Hashing algorithm used with iSCSI for CHAP authentication


KUMAR NITISH

Aug 4, 2025, 9:02:46 AM
to open-...@googlegroups.com
Hi,

This mail is regarding usage of algorithms SHA1, SHA2 and SHA3 with iSCSI for CHAP authentication.
RFC 1994 mentions support for only the MD5 algorithm; I have copied the RFC excerpt below.

"The Algorithm field is one octet and indicates the authentication method to be used.
Up-to-date values are specified in the most recent "Assigned Numbers" [2].
One value is required to be implemented: 5 CHAP with MD5 [3]"

Clearly the RFC does not mention other values that map to SHA1, SHA2 and SHA3.
But I see open-iscsi and scst-iscsi implementations have used values 6, 7, 8 for these algorithms.

open-iscsi : auth.c
        AUTH_CHAP_ALG_MD5 = 5,
        AUTH_CHAP_ALG_SHA1 = 6,
        AUTH_CHAP_ALG_SHA256 = 7,
        AUTH_CHAP_ALG_SHA3_256 = 8,

iscsi-scst : chap.c
#define CHAP_DIGEST_ALG_MD5   5
#define CHAP_DIGEST_ALG_SHA1  6
#define CHAP_DIGEST_ALG_SHA256  7
#define CHAP_DIGEST_ALG_SHA3_256  8

Can someone please share details on how open-iscsi and iscsi-scst implementations decided to use these numbers?
Is this covered in any specification/RFC? How would targets or other OSes know the value to be used?
Please share any document references.

Thanks,
Nitish

KUMAR NITISH

Aug 6, 2025, 6:55:28 AM
to open-...@googlegroups.com
Ping!
If anyone has context to the query from the email below, please reply.

Chris Leech

Aug 6, 2025, 12:41:33 PM
to open-...@googlegroups.com, KUMAR NITISH
Hello Nitish,

As you mentioned, RFC 7143 (iSCSI) references RFC 1994 (PPP CHAP) and
both require that algorithm 5 (MD5) be implemented. But, RFC 1994
also states that up-to-date values are specified as assigned numbers
(calling out RFC 1700). RFC 1700 was obsoleted by RFC 3232, which
established a separate IANA database for assigned numbers.

If you look up the PPP Authentication Algorithms in the IANA database,
you can see the assignments for SHA-1, SHA-256 and SHA3-256.
https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9

Maurizio Lombardi and myself from Red Hat worked with David Black to
get these assigned numbers from IANA, and then implemented the
Open-iSCSI and Linux kernel target support. The need at the time was
to provide an option for FIPS compliant algorithms in environments
where MD5 is not allowed to be used.

I hope this helps!

- Chris Leech
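
As an added illustration (not code from open-iscsi, iscsi-scst or any poster in this thread): a Python example of how the CHAP_A values discussed above drive algorithm selection and the response hash. It assumes the RFC 1994 construction (identifier octet, then secret, then challenge) is used unchanged with each hash; the function names, the `allow_md5` switch and the sample secret are constructed for the example.

```python
import hashlib
import hmac
import os

# IANA "PPP Authentication Algorithms" values quoted in the thread.
CHAP_ALGS = {5: "md5", 6: "sha1", 7: "sha256", 8: "sha3_256"}


def select_algorithm(offered_chap_a, allow_md5=True):
    """Target side: take the initiator's CHAP_A list (e.g. "5,6,7,8") and
    return the first value that is known and permitted, else None."""
    for token in offered_chap_a.split(","):
        token = token.strip()
        if not (token.isascii() and token.isdigit()):
            continue  # skip malformed entries instead of guessing
        alg = int(token)
        if alg == 5 and not allow_md5:
            continue  # policy: MD5 not allowed in this environment
        if alg in CHAP_ALGS:
            return alg
    return None  # no common algorithm: the login must fail, not fall back


def chap_response(alg, identifier, secret, challenge):
    """CHAP_R = H(identifier || secret || challenge) with the selected hash."""
    h = hashlib.new(CHAP_ALGS[alg])
    h.update(bytes([identifier]))
    h.update(secret)
    h.update(challenge)
    return h.digest()


def verify(alg, identifier, secret, challenge, response):
    """Target side: recompute the response and compare in constant time."""
    expected = chap_response(alg, identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Constructed exchange: initiator offers MD5 and SHA-256, target forbids MD5."""
    secret = b"constructed-example-secret"      # sample value, not from the page
    alg = select_algorithm("5,7", allow_md5=False)
    identifier, challenge = 0x2A, os.urandom(32)  # CHAP_I and CHAP_C from the target
    good = chap_response(alg, identifier, secret, challenge)
    bad = chap_response(alg, identifier, b"wrong-secret", challenge)
    return (alg,
            verify(alg, identifier, secret, challenge, good),
            verify(alg, identifier, secret, challenge, bad))
```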
