|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: Generation of CHAP Secrets...> the iSCSI draft talks of up to 128 bits of shared secret. While performing > HASH, the MD5 will yield 128 bits, but SHA-1 (recommended Hashing algorithm, > Sec 7.3.1) will generate 160 bits. Seems to me that the shared secret should > be allowed to be up to 160 bits..unless we allow MD5 for CHAP and then > possibly pad the hash? Or am I missing something here? There's no inherent upper limit on the size of the shared secret and it's not related to the output size of the hash algorithms. 128 bits is more than enough to get the job done, hence there's no need to require that implementations support more than that. Generating more random bits and tossing some of them away is fine (e.g., IPsec ESP does exactly this to make its MD5 and SHA-1 HMACs fit in 96 bits), but they have to be *true* random bits - more below. While SHA-1 is the required hash for IPsec ESP, it does not work with CHAP for historical reasons (one has to use MD5) - see, the IANA registry, the PPP AUTHENTICATION ALGORITHMS section of: http://www.iana.org/assignments/ppp-numbers While I'm sure Vijay did not mean to imply this, I want to warn implementers away from a potentially disastrous implementation shortcut: **DO NOT** run a weak secret (e.g., password) through a hash or similar algorithm to generate something that appears to be a sufficiently-sized random CHAP secret. The result of doing this is no stronger than the original weak secret (e.g., password) - if this shortcut technique is used, the result falls under iSCSI's "MUST enforce IPsec encryption" language. This is a well-known implementation mistake (e.g., Netscape was publicly bitten by it several years ago). A specific example is that if one runs a password with 15 bits of randomness through MD5, the resulting 128 bit output still has 15 bits of randomness - an attacker need only run the dictionary words through MD5 [15 bit search space] to mount an exhaustive attack, and the fact that the quantities being checked are 128 bits in size does not improve security. If one wants 128 bits of randomness, one needs to start with 128 random bits - it really is that simple. Using a hash does not increase the amount of randomness. Thanks, --David --------------------------------------------------- David L. Black, Senior Technologist EMC Corporation, 42 South St., Hopkinton, MA 01748 +1 (508) 249-6449 FAX: +1 (508) 497-8018 black_david@emc.com Mobile: +1 (978) 394-7754 ---------------------------------------------------
Home Last updated: Wed Aug 21 18:18:52 2002 11658 messages in chronological order |