RE: Generation of CHAP Secrets...

> Do the following statements mean that users should not be allowed to
> create their own secrets (passwords) to ensure the randomness of all secrets?
>
>    When CHAP is performed over a non-encrypted channel, it is vulnerable
>    to an off-line dictionary attack. Implementations MUST support
>    use of up to 128 bits random CHAP secrets, including the means to
>    generate such secrets and to accept them from an external generation
>    source. Implementations MUST NOT provide secret generation (or expansion)
>    means other than random generation.

Yes, that is correct. iSCSI requires 96 or more bits of randomness
in CHAP secrets to thwart exhaustive search and dictionary attacks.
A typical user-chosen password/secret has less than 20 bits of randomness.
If weaker CHAP secrets are used, the iSCSI connection MUST be encrypted:

   An administrative entity of an environment in which CHAP is used with
   a secret that has less than 96 random bits MUST enforce IPsec encryption
   (according to the implementation requirements in Section 7.3.2
   Confidentiality) to protect the connection.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 FAX: +1 (508) 497-8018
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
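The requirements quoted in the message above, sketched as an added example (not part of the original message or of any iSCSI implementation): random generation only, acceptance of externally generated secrets without expansion, and refusal of an unencrypted connection when the secret has fewer than 96 random bits. All names are hypothetical, and `random_bits` is a value declared by the generator or the administrator, since randomness cannot be measured from the secret's bytes.

```python
import secrets
from dataclasses import dataclass

MAX_GENERATED_BITS = 128   # message: up to 128 bits random CHAP secrets
MIN_UNENCRYPTED_BITS = 96  # message: below this, IPsec encryption MUST be enforced


@dataclass(frozen=True)
class ChapCredential:      # hypothetical record type
    secret: bytes
    random_bits: int       # declared, not measured

    def __post_init__(self):
        # A secret cannot carry more randomness than it has bits.
        if not 0 <= self.random_bits <= len(self.secret) * 8:
            raise ValueError("declared random_bits exceeds secret length")


def generate_chap_secret(bits: int = MAX_GENERATED_BITS) -> ChapCredential:
    """The only generation path: OS CSPRNG output, never derived from a password."""
    # Design choice of this example: never generate below the 96-bit floor.
    if bits % 8 or not MIN_UNENCRYPTED_BITS <= bits <= MAX_GENERATED_BITS:
        raise ValueError("bits must be a multiple of 8 between 96 and 128")
    return ChapCredential(secrets.token_bytes(bits // 8), bits)


def import_external_secret(hex_text: str, random_bits: int) -> ChapCredential:
    """Accept a secret from an external generation source, stored unchanged."""
    raw = bytes.fromhex(hex_text.strip().removeprefix("0x"))  # ValueError if not hex
    if not raw:
        raise ValueError("empty secret")
    return ChapCredential(raw, random_bits)


def connection_allowed(cred: ChapCredential, ipsec_encrypted: bool) -> bool:
    """Weak secrets are usable only when the connection is IPsec-encrypted."""
    return cred.random_bits >= MIN_UNENCRYPTED_BITS or ipsec_encrypted


if __name__ == "__main__":
    strong = generate_chap_secret()
    # Constructed sample: a user-chosen password, declared at 20 random bits.
    weak = ChapCredential(b"winter2002", 20)
    for name, cred in (("generated", strong), ("user-chosen", weak)):
        print(name, "plain:", connection_allowed(cred, False),
              "ipsec:", connection_allowed(cred, True))
```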
Last updated: Wed Aug 21 18:18:53 2002