
    RE: Generation of CHAP Secrets...



    Question...
    
    How will my endpoint determine the randomness of the CHAP key and
    therefore determine if the CHAP key is valid for the encryption level of
    the link?  I am assuming by the requirement as stated that I have to
    test the CHAP secret for randomness to determine that there are really
    more than 96 bits of randomness in the secret, and if there are not, and
    the link is not encrypted, reject the connection.
    
    Bill
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu] On Behalf Of
    Black_David@emc.com
    Sent: Tuesday, August 20, 2002 11:23 AM
    To: Hutchinson_Adam@emc.com; ips@ece.cmu.edu
    Subject: RE: Generation of CHAP Secrets...
    
    
    > Do the following statements mean that users should not be allowed to 
    > create their own secrets (passwords) to ensure the randomness of all
    > secrets?
    >  
    > When CHAP is performed over a non-encrypted channel, it is vulnerable 
    > to an off-line dictionary attack. Implementations MUST support use of 
    > up to 128 bits random CHAP secrets, including the means to generate 
    > such secrets and to accept them from an external generation source. 
    > Implementations MUST NOT provide secret generation (or expansion) 
    > means other than random generation.
    
    Yes, that is correct.  iSCSI requires 96 or more bits of randomness in
    CHAP secrets to thwart exhaustive search and dictionary attacks.  A
    typical user-chosen password/secret has less than 20 bits of
    randomness.  If weaker CHAP secrets are used, the iSCSI connection MUST
    be encrypted:
    
       An administrative entity of an environment in which CHAP is used with
       a secret that has less than 96 random bits MUST enforce IPsec encryption
       (according to the implementation requirements in Section 7.3.2
       Confidentiality) to protect the connection.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449            FAX: +1 (508) 497-8018
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
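The following is an added example and is not code from the IPS thread or from any iSCSI implementation. It shows the two points the exchange above turns on: a secret drawn from the OS CSPRNG at the 96..128 bit sizes the requirement names, and the off-line dictionary attack that an eavesdropper on an unencrypted link can run against a captured CHAP exchange (CHAP with MD5 as in RFC 1994: MD5 over Identifier, secret, Challenge). On the question of testing a secret for randomness: entropy is a property of the generator, not of one string, so the example's endpoint does not try to measure it; it enforces form instead, admitting only a 0x-hex or 0b-base64 binary value (the large-binary-value encodings of RFC 3720) of at least 96 bits, and rejecting anything typed as a password. All function names, the fixed challenge and the word list are constructed for this example.

```python
"""Added example (not part of the IPS thread): random CHAP secret handling
and the off-line dictionary attack the thread refers to.  Function names are
my own; the 0x/0b encodings follow the large-binary-value syntax of RFC 3720.
"""
import base64
import hashlib
import secrets

MIN_SECRET_BITS = 96    # below this, iSCSI requires IPsec on the connection
MAX_SECRET_BITS = 128   # implementations must support secrets this large


def generate_chap_secret(nbits: int = MAX_SECRET_BITS) -> bytes:
    """Draw a CHAP secret from the OS CSPRNG; no user-chosen or expanded input."""
    if nbits % 8 or not MIN_SECRET_BITS <= nbits <= MAX_SECRET_BITS:
        raise ValueError("secret length must be 96..128 bits, a multiple of 8")
    return secrets.token_bytes(nbits // 8)


def encode_secret(raw: bytes, use_base64: bool = False) -> str:
    """Encode raw bytes as an iSCSI large-binary-value: 0x<hex> or 0b<base64>."""
    if use_base64:
        return "0b" + base64.b64encode(raw).decode("ascii")
    return "0x" + raw.hex()


def decode_secret(text: str) -> bytes:
    """Inverse of encode_secret; anything else (e.g. a typed password) is rejected."""
    if text.startswith(("0x", "0X")):
        return bytes.fromhex(text[2:])
    if text.startswith(("0b", "0B")):
        return base64.b64decode(text[2:], validate=True)
    raise ValueError("secret is not a 0x/0b encoded binary value")


def accept_external_secret(text: str) -> bytes:
    """Admit a secret supplied by an external generator.

    The endpoint cannot test one string for entropy, so it enforces form:
    a raw binary value (never a password) carrying at least MIN_SECRET_BITS.
    """
    raw = decode_secret(text)
    if len(raw) * 8 < MIN_SECRET_BITS:
        raise ValueError(f"secret is {len(raw) * 8} bits; need {MIN_SECRET_BITS}")
    return raw


def is_rejected(text: str) -> bool:
    """True if accept_external_secret refuses the supplied value."""
    try:
        accept_external_secret(text)
    except ValueError:
        return True
    return False


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def offline_dictionary_attack(ident, challenge, response, candidates):
    """What an eavesdropper on an unencrypted link does with one captured exchange."""
    for cand in candidates:
        if chap_response(ident, cand, challenge) == response:
            return cand
    return None


# Constructed sample exchange: a fixed challenge keeps the result reproducible.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENT = 1
WORDLIST = [b"letmein", b"iscsi", b"password", b"Welcome1"]  # constructed


def demo() -> dict:
    weak = b"password"                  # well under 20 bits; in every word list
    strong = generate_chap_secret(128)  # 128 bits from the CSPRNG
    return {
        "weak_recovered": offline_dictionary_attack(
            IDENT, CHALLENGE, chap_response(IDENT, weak, CHALLENGE), WORDLIST),
        "strong_recovered": offline_dictionary_attack(
            IDENT, CHALLENGE, chap_response(IDENT, strong, CHALLENGE), WORDLIST),
        "strong_bits": len(strong) * 8,
    }


if __name__ == "__main__":
    print(encode_secret(generate_chap_secret()))
    print(demo())
```

The attacker side needs only the Identifier, Challenge and Response from one captured exchange, which is exactly what an unencrypted link exposes; the word list is tiny here, but a 128-bit CSPRNG secret is out of reach of any list or exhaustive search, while a password-shaped secret is not. The acceptance check refuses "password" on form alone, not because it has measured its entropy.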
Last updated: Wed Aug 21 18:18:52 2002