RE: Generation of CHAP Secrets...

Question... How will my endpoint determine the randomness of the CHAP key and therefore determine if the CHAP key is valid for the encryption level of the link? I am assuming by the requirement as stated that I have to test the CHAP secret for randomness to determine that there are really more than 96 bits of randomness in the secret, and if there are not, and the link is not encrypted, reject the connection.

Bill

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu] On Behalf Of Black_David@emc.com
Sent: Tuesday, August 20, 2002 11:23 AM
To: Hutchinson_Adam@emc.com; ips@ece.cmu.edu
Subject: RE: Generation of CHAP Secrets...

> Do the following statements mean that users should not be allowed to
> create their own secrets (passwords) to ensure the randomness of all secrets?
>
> When CHAP is performed over a non-encrypted channel, it is vulnerable
> to an off-line dictionary attack. Implementations MUST support use of
> up to 128 bits random CHAP secrets, including the means to generate
> such secrets and to accept them from an external generation source.
> Implementations MUST NOT provide secret generation (or expansion)
> means other than random generation.

Yes, that is correct. iSCSI requires 96 or more bits of randomness in CHAP secrets to thwart exhaustive search and dictionary attacks. A typical user-chosen password/secret has less than 20 bits of randomness. If weaker CHAP secrets are used, the iSCSI connection MUST be encrypted:

   An administrative entity of an environment in which CHAP is used with a secret that has less than 96 random bits MUST enforce IPsec encryption (according to the implementation requirements in Section 7.3.2 Confidentiality) to protect the connection.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 FAX: +1 (508) 497-8018
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
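An added illustration of the policy discussed in this exchange (example code, not from the thread or from any iSCSI implementation): an endpoint cannot measure the true randomness of a secret handed to it, so the workable design is to generate its own secrets from a CSPRNG and, for externally supplied text secrets, apply a conservative length-and-alphabet upper bound against the 96-bit threshold, allowing weaker secrets only when IPsec encryption is enforced. The function names, the 16-byte generated size and the alphabet-based estimate are assumptions made here.

```python
import math
import secrets
import string

MIN_RANDOM_BITS = 96          # threshold quoted in the thread
GENERATED_SECRET_BYTES = 16   # 128 bits, the size implementations MUST support (assumed here)


def generate_chap_secret() -> bytes:
    """Random 128-bit CHAP secret from the OS CSPRNG, the only generation means allowed."""
    return secrets.token_bytes(GENERATED_SECRET_BYTES)


def entropy_upper_bound_bits(secret: str) -> float:
    """Upper bound on the randomness of a human-supplied text secret.

    Assumption (not from the thread): every character is an independent, uniform
    draw from the union of the character classes present.  Real user-chosen
    passwords fall far below this bound, so it can only be used to reject, never
    to prove a secret strong.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " ")
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in secret))
    if alphabet == 0:
        return 0.0
    return len(secret) * math.log2(alphabet)


def check_chap_secret(secret, ipsec_enforced: bool):
    """Policy from the thread: under 96 random bits is acceptable only with IPsec encryption.

    Returns (accept, reason).  Binary secrets are assumed to come from a random
    generator (e.g. generate_chap_secret) and are credited 8 bits per byte.
    """
    if isinstance(secret, (bytes, bytearray)):
        bits = 8 * len(secret)
    else:
        bits = entropy_upper_bound_bits(secret)
    if bits >= MIN_RANDOM_BITS:
        return True, f"secret may carry {bits:.0f} random bits"
    if ipsec_enforced:
        return True, f"weak secret ({bits:.0f} bits) allowed only because IPsec encryption is enforced"
    return False, f"weak secret ({bits:.0f} bits) on an unencrypted link: reject"


if __name__ == "__main__":
    print(check_chap_secret(generate_chap_secret(), ipsec_enforced=False))
    print(check_chap_secret("password", ipsec_enforced=False))   # constructed weak secret
    print(check_chap_secret("password", ipsec_enforced=True))
```

Note that the bound overestimates dictionary passphrases (all-lowercase words score 4.7 bits per character), which is why the thread's reply treats a generated random secret, not a checked user secret, as the normal case.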