iSCSI: possible DH-CHAP rationale

Reminder: This is NOT posted in my role as wg chair.

I thought I'd attempt to lay out a possible short rationale for why DH-CHAP may be interesting:

(1) Assumption: If one is concerned about active attacks on session authentication, one should also be concerned about active attacks on the TCP session that results after the authentication (e.g., TCP hijack for which exploit code is readily available).

(2) For iSCSI, the defense against active attacks on the TCP session after authentication is IPsec ESP.

(3) Hence, if one is concerned about active attacks, one should be running IPsec, and hence the scenario of concern for CHAP/DH-CHAP/SRP is passive attacks (e.g., packet sniffer).

DH-CHAP is clearly superior to CHAP in dealing with passive attacks. I don't think SRP is significantly better in this regard.

Comments?

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW*  FAX: +1 (508) 497-8500
black_david@emc.com  Cell: +1 (978) 394-7754
---------------------------------------------------
Last updated: Mon Apr 15 19:18:19 2002