Re: iSCSI: Authenticating with SRP
Ken,
The SRP login example in Appendix C was not updated
with the last change of using pre-defined group identifiers
instead of sending N,g explicitly; this should be corrected
at the first opportunity.
> and the second doesn't let the target provide a SRP_N or
> a SRP_g.
Both sides should know a priori the N,g of the 'well known'
pre-defined groups, and they are not sent anymore on the wire.
(11.1.3 - "and G,Gn (Gn stands for G1,G2...) are identifiers
of SRP groups specified in [SEC-IPS]." )
Regards,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
Ken Sandars <ksandars@eurologic.com>
Sent by: owner-ips@ece.cmu.edu
06/02/03 16:49
To: Julian Satran/Haifa/IBM@IBMIL
cc: ips@ece.cmu.edu, owner-ips@ece.cmu.edu
Subject: iSCSI: Authenticating with SRP
Hi Julo,
When authenticating with SRP, I'm not sure exactly which parameters are
required. In particular, the example in appendix C conflicts with section
11.1.3.
Based on the example login transaction (Appendix C):
I-> Login (CSG,NSG=0,1 T=1)
InitiatorName=iqn.1999-07.com.os:hostid.77
TargetName=iqn.1999-07.com.example:diskarray.sn.88
AuthMethod=KRB5,SRP,None
T-> Login-PR (CSG,NSG=0,0 T=0)
AuthMethod=SRP
I-> Login (CSG,NSG=0,0 T=0)
SRP_U=bob
TargetAuth=Yes
T-> Login (CSG,NSG=0,0 T=0)
SRP_g=2
SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
SRP_N=??????
In 11.1.3, the suggested sequence is:
I-> Login (CSG,NSG=0,1 T=1)
InitiatorName=iqn.1999-07.com.os:hostid.77
TargetName=iqn.1999-07.com.example:diskarray.sn.88
AuthMethod=KRB5,SRP,None
T-> Login-PR (CSG,NSG=0,0 T=0)
AuthMethod=SRP
I-> Login (CSG,NSG=0,0 T=0)
SRP_U=bob
TargetAuth=Yes
T-> Login (CSG,NSG=0,0 T=0)
SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
I-> Login (CSG,NSG=0,0 T=0)
SRP_A=0xABCDEF12345345354
SRP_GROUP=SRP-1536
......
I don't understand this sequence, and neither does the initiator we are
playing with! ;-)
The first sequence doesn't negotiate the SRP_GROUP parameter, and the
second doesn't let the target provide a SRP_N or a SRP_g.
Should the full sequence be (try 1):
I-> Login (CSG,NSG=0,1 T=1)
InitiatorName=iqn.1999-07.com.os:hostid.77
TargetName=iqn.1999-07.com.example:diskarray.sn.88
AuthMethod=KRB5,SRP,None
T-> Login-PR (CSG,NSG=0,0 T=0)
AuthMethod=SRP
I-> Login (CSG,NSG=0,0 T=0)
SRP_U=bob
TargetAuth=Yes
T-> Login (CSG,NSG=0,0 T=0)
SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
I-> Login (CSG,NSG=0,0 T=0)
SRP_GROUP=SRP-1536
T-> Login (CSG,NSG=0,0 T=0)
SRP_g=2
SRP_N=0XABCD123132523453 (as per SRP_GROUP)
I-> Login (CSG,NSG=0,0 T=0)
SRP_A=0xABCDEF12345345354
.... and things proceed from here
However, this introduces an extra step which may be collapsed (try 2):
I-> Login (CSG,NSG=0,1 T=1)
InitiatorName=iqn.1999-07.com.os:hostid.77
TargetName=iqn.1999-07.com.example:diskarray.sn.88
AuthMethod=KRB5,SRP,None
T-> Login-PR (CSG,NSG=0,0 T=0)
AuthMethod=SRP
SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
I-> Login (CSG,NSG=0,0 T=0)
SRP_GROUP=SRP-1536
SRP_U=bob
TargetAuth=Yes
T-> Login (CSG,NSG=0,0 T=0)
SRP_g=2
SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
SRP_N=0XABCD123132523453 (as per SRP_GROUP)
I-> Login (CSG,NSG=0,0 T=0)
SRP_A=0xABCDEF12345345354
.... and things proceed from here
Does this look right?
Thanks,
Ken
Ken Sandars
Eurologic Systems
Howard House
Queens Avenue
Bristol
United Kingdom
-----------------------------
Tel : +44 (0)117 9309616
Fax : +44 (0)117 9309601
-----------------------------
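
Added example, not part of the original messages or of the iSCSI draft: initiator-side handling, in Python, of the target's SRP_GROUP offer from the 11.1.3 sequence, where N and g come from a local table of pre-defined groups and are never read from the wire. The function names, the set of compiled-in groups, the 1536-bit floor, the choice of the largest usable group and the rejection of an explicit SRP_N or SRP_g are assumptions.

```python
# Groups compiled into this initiator (assumed set). A real initiator keeps
# each group's N and g here, taken from [SEC-IPS]; they never cross the wire.
LOCAL_GROUPS = {"SRP-1024": 1024, "SRP-1536": 1536, "SRP-2048": 2048}
MIN_BITS = 1536  # assumed local policy floor, not a value from the draft


class SrpNegotiationError(Exception):
    """The target's SRP step cannot be accepted."""


def parse_keys(text):
    """Parse the key=value lines of one login text payload into a dict."""
    keys = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = line.partition("=")
        if not sep or key in keys:
            raise SrpNegotiationError(f"malformed or duplicate key: {line!r}")
        keys[key] = value
    return keys


def choose_group(target_text):
    """Return the group name to send back in SRP_GROUP."""
    keys = parse_keys(target_text)
    # Assumed handling: N and g are no longer sent, so an explicit value is
    # rejected instead of being trusted as a peer-chosen parameter.
    for legacy in ("SRP_N", "SRP_g"):
        if legacy in keys:
            raise SrpNegotiationError(f"unexpected {legacy}")
    for required in ("SRP_GROUP", "SRP_s"):
        if required not in keys:
            raise SrpNegotiationError(f"missing {required}")
    offered = keys["SRP_GROUP"].split(",")
    usable = [g for g in offered if LOCAL_GROUPS.get(g, 0) >= MIN_BITS]
    if not usable:
        raise SrpNegotiationError("no offered group meets local policy")
    return max(usable, key=LOCAL_GROUPS.get)


def initiator_reply(target_text, srp_a_hex):
    """Build the initiator's next text payload: SRP_A plus the chosen group."""
    return f"SRP_A={srp_a_hex}\nSRP_GROUP={choose_group(target_text)}"


# Constructed sample: the target step of the 11.1.3 sequence, made-up salt.
SAMPLE = "SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048\nSRP_s=0x1234abcd"

if __name__ == "__main__":
    print(initiator_reply(SAMPLE, "0xabcdef"))  # SRP_A here is a placeholder
```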