
    Re: iSCSI: possible DH-CHAP rationale



    
    
    David,
    
    The problem with Assumption 1 (as David Jablon hinted) is that
    obtaining a password can cause much more damage than a single
    connection hijack.
    
    And it might be more than just freely reusing it on that target.
    I, for example, use the same password for all systems (shame
    on me... but otherwise I'd be lost) - when the first system
    complains on expiration I go into an overall renewal process.
    
    Another related point - from iSCSI Security Considerations section:
    
    "The CHAP authentication method (see Chapter 10) is vulnerable
    to an off-line dictionary attack. In environments where this
    attack is a concern, CHAP SHOULD NOT be used without additional
    protection. Underlying IPsec encryption provides protection against
    this attack."
    
    So for DH-CHAP it would be fair to put the warning:
    
    "The DH-CHAP authentication method (see Chapter 10) is vulnerable
    to an impersonation combined with off-line dictionary attack.
    In environments where this attack is a concern, DH-CHAP SHOULD NOT
    be used without additional protection. Underlying IPsec
    authentication provides protection against this attack."
    
    If DH-CHAP is made the only MUST implement method, since IPsec is
    not mandatory to use - such a MUST NOT use for the only MUST implement
    method is a strange outcome.
    
      Regards,
       Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    Black_David@emc.com@ece.cmu.edu on 16/04/2002 00:39:33
    
    Please respond to Black_David@emc.com
    
    Sent by:    owner-ips@ece.cmu.edu
    
    
    To:    ips@ece.cmu.edu
    cc:
    Subject:    iSCSI: possible DH-CHAP rationale
    
    
    
    Reminder: This is NOT posted in my role as wg chair.
    
    I thought I'd attempt to lay out a possible short
    rationale for why DH-CHAP may be interesting:
    
    (1) Assumption: If one is concerned about active attacks
     on session authentication, one should also be
     concerned about active attacks on the TCP session
     that results after the authentication (e.g., TCP
     hijack for which exploit code is readily available).
    (2) For iSCSI, the defense against active attacks
     on the TCP session after authentication is
     IPsec ESP.
    (3) Hence, if one is concerned about active attacks,
     one should be running IPsec, and hence the
     scenario of concern for CHAP/DH-CHAP/SRP is
     passive attacks (e.g., packet sniffer).
    
    DH-CHAP is clearly superior to CHAP in dealing with
    passive attacks.  I don't think SRP is significantly
    better in this regard.
    
    Comments?
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
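
Added example, not part of the original thread: a weak-secret check for plain CHAP that shows why the quoted Security Considerations text calls it vulnerable to an off-line dictionary attack. It assumes the RFC 1994 MD5 response, MD5(identifier || secret || challenge); the identifier, challenge, secrets and wordlist are constructed sample values, and the function names are hypothetical. DH-CHAP is not modelled because its message formats are not on this page.

```python
import hashlib
import hmac

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994 with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def find_guessable_secret(identifier, challenge, response, candidates):
    """Return the candidate secret that reproduces the observed response, else None.

    Only values that cross the wire in clear are needed (identifier, challenge,
    response), so the check needs no further contact with either peer.
    """
    for candidate in candidates:
        guess = chap_response(identifier, candidate, challenge)
        if hmac.compare_digest(guess, response):
            return candidate
    return None

# Constructed sample data (not from the original thread).
IDENTIFIER = 0x2A
CHALLENGE = bytes.fromhex("5f1c9a0e77b2d4c8a3e6019b4d2f8c71")
WORDLIST = [b"password", b"storage", b"winter2002", b"iscsi-target"]
WEAK_SECRET = b"winter2002"
RANDOM_SECRET = bytes.fromhex("9d41c7e2b05a68f3147ce9a6d2803bf5")  # 128-bit, constructed

def audit(secret: bytes):
    """Simulate one login with `secret`, then test the exchange against WORDLIST."""
    observed = chap_response(IDENTIFIER, secret, CHALLENGE)
    return find_guessable_secret(IDENTIFIER, CHALLENGE, observed, WORDLIST)

if __name__ == "__main__":
    for label, secret in (("human-chosen", WEAK_SECRET), ("random 128-bit", RANDOM_SECRET)):
        hit = audit(secret)
        print(f"{label}: {'recovered ' + repr(hit) if hit else 'not in wordlist'}")
```

The human-chosen secret is recovered from a single observed exchange, while the random 128-bit secret is not; that gap is the reason password reuse across systems raises the cost of one exposed CHAP login.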
    
    
    
    



Last updated: Wed Apr 17 10:18:35 2002
9699 messages in chronological order