Re: iSCSI: Authenticating with SRP

Ken,

The SRP login example in Appendix C was not updated with the last change of using pre-defined group identifiers instead of sending N,g explicitly; this should be corrected at the first opportunity.

> and the second doesn't let the target provide a SRP_N or
> a SRP_g.

Both sides should know a priori the N,g of the 'well known' pre-defined groups, and they are not sent anymore on the wire. (11.1.3 - "and G,Gn (Gn stands for G1,G2...) are identifiers of SRP groups specified in [SEC-IPS].")

Regards,
Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253

Ken Sandars <ksandars@eurologic.com>
Sent by: owner-ips@ece.cmu.edu
06/02/03 16:49

To: Julian Satran/Haifa/IBM@IBMIL
cc: ips@ece.cmu.edu, owner-ips@ece.cmu.edu
Subject: iSCSI: Authenticating with SRP

Hi Julo,

When authenticating with SRP, I'm not sure exactly which parameters are required. In particular, the example in appendix C conflicts with section 11.1.3.

Based on the example login transaction (Appendix C):

  I-> Login (CSG,NSG=0,1 T=1)
      InitiatorName=iqn.1999-07.com.os:hostid.77
      TargetName=iqn.1999-07.com.example:diskarray.sn.88
      AuthMethod=KRB5,SRP,None

  T-> Login-PR (CSG,NSG=0,0 T=0)
      AuthMethod=SRP

  I-> Login (CSG,NSG=0,0 T=0)
      SRP_U=bob
      TargetAuth=Yes

  T-> Login (CSG,NSG=0,0 T=0)
      SRP_g=2
      SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
      SRP_N=??????

In 11.1.3, the suggested sequence is:

  I-> Login (CSG,NSG=0,1 T=1)
      InitiatorName=iqn.1999-07.com.os:hostid.77
      TargetName=iqn.1999-07.com.example:diskarray.sn.88
      AuthMethod=KRB5,SRP,None

  T-> Login-PR (CSG,NSG=0,0 T=0)
      AuthMethod=SRP

  I-> Login (CSG,NSG=0,0 T=0)
      SRP_U=bob
      TargetAuth=Yes

  T-> Login (CSG,NSG=0,0 T=0)
      SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
      SRP_s=0X12343456745ABCDS (well, lots o' hex digits)

  I-> Login (CSG,NSG=0,0 T=0)
      SRP_A=0xABCDEF12345345354
      SRP_GROUP=SRP-1536

  ......
I don't understand this sequence, and neither does the initiator we are playing with! ;-)

The first sequence doesn't negotiate the SRP_GROUP parameter, and the second doesn't let the target provide a SRP_N or a SRP_g.

Should the full sequence be (try 1):

  I-> Login (CSG,NSG=0,1 T=1)
      InitiatorName=iqn.1999-07.com.os:hostid.77
      TargetName=iqn.1999-07.com.example:diskarray.sn.88
      AuthMethod=KRB5,SRP,None

  T-> Login-PR (CSG,NSG=0,0 T=0)
      AuthMethod=SRP

  I-> Login (CSG,NSG=0,0 T=0)
      SRP_U=bob
      TargetAuth=Yes

  T-> Login (CSG,NSG=0,0 T=0)
      SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048
      SRP_s=0X12343456745ABCDS (well, lots o' hex digits)

  I-> Login (CSG,NSG=0,0 T=0)
      SRP_GROUP=SRP-1536

  T-> Login (CSG,NSG=0,0 T=0)
      SRP_g=2
      SRP_N=0XABCD123132523453 (as per SRP_GROUP)

  I-> Login (CSG,NSG=0,0 T=0)
      SRP_A=0xABCDEF12345345354

  .... and things proceed from here

However, this introduces an extra step which may be collapsed (try 2):

  I-> Login (CSG,NSG=0,1 T=1)
      InitiatorName=iqn.1999-07.com.os:hostid.77
      TargetName=iqn.1999-07.com.example:diskarray.sn.88
      AuthMethod=KRB5,SRP,None

  T-> Login-PR (CSG,NSG=0,0 T=0)
      AuthMethod=SRP
      SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048

  I-> Login (CSG,NSG=0,0 T=0)
      SRP_GROUP=SRP-1536
      SRP_U=bob
      TargetAuth=Yes

  T-> Login (CSG,NSG=0,0 T=0)
      SRP_g=2
      SRP_s=0X12343456745ABCDS (well, lots o' hex digits)
      SRP_N=0XABCD123132523453 (as per SRP_GROUP)

  I-> Login (CSG,NSG=0,0 T=0)
      SRP_A=0xABCDEF12345345354

  .... and things proceed from here

Does this look right?

Thanks,
Ken

Ken Sandars
Eurologic Systems
Howard House
Queens Avenue
Bristol
United Kingdom
-----------------------------
Tel : +44 (0)117 9309616
Fax : +44 (0)117 9309601
-----------------------------
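
Added example, not part of either message in this thread: an initiator-side check of the target's SRP step as the reply describes it, where the target offers group identifiers in SRP_GROUP and N,g never appear on the wire. The function names, the NUL-terminated key=value framing of the sample bytes, the minimum-size policy (MIN_BITS) and the "first offered group that passes policy" rule are assumptions of this sketch.

```python
# Initiator-side check of the target's SRP step. Names and policy are assumptions.
GROUP_BITS = {"SRP-768": 768, "SRP-1024": 1024, "SRP-1280": 1280,
              "SRP-1536": 1536, "SRP-2048": 2048}  # identifiers quoted in the thread
MIN_BITS = 1536  # assumed local policy: refuse smaller groups


class LoginError(Exception):
    """Raised when the target's SRP response must be rejected."""


def parse_text_keys(data: bytes) -> dict:
    """Split a login data segment of NUL-terminated key=value pairs."""
    keys = {}
    for item in data.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.decode("ascii").partition("=")
        if not sep or key in keys:
            raise LoginError(f"malformed or repeated key: {key!r}")
        keys[key] = value
    return keys


def choose_srp_group(data: bytes, min_bits: int = MIN_BITS) -> str:
    """Return the identifier to send back as SRP_GROUP, or raise LoginError."""
    keys = parse_text_keys(data)
    # A target still following the old Appendix C example sends N and g itself.
    explicit = sorted({"SRP_N", "SRP_g"} & keys.keys())
    if explicit:
        raise LoginError(f"explicit group parameters on the wire: {explicit}")
    if "SRP_GROUP" not in keys or "SRP_s" not in keys:
        raise LoginError("target must send SRP_GROUP and SRP_s")
    offered = [name.strip() for name in keys["SRP_GROUP"].split(",")]
    # Unknown identifiers score 0 bits, so they never pass the policy check.
    for name in offered:
        if GROUP_BITS.get(name, 0) >= min_bits:
            return name  # first offered group that meets policy
    raise LoginError(f"no acceptable group offered: {offered}")


# Constructed sample responses (salt and modulus values are made up).
NEW_STYLE = b"SRP_GROUP=SRP-768,SRP-1024,SRP-1280,SRP-1536,SRP-2048\x00SRP_s=0x1A2B3C4D\x00"
OLD_STYLE = b"SRP_g=2\x00SRP_s=0x1A2B3C4D\x00SRP_N=0xABCD1231\x00"
WEAK_ONLY = b"SRP_GROUP=SRP-768,SRP-1024\x00SRP_s=0x1A2B3C4D\x00"

if __name__ == "__main__":
    print(choose_srp_group(NEW_STYLE))
```

With the offer from the 11.1.3 sequence, this policy selects SRP-1536, the same group the initiator returns there; a response in the old Appendix C style, or an offer containing only groups below the policy floor, is rejected before any SRP_A is sent.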