 2002