SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: possible DH-CHAP rationale



    Ofer,
    
    > The problem with Assumption 1 (as David Jablon hinted) is that
    > obtaining a password can cause much more damage then a single
    > connection hijack.
    > 
    > And it might be more then just freely reusing it on that target.
    > I, for example, use the same password for all systems (shame
    > on me... but otherwise I'd be lost)- when the first system
    > complains on expiration I go into an overall renewal process.
    
    That's correct, but I worry that it misses the forest for the trees.
    The upshot of this rationale seems to be that it's a reasonable
    security policy to not be worried about an attacker having one-at-a-time
    access to iSCSI systems, even if the attack providing that access
    can be replicated at will but to be sufficiently concerned about
    password compromise that provides similar access to justify deploying
    a very strong algorithm to prevent it.  I'm having trouble justifying
    that as a reasonable security policy in practice, although I'll spare
    everyone from yet another gratuitous home security analogy.
    
    I'll join you in trying to infer what David Jablon meant by his
    somewhat cryptic comments.  I thought he was headed in the direction
    of classifying threats based on the attacker's abilities.  I can
    see a valid distinction among:
    - (1) a passive eavesdropper (ability to monitor traffic),
    - (2) an active impersonator (ability to communicate with Initiator,
    	probably coupled with ability to disable the Target or access
    	to it), and
    - (3) an active man-in-the-middle attacker (ability to see and
    	respond to Initiator-Target communications faster than
    	at least one of the communicating entities, may also be
    	able to insert him/herself as a communication intermediary).
    CHAP is vulnerable to a passive eavesdropper via an offline dictionary
    attack, DH-CHAP is vulnerable to an impersonator via an offline dictionary
    attack, but TCP hijack requires man-in-the-middle (have to see the TCP
    sequence numbers in real time for the hijack to work), and succeeds
    immediately without an offline dictionary attack.
    
    If David Jablon is correct in his assertion that "For many scenarios,
    ... there's no big extra barrier for an eavesdropper to also be able
    to send", one of the implications may be that the distinction between
    (2) and (3) [the impersonator does not need to eavesdrop, the hijacker
    does] may be rather slim [although in the quote I've lifted, David
    was suggesting that there was no significant difference between (1)
    and (2)].
     
    > Another related point - from iSCSI Security Considerations section:
    > 
    > "The CHAP authentication method (see Chapter 10) is vulnerable
    > to an off-line dictionary attack. In environments where this
    > attack is a concern, CHAP SHOULD NOT be used without additional
    > protection. Underlying IPsec encryption provides protection against
    > this attack."
    > 
    > So for DH-CHAP it would be fair to put the warning:
    > 
    > "The DH-CHAP authentication method (see Chapter 10) is vulnerable
    > to an impersonation combined with off-line dictionary attack.
    > In environments where this attack is a concern, DH-CHAP SHOULD NOT
    > be used without additional protection. Underlying IPsec
    > authentication provides protection against this attack."
    
    I'll add the second sentence to the -01 version of the DH-CHAP draft,
    which'll probably be submitted today.
    
    > If DH-CHAP is made the only MUST implement method, since IPsec is
    > not mandatory to use - such a MUST NOT use for the only MUST implement
    > method is a strange outcome.
    
    That seems backwards.  If one rephrases it as "in some environments,
    this 'MUST implement' method [CHAP or DH-CHAP] SHOULD only be used
    with this other 'MUST implement' method [IPsec]", the result sounds
    more reasonable to me.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
    


Home

Last updated: Wed Apr 17 14:18:24 2002
9701 messages in chronological order