E setting up authentication, Chap restrictions, The mpx100/100b chap secret restrictions – HP EVA Array iSCSI Connectivity Option User Manual

Page 203


E Setting up authentication

Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol used for secure logon between the iSCSI Initiator and iSCSI target. CHAP uses a challenge-response security mechanism for verifying the identity of an initiator without revealing a secret password that is shared by the two entities. It is also referred to as a three-way handshake. An important concept of CHAP is that the initiator must prove to the target that it knows a shared secret without actually revealing the secret. (Sending the secret across the wire could reveal it to an eavesdropper.) CHAP provides a mechanism for doing this.

NOTE:

Setting up authentication for your iSCSI devices is optional. If you require authentication, HP recommends that you configure it after you have properly verified installation and operation of the iSCSI implementation without authentication.

In a secure environment, authentication may not be required because access to the targets is limited to trusted initiators. In a less secure environment, the target cannot determine whether a connection request is truly from a given host. In that case, the target can use CHAP to authenticate an initiator.
When an initiator contacts a target that uses CHAP, the target (called the authenticator) responds by sending the initiator a challenge. The challenge is a piece of information that is unique for this authentication session. The initiator then encrypts this information, using a previously-issued password that is shared by both initiator and target. The encrypted information is then returned to the target. The target has the same password and uses it as a key to encrypt the information it originally sent to the initiator. It compares its results with the encrypted results sent by the initiator. If they are the same, the initiator is assumed to be authentic.

These schemes are often called proof-of-possession protocols. The challenge requires that an entity prove possession of a shared key, or of one of the keys in a public key pair.

This procedure is repeated throughout the session to verify that the correct initiator is still connected. Repeating these steps prevents someone from stealing the initiator's session by replaying information that was intercepted on the line.
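The exchange described above, as an added example that is not part of the HP manual: a target issues a fresh challenge, the initiator answers with MD5(ID || secret || challenge) as RFC 1994 (and iSCSI CHAP) specify, and the target recomputes and compares. The class names, the secret and the replay check are constructed for illustration; the 100-character secret limit is the mpx100/100b restriction stated on this page.

```python
import hashlib
import hmac
import secrets


def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP response: MD5 over one-byte ID, the shared secret, the challenge."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP ID must fit in one byte")
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


class Target:
    """The authenticator: issues a unique challenge and checks the response."""

    def __init__(self, secret):
        if len(secret) > 100:  # mpx100/100b limit from this page
            raise ValueError("CHAP secret exceeds 100 characters")
        self.secret = secret
        self.chap_id = 0
        self.outstanding = None  # (id, challenge) awaiting a response

    def issue_challenge(self, length=16):
        self.chap_id = (self.chap_id + 1) % 256
        challenge = secrets.token_bytes(length)  # unique per authentication
        self.outstanding = (self.chap_id, challenge)
        return self.outstanding

    def verify(self, chap_id, response):
        if self.outstanding is None or self.outstanding[0] != chap_id:
            return False
        expected = chap_response(chap_id, self.secret, self.outstanding[1])
        self.outstanding = None  # each challenge may be answered only once
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(target, initiator_secret):
    """One CHAP round trip; True only if both sides hold the same secret."""
    chap_id, challenge = target.issue_challenge()
    return target.verify(chap_id, chap_response(chap_id, initiator_secret, challenge))


def replay_is_rejected(target, secret):
    """Show why re-challenging defeats replay: a captured response fails a new challenge."""
    chap_id, challenge = target.issue_challenge()
    captured = chap_response(chap_id, secret, challenge)
    first = target.verify(chap_id, captured)
    new_id, _ = target.issue_challenge()  # session re-authenticates with fresh data
    return first and not target.verify(new_id, captured)
```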
There are several Internet RFCs that cover CHAP in more detail:

RFC 1994 (PPP Challenge Handshake Authentication Protocol, August 1996)
RFC 2433 (Microsoft PPP CHAP Extensions, October 1998)
RFC 2759 (Microsoft PPP CHAP Extensions version 2, January 2000)

This appendix contains the following sections:

CHAP restrictions, page 203
Enabling single direction CHAP during discovery and normal session, page 205
Enabling single direction CHAP during discovery and bi-directional CHAP during normal session, page 207
Enabling bi-directional CHAP during discovery and single CHAP during normal session, page 209
Enabling bi-directional CHAP during discovery and bi-directional CHAP during normal session, page 211

CHAP restrictions

The mpx100/100b CHAP secret restrictions

Maximum length of 100 characters.

EVA iSCSI connectivity user guide

203
