SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    iSCSI authentication requirements



    In order to move forward on selecting an alternative mandatory iSCSI login 
    authentication method, it is important to understand what the requirements 
    are. I would like to suggest that the following requirements are essential:
    
    a. Mutual authentication
    b. Pre-shared key support with sufficient key size (e.g. 128 bits)
    c. Resistance to man-in-the-middle attack
    
    On the other hand, I would argue that the following requirements are *not* 
    important:
    
    d. Resistance to hijacking
    e. Dictionary attack resistance
    f. Support for certificate authentication
    
    Goals
    
    Mutual authentication is important so that not only can the iSCSI Target 
    authenticate the Initiator, but also the Initiator can authenticate the 
    Target. The ability to detect a rogue Target is important, especially since 
    iSCSI can be used for booting and rogue Targets could fools Initiators into 
    making use of bogus data. The ability of the Target to authenticate the 
    Initiator is important so that the Target can control access.
    
    Pre-shared key support is important since this is likely to be the most 
    common use of iSCSI login authentication. The pre-shared key should be 
    unique to the two parties, and not suceptible to man-in-the-middle attack, 
    as opposed to the Group Pre-Shared key that is so widely implemented within 
    IPsec VPN clients, and that enables man-in-the-middle vulnerabilties. 
    Sufficient entropy is required to avoid brute-force attacks.
    
    Non-goals
    
    iSCSI login authentication can be used with or without IPsec. When IPsec is 
    not used, the iSCSI connection can be hijacked, but this is not something 
    that login authentication can protect against.
    
    One of the reasons that SRP was chosen was its resistant to dictionary 
    attack when weak secrets are used. However, it is not clear that this is 
    useful functionality for iSCSI login authentication.
    
    Mounting iSCSI volumes is inherently a machine activity, since access to 
    that volume, when mounted, is determined by the operating system and its 
    access controls rather than security services within the wire protocol.
    
    As a result, the credentials used for iSCSI login may be machine 
    credentials, which can be assumed to be pre-shared keys with significant 
    entropy, rather than a user password.
    
    The once scenario in which a user password might be relevant is mounting an 
    iSCSI volume via a storage service provider. However, this is exactly the 
    scenario in which IPsec protection of iSCSI would be most likely. Therefore, 
    I would claim that dictionary attack resistance is not important here 
    either.
    
    If certificate authentication is possible and desired, this can be provided 
    within IKE Main Mode. As a result, certificate-based authentication is not 
    required within iSCSI login.
    
    
    
    
    _________________________________________________________________
    MSN Photos is the easiest way to share and print your photos: 
    http://photos.msn.com/support/worldwide.aspx
    
    


Home

Last updated: Wed Mar 27 16:18:13 2002
9353 messages in chronological order