RE: Generation of CHAP Secrets...

Bill,

> How will my endpoint determine the randomness of the CHAP key and
> therefore determine if the CHAP key is valid for the encryption level of
> the link? I am assuming by the requirement as stated that I have to
> test the CHAP secret for randomness to determine that there are really
> more than 96 bits of randomness in the secret, and if there are not, and
> the link is not encrypted reject the connection.

The randomness requirement is placed on the "administrative entity" which is not the iSCSI protocol endpoint. The CHAP secret does not have to be checked for randomness *by the iSCSI endpoint* (good thing, as it's not possible to check a bit string for a minimum amount of randomness if one does not know how it was generated).

The thing that an iSCSI endpoint SHOULD do is check the size of the CHAP secret if it can determine it (e.g., if an external RADIUS server is being used, an iSCSI endpoint may not know the size of the CHAP secret being used to authenticate its peer):

    A compliant implementation SHOULD NOT continue with the login step in
    which it should send a CHAP response (CHAP_R - Section 10.1.4 Challenge
    Handshake Authentication Protocol (CHAP)) unless it can verify that
    either the CHAP secret is at least 96 bits, or that IPsec encryption is
    being used to protect the connection.

Also, please note the following related requirement:

    Implementations MUST NOT provide secret generation (or expansion) means
    other than random generation.

This text prohibits the "disastrous implementation shortcut" that I warned about in a previous message.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 FAX: +1 (508) 497-8018
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
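The two rules discussed in the message (check the secret's size, not its randomness, before sending CHAP_R, and generate secrets only by random generation), as an added Python illustration that is not part of David's message or of any iSCSI implementation. The function names, the `LoginDecision` categories and the "secret unknown to the endpoint" case standing in for the external-RADIUS situation are my own assumptions.

```python
import secrets
from enum import Enum
from typing import Optional, Tuple

# Minimum CHAP secret size (bits) the quoted text requires when the
# connection is not protected by IPsec encryption.
MIN_SECRET_BITS = 96


class LoginDecision(Enum):
    PROCEED = "proceed"            # safe to continue with the step that sends CHAP_R
    REJECT = "reject"              # secret too short and no IPsec: do not send CHAP_R
    UNVERIFIABLE = "unverifiable"  # secret size unknown here (e.g. external RADIUS)


def generate_chap_secret(num_bytes: int = 16) -> bytes:
    """Produce a CHAP secret by random generation only.

    The quoted requirement forbids any other generation or expansion
    scheme, so nothing here derives or stretches a secret from a seed.
    """
    if num_bytes * 8 < MIN_SECRET_BITS:
        raise ValueError(f"CHAP secret must be at least {MIN_SECRET_BITS} bits")
    return secrets.token_bytes(num_bytes)  # operating-system CSPRNG


def check_chap_response_allowed(secret: Optional[bytes],
                                ipsec_encryption: bool) -> Tuple[LoginDecision, str]:
    """Apply the SHOULD NOT rule before the login step that sends CHAP_R.

    Only the secret's size is checked: its randomness cannot be judged from
    the bit string itself, which is why that requirement falls on the
    administrative entity that generates the secret, not on the endpoint.
    """
    if ipsec_encryption:
        return LoginDecision.PROCEED, "connection protected by IPsec encryption"
    if secret is None:
        return LoginDecision.UNVERIFIABLE, "secret size not known to this endpoint"
    bits = len(secret) * 8
    if bits >= MIN_SECRET_BITS:
        return LoginDecision.PROCEED, f"CHAP secret is {bits} bits (>= {MIN_SECRET_BITS})"
    return LoginDecision.REJECT, f"CHAP secret is only {bits} bits and link is not encrypted"


if __name__ == "__main__":
    # Constructed sample inputs: a short human-chosen secret versus a random one.
    weak = b"secret"                   # 48 bits
    strong = generate_chap_secret(12)  # exactly 96 bits
    for s, ipsec in ((weak, False), (weak, True), (strong, False), (None, False)):
        print(check_chap_response_allowed(s, ipsec))
```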