
    iSCSI: DH-CHAP and impersonation



    Perry,
    
    > > The attacker on DH-CHAP does not need to control the links.
    > > A simple example is as follows:
    > 
    > > The initiator and the attacker sit on one local Ethernet-I(e.g., 
    > > connected by a hub), the target sits on another Ethernet-II though
    > > still in the same organization.  The Ethernet-I and Ethernet-II
    > > are connected by a switch or a router. Now the attacker could easily
    > > (almost trivially) launch the attack though neither the attacker controls
    > > the links between the initiator and the target nor the attacker 
    > > sits between the initiator and the target.
    > 
    > I must admit that I completely fail to understand the difference
    > between this and a normal "man in the middle" attack. In either, you
    > insert yourself into the communications and play to each end.
    > 
    > I'm also very much unclear on why this attack, given the CHAP
    > authentication layered on top of the Diffie-Hellman exchange, is of
    > concern.
    
    I don't think Yongge Wang has completely explained his example.
    Consider the following sequence of events:
    - The attacker crashes or disconnects the IP Storage Target, so
    	that it can't respond to ARPs (e.g., pulls out an Ethernet cable).
    - The attacker waits for the Initiator's ARP cache to time out.
    - The attacker's system responds to the Initiator's re-ARP for
    	the Target's IP with the attacker's Ethernet MAC instead of
    	the Target's.
    - The attacker runs DH-CHAP far enough to get a response from
    	the Initiator.
    The attacker is impersonating the (off-line and still
    confused) target.  The attacker needs to be on the same
    subnet as the Target (VLAN would do) in order to see and
    respond to the ARP.  Depending on the IP address configuration,
    being on the same subnet as the Initiator may work in some cases.
    It's also the case that switched Ethernet infrastructures are
    tending towards smaller subnets for reasons like poor scaling
    of the Ethernet spanning-tree algorithm, which limits the
    opportunity for this.
    
    Note that the attacker relies on the Target being off-line or
    otherwise unable to participate.  If the Initiator finds the
    Target via a DNS lookup, a corruption attack on the DNS server
    followed by a well-placed TCP RST achieves similar results
    without taking the Target offline (nastier, and one more reason
    why everyone should run DNSSEC even though almost nobody does).
    
    These are the sorts of things I had in mind for an Impersonation
    attack in the DH-CHAP draft, and I don't think they qualify as
    Man-in-the-Middle attacks.
    
    Thanks,
    --David
    ---------------------------------------------------
     David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
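Added example (not part of David Black's message or of the DH-CHAP draft): the impersonation above leaves one observable trace on the wire, namely that the Target's IP address starts resolving to a different Ethernet MAC after the Initiator's re-ARP. The script below is an arpwatch-style check written for this page; it parses tcpdump-format ARP replies and flags any IP whose MAC binding changes, or that answers with a MAC other than the one recorded for it. The log lines, the addresses 10.0.0.10 / 10.0.0.20 and both MACs are constructed for the example; EXPECTED_BINDINGS stands in for whatever inventory or static ARP entry a site actually keeps.

```python
import re

# Constructed tcpdump-style ARP traffic (not a real capture). The Initiator
# (10.0.0.10) re-ARPs for the Target (10.0.0.20) every two minutes; the Target
# answers twice, then goes silent, and from 10:04 a different MAC answers.
SAMPLE_ARP_LOG = """\
10:00:00.000000 ARP, Request who-has 10.0.0.20 tell 10.0.0.10, length 28
10:00:00.000200 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:55, length 28
10:02:00.000000 ARP, Request who-has 10.0.0.20 tell 10.0.0.10, length 28
10:02:00.000150 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:55, length 28
10:04:00.000000 ARP, Request who-has 10.0.0.20 tell 10.0.0.10, length 28
10:04:00.000300 ARP, Reply 10.0.0.20 is-at de:ad:be:ef:00:01, length 28
10:06:00.000000 ARP, Request who-has 10.0.0.20 tell 10.0.0.10, length 28
10:06:00.000300 ARP, Reply 10.0.0.20 is-at de:ad:be:ef:00:01, length 28
"""

# Assumed known-good binding for the Target (e.g. from a site inventory or a
# static ARP entry configured on the Initiator).
EXPECTED_BINDINGS = {"10.0.0.20": "00:11:22:33:44:55"}

# Matches the reply lines only; requests carry no IP->MAC claim to check.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(log_text):
    """Yield (timestamp, ip, mac) for every ARP reply line in the log."""
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_binding_changes(log_text, expected=None):
    """Return alerts for IP->MAC bindings that flip or contradict the inventory.

    'changed'    : the MAC seen for an IP differs from the previous reply.
    'unexpected' : the MAC differs from EXPECTED_BINDINGS; reported once per
                   (ip, mac) pair so a persistent impostor is not re-alerted
                   on every reply.
    """
    expected = {ip: mac.lower() for ip, mac in (expected or {}).items()}
    last_seen = {}       # ip -> most recent MAC observed
    already_flagged = set()
    alerts = []
    for ts, ip, mac in parse_arp_replies(log_text):
        prev = last_seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "ip": ip, "kind": "changed",
                           "old": prev, "new": mac})
        if ip in expected and expected[ip] != mac and (ip, mac) not in already_flagged:
            alerts.append({"time": ts, "ip": ip, "kind": "unexpected",
                           "expected": expected[ip], "seen": mac})
            already_flagged.add((ip, mac))
        last_seen[ip] = mac
    return alerts


if __name__ == "__main__":
    for a in detect_binding_changes(SAMPLE_ARP_LOG, EXPECTED_BINDINGS):
        print(a)
```

On the sample log this reports the 10:04 reply twice: once as a binding change from 00:11:22:33:44:55 to de:ad:be:ef:00:01, and once as a MAC that contradicts the inventory. Either alert on an IP Storage Target's address, timed just after that Target stopped answering, is the signature of the scenario in the message. Note that this is detection only; the check does nothing against the DNS variant David describes, where the Initiator is steered to a different IP altogether and the ARP bindings stay honest.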
    

Last updated: Mon Apr 15 18:18:22 2002