Hashing algorithm used with iSCSI for CHAP authentication
12 views
Skip to first unread message
KUMAR NITISH
Aug 4, 2025, 9:02:46 AMAug 4
to open-...@googlegroups.com
Hi,
This mail is regarding usage of algorithms SHA1, SHA2 and SHA3 with iSCSI for CHAP authentication.
RFC 1994 mentions support for only the MD5 algorithm, I have copied the RFC excerpt below.
"The Algorithm field is one octet and indicates the authentication method to be used.
Up-to-date values are specified in the most recent "Assigned Numbers" [2].
One value is required to be implemented: 5 CHAP with MD5 [3]"
Clearly the RFC does not mention other values that map to SHA1, SHA2 and SHA3.
But I see open-iscsi and scst-iscsi implementations have used values 6, 7, 8 for these algorithms.
open-iscsi : auth.c
AUTH_CHAP_ALG_MD5 = 5,
AUTH_CHAP_ALG_SHA1 = 6,
AUTH_CHAP_ALG_SHA256 = 7,
AUTH_CHAP_ALG_SHA3_256 = 8,
iscsi-scst : chap.c
#define CHAP_DIGEST_ALG_MD5 5
#define CHAP_DIGEST_ALG_SHA1 6
#define CHAP_DIGEST_ALG_SHA256 7
#define CHAP_DIGEST_ALG_SHA3_256 8
Can someone please share details on how open-iscsi and iscsi-scst implementations decided to use these numbers?
Is this covered in any specification/RFC, how would targets or other OSes know the value to be used?
Please share any document references.
Thanks,
Nitish
KUMAR NITISH
Aug 6, 2025, 6:55:28 AMAug 6
to open-...@googlegroups.com
Ping!
If anyone has context to the query from the email below, please reply.
Chris Leech
Aug 6, 2025, 12:41:33 PMAug 6
to open-...@googlegroups.com, KUMAR NITISH
Hello Nitish,
As you mentioned, RFC 7143 (iSCSI) references RFC 1994 (PPP CHAP) and
both require that algorithm 5 (MD5) be implemented. But, RFC 1994
also states that up-to-date values are specified as assigned numbers
(calling out RFC 1700). RFC 1700 was obsoleted by RFC 3232, which
established a separate IANA database for assigned numbers.
If you look up the PPP Authentication Algorithms in the IANA database,
you can see the assignments for SHA-1, SHA-256 and SHA3-256.
https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9
Maurizio Lombardi and myself from Red Hat worked with David Black to
get these assigned numbers from IANA, and then implemented the
Open-iSCSI and Linux kernel target support. The need at the time was
to provide an option for FIPS compliant algorithms in environments
where MD5 is not allowed to be used.
I hope this helps!
- Chris Leech
> --
> You received this message because you are subscribed to the Google Groups "open-iscsi" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/open-iscsi/CAGEDioPc0UQMtrXr4fLQbedDT4cja5WPcLV-cU6Nn-C34TNHsw%40mail.gmail.com.
As you mentioned, RFC 7143 (iSCSI) references RFC 1994 (PPP CHAP) and
both require that algorithm 5 (MD5) be implemented. But, RFC 1994
also states that up-to-date values are specified as assigned numbers
(calling out RFC 1700). RFC 1700 was obsoleted by RFC 3232, which
established a separate IANA database for assigned numbers.
If you look up the PPP Authentication Algorithms in the IANA database,
you can see the assignments for SHA-1, SHA-256 and SHA3-256.
https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9
Maurizio Lombardi and myself from Red Hat worked with David Black to
get these assigned numbers from IANA, and then implemented the
Open-iSCSI and Linux kernel target support. The need at the time was
to provide an option for FIPS compliant algorithms in environments
where MD5 is not allowed to be used.
I hope this helps!
- Chris Leech
> You received this message because you are subscribed to the Google Groups "open-iscsi" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/open-iscsi/CAGEDioPc0UQMtrXr4fLQbedDT4cja5WPcLV-cU6Nn-C34TNHsw%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages