SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME

    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Generation of CHAP Secrets...

    Question...

How will my endpoint determine the randomness of the CHAP key and
therefor determine if the CHAP key is valid for the encryption level of
the link ?  I am assuming by the requirement as stated that I have to
test the CHAP secret for randomness to determine that there are really
more than 96 bits of randomness in the secret, and if there are not, and
the link is not encrypted reject the connection.

Bill

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu] On Behalf Of
Black_David@emc.com
Sent: Tuesday, August 20, 2002 11:23 AM
To: Hutchinson_Adam@emc.com; ips@ece.cmu.edu
Subject: RE: Generation of CHAP Secrets...


> Do the following statements mean that users should not be allowed to 
> create their own secrets (passwords) to ensure the randomness of all
secrets?
>  
> When CHAP is performed over a non-encrypted channel, it is vulnerable 
> to an off-line dictionary attack. Implementations MUST support use of 
> up to 128 bits random CHAP secrets, including the means to generate 
> such secrets and to accept them from an external generation source. 
> Implementations MUST NOT provide secret generation (or expansion) 
> means other than random generation.

Yes, that is correct.  iSCSI requires 96 or more bits of randomness in
CHAP secrets to thwart exhaustive search and dictionary attacks.  A
typical user- chosen password/secret has less than 20 bits of
randomness.  If weaker CHAP secrets are used, the iSCSI connection MUST
be encrypted:

   An administrative entity of an environment in which CHAP is used with

   a secret that has less than 96 random bits MUST enforce IPsec encryp-
   tion (according to the implementation requirements in Section 7.3.2 
   Confidentiality) to protect the connection.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449            FAX: +1 (508) 497-8018
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

Home

Last updated: Wed Aug 21 18:18:52 2002
11658 messages in chronological order