Users Guide
Configuring Secured iSCSI Connections Using Challenge-Handshake Authentication Protocol
Few security features for the iSCSI protocol are included in the iSCSI layer 
itself, apart from any security layers that may be present in the lower TCP/IP 
and Ethernet layers. You can enable and disable the iSCSI security features as 
required.
The Microsoft® iSCSI Initiator uses the Challenge-Handshake 
Authentication Protocol (CHAP) to verify the identity of iSCSI host systems 
attempting to access iSCSI Targets. The iSCSI Initiator and iSCSI Target use 
CHAP and share a predefined secret. The Initiator combines the secret with 
other information into a value and calculates a one-way hash using the 
Message Digest 5 (MD5) function. The hash value is transmitted to the 
Target. The Target computes a one-way hash of its shared secret and other 
information. If the hash values match, the Initiator is authenticated. The 
other security information includes an ID value that is increased with each 
CHAP dialog to protect against replay attacks. The Dell™ PowerVault™ NAS 
storage solution also supports Mutual CHAP.
CHAP is generally regarded as more secure than Password Authentication 
Protocol (PAP).
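
The exchange described above as a Python sketch, using the CHAP-with-MD5 computation from RFC 1994 (MD5 over the ID octet, the secret, then the challenge). This is an added example, not code from this guide or from the Microsoft iSCSI Initiator; the class, function names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(ID octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Verifier:
    """The side issuing the challenge (the Target in one-way CHAP)."""

    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.challenge = None

    def new_challenge(self):
        # New ID and random challenge per dialog, so a captured
        # response cannot be replayed in a later dialog.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, response):
        if self.challenge is None:
            return False  # no outstanding challenge
        expected = chap_response(self.identifier, self.secret, self.challenge)
        self.challenge = None  # each challenge is accepted once
        return hmac.compare_digest(expected, response)


def run_dialog(verifier, peer_secret):
    """One dialog: verifier challenges, peer answers using its copy of the secret."""
    ident, chal = verifier.new_challenge()
    return verifier.verify(chap_response(ident, peer_secret, chal))


if __name__ == "__main__":
    # Constructed secrets; Mutual CHAP uses one check in each direction.
    initiator_secret = b"constructed-initiator-secret"
    target_secret = b"constructed-target-secret"
    target_checks_initiator = Verifier(initiator_secret)
    initiator_checks_target = Verifier(target_secret)
    print("initiator authenticated:", run_dialog(target_checks_initiator, initiator_secret))
    print("target authenticated:", run_dialog(initiator_checks_target, target_secret))
    print("wrong secret accepted:", run_dialog(target_checks_initiator, b"guess"))
```

The secret itself never crosses the wire; only the 16-byte hash does, and it is bound to the ID and challenge of one dialog.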










