RE: DH-CHAP

Excerpt of message (sent 12 April 2002) by Julian Satran:
> I think that we will have to decide if MIM and any other active attacks
> should be a major concern.
> IMHO they are for (at least) the following reasons:
>
> - wireless is becoming important and MIM attacks are so much simpler in
>   this area
> - bidirectional authentication is important as loading active content from
>   an unauthenticated target is a major risk (imagine that you load a
>   slightly modified OS from an impersonating target) and both target and
>   initiator should be concerned about impersonators
>
> DH-CHAP (or should I call it DB-CHAP?) used for bilateral authentication
> as 2 exchanges besides not "synchronizing" authentication is even more
> exposed to active attack than CHAP.

I'm not sure I understand that last part.

For MIM in general, I would suggest that it is useful to have the different parts of the system be somewhat similar in strength.

There are two cases to consider: IPsec in use for the iSCSI connections, and IPsec not in use.

If IPsec is in use, then MIM attacks are ruled out by IPsec. In that setting, CHAP works fine. The other two work too, of course, but they repeat work that IPsec/IKE has already done.

If IPsec is NOT in use, then protecting the authentication handshake from MIM attacks is not all that meaningful. After all, the attacker can transparently forward the authentication handshake (acting as a wire, so it succeeds even in authentication schemes that are MIM-proof). Once authentication has finished, the attacker can then take over the full feature mode connection, and manipulate the iSCSI traffic at will. The fact that the client was strongly authenticated is no help.

A different way to look at it:

A customer decides to use or not use IPsec based on a threat analysis.

If the threat analysis says that active attack (MIM) is a significant risk, then you conclude that you need to turn on IPsec, because that is the only way to protect the storage traffic against active attack.

If you worry about passive attack (eavesdropping) you probably still want IPsec.

If in your installation, network attacks are considered unlikely (perhaps because of the physical partitioning of the various networks) then you would conclude IPsec is not needed. In that case, the very same analysis says that the risks in CHAP aren't a concern either.

Bottom line: I do not see why active attack on authentication in a setting where IPsec is not used is an interesting case.

paul
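
The following is an added illustration, not part of the message above or of any iSCSI implementation: a small in-memory model showing that a CHAP login (RFC 1994 response) still verifies when every handshake byte is forwarded by a middle node, that a later unprotected PDU can be changed with nothing to detect it, and that a per-message integrity tag does detect the change. The secrets, the PDU text, and the use of HMAC-SHA256 as a simplified stand-in for IPsec integrity protection are all assumptions made for the example.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-chap-secret"   # CHAP secret shared by both ends (sample value)
MAC_KEY = b"constructed-session-key"  # stands in for keys IKE would negotiate (sample)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def relay(msg: bytes) -> bytes:
    """Middle node during login: forwards every handshake byte unchanged."""
    return msg

def tamper(wire: bytes) -> bytes:
    """Middle node after login: alters a data PDU in transit."""
    return wire.replace(b"block=7", b"block=9")

def login_through_relay() -> bool:
    """Target challenges, initiator answers; both legs pass through relay()."""
    ident, challenge = 1, os.urandom(16)
    seen_by_initiator = relay(challenge)
    response = relay(chap_response(ident, SECRET, seen_by_initiator))
    return hmac.compare_digest(response, chap_response(ident, SECRET, challenge))

def protect(pdu: bytes) -> bytes:
    """Append a per-message HMAC-SHA256 tag (simplified stand-in for IPsec)."""
    return pdu + hmac.new(MAC_KEY, pdu, hashlib.sha256).digest()

def accept(wire: bytes) -> bool:
    """Receiver side: verify the 32-byte tag before trusting the PDU."""
    pdu, tag = wire[:-32], wire[-32:]
    return hmac.compare_digest(tag, hmac.new(MAC_KEY, pdu, hashlib.sha256).digest())

def run() -> dict:
    pdu = b"WRITE block=7 data=hello"  # constructed sample PDU
    return {
        "login_ok_with_relay": login_through_relay(),
        "plain_pdu_altered": tamper(pdu) != pdu,
        "untampered_protected_pdu_accepted": accept(protect(pdu)),
        "tampered_protected_pdu_accepted": accept(tamper(protect(pdu))),
    }

if __name__ == "__main__":
    print(run())
```

The login result is the same whether or not the relay is present, so the handshake alone gives the receiver no signal; only the per-message check separates the altered PDU from the original.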