SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Fwd: Generation of CHAP Secrets...



    David,

    I believe, the secret size does have a direct impact on the cryptograohic strength of the hash. If the secret size is less than the hashed value of the algorithm, then it makes it easier for an exhaustive search attack. For reference, here is a quote from the CHAP RFC page 3:

    The CHAP algorithm requires that the length of the secret MUST be at
       least 1 octet.  The secret SHOULD be at least as large and
       unguessable as a well-chosen password.  It is preferred that the
       secret be at least the length of the hash value for the hashing
       algorithm chosen (16 octets for MD5).  This is to ensure a
       sufficiently large range for the secret to provide protection against
       exhaustive search attacks.

    In a message dated 8/21/2002 9:50:42 AM Eastern Daylight Time, Black_David@emc.com writes:


    There's no inherent upper limit on the size of the shared secret and it's
    not related to the output size of the hash algorithms.  128 bits is more
    than enough to get the job done, hence there's no need to require that
    implementations support more than that.  Generating more random bits and
    tossing some of them away is fine (e.g., IPsec ESP does exactly this to
    make its MD5 and SHA-1 HMACs fit in 96 bits), but they have to be *true*
    random bits - more below.





    > the iSCSI draft talks of up to 128 bits of shared secret.  While
    performing 
    > HASH, the MD5 will yield 128 bits, but SHA-1 (recommended Hashing
    algorithm, 
    > Sec 7.3.1) will generate 160 bits.  Seems to me that the shared secret
    should 
    > be allowed to be up to 160 bits..unless we allow MD5 for CHAP and then 
    > possibly pad the hash? Or am I missing something here?
    
    There's no inherent upper limit on the size of the shared secret and it's
    not related to the output size of the hash algorithms.  128 bits is more
    than enough to get the job done, hence there's no need to require that
    implementations support more than that.  Generating more random bits and
    tossing some of them away is fine (e.g., IPsec ESP does exactly this to
    make its MD5 and SHA-1 HMACs fit in 96 bits), but they have to be *true*
    random bits - more below.
    
    While SHA-1 is the required hash for IPsec ESP, it does not work with
    CHAP for historical reasons (one has to use MD5) - see, the IANA registry,
    the PPP AUTHENTICATION ALGORITHMS section of:
    
        http://www.iana.org/assignments/ppp-numbers
    
    While I'm sure Vijay did not mean to imply this, I want to warn
    implementers away from a potentially disastrous implementation shortcut:
    
        **DO NOT** run a weak secret (e.g., password) through a hash
        or similar algorithm to generate something that appears to be
        a sufficiently-sized random CHAP secret.
    
    The result of doing this is no stronger than the original weak
    secret (e.g., password) - if this shortcut technique is used, the
    result falls under iSCSI's "MUST enforce IPsec encryption" language.
    
    This is a well-known implementation mistake (e.g.,
    Netscape was publicly bitten by it several years ago).  A specific
    example is that if one runs a password with 15 bits of randomness through
    MD5, the resulting 128 bit output still has 15 bits of randomness - an
    attacker need only run the dictionary words through MD5 [15 bit search
    space] to mount an exhaustive attack, and the fact that the quantities
    being checked are 128 bits in size does not improve security.
    
    If one wants 128 bits of randomness, one needs to start with 128 random
    bits - it really is that simple.  Using a hash does not increase the
    amount of randomness.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449            FAX: +1 (508) 497-8018
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    




Home

Last updated: Thu Aug 22 15:18:52 2002
11662 messages in chronological order