Configuring secured iscsi connections, Using challenge-handshake, Authentication protocol – Dell PowerVault NX1950 User Manual

Page 51


4 Configuring Secured iSCSI Connections Using Challenge-Handshake Authentication Protocol

Few security features for the iSCSI protocol are included in the iSCSI layer itself, apart from any security layers that may be present in the lower TCP/IP and Ethernet layers. You can enable and disable the iSCSI security features as required.

The Microsoft® iSCSI Initiator uses the Challenge-Handshake Authentication Protocol (CHAP) to verify the identity of iSCSI host systems attempting to access iSCSI Targets. The iSCSI Initiator and iSCSI Target use CHAP and share a predefined secret. The Initiator combines the secret with other information into a value and calculates a one-way hash using the Message Digest 5 (MD5) function. The hash value is transmitted to the Target. The Target computes a one-way hash of its shared secret and other information. If the hash values match, the Initiator is authenticated. The other security information includes an ID value that is increased with each CHAP dialog to protect against replay attacks. The Dell™ PowerVault™ NX1950 storage solution also supports Mutual CHAP.

CHAP is generally regarded as more secure than Password Authentication Protocol (PAP). For more information regarding CHAP and PAP, see the RFC 1334 website at http://rfc.arogo.net/rfc1334.html.
