|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI: DH-CHAP resolutionWell, it looks like everything is going to CHAP. Before these last messages came out, I had already basically written up a document describing what I see are the main issues in authentication in iSCSI, along with the alternative approaches and their advantages and disadvantages. For anyone who's interested, you can find it at: http://cm.bell-labs.com/who/philmac/research/iscsi-authentication The last paragraph of that document desribes another approach that may be appropriate for iSCSI: Use CHAP with long keys, and if someone wants password authentication with high security, use another protocol *completely separate from iSCSI* to download user credentials (i.e., the long key for use with CHAP in iSCSI). Hopefully this protocol would be secured with PAK, or some other strong password authentication key exchange protocol, but that does not affect iSCSI. This type of approach is used in Plan 9. It is also similar to an approach currently being considered in the ipsra working group. -Phil
Home Last updated: Thu May 09 12:18:45 2002 10023 messages in chronological order |