|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: DH-CHAPWhether or not one likes SRP, I don't see the compelling argument for DH-CHAP. Here's why. Regarding Yongge Wang's active attack on DH-CHAP ... At 10:47 AM 4/12/02 -0400, Theodore Tso wrote: >Um, how is this not a man-in-the-middle attack? Intercepting a D-H >exchange (which is what you have to do in order to gain access to the >CHAP exchange) is pretty much the classic example of a MITM attack. Here's a difference: In Yongge's attack, the enemy listens and sends a packet, but doesn't really need to block other traffic. In an eavesdropper attacks (e.g on CHAP) the enemy only listens. In the classic DH MITM attack, the enemy completely controls the communication channel and intercepts, modifies, and forwards modified packets. Yongge's attack falls between these extremes. For many scenarios, I'll argue that there's no big extra barrier for an eavesdropper to also be able to send. So if CHAP is insufficient, then so is DH-CHAP. >> 2. Secondly, this attack is not only easy to mount in wireless >> environment, but also easy to mount in the Internet environment. >> Assume that the traffic from initiator to target passes through >> 2 or 3 routers. Then the firt router from initiator to target or >> any computer in the LAN of initiator can easily mount this attack. > >Um, that's not realistic. In order to carry out such an attack at a >router, the attacker would have to take over the router, and the >router would have to have the facilities to allow this sort of MITM >attack to occur. With most routers being specialized hardware devices >(read: i.e., Cisco's), assuming that an attacker would be able to >subvert a router so that it could carry out this attack is stretching >the bounds of credibility. Be fair. The attack can be mounted from any compromised node, wire, or "ether" between the two legitimate end points. If enemy access to the network media and all intervening nodes is not realistic, then there's a simpler point that can be made: In a trustworthy network, SRP is unnecessary, and so is DH-CHAP, and so is CHAP. In this case, a clear-text password works OK. I think it's a contrivance to draw a big distinction between eavesdroppers and enemies that can also send. And, to be fair to the other side, it seems contrived to draw a huge distinction between one who can sniff data from the network, and one who can hijack an unencrypted authenticated session. So if you're not using IPsec to encrypt session data, why protect the authentication password at all? A simple argument (which I presume is a motivation for requiring even CHAP) is that the password itself may be more valuable than the data obtained in a given password-authenticated session. -- David
Home Last updated: Sun Apr 14 00:18:24 2002 9656 messages in chronological order |