
    RE: DH-CHAP



    
    
    >In your example, is this attack only possible in a HUBed environment?
    >Would it still be as easy in a Switched only environment?
    
    John,
    For most switched environments, this attack is possible, though for
    some switched networks (with some special intelligent configurations,
    e.g., if the switch will not broadcast the traffic of the initiator to the
    attacker's side... however, this configuration is seldom used...
    a switch is not supposed to be as smart as a router in the Internet), 
    this attack will not work.
    
    The only requirement for the attack to work is that the 
    attacker's network card could "see" the request from the initiator.
    For most networks, the attacker could see this due to the low-level
    broadcast property of Ethernet.
    
    Regards,
    Yongge
    
    --------------
    "Yongge Wang" <ywang@karthika.com>@ece.cmu.edu on 04/14/2002 09:33:40 AM
    
    Sent by:    owner-ips@ece.cmu.edu
    
    
    To:    "Bill Studenmund" <wrstuden@wasabisystems.com>
    cc:    <ips@ece.cmu.edu>
    Subject:    RE: DH-CHAP
    
    
    
    >There is one difference. The attack will get noticed.
    
    Yes, you are correct. If the initiator logs all failed logins, then
    there is a failure log record. But there may be many kinds of
    failure log reports, and the log due to this kind of attack is
    almost indistinguishable (for most concise log files)
    from other failures. Thus we are not sure this failure is due to
    an attack.
    
    >Yongge's attack (as I understand it) is essentially a MITM attack, except
    >that MITM usually tries to continue the conversation while in this case
    >the rogue just leaves after it gets the response it needs.
    
    You can say this is MITM if you define MITM in this way.
    However, in the literature, the man-in-the-middle attack is defined
    in the way David (Jablon) has pointed out: The attacker controls the entire
    communication links between the two real entities. This is a subtle
    difference.
    
    The attacker on DH-CHAP does not need to control the links.
    A simple example is as follows:
    
    The initiator and the attacker sit on one local Ethernet-I (e.g.,
    connected by a hub), the target sits on another Ethernet-II though
    still in the same organization.  The Ethernet-I and Ethernet-II
    are connected by a switch or a router. Now the attacker could easily
    (almost trivially) launch the attack though neither the attacker controls
    the links between the initiator and the target nor the attacker
    sits between the initiator and the target.
    
    >This attack involves the rogue agent sending a response to the initiator
    >giving it a g^x mod n to use. That g^x mod n will not be the one the
    >target chose, so this attack will result in a login failure; a failure
    >with the same signature as a MitM attack.
    >
    >So that is one difference between DH-CHAP and CHAP - you have to go to an
    >active attack to get at the password.
    
    Agreed. The fact pointed out by David (Jablon) is: Is this attack
    essentially harder than the pure passive attack? In many situations,
    it is not.... In the scenario I described above this attack is as easy
    as the pure passive attacks. (Note that a real man-in-the-middle attack
    is generally harder to mount than a pure passive attack).
    
    I am just pointing out a vulnerable situation for DH-CHAP.
    Whether DH-CHAP will be included in the iSCSI standard,
    it makes no difference to me.
    
    Thanks for your discussion in this matter.
    
    Best regards,
    Yongge
    
    
    
    

    • Follow-Ups:
      • RE: DH-CHAP
        • From: Bill Studenmund <wrstuden@wasabisystems.com>
    • References:
      • RE: DH-CHAP
        • From: "John Hufferd" <hufferd@us.ibm.com>



Last updated: Mon Apr 15 13:18:21 2002