On 15 Dec 2009 at 22:47, shyam_i...@dell.com wrote:

> From the spec:
> "
>    CHAP secrets MUST be an integral number of bytes (octets). A
>    compliant implementation SHOULD NOT continue with the login step in
>    which it should send a CHAP response (CHAP_R, Section 11.1.4
>    Challenge Handshake Authentication Protocol (CHAP)) unless it can
>    verify that the CHAP secret is at least 96 bits, or that IPsec
>    encryption is being used to protect the connection.
> "

You picked up an "interesting" issue: The Microsoft Initiator limits the length of the secret to 16 characters (AFAIR). I wrote a little program that generates random secrets and estimated the entropy (i.e. number of bits):

With 16 random letters, you are at about 92 bits (e.g. mMPuhxfKAYuIFTjZ)
With 16 random letters with digits you are at about 95 bits (e.g. b3v4B8mRoiFWjpF9)

The bad thing is that some characters look quite similar to users, like '0' and 'O', or '1' and 'l'. When trying to omit those potentially confusing characters (plus adding other punctuation characters, leaving out space for obvious reasons), I'm at about 83 bits (e.g. u\FphNwuuWCT74+h).

As a side note: Passwords with only six letters in one case only make about 28 
bits. Now if you think that most users will use words, you can guess how poor 
those passwords actually are.

Using the fully printable ASCII character set without those characters that are considered "unsafe" in UNIX, 16 characters would have about 102 bits of entropy (e.g. !)Zbl(p7%Hd88L>T)

> 
> The spec suggests that a chap secret be at least 96bits or (12
> characters) but I see that only the AUTH_STR_MAX_LEN of 256 characters
> is used for error checking.

Even when just using digits, that would be 850 bits of entropy, probably enough ;-)

Regards,
Ulrich

> 
> Am I reading this correctly ?
> 
> -Shyam Iyer
> 
> --
> 
> You received this message because you are subscribed to the Google Groups 
> "open-iscsi" group.
> To post to this group, send email to open-is...@googlegroups.com.
> To unsubscribe from this group, send email to 
> open-iscsi+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/open-iscsi?hl=en.
> 
> 


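The entropy estimates discussed in this thread can be reproduced with a short script. This is an added example, not code from the original message or from open-iscsi: it assumes every character is drawn uniformly at random, takes the 96-bit minimum from the quoted spec text and the 16-character limit from the reply, and the alphabets (including which look-alike characters are dropped) are constructed for illustration.

```python
import math
import secrets
import string

MIN_BITS = 96    # minimum CHAP secret size quoted from the spec in the thread
MAX_CHARS = 16   # initiator length limit as recalled in the thread (unverified)

LETTERS = string.ascii_letters
ALNUM = LETTERS + string.digits
LOOKALIKES = set("0O1lI")  # assumption: the confusable characters to drop
UNAMBIGUOUS = "".join(c for c in ALNUM if c not in LOOKALIKES)
PRINTABLE = ALNUM + string.punctuation  # 94 printable ASCII characters, no space


def entropy_bits(alphabet: str, length: int) -> float:
    """Bits of entropy when each character is drawn uniformly from alphabet."""
    return length * math.log2(len(set(alphabet)))


def min_length(alphabet: str, bits: int = MIN_BITS) -> int:
    """Smallest length whose uniform-random entropy reaches the target."""
    return math.ceil(bits / math.log2(len(set(alphabet))))


def generate_secret(alphabet: str, bits: int = MIN_BITS, max_len=None) -> str:
    """Generate a secret with the OS CSPRNG, refusing if max_len is too short."""
    need = min_length(alphabet, bits)
    if max_len is not None and need > max_len:
        raise ValueError(f"need {need} characters for {bits} bits, limit is {max_len}")
    return "".join(secrets.choice(alphabet) for _ in range(need))


def report(max_len: int = MAX_CHARS):
    """Per alphabet: (name, bits at max_len, length needed, fits in max_len)."""
    rows = []
    for name, alpha in [("letters", LETTERS), ("alnum", ALNUM),
                        ("unambiguous", UNAMBIGUOUS), ("printable", PRINTABLE),
                        ("digits", string.digits)]:
        need = min_length(alpha)
        rows.append((name, round(entropy_bits(alpha, max_len), 1), need, need <= max_len))
    return rows


if __name__ == "__main__":
    for row in report():
        print("%-12s %6.1f bits at 16 chars, needs %2d chars, fits=%s" % row)
    print(generate_secret(PRINTABLE, max_len=MAX_CHARS))
```

Under these assumptions only the full printable set reaches 96 bits within 16 characters; a length check alone says nothing about secrets that were not generated randomly.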