RE: DH-CHAP
> POST to IP Storage working group
> ----------------------------------
> Just had a look at DH-CHAP protocol.
> Assume the following is the correct formulation of DH-CHAP.
> Then I suspect it is not secure against active off-line dictionary
> attacks.
That is correct. DH-CHAP is not secure against active attacks, and
is not intended to be secure against active attacks, just passive
ones. Section 1 of the DH-CHAP draft says:
    DH-CHAP strengthens CHAP in a fashion that
    requires an attacker to perform an online attack (which will
    generally lead to an authentication failure) in order to capture
    the information required to mount an off-line dictionary attack on
    each CHAP secret.
The "(which will generally lead to an authentication failure)" text
is incorrect and will be removed in the -01 version of the draft,
as an impersonation attack against one-way authentication will not
generally lead to an authentication failure.
The impersonation attack that Yongge Wang describes is noted in Section
6.3 of the DH-CHAP draft which says that both CHAP and DH-CHAP Initiators
are vulnerable to both impersonation and man-in-the-middle attacks.
[... details of impersonation attack snipped ...]
> If you have any interest in revising DH-CHAP to get a secure version,
> I may spend some time to help you on this matter...
Thanks, but resistance to this sort of active attack is not a design
goal of DH-CHAP. I would have hoped this was clear from the first
paragraph of Section 1, but I could add a sentence to make this
explicit if that would improve the clarity of the draft.
Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500
black_david@emc.com Cell: +1 (978) 394-7754
---------------------------------------------------
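As an added illustration of the passive-versus-active distinction drawn above (example code written for this page, not text from the draft or from either correspondent): a toy model in which the CHAP response covers only the challenge, while the DH-CHAP response also covers the Diffie-Hellman shared value. The group parameters, the hash construction H(id || secret || challenge [|| g^xy]) and the function names are assumptions made here and are not the DH-CHAP wire format. The point it makes visible is that the passive view of a DH-CHAP exchange carries g^x and g^y but not g^xy, so a response cannot be recomputed from the transcript alone; only an endpoint, or a party that actively supplied one of the exponents, holds g^xy, which is the online step the draft refers to.

```python
"""Toy model: a passive observer can recompute a CHAP response from the wire
view, but not a DH-CHAP response, because the latter also covers g^xy.

Added illustration, not the draft's formulation: the group, the hash
construction and the names below are assumptions chosen for readability.
"""
import hashlib
import secrets
from typing import Optional

# Constructed toy Diffie-Hellman group (a Mersenne prime and a generator);
# far too small for real use, chosen only so the arithmetic is readable.
P = 2**127 - 1
G = 5
GROUP_BYTES = 16  # every residue mod P fits in 16 bytes


def H(*parts: bytes) -> bytes:
    """Stand-in for the CHAP hash: SHA-256 over the concatenated inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def chap_exchange(secret: bytes, chap_id: int = 1) -> dict:
    """One CHAP round. The returned dict is exactly what crosses the wire."""
    challenge = secrets.token_bytes(16)
    response = H(bytes([chap_id]), secret, challenge)
    return {"id": chap_id, "challenge": challenge, "response": response}


def dh_chap_exchange(secret: bytes, chap_id: int = 1) -> tuple:
    """One DH-CHAP round in this toy model.

    The authenticator sends a challenge and g^x; the peer answers with g^y and
    a response that also covers the shared value g^xy. Returns the wire view
    and, separately, the shared value that only the two endpoints hold.
    """
    x = secrets.randbelow(P - 3) + 2
    y = secrets.randbelow(P - 3) + 2
    gx, gy = pow(G, x, P), pow(G, y, P)
    challenge = secrets.token_bytes(16)
    shared_peer = pow(gx, y, P)        # peer combines its y with g^x
    shared_auth = pow(gy, x, P)        # authenticator combines its x with g^y
    assert shared_peer == shared_auth  # both ends agree on g^xy
    response = H(bytes([chap_id]), secret, challenge,
                 shared_peer.to_bytes(GROUP_BYTES, "big"))
    wire = {"id": chap_id, "challenge": challenge, "gx": gx, "gy": gy,
            "response": response}
    return wire, {"shared": shared_peer}


def chap_response_from_view(view: dict, candidate: bytes) -> bytes:
    """Recompute a CHAP response from the wire view and a candidate secret.
    Every input is on the wire, so a passive observer has all it needs."""
    return H(bytes([view["id"]]), candidate, view["challenge"])


def dh_chap_response_from_view(view: dict, candidate: bytes,
                               shared: Optional[int] = None) -> Optional[bytes]:
    """Recompute a DH-CHAP response. The wire view carries g^x and g^y but not
    g^xy; without that value (held by an endpoint, or by an active party that
    supplied one of the exponents) the response cannot be recomputed, and the
    function returns None to make that gap explicit."""
    if shared is None:
        return None
    return H(bytes([view["id"]]), candidate, view["challenge"],
             shared.to_bytes(GROUP_BYTES, "big"))


if __name__ == "__main__":
    secret = b"constructed-sample-secret"
    v = chap_exchange(secret)
    print("CHAP: passive view suffices:",
          chap_response_from_view(v, secret) == v["response"])
    w, endpoint_state = dh_chap_exchange(secret)
    print("DH-CHAP: passive view suffices:",
          dh_chap_response_from_view(w, secret) is not None)
    print("DH-CHAP: endpoint with g^xy can verify:",
          dh_chap_response_from_view(w, secret, endpoint_state["shared"]) == w["response"])
```

The model deliberately stops at the question "does this view determine the response?"; it does not model the impersonation attack snipped above, whose effect is simply that an active party obtains the `shared` value the passive observer lacks.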