    RE: Generation of CHAP Secrets...



    > Do the following statements mean that users should not be allowed to
    > create their own secrets (passwords) to ensure the randomness of all
    > secrets?
    >  
    > When CHAP is performed over a non-encrypted channel, it is vulnerable
    > to an off-line dictionary attack. Implementations MUST support
    > use of up to 128 bits random CHAP secrets, including the means to
    > generate such secrets and to accept them from an external generation
    > source. Implementations MUST NOT provide secret generation (or expansion)
    > means other than random generation.
    
    Yes, that is correct.  iSCSI requires 96 or more bits of randomness in CHAP
    secrets to thwart exhaustive search and dictionary attacks.  A typical
    user-chosen password/secret has less than 20 bits of randomness.  If weaker
    CHAP secrets are used, the iSCSI connection MUST be encrypted:
    
       An administrative entity of an environment in which CHAP is used with
       a secret that has less than 96 random bits MUST enforce IPsec
       encryption (according to the implementation requirements in Section
       7.3.2 Confidentiality) to protect the connection.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449            FAX: +1 (508) 497-8018
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
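
An added example, not part of the message above or of the iSCSI draft: one way a provisioning tool could apply the rules discussed, generating secrets only from a random source, accepting externally generated ones, and refusing CHAP with a secret of fewer than 96 random bits unless the connection is IPsec-encrypted. All class and function names are hypothetical, and the hex input format and the choice to credit a user-chosen secret with zero random bits are assumptions.

```python
import secrets
from dataclasses import dataclass

MIN_RANDOM_BITS = 96   # below this the connection MUST be IPsec-encrypted
MAX_SECRET_BITS = 128  # size implementations MUST be able to generate and accept


@dataclass(frozen=True)
class ChapSecret:
    value: bytes
    random_bits: int  # bits known to come from a random source


def generate_secret(bits: int = MAX_SECRET_BITS) -> ChapSecret:
    """Random generation only: every bit comes from the OS CSPRNG."""
    if bits % 8 or not 8 <= bits <= MAX_SECRET_BITS:
        raise ValueError("bits must be a multiple of 8 between 8 and 128")
    return ChapSecret(secrets.token_bytes(bits // 8), bits)


def accept_external(hex_text: str, declared_random_bits: int) -> ChapSecret:
    """Accept a secret produced by an external generator (hex, optional 0x).

    Randomness is a property of how the secret was generated, so it is
    declared by the provisioning source and capped at the secret's length.
    """
    text = hex_text[2:] if hex_text.lower().startswith("0x") else hex_text
    value = bytes.fromhex(text)
    if not value:
        raise ValueError("empty secret")
    return ChapSecret(value, max(0, min(declared_random_bits, len(value) * 8)))


def accept_user_chosen(passphrase: str) -> ChapSecret:
    """Assumption: a user-chosen secret is credited with no random bits."""
    return ChapSecret(passphrase.encode("utf-8"), 0)


def ipsec_required(secret: ChapSecret) -> bool:
    return secret.random_bits < MIN_RANDOM_BITS


def login_permitted(secret: ChapSecret, ipsec_encrypted: bool) -> bool:
    """Refuse CHAP with a weak secret unless the connection is encrypted."""
    return ipsec_encrypted or not ipsec_required(secret)
```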
    


Last updated: Wed Aug 21 18:18:53 2002