
RE: Generation of CHAP Secrets...

Bill,

> How will my endpoint determine the randomness of the CHAP key and
> therefore determine if the CHAP key is valid for the encryption level of
> the link?  I am assuming by the requirement as stated that I have to
> test the CHAP secret for randomness to determine that there are really
> more than 96 bits of randomness in the secret, and if there are not, and
> the link is not encrypted, reject the connection.

The randomness requirement is placed on the "administrative entity" which
is not the iSCSI protocol endpoint.  The CHAP secret does not have to
be checked for randomness *by the iSCSI endpoint* (good thing, as it's
not possible to check a bit string for a minimum amount of randomness if
one does not know how it was generated).  The thing that an iSCSI endpoint
SHOULD do is check the size of the CHAP secret if it can determine it (e.g.,
if an external RADIUS server is being used, an iSCSI endpoint may not know
the size of the CHAP secret being used to authenticate its peer):

   A compliant implementation SHOULD NOT continue with the login step in
   which it should send a CHAP response (CHAP_R - Section 10.1.4 Challenge
   Handshake Authentication Protocol (CHAP)) unless it can verify
   that either the CHAP secret is at least 96 bits, or that IPsec
   encryption is being used to protect the connection.

Also, please note the following related requirement:

   Implementations MUST NOT provide secret generation (or expansion)
   means other than random generation.

This text prohibits the "disastrous implementation shortcut"
that I warned about in a previous message.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449            FAX: +1 (508) 497-8018
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------
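The two requirements quoted in the message above (an endpoint-side size check before sending CHAP_R, and random-only secret generation) can be written down as a small piece of endpoint logic. The following is an added illustration, not code from the thread or from any iSCSI implementation. It assumes MD5-based CHAP as defined in RFC 1994 (Response = MD5(Identifier || Secret || Challenge)), and it treats a secret the endpoint cannot see (the RADIUS case mentioned above) as "cannot verify", so the login step is not continued unless IPsec protects the connection; that conservative reading of "unless it can verify" is the example's assumption, as are all function names.

```python
import hashlib
import secrets
from typing import Optional

# Minimum secret size named in the quoted iSCSI requirement.
MIN_SECRET_BITS = 96


def generate_chap_secret(nbits: int = 128) -> bytes:
    """Produce a CHAP secret by random generation only.

    The quoted text forbids any other generation or expansion means, so this
    deliberately offers no way to derive a secret from a password or a shorter
    seed. Sizes below the 96-bit floor are refused outright.
    """
    if nbits < MIN_SECRET_BITS or nbits % 8 != 0:
        raise ValueError(f"secret must be a whole number of bytes and >= {MIN_SECRET_BITS} bits")
    return secrets.token_bytes(nbits // 8)


def may_send_chap_response(secret: Optional[bytes], ipsec_protected: bool) -> bool:
    """Endpoint-side check before the login step that would send CHAP_R.

    Continue only if the endpoint can verify at least one of:
      * IPsec encryption protects the connection, or
      * the CHAP secret is at least MIN_SECRET_BITS long.
    A secret of None models the external-RADIUS case: the endpoint cannot
    determine the size, so (assumption) it cannot verify and must rely on IPsec.
    Note that nothing here tries to measure randomness; the endpoint cannot.
    """
    if ipsec_protected:
        return True
    if secret is None:
        return False
    return len(secret) * 8 >= MIN_SECRET_BITS


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R for MD5 CHAP (RFC 1994): MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def login_step(identifier: int, secret: Optional[bytes], challenge: bytes,
               ipsec_protected: bool) -> Optional[bytes]:
    """Return CHAP_R if the size/IPsec check passes, else None (do not continue)."""
    if not may_send_chap_response(secret, ipsec_protected):
        return None
    assert secret is not None  # guaranteed by the check when IPsec is absent
    return chap_response(identifier, secret, challenge)


if __name__ == "__main__":
    # Constructed sample values for a local run.
    short_secret = b"\x01" * 11          # 88 bits: below the floor
    ok_secret = generate_chap_secret()   # 128 random bits
    challenge = secrets.token_bytes(16)
    print("short secret, no IPsec :", login_step(7, short_secret, challenge, False))
    print("short secret, IPsec    :", login_step(7, short_secret, challenge, True).hex())
    print("128-bit secret, no IPsec:", login_step(7, ok_secret, challenge, False).hex())
    print("RADIUS-held secret, no IPsec:", login_step(7, None, challenge, False))
```

The `secret is None` branch is the part worth adjusting to a real deployment: an endpoint that delegates CHAP to RADIUS genuinely has no way to apply the size check itself, which is exactly why the message points to IPsec as the alternative condition.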
    


Last updated: Wed Aug 21 23:18:56 2002