iSCSI: Authenticating with SRP
Hi Julo,
When authenticating with SRP, I'm not sure exactly which parameters are
required. In particular, the example in appendix C conflicts with section
11.1.3.
Based on the example login transaction (Appendix C):
I-> Login (CSG,NSG=0,1 T=1)
    InitiatorName=iqn.1999-07.com.os:hostid.77
    TargetName=iqn.1999-07.com.example:diskarray.sn.88
    AuthMethod=KRB5,SRP,None
T-> Login-PR (CSG,NSG=0,0 T=0)
    AuthMethod=SRP
I-> Login (CSG,NSG=0,0 T=0)
    SRP_U=bob
    TargetAuth=Yes
T-> Login (CSG,NSG=0,0 T=0)
    SRP_g=2
    SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
    SRP_N=??????
In 11.1.3, the suggested sequence is:
I-> Login (CSG,NSG=0,1 T=1)
    InitiatorName=iqn.1999-07.com.os:hostid.77
    TargetName=iqn.1999-07.com.example:diskarray.sn.88
    AuthMethod=KRB5,SRP,None
T-> Login-PR (CSG,NSG=0,0 T=0)
    AuthMethod=SRP
I-> Login (CSG,NSG=0,0 T=0)
    SRP_U=bob
    TargetAuth=Yes
T-> Login (CSG,NSG=0,0 T=0)
    SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
    SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
I-> Login (CSG,NSG=0,0 T=0)
    SRP_A=0xABCDEF12345345354
    SRP_GROUP=SRP-1536
......
I don't understand this sequence, and neither does the initiator we are
playing with! ;-)
The first sequence doesn't negotiate the SRP_GROUP parameter, and the second
doesn't let the target provide an SRP_N or an SRP_g.
Should the full sequence be (try 1):
I-> Login (CSG,NSG=0,1 T=1)
    InitiatorName=iqn.1999-07.com.os:hostid.77
    TargetName=iqn.1999-07.com.example:diskarray.sn.88
    AuthMethod=KRB5,SRP,None
T-> Login-PR (CSG,NSG=0,0 T=0)
    AuthMethod=SRP
I-> Login (CSG,NSG=0,0 T=0)
    SRP_U=bob
    TargetAuth=Yes
T-> Login (CSG,NSG=0,0 T=0)
    SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
    SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
I-> Login (CSG,NSG=0,0 T=0)
    SRP_GROUP=SRP-1536
T-> Login (CSG,NSG=0,0 T=0)
    SRP_g=2
    SRP_N=0XABCD123132523453 (as per SRP_GROUP)
I-> Login (CSG,NSG=0,0 T=0)
    SRP_A=0xABCDEF12345345354
.... and things proceed from here
However, this introduces an extra step which may be collapsed (try 2):
I-> Login (CSG,NSG=0,1 T=1)
    InitiatorName=iqn.1999-07.com.os:hostid.77
    TargetName=iqn.1999-07.com.example:diskarray.sn.88
    AuthMethod=KRB5,SRP,None
T-> Login-PR (CSG,NSG=0,0 T=0)
    AuthMethod=SRP
    SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
I-> Login (CSG,NSG=0,0 T=0)
    SRP_GROUP=SRP-1536
    SRP_U=bob
    TargetAuth=Yes
T-> Login (CSG,NSG=0,0 T=0)
    SRP_g=2
    SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
    SRP_N=0XABCD123132523453 (as per SRP_GROUP)
I-> Login (CSG,NSG=0,0 T=0)
    SRP_A=0xABCDEF12345345354
.... and things proceed from here
Does this look right?
Thanks,
Ken
Ken Sandars
Eurologic Systems
Howard House
Queens Avenue
Bristol
United Kingdom
-----------------------------
Tel : +44 (0)117 9309616
Fax : +44 (0)117 9309601
-----------------------------
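
The mismatch described in the message above, as an added example that is not part of the original post or of the iSCSI draft: a small checker that walks each of the four login sequences and reports what the initiator has received by the time it sends SRP_A. The names `SEQUENCES` and `audit` are hypothetical, and the transcripts are condensed from the post (InitiatorName/TargetName and the parenthetical remarks dropped, one PDU per line).

```python
# Added example: the post's four login sequences, condensed (names dropped, one PDU per line).
SEQUENCES = {
    "appendix_c": """
        I-> AuthMethod=KRB5,SRP,None
        T-> AuthMethod=SRP
        I-> SRP_U=bob TargetAuth=Yes
        T-> SRP_g=2 SRP_s=0X12343456745ABCDS SRP_N=??????""",
    "section_11_1_3": """
        I-> AuthMethod=KRB5,SRP,None
        T-> AuthMethod=SRP
        I-> SRP_U=bob TargetAuth=Yes
        T-> SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048 SRP_s=0X12343456745ABCDS
        I-> SRP_A=0xABCDEF12345345354 SRP_GROUP=SRP-1536""",
    "try_1": """
        I-> AuthMethod=KRB5,SRP,None
        T-> AuthMethod=SRP
        I-> SRP_U=bob TargetAuth=Yes
        T-> SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048 SRP_s=0X12343456745ABCDS
        I-> SRP_GROUP=SRP-1536
        T-> SRP_g=2 SRP_N=0XABCD123132523453
        I-> SRP_A=0xABCDEF12345345354""",
    "try_2": """
        I-> AuthMethod=KRB5,SRP,None
        T-> AuthMethod=SRP SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
        I-> SRP_GROUP=SRP-1536 SRP_U=bob TargetAuth=Yes
        T-> SRP_g=2 SRP_s=0X12343456745ABCDS SRP_N=0XABCD123132523453
        I-> SRP_A=0xABCDEF12345345354""",
}

def audit(text):
    """Report what the initiator has been given up to the PDU that carries SRP_A."""
    offered, chosen, explicit, a_pdu = [], None, set(), None
    for n, line in enumerate(text.strip().splitlines(), start=1):
        sender, _, rest = line.strip().partition("-> ")
        keys = dict(kv.split("=", 1) for kv in rest.split())
        if sender == "T":
            if "SRP_GROUP" in keys:            # target offers a list of groups
                offered = keys["SRP_GROUP"].split(",")
            explicit |= keys.keys() & {"SRP_N", "SRP_g"}
        else:
            chosen = keys.get("SRP_GROUP", chosen)  # initiator picks one group
            if "SRP_A" in keys:                # stop at the first SRP_A
                a_pdu = n
                break
    return {"group_negotiated": chosen in offered, "srp_a_pdu": a_pdu,
            "explicit_N_g": explicit == {"SRP_N", "SRP_g"}}

for name, text in SEQUENCES.items():
    print(name, audit(text))
```
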