Setting up authentication
Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol used for secure
logon between the iSCSI Initiator and iSCSI target. CHAP uses a challenge-response security
mechanism for verifying the identity of an initiator without revealing a secret password that is
shared by the two entities. It is also referred to as a three-way handshake. An important concept
of CHAP is that the initiator must prove to the target that it knows a shared secret without actually
revealing the secret. (Sending the secret across the wire could reveal it to an eavesdropper.) CHAP
provides a mechanism for doing this.
NOTE: Setting up authentication for your iSCSI devices is optional. If you require authentication,
HP recommends that you configure it after you have properly verified installation and operation
of the iSCSI implementation without authentication.
In a secure environment, authentication may not be required, access to the targets is limited only
to trusted initiators.
In a less secure environment, the target cannot determine if a connection request is truly from a
given host. In that case, the target can use CHAP to authenticate an initiator.
When an initiator contacts a target that uses CHAP, the target (called the authenticator) responds
by sending the initiator a challenge. The challenge is a piece of information that is unique for this
authentication session. The initiator then encrypts this information, using a previously-issued password
that is shared by both initiator and target. The encrypted information is then returned to the target.
The target has the same password and uses it as a key to encrypt the information it originally sent
to the initiator. It compares its results with the encrypted results sent by the initiator. If they are the
same, the initiator is assumed to be authentic
These schemes are often called proof of possession protocols. The challenge requires that an entity
prove possession of a shared key or one of the key pairs in a public key scheme.
This procedure is repeated throughout the session to verify that the correct initiator is still connected.
Repeating these steps prevents someone from stealing the initiator’s session by replaying information
that was intercepted on the line.
There are sever alInternet RFCs that cover CHAP in more detail:
• RFC 1994 (PPP Challenge Handshake Authentication Protocol, August 1996
• RFC 2433 (Microsoft PPP CHAP Extensions, October 1998)
• RFC 2759 (Microsoft PPP CHAP Extensions version 2, January 2000)
CHAP restrictions
The CHAP restrictions are as follows:
• Maximum length of 100 characters
• Minimum length of 1 character
• No restriction on the type of characters that can be entered
Microsoft Initiator CHAP secret restrictions
• Maximum length of 16 characters
• Minimum length of 12 characters
• No restriction on the type of characters that can be entered
• When an initiator uses iSNS for target discovery, only normal session CHAP applies
Set up the iSCSI Initiator 119
To Next Page
Loading...
Need help?
General
