Re: iSCSI: possible DH-CHAP rationale

David,

The problem with Assumption 1 (as David Jablon hinted) is that obtaining a password can cause much more damage than a single connection hijack. And it might be more than just freely reusing it on that target. I, for example, use the same password for all systems (shame on me... but otherwise I'd be lost) - when the first system complains on expiration I go into an overall renewal process.

Another related point - from the iSCSI Security Considerations section:

"The CHAP authentication method (see Chapter 10) is vulnerable to an off-line dictionary attack. In environments where this attack is a concern, CHAP SHOULD NOT be used without additional protection. Underlying IPsec encryption provides protection against this attack."

So for DH-CHAP it would be fair to put the warning:

"The DH-CHAP authentication method (see Chapter 10) is vulnerable to an impersonation combined with an off-line dictionary attack. In environments where this attack is a concern, DH-CHAP SHOULD NOT be used without additional protection. Underlying IPsec authentication provides protection against this attack."

If DH-CHAP is made the only MUST implement method, since IPsec is not mandatory to use - such a MUST NOT use for the only MUST implement method is a strange outcome.

Regards,
Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com
972-4-8296253


Black_David@emc.com@ece.cmu.edu on 16/04/2002 00:39:33
Please respond to Black_David@emc.com
Sent by: owner-ips@ece.cmu.edu
To: ips@ece.cmu.edu
cc:
Subject: iSCSI: possible DH-CHAP rationale

Reminder: This is NOT posted in my role as wg chair.

I thought I'd attempt to lay out a possible short rationale for why DH-CHAP may be interesting:

(1) Assumption: If one is concerned about active attacks on session authentication, one should also be concerned about active attacks on the TCP session that results after the authentication (e.g., TCP hijack for which exploit code is readily available).

(2) For iSCSI, the defense against active attacks on the TCP session after authentication is IPsec ESP.

(3) Hence, if one is concerned about active attacks, one should be running IPsec, and hence the scenario of concern for CHAP/DH-CHAP/SRP is passive attacks (e.g., packet sniffer).

DH-CHAP is clearly superior to CHAP in dealing with passive attacks. I don't think SRP is significantly better in this regard.

Comments?
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500
black_david@emc.com Cell: +1 (978) 394-7754
---------------------------------------------------
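The protection boundary both messages argue about, as an added Python model (not from the list thread or any iSCSI implementation): a passive observer of a CHAP-MD5 login holds every hash input except the secret and can check candidate secrets offline, while in a simplified DH-CHAP model (an assumed layout, not the draft's exact construction) the DH value g^xy is absent from a passive transcript, but a party impersonating the target knows its own exponent x and is back in the CHAP situation. The DH group and the candidate list are constructed for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (real deployments use a large standard group).
P = 2**127 - 1
G = 3

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(id || secret || challenge). All inputs but the secret cross the wire."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def dhchap_response(ident, secret, challenge, shared):
    """Simplified DH-CHAP model (assumption, not the draft's exact construction): the DH shared
    value g^xy is folded into the hash, so a passive observer is missing one hash input."""
    return hashlib.md5(bytes([ident]) + secret + challenge + shared.to_bytes(16, "big")).digest()

def chap_transcript(secret, ident=1):
    """What a sniffer sees on a CHAP login: id, challenge and response."""
    challenge = secrets.token_bytes(16)
    return {"id": ident, "challenge": challenge, "response": chap_response(ident, secret, challenge)}

def dhchap_transcript(secret, ident=1, target_priv=None):
    """What a sniffer sees on a DH-CHAP login. target_priv lets the caller stand in for an
    impersonating target that chose (and therefore knows) its own DH exponent x."""
    x = target_priv if target_priv is not None else secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1          # initiator's exponent, never revealed
    gx, gy = pow(G, x, P), pow(G, y, P)
    challenge = secrets.token_bytes(16)
    shared = pow(gx, y, P)                    # g^xy as computed on the initiator side
    return {"id": ident, "challenge": challenge, "gx": gx, "gy": gy,
            "response": dhchap_response(ident, secret, challenge, shared)}

def offline_guess(transcript, candidates, target_priv=None):
    """Return the candidate consistent with the transcript, or None when the transcript
    cannot decide. Passive observer: target_priv is None. Impersonating target: its own x."""
    for cand in candidates:
        if "gx" not in transcript:            # plain CHAP: transcript alone suffices
            resp = chap_response(transcript["id"], cand, transcript["challenge"])
        elif target_priv is None:             # honest DH-CHAP: g^xy unknown, nothing to test against
            return None
        else:                                 # impersonated target: g^xy = (g^y)^x is known
            shared = pow(transcript["gy"], target_priv, P)
            resp = dhchap_response(transcript["id"], cand, transcript["challenge"], shared)
        if resp == transcript["response"]:
            return cand
    return None

CANDIDATES = [b"password", b"secret1", b"iscsi-lab"]  # constructed word list for the demonstration
```

The third case is exactly why the proposed warning pairs DH-CHAP with IPsec authentication: only authenticating the peer at the IPsec layer stops the impersonation that reopens the offline check.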