iSCSI: possible DH-CHAP rationale

To: ips@ece.cmu.edu
Subject: iSCSI: possible DH-CHAP rationale
From: Black_David@emc.com
Date: Mon, 15 Apr 2002 17:39:33 -0400
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Reminder: This is NOT posted in my role as wg chair.

I thought I'd attempt to lay out a possible short
rationale for why DH-CHAP may be interesting:

(1) Assumption: If one is concerned about active attacks
	on session authentication, one should also be
	concerned about active attacks on the TCP session
	that 	results after the authentication (e.g., TCP
	hijack for which exploit code is readily available).
(2) For iSCSI, the defense against active attacks
	on the TCP session after authentication is
	IPsec ESP.
(3) Hence, if one is concerned about active attacks,
	one should be running IPsec, and hence the
	scenario of concern for CHAP/DH-CHAP/SRP is
	passive attacks (e.g., packet sniffer).

DH-CHAP is clearly superior to CHAP in dealing with
passive attacks.  I don't think SRP is significantly
better in this regard.

Comments?
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------

Prev by Date: RE: DH-CHAP
Next by Date: RE: iSCSI: possible DH-CHAP rationale
Prev by thread: iSCSI: DH-CHAP and impersonation
Next by thread: RE: iSCSI: possible DH-CHAP rationale
Index(es):
- Date
- Thread

Home

Last updated: Mon Apr 15 19:18:19 2002
9681 messages in chronological order