RE: iSCSI: possible DH-CHAP rationale

[Black_David@emc.com]

Important clarification:

DH-CHAP is clearly superior to CHAP in dealing with
passive attacks.  I don't think SRP is significantly
better **than DH-CHAP** in this regard.

> -----Original Message-----
> From: Black_David@emc.com [mailto:Black_David@emc.com]
> Sent: Monday, April 15, 2002 5:40 PM
> To: ips@ece.cmu.edu
> Subject: iSCSI: possible DH-CHAP rationale
> 
> 
> Reminder: This is NOT posted in my role as wg chair.
> 
> I thought I'd attempt to lay out a possible short
> rationale for why DH-CHAP may be interesting:
> 
> (1) Assumption: If one is concerned about active attacks
> 	on session authentication, one should also be
> 	concerned about active attacks on the TCP session
> 	that 	results after the authentication (e.g., TCP
> 	hijack for which exploit code is readily available).
> (2) For iSCSI, the defense against active attacks
> 	on the TCP session after authentication is
> 	IPsec ESP.
> (3) Hence, if one is concerned about active attacks,
> 	one should be running IPsec, and hence the
> 	scenario of concern for CHAP/DH-CHAP/SRP is
> 	passive attacks (e.g., packet sniffer).
> 
> DH-CHAP is clearly superior to CHAP in dealing with
> passive attacks.  I don't think SRP is significantly
> better in this regard.
> 
> Comments?
> --David
> 
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA  01748
> +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
> black_david@emc.com         Cell: +1 (978) 394-7754
> ---------------------------------------------------
>