SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Generation of CHAP Secrets...



    > the iSCSI draft talks of up to 128 bits of shared secret.  While
    performing 
    > HASH, the MD5 will yield 128 bits, but SHA-1 (recommended Hashing
    algorithm, 
    > Sec 7.3.1) will generate 160 bits.  Seems to me that the shared secret
    should 
    > be allowed to be up to 160 bits..unless we allow MD5 for CHAP and then 
    > possibly pad the hash? Or am I missing something here?
    
    There's no inherent upper limit on the size of the shared secret and it's
    not related to the output size of the hash algorithms.  128 bits is more
    than enough to get the job done, hence there's no need to require that
    implementations support more than that.  Generating more random bits and
    tossing some of them away is fine (e.g., IPsec ESP does exactly this to
    make its MD5 and SHA-1 HMACs fit in 96 bits), but they have to be *true*
    random bits - more below.
    
    While SHA-1 is the required hash for IPsec ESP, it does not work with
    CHAP for historical reasons (one has to use MD5) - see, the IANA registry,
    the PPP AUTHENTICATION ALGORITHMS section of:
    
    	http://www.iana.org/assignments/ppp-numbers
    
    While I'm sure Vijay did not mean to imply this, I want to warn
    implementers away from a potentially disastrous implementation shortcut:
    
    	**DO NOT** run a weak secret (e.g., password) through a hash
    	or similar algorithm to generate something that appears to be
    	a sufficiently-sized random CHAP secret.
    
    The result of doing this is no stronger than the original weak
    secret (e.g., password) - if this shortcut technique is used, the
    result falls under iSCSI's "MUST enforce IPsec encryption" language.
    
    This is a well-known implementation mistake (e.g.,
    Netscape was publicly bitten by it several years ago).  A specific
    example is that if one runs a password with 15 bits of randomness through
    MD5, the resulting 128 bit output still has 15 bits of randomness - an
    attacker need only run the dictionary words through MD5 [15 bit search
    space] to mount an exhaustive attack, and the fact that the quantities
    being checked are 128 bits in size does not improve security.
    
    If one wants 128 bits of randomness, one needs to start with 128 random
    bits - it really is that simple.  Using a hash does not increase the
    amount of randomness.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449            FAX: +1 (508) 497-8018
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    


Home

Last updated: Wed Aug 21 18:18:52 2002
11658 messages in chronological order