Re: SHA-1 hashing Algorithm for CHAP
On Thursday, January 8, 2015 7:33:44 PM UTC+5:30, Tejas vaykole wrote:
> Hello Mike,
>
> On Monday, January 5, 2015 11:11:20 PM UTC+5:30, Mike Christie wrote:
>> Could you point me to the SCST code you are referring to? What files/functions/lines?
>
> Here is the link that tells you about the SCST target - http://scst.sourceforge.net/
> You can pull the source code with this command on linux -
> svn checkout svn://svn.code.sf.net/p/scst/svn/trunk scst-trunk
> And this is the file that implements CHAP authentication -
> http://sourceforge.net/p/scst/svn/HEAD/tree/trunk/iscsi-scst/usr/chap.c

Missed out the line number and functions.

line number 320 : static inline void chap_calc_digest_sha1(char chap_id, const char *secret, int secret_len,
implements the SHA1

line number 368 : } else if (!strcmp(p, "7")) {
checks for the assigned number 7.

>> Why do you need this?
>
> I am just curious and would like to try out things here.
>
>> On 01/03/2015 03:15 AM, Tejas vaykole wrote:
>>> Hello,
>>> I am looking at the SCST target code, where it looks like it supports the SHA-1 Algorithm for message digest generation. The number assigned to SHA-1 is '7'
>>> Thanks.
>>> Tejas
>>>
>>> On Monday, September 15, 2014 11:30:52 AM UTC+5:30, Uli wrote:
>>>> Tejas vaykole tejas.v...@gmail.com wrote on 11.09.2014 at 12:22 in message e87c916b-0b75-4570-b690-71197a5c2...@googlegroups.com:
>>>>> Hello,
>>>>> I am trying out with the open-iscsi initiator. I see that the initiator uses MD5 algorithm for CHAP. I need help in configuring the initiator to use SHA-1 hashing Algorithm for CHAP.
>>>>
>>>> Which algorithm number has been assigned to SHA-1 for CHAP? I could not find it.
>>>>
>>>>> Thanks.
>>>>> Tejas

--
You received this message because you are subscribed to the Google Groups open-iscsi group.
To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscr...@googlegroups.com.
To post to this group, send email to open-iscsi@googlegroups.com.
Visit this group at http://groups.google.com/group/open-iscsi.
For more options, visit https://groups.google.com/d/optout.
Re: SHA-1 hashing Algorithm for CHAP
On Jan 8, 2015, at 9:30 AM, Tejas vaykole tejas.vaykol...@gmail.com wrote:
> ...
>> Various crypto protocols indeed use SHA-1 (typically in more complex form like HMAC) for message authentication. And each of them will obviously have some identifier for that. But that has nothing to do with CHAP. For CHAP in iSCSI, you have to look in the iSCSI RFC, and you will find in there only a single identifier, which is for CHAP using MD5.
>
> Yes, you are right. But there is some correction. In iSCSI RFC (3720), page 186 (CHAP 11.1.4) points to RFC 1994 (CHAP) for the implementation of CHAP, and RFC 3720 also mandates initiator/targets to implement MD5 as one required option. But it does not bar the possibility of implementing another hash algorithm with CHAP.

Correct. But implementing it at one end of the protocol has no effect; you need to implement it in both initiator and target. You can pick a random number to indicate “CHAP with SHA-1” (such as the 7 you mentioned) and put that in both initiator and target, if you have the ability to modify both. That will work; at that point you have a proprietary extension to iSCSI. But if you want standard initiators or targets to use SHA-1 in a CHAP exchange, you have to start by getting it added to the standard, and then wait for implementers to implement that new feature.

The other point I would add is “why bother?” There is no cryptographic reason for doing this, given the present state of knowledge around MD5 and other hashes. It might be worth while proposing such an extension to the standard as a precaution in case a pre-image attack on MD5 is discovered, but at this point such an attack is entirely hypothetical.

If your answer is “as an experiment, to see if it can be done”, sure. You can do that, and I would predict that you would get it to work pretty easily (again, given that you have control over the implementations of both initiator and target to make matching changes). But if you want to take it beyond an experiment, the first step would be to do the standards work, and the first step in that work is to justify the effort of making the change. I expect that you may have some difficulty convincing others it’s worth the trouble.

paul
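The point made in the reply above, that a private algorithm number such as 7 only takes effect when both initiator and target implement it, sketched as an added example (not code from open-iscsi, SCST or anyone in this thread). It assumes the RFC 1994 response format, hash(identifier || secret || challenge), and algorithm number 5 for MD5; the class and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Numbers carried in CHAP_A. 5 (MD5) is the one the standard defines; 7 for
# SHA-1 is the private value quoted in the thread, not a standard assignment.
CHAP_MD5, CHAP_SHA1_PRIVATE = 5, 7
DIGESTS = {CHAP_MD5: hashlib.md5, CHAP_SHA1_PRIVATE: hashlib.sha1}


def chap_response(alg, chap_id, secret, challenge):
    """RFC 1994 response: hash(identifier byte || secret || challenge)."""
    return DIGESTS[alg](bytes([chap_id]) + secret + challenge).digest()


class Target:
    def __init__(self, secret, supported):
        self.secret, self.supported = secret, set(supported)

    def select(self, offered):
        """Pick the first offered algorithm this target implements."""
        for alg in offered:
            if alg in self.supported:
                self.alg = alg
                self.chap_id, self.challenge = os.urandom(1)[0], os.urandom(16)
                return alg, self.chap_id, self.challenge
        return None  # nothing in common: authentication cannot proceed

    def verify(self, response):
        expected = chap_response(self.alg, self.chap_id, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)


def login(offered, target, initiator_secret):
    """One-way CHAP. Returns (algorithm selected, authenticated?)."""
    choice = target.select(offered)
    if choice is None:
        return None, False
    alg, chap_id, challenge = choice
    response = chap_response(alg, chap_id, initiator_secret, challenge)
    return alg, target.verify(response)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    print(login([7, 5], Target(secret, {5}), secret))     # unmodified target
    print(login([7, 5], Target(secret, {5, 7}), secret))  # both ends modified
    print(login([7], Target(secret, {5}), secret))        # SHA-1-only offer
```

Against an unmodified target the offer of 7 is simply passed over and the exchange runs with MD5; an initiator that offers only 7 finds no common algorithm.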
Re: SHA-1 hashing Algorithm for CHAP
Could you point me to the SCST code you are referring to? What files/functions/lines?

Why do you need this?

On 01/03/2015 03:15 AM, Tejas vaykole wrote:
> Hello,
> I am looking at the SCST target code, where it looks like it supports the SHA-1 Algorithm for message digest generation. The number assigned to SHA-1 is '7'
> Thanks.
> Tejas
>
> On Monday, September 15, 2014 11:30:52 AM UTC+5:30, Uli wrote:
>> Tejas vaykole tejas.v...@gmail.com wrote on 11.09.2014 at 12:22 in message e87c916b-0b75-4570-b690-71197a5c2...@googlegroups.com:
>>> Hello,
>>> I am trying out with the open-iscsi initiator. I see that the initiator uses MD5 algorithm for CHAP. I need help in configuring the initiator to use SHA-1 hashing Algorithm for CHAP.
>>
>> Which algorithm number has been assigned to SHA-1 for CHAP? I could not find it.
>>
>>> Thanks.
>>> Tejas
Re: SHA-1 hashing Algorithm for CHAP
What is SCST?

Various crypto protocols indeed use SHA-1 (typically in more complex form like HMAC) for message authentication. And each of them will obviously have some identifier for that. But that has nothing to do with CHAP. For CHAP in iSCSI, you have to look in the iSCSI RFC, and you will find in there only a single identifier, which is for CHAP using MD5.

It would certainly be possible to define CHAP using SHA-1 (or for that matter SHA-2) but that hasn’t been done and there hasn’t been a significant push for it. While MD5 has issues, those do not affect its use in CHAP.

paul

On Jan 3, 2015, at 4:15 AM, Tejas vaykole tejas.vaykol...@gmail.com wrote:
> Hello,
> I am looking at the SCST target code, where it looks like it supports the SHA-1 Algorithm for message digest generation. The number assigned to SHA-1 is '7'
> Thanks.
> Tejas
>
> On Monday, September 15, 2014 11:30:52 AM UTC+5:30, Uli wrote:
>> Tejas vaykole tejas.v...@gmail.com wrote on 11.09.2014 at 12:22 in message e87c916b-0b75-4570-b690-71197a5c2...@googlegroups.com:
>>> Hello,
>>> I am trying out with the open-iscsi initiator. I see that the initiator uses MD5 algorithm for CHAP. I need help in configuring the initiator to use SHA-1 hashing Algorithm for CHAP.
>>
>> Which algorithm number has been assigned to SHA-1 for CHAP? I could not find it.
>>
>>> Thanks.
>>> Tejas
Re: SHA-1 hashing Algorithm for CHAP
I have never seen a spec for CHAP with any other hash algorithms. No spec, so no implementations.

paul

On Sep 11, 2014, at 6:22 AM, Tejas vaykole tejas.vaykol...@gmail.com wrote:
> Hello,
> I am trying out with the open-iscsi initiator. I see that the initiator uses MD5 algorithm for CHAP. I need help in configuring the initiator to use SHA-1 hashing Algorithm for CHAP.
> Thanks.
> Tejas
Re: SHA-1 hashing Algorithm for CHAP
On Sep 15, 2014, at 1:19 PM, Mike Christie micha...@cs.wisc.edu wrote:
> On 09/11/2014 05:22 AM, Tejas vaykole wrote:
>> Hello,
>> I am trying out with the open-iscsi initiator. I see that the initiator uses MD5 algorithm for CHAP. I need help in configuring the initiator to use SHA-1 hashing Algorithm for CHAP.
>
> We only support MD5. The API use is hard coded, so there is no simple config step. You would have to write the code.
>
> What target are you using?

I don't think it matters; there is no CHAP other than MD5 CHAP in the iSCSI standard. See RFC 7143, page 228. So there are *no* conforming implementations of CHAP for any other hash.

paul
SHA-1 hashing Algorithm for CHAP
Hello,
I am trying out with the open-iscsi initiator. I see that the initiator uses MD5 algorithm for CHAP. I need help in configuring the initiator to use SHA-1 hashing Algorithm for CHAP.
Thanks.
Tejas