> On Jan 8, 2015, at 9:30 AM, Tejas vaykole <[email protected]> wrote:
> 
> ...
>> Various crypto protocols indeed uses SHA-1 (typically in more complex form 
>> like HMAC) for message authentication.  And each of them will obviously have 
>> some identifier for that.  But that has nothing to do with CHAP.  For CHAP 
>> in iSCSI, you have to look in the iSCSI RFC, and you will find in there only 
>> a single identifier, which is for CHAP using MD5. 
> Yes, you are right. But there is some correction. In iSCSI RFC(3720) page 186 
> (CHAP 11.1.4) points to RFC1994(CHAP) for the implementation of CHAP and 
> RFC3720 also mandates initiator/targets to implement MD5 as one required 
> option. But it does not bar the possibility of implementing another hash 
> algorithm with CHAP.  

Correct.  But implementing it at one end of the protocol has no effect; you 
need to implement it in both initiator and target.

You can pick a random number to indicate “CHAP with SHA-1” (such as the 7 you 
mentioned) and put that in both initiator and target, if you have the ability 
to modify both.  That will work; at that point you have a proprietary extension 
to iSCSI.  But if you want standard initiators or targets to use SHA-1 in a 
CHAP exchange, you have to start by getting it added to the standard, and then 
wait for implementers to implement that new feature.

The other point I would add is “why bother?”  There is no cryptographic reason 
for doing this, given the present state of knowledge around MD5 and other 
hashes.  It might be worthwhile proposing such an extension to the standard as 
a precaution in case a pre-image attack on MD5 is discovered, but at this point 
such an attack is entirely hypothetical.

If your answer is “as an experiment, to see if it can be done”, sure.  You can 
do that, and I would predict that you would get it to work pretty easily 
(again, given that you have control over the implementations of both initiator 
and target to make matching changes).  But if you want to take it beyond an 
experiment, the first step would be to do the standards work, and the first 
step in that work is to justify the effort of making the change.  I expect that 
you may have some difficulty convincing others it’s worth the trouble. 

        paul
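The point Paul makes above, that a private CHAP algorithm identifier only works when both initiator and target carry the same table, as an added Python example that is not part of this thread or of open-iscsi. It computes the RFC 1994 response (Hash over Identifier, secret and Challenge) and simulates the CHAP_A selection from RFC 3720; the value 7 for SHA-1 is the hypothetical identifier from the discussion, and `run_chap`, `negotiate_algorithm` and all secrets and challenge values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Set, Tuple

# CHAP_A values as exchanged during iSCSI login (RFC 3720): 5 = MD5 is the only
# identifier the standard defines. 7 = SHA-1 is a constructed, hypothetical value
# standing in for the proprietary extension discussed in the thread; a standard
# initiator or target has no entry for it.
CHAP_MD5 = 5
CHAP_SHA1_PRIVATE = 7
_DIGESTS = {CHAP_MD5: hashlib.md5, CHAP_SHA1_PRIVATE: hashlib.sha1}


def chap_response(algorithm: int, identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: Hash(Identifier || secret || Challenge), one-octet Identifier."""
    if algorithm not in _DIGESTS:
        raise ValueError(f"unsupported CHAP algorithm {algorithm}")
    return _DIGESTS[algorithm](bytes([identifier & 0xFF]) + secret + challenge).digest()


def verify_response(algorithm: int, identifier: int, secret: bytes,
                    challenge: bytes, response: bytes) -> bool:
    """Target-side check of CHAP_R; constant-time compare against the recomputed value."""
    expected = chap_response(algorithm, identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def negotiate_algorithm(offered: List[int], supported: Set[int]) -> Optional[int]:
    """Target side of CHAP_A: take the first initiator-offered value it implements."""
    return next((a for a in offered if a in supported), None)


def run_chap(initiator_algs: List[int], target_algs: Set[int],
             initiator_secret: bytes, target_secret: bytes) -> Tuple[Optional[int], bool]:
    """Simulate one exchange; returns (algorithm used, whether the target accepted).

    A mismatch in the algorithm tables ends the login before any challenge is sent,
    and a mismatch in secrets produces a response the target rejects.
    """
    algorithm = negotiate_algorithm(initiator_algs, target_algs)
    if algorithm is None:
        return None, False
    identifier = 0x2A            # constructed CHAP_I value
    challenge = os.urandom(16)   # CHAP_C: target-chosen random challenge
    response = chap_response(algorithm, identifier, initiator_secret, challenge)  # CHAP_R
    return algorithm, verify_response(algorithm, identifier, target_secret, challenge, response)
```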
