E setting up authentication, Chap restrictions, The mpx100/100b chap secret restrictions – HP EVA Array iSCSI Connectivity Option User Manual
Page 203
E Setting up authentication
Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol used for secure logon
between the iSCSI Initiator and iSCSI target. CHAP uses a challenge-response security mechanism for
verifying the identity of an initiator without revealing a secret password that is shared by the two entities.
It is also referred to as a three-way handshake. An important concept of CHAP is that the initiator must
prove to the target that it knows a shared secret without actually revealing the secret. (Sending the secret
across the wire could reveal it to an eavesdropper.) CHAP provides a mechanism for doing this.
NOTE:
Setting up authentication for your iSCSI devices is optional. If you require authentication, HP
recommends that you configure it after you have properly verified installation and operation of the iSCSI
implementation without authentication.
In a secure environment, authentication may not be required, access to the targets is limited only to
trusted initiators.
In a less secure environment, the target cannot determine if a connection request is truly from a given host.
In that case, the target can use CHAP to authenticate an initiator.
When an initiator contacts a target that uses CHAP, the target (called the authenticator) responds
by sending the initiator a challenge. The challenge is a piece of information that is unique for this
authentication session. The initiator then encrypts this information, using a previously-issued password
that is shared by both initiator and target. The encrypted information is then returned to the target. The
target has the same password and uses it as a key to encrypt the information it originally sent to the
initiator. It compares its results with the encrypted results sent by the initiator. If they are the same,
the initiator is assumed to be authentic
These schemes are often called proof of possession protocols. The challenge requires that an entity prove
possession of a shared key or one of the key pairs in a public key scheme.
This procedure is repeated throughout the session to verify that the correct initiator is still connected.
Repeating these steps prevents someone from stealing the initiator’s session by replaying information that
was intercepted on the line.
There are several Internet RFCs that cover CHAP in more detail:
•
RFC 1994 (PPP Challenge Handshake Authentication Protocol, August 1996)
•
RFC 2433 (Microsoft PPP CHAP Extensions, October 1998)
•
RFC 2759 (Microsoft PPP CHAP Extensions version 2, January 2000)
This appendix contains the following sections:
• Enabling single direction CHAP during discovery and normal session
• Enabling single direction CHAP during discovery and bi-directional CHAP during normal session
• Enabling bi-directional CHAP during discovery and single CHAP during normal session
• Enabling bi-directional CHAP during discovery and bi-directional CHAP during normal session
CHAP restrictions
The mpx100/100b CHAP secret restrictions
•
Maximum length of 100 characters.
EVA iSCSI connectivity user guide
203