iSCSI: IKE groups and DH-CHAP

To: ni1d@arrl.net
Subject: iSCSI: IKE groups and DH-CHAP
From: Black_David@emc.com
Date: Sun, 28 Apr 2002 01:15:38 -0400
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

> I proposed earlier that the ability to specify N and g should be
> deleted and replaced by an enumerated list of specific standardized
> groups, exactly as IKE does it.  There has been no feedback on that
> except for Tom Wu's comment that g=2 is not an appropriate choice for
> SRP (unlike IKE).  So that means the IKE groups are not directly
> useable because we would have to replace g=2 by g=<a generator> for
> SRP.

I also like the enumerated list of groups approach, for many of
the reasons Paul and Jim have pointed out. 

> I don't know if the objection to g=2 is applicable to DH-CHAP;
> unfortunately, that question goes well beyond my crypto skills but
> there are others on this list who do have the ability to answer that
> question.

I don't believe so, because DH-CHAP is only doing an unadorned
unauthenticated DH exchange.  I'm also not a crypto expert, but
one possible cause for SRP's stronger requirement is that
it's using significantly larger exponents than a DH exchange would.
Perhaps Tom Wu can explain ...

Thanks,
--David

Prev by Date: RE: ISCSI: Login Parameters - Defaults?
Next by Date: iSCSI: Authentication thoughts
Prev by thread: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Next by thread: iSCSI: Authentication thoughts
Index(es):
- Date
- Thread

Home

Last updated: Tue Apr 30 13:18:32 2002
9887 messages in chronological order