
    RE: iSCSI: possible DH-CHAP rationale



    Important clarification:
    
    DH-CHAP is clearly superior to CHAP in dealing with
    passive attacks.  I don't think SRP is significantly
    better **than DH-CHAP** in this regard.
    
    > -----Original Message-----
    > From: Black_David@emc.com [mailto:Black_David@emc.com]
    > Sent: Monday, April 15, 2002 5:40 PM
    > To: ips@ece.cmu.edu
    > Subject: iSCSI: possible DH-CHAP rationale
    > 
    > 
    > Reminder: This is NOT posted in my role as wg chair.
    > 
    > I thought I'd attempt to lay out a possible short
    > rationale for why DH-CHAP may be interesting:
    > 
    > (1) Assumption: If one is concerned about active attacks
    > 	on session authentication, one should also be
    > 	concerned about active attacks on the TCP session
    > 	that results after the authentication (e.g., TCP
    > 	hijack for which exploit code is readily available).
    > (2) For iSCSI, the defense against active attacks
    > 	on the TCP session after authentication is
    > 	IPsec ESP.
    > (3) Hence, if one is concerned about active attacks,
    > 	one should be running IPsec, and hence the
    > 	scenario of concern for CHAP/DH-CHAP/SRP is
    > 	passive attacks (e.g., packet sniffer).
    > 
    > DH-CHAP is clearly superior to CHAP in dealing with
    > passive attacks.  I don't think SRP is significantly
    > better in this regard.
    > 
    > Comments?
    > --David
    > 
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    > black_david@emc.com         Cell: +1 (978) 394-7754
    > ---------------------------------------------------
    > 
    



Last updated: Tue Apr 16 14:18:25 2002