Re: Generation of CHAP Secrets...

To: ips@ece.cmu.edu
Subject: Re: Generation of CHAP Secrets...
From: "Julian Satran" <Julian_Satran@il.ibm.com>
Date: Tue, 20 Aug 2002 22:09:50 +0300
Content-Type: multipart/alternative; boundary="=_alternative 006940ECC2256C1B_="
Sender: owner-ips@ece.cmu.edu

That is correct. It also says that you should not knowingly provide means to extend a "short(weak)" secret into an apparently long secret.

Julo

Hutchinson_Adam@emc.com
Sent by: owner-ips@ece.cmu.edu

08/20/2002 08:05 PM

To: ips@ece.cmu.edu
cc:
Subject: Generation of CHAP Secrets...

Do the following statements mean that users should not be allowed to create their own secrets (passwords) to ensure the randomness of all secrets?

When CHAP is performed over a non-encrypted channel, it is vulnerable

to an off-line dictionary attack. Implementations MUST support

use of up to 128 bits random CHAP secrets, including the means to

generate such secrets and to accept them from an external generation

source. Implementations MUST NOT provide secret generation (or expansion)

means other than random generation.

---

Adam

Home

Last updated: Wed Aug 21 18:18:53 2002
11658 messages in chronological order