iSCSI: DH-CHAP and impersonation

Perry,

> > The attacker on DH-CHAP does not need to control the links.
> > A simple example is as follows:
> >
> > The initiator and the attacker sit on one local Ethernet-I (e.g.,
> > connected by a hub), the target sits on another Ethernet-II though
> > still in the same organization. The Ethernet-I and Ethernet-II
> > are connected by a switch or a router. Now the attacker could easily
> > (almost trivially) launch the attack though neither the attacker controls
> > the links between the initiator and the target nor the attacker
> > sits between the initiator and the target.
>
> I must admit that I completely fail to understand the difference
> between this and a normal "man in the middle" attack. In either, you
> insert yourself into the communications and play to each end.
>
> I'm also very much unclear on why this attack, given the CHAP
> authentication layered on top of the Diffie-Hellman exchange, is of
> concern.

I don't think Yongge Wang has completely explained his example.
Consider the following sequence of events:

- The attacker crashes or disconnects the IP Storage Target, so that
  it can't respond to ARPs (e.g., pulls out an Ethernet cable).
- The attacker waits for the Initiator's ARP cache to time out.
- The attacker's system responds to the Initiator's re-ARP for the
  Target's IP with the attacker's Ethernet MAC instead of the Target's.
- The attacker runs DH-CHAP far enough to get a response from the
  Initiator. The attacker is impersonating the (off-line and still
  confused) target.

The attacker needs to be on the same subnet as the Target (VLAN would
do) in order to see and respond to the ARP. Depending on the IP address
configuration, being on the same subnet as the Initiator may work in
some cases. It's also the case that switched Ethernet infrastructures
are tending towards smaller subnets for reasons like poor scaling of
the Ethernet spanning-tree algorithm, which limits the opportunity for
this. Note that the attacker relies on the Target being off-line or
otherwise unable to participate.

If the Initiator finds the Target via a DNS lookup, a corruption attack
on the DNS server followed by a well-placed TCP RST achieves similar
results without taking the Target offline (nastier, and one more reason
why everyone should run DNSSEC even though almost nobody does).

These are the sorts of thing I had in mind for an Impersonation attack
in the DH-CHAP draft, and I don't think they qualify as
Man-in-the-Middle attacks.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449            *NEW* FAX: +1 (508) 497-8500
black_david@emc.com          Cell: +1 (978) 394-7754
---------------------------------------------------
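The ARP-cache sequence in the message above (Target taken off-line, Initiator's cache entry expires, attacker answers the re-ARP), replayed as an added example. This is not code from the original post, from the DH-CHAP draft, or from any iSCSI implementation; the addresses, the 60-second cache timeout, the time at which the Target's cable is pulled and the probe times are all constructed, and it assumes the attacker shares a broadcast domain with the Target, as the post requires. The second half shows the two things a practitioner wants to see: an arpwatch-style detector that flags the changed IP-to-MAC binding, and a static ARP entry for the Target, which makes the Initiator ignore the attacker's reply.

```python
"""Simulation of the ARP-cache impersonation sequence from the post above.

Added example, not code from the original message or from any iSCSI
implementation. All hosts, addresses, timeouts and timestamps are
constructed for illustration. The simulation assumes the Initiator and
the attacker share one broadcast domain with the Target, so the
attacker sees and can answer the Initiator's re-ARP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses (hypothetical).
TARGET_IP = "10.0.2.20"
TARGET_MAC = "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"

ARP_CACHE_TIMEOUT = 60    # seconds; assumed value, real stacks differ
TARGET_UNPLUGGED_AT = 40  # constructed: attacker pulls the Target's cable here


@dataclass
class ArpReply:
    t: int     # time the reply is observed on the wire
    ip: str    # sender protocol address (the IP being answered for)
    mac: str   # sender hardware address claimed for that IP


@dataclass
class ArpEntry:
    mac: str
    learned_at: int


class InitiatorArpCache:
    """Minimal ARP cache: dynamic entries expire after `timeout` seconds.

    Static entries never expire and are never overwritten by replies,
    which is the mitigation an operator would apply for a known Target.
    """

    def __init__(self, timeout: int = ARP_CACHE_TIMEOUT) -> None:
        self.timeout = timeout
        self.dynamic: Dict[str, ArpEntry] = {}
        self.static: Dict[str, str] = {}

    def lookup(self, ip: str, now: int) -> Optional[str]:
        if ip in self.static:
            return self.static[ip]
        entry = self.dynamic.get(ip)
        if entry is None or now - entry.learned_at > self.timeout:
            return None        # missing or stale: the Initiator must re-ARP
        return entry.mac

    def learn(self, reply: ArpReply) -> None:
        if reply.ip in self.static:
            return             # static binding wins; spoofed reply ignored
        self.dynamic[reply.ip] = ArpEntry(reply.mac, reply.t)


def responders(now: int) -> List[str]:
    """MACs that answer an ARP request for TARGET_IP at time `now`.

    Before the cable is pulled only the real Target answers; afterwards
    only the attacker does, so there is no race for the attacker to win.
    """
    return [TARGET_MAC] if now < TARGET_UNPLUGGED_AT else [ATTACKER_MAC]


def run_scenario(static_target: bool = False,
                 probe_times: Tuple[int, ...] = (0, 30, 100)
                 ) -> Tuple[Dict[int, Optional[str]], List[ArpReply]]:
    """Replay the Initiator resolving TARGET_IP at each probe time.

    Returns the MAC the Initiator would frame traffic to at each time,
    plus every ARP reply seen on the segment (input for the detector).
    """
    cache = InitiatorArpCache()
    if static_target:
        cache.static[TARGET_IP] = TARGET_MAC
    seen: List[ArpReply] = []
    resolved: Dict[int, Optional[str]] = {}
    for now in probe_times:
        mac = cache.lookup(TARGET_IP, now)
        if mac is None:                       # cache miss or expired entry
            answers = responders(now)
            if answers:
                reply = ArpReply(now, TARGET_IP, answers[0])
                seen.append(reply)
                cache.learn(reply)
                mac = cache.lookup(TARGET_IP, now)
        resolved[now] = mac
    return resolved, seen


def detect_binding_changes(replies: List[ArpReply]) -> List[Tuple[int, str, str, str]]:
    """arpwatch-style check: flag any IP whose claimed MAC changes."""
    bindings: Dict[str, str] = {}
    alerts: List[Tuple[int, str, str, str]] = []
    for r in replies:
        prev = bindings.get(r.ip)
        if prev is not None and prev != r.mac:
            alerts.append((r.t, r.ip, prev, r.mac))
        bindings[r.ip] = r.mac
    return alerts


if __name__ == "__main__":
    resolved, seen = run_scenario()
    for t, mac in resolved.items():
        print(f"t={t:3d}s  Initiator sends to {mac}")
    for alert in detect_binding_changes(seen):
        print("ALERT: binding change", alert)
```

Run as-is, the Initiator frames to the real Target's MAC at t=0 and t=30, and to the attacker's MAC at t=100 once its cached entry has expired and only the attacker answers the re-ARP; the detector raises one alert for that binding change. With `run_scenario(static_target=True)` no ARP is sent at all, so the attacker's reply never reaches the cache. Note that the detector only sees the change because the Target's own earlier reply was recorded; a detector started after the Target went off-line has nothing to compare against, which is why the post's DNS variant (no ARP change at all) is the nastier case.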
Last updated: Mon Apr 15 18:18:22 2002