
    RE: DH-CHAP



    Excerpt of message (sent 12 April 2002) by Julian Satran:
    > I think that we will have to decide if MIM and any other active attacks 
    > should be a major concern.
    > IMHO they are for (at least) the following reasons:
    > 
    > wireless is becoming important and MIM attacks are so much simpler in 
    > this area
    > bidirectional authentication is important as loading active content from 
    > an unauthenticated target is a major risk (imagine that you load a 
    > slightly modified OS from an impersonating target) and both target and 
    > initiator should be concerned about impersonators
    > 
    >  DH-CHAP (or should I call it DB-CHAP?)  used for bilateral authentication 
    > as 2 exchanges besides not "synchronizing" authentication is even more 
    > exposed to active attack than CHAP.
    
    I'm not sure I understand that last part.
    
    For MIM in general, I would suggest that it is useful to have the
    different parts of the system be somewhat similar in strength.
    
    There are two cases to consider: IPsec in use for the iSCSI
    connections, and IPsec not in use.
    
    If IPsec is in use, then MIM attacks are ruled out by IPsec.  In that
    setting, CHAP works fine.  The other two work too, of course, but they
    repeat work that IPsec/IKE has already done.
    
    If IPsec is NOT in use, then protecting the authentication handshake
    from MIM attacks is not all that meaningful.  After all, the attacker
    can transparently forward the authentication handshake (acting as a
    wire, so it succeeds even in authentication schemes that are
    MIM-proof).  Once authentication has finished, the attacker can then
    take over the full feature mode connection, and manipulate the iSCSI
    traffic at will.  The fact that the client was strongly authenticated
    is no help.
    
    A different way to look at it:
    
    A customer decides to use or not use IPsec based on a threat analysis.
    If the threat analysis says that active attack (MIM) is a significant
    risk, then you conclude that you need to turn on IPsec, because that
    is the only way to protect the storage traffic against active attack.
    
    If you worry about passive attack (eavesdropping) you probably still
    want IPsec.
    
    If in your installation, network attacks are considered unlikely
    (perhaps because of the physical partitioning of the various networks)
    then you would conclude IPsec is not needed.  In that case, the very
    same analysis says that the risks in CHAP aren't a concern either.
    
    Bottom line: I do not see why active attack on authentication in a
    setting where IPsec is not used is an interesting case.
    
    	paul
    
    

    • References:
      • RE: DH-CHAP
        • From: "Julian Satran" <Julian_Satran@il.ibm.com>
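The relay case argued in the reply above, as an added example that is not part of the original message or of any iSCSI implementation: a toy model in which a middle node forwards a CHAP handshake unchanged and then alters a data PDU. The Target class, the PDU bytes and the HMAC tag (a stand-in for the per-packet integrity IPsec provides) are assumptions made for illustration.

```python
import hashlib, hmac, os

SECRET = b"constructed-chap-secret"  # constructed sample; known to both endpoints only

def chap_response(ident, secret, challenge):
    # RFC 1994 CHAP: MD5 over identifier || secret || challenge
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def tag_for(key, payload):
    # Stand-in for per-packet integrity (what IPsec ESP provides); assumed model
    return hmac.new(key, payload, hashlib.sha256).digest()

class Target:
    def __init__(self, secret, mac_key=None):
        self.secret, self.mac_key, self.authenticated = secret, mac_key, False

    def challenge(self):
        self.ident, self.chal = 1, os.urandom(16)
        return self.ident, self.chal

    def verify(self, response):
        expected = chap_response(self.ident, self.secret, self.chal)
        self.authenticated = hmac.compare_digest(response, expected)
        return self.authenticated

    def receive(self, payload, tag):
        # Full-feature-phase PDU: accepted only after login succeeded
        if not self.authenticated:
            return False
        if self.mac_key is None:      # no per-packet protection configured
            return True
        return tag is not None and hmac.compare_digest(tag, tag_for(self.mac_key, payload))

def relayed_session(mac_key=None):
    """Middle node forwards the handshake verbatim, then alters one data PDU."""
    target = Target(SECRET, mac_key)
    ident, chal = target.challenge()               # forwarded unchanged to initiator
    response = chap_response(ident, SECRET, chal)  # initiator's answer, forwarded back
    auth_ok = target.verify(response)
    payload = b"WRITE lba=100 data=original"       # constructed PDU, not real iSCSI
    tag = tag_for(mac_key, payload) if mac_key else None
    altered = payload.replace(b"original", b"modified")  # changed in transit
    return auth_ok, target.receive(altered, tag)

if __name__ == "__main__":
    print("no per-packet integrity:", relayed_session())
    print("per-packet integrity:   ", relayed_session(os.urandom(32)))
```

In both runs the login succeeds, because the handshake itself is never modified; only the run with a per-packet tag rejects the altered PDU.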


Last updated: Fri Apr 12 16:18:20 2002