E setting up authentication – HP 3000 Enterprise Virtual Array User Manual
Page 207
E Setting up authentication
Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol used for secure
logon between the iSCSI Initiator and iSCSI target. CHAP uses a challenge-response security mechanism
for verifying the identity of an initiator without revealing a secret password that is shared by the two
entities. It is also referred to as a three-way handshake. An important concept of CHAP is that the
initiator must prove to the target that it knows a shared secret without actually revealing the secret.
(Sending the secret across the wire could reveal it to an eavesdropper.) CHAP provides a mechanism
for doing this.
NOTE:
Setting up authentication for your iSCSI devices is optional. If you require authentication, HP
recommends that you configure it after you have properly verified installation and operation of the
iSCSI implementation without authentication.
In a secure environment, authentication may not be required, access to the targets is limited only to
trusted initiators.
In a less secure environment, the target cannot determine if a connection request is truly from a given
host. In that case, the target can use CHAP to authenticate an initiator.
When an initiator contacts a target that uses CHAP, the target (called the authenticator) responds by
sending the initiator a challenge. The challenge is a piece of information that is unique for this
authentication session. The initiator then encrypts this information, using a previously-issued password
that is shared by both initiator and target. The encrypted information is then returned to the target.
The target has the same password and uses it as a key to encrypt the information it originally sent to
the initiator. It compares its results with the encrypted results sent by the initiator. If they are the same,
the initiator is assumed to be authentic
These schemes are often called proof of possession protocols. The challenge requires that an entity
prove possession of a shared key or one of the key pairs in a public key scheme.
This procedure is repeated throughout the session to verify that the correct initiator is still connected.
Repeating these steps prevents someone from stealing the initiator’s session by replaying information
that was intercepted on the line.
There are several Internet RFCs that cover CHAP in more detail:
•
RFC 1994 (PPP Challenge Handshake Authentication Protocol, August 1996)
•
RFC 2433 (Microsoft PPP CHAP Extensions, October 1998)
•
RFC 2759 (Microsoft PPP CHAP Extensions version 2, January 2000)
This appendix contains the following sections:
• Enabling single direction CHAP during discovery and normal session
• Enabling single direction CHAP during discovery and bi-directional CHAP during normal ses-
• Enabling bi-directional CHAP during discovery and single CHAP during normal session
EVA iSCSI Connectivity User Guide
207