RE: iSCSI: possible DH-CHAP rationale

Important clarification:

DH-CHAP is clearly superior to CHAP in dealing with passive attacks. I don't think SRP is significantly better **than DH-CHAP** in this regard.

> -----Original Message-----
> From: Black_David@emc.com [mailto:Black_David@emc.com]
> Sent: Monday, April 15, 2002 5:40 PM
> To: ips@ece.cmu.edu
> Subject: iSCSI: possible DH-CHAP rationale
>
>
> Reminder: This is NOT posted in my role as wg chair.
>
> I thought I'd attempt to lay out a possible short
> rationale for why DH-CHAP may be interesting:
>
> (1) Assumption: If one is concerned about active attacks
>     on session authentication, one should also be
>     concerned about active attacks on the TCP session
>     that results after the authentication (e.g., TCP
>     hijack for which exploit code is readily available).
> (2) For iSCSI, the defense against active attacks
>     on the TCP session after authentication is
>     IPsec ESP.
> (3) Hence, if one is concerned about active attacks,
>     one should be running IPsec, and hence the
>     scenario of concern for CHAP/DH-CHAP/SRP is
>     passive attacks (e.g., packet sniffer).
>
> DH-CHAP is clearly superior to CHAP in dealing with
> passive attacks. I don't think SRP is significantly
> better in this regard.
>
> Comments?
> --David
>
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA 01748
> +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
> black_david@emc.com         Cell: +1 (978) 394-7754
> ---------------------------------------------------
Last updated: Tue Apr 16 14:18:25 2002