
    iSCSI: possible DH-CHAP rationale



    Reminder: This is NOT posted in my role as wg chair.
    
    I thought I'd attempt to lay out a possible short
    rationale for why DH-CHAP may be interesting:
    
    (1) Assumption: If one is concerned about active attacks
    	on session authentication, one should also be
    	concerned about active attacks on the TCP session
    	that results after the authentication (e.g., TCP
    	hijack for which exploit code is readily available).
    (2) For iSCSI, the defense against active attacks
    	on the TCP session after authentication is
    	IPsec ESP.
    (3) Hence, if one is concerned about active attacks,
    	one should be running IPsec, and hence the
    	scenario of concern for CHAP/DH-CHAP/SRP is
    	passive attacks (e.g., packet sniffer).
    
    DH-CHAP is clearly superior to CHAP in dealing with
    passive attacks.  I don't think SRP is significantly
    better in this regard.
    
    Comments?
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
    


Last updated: Mon Apr 15 19:18:19 2002