
    Re: Question on iSCSI security



    This is not possible if A uses a different secret/ticket
    for B and C in the in-band authentication (for a Kerberos ticket
    it's always different).  Also it's not a classic man-in-the-middle since
    A attempts to log into B (and authenticates B on the IPsec level)
    and not into C, so this attack can actually happen only after a previous
    attack of compromising a legitimate server B.
    
      Regards,
        Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    
    "Williams, Jim" <Jim.Williams@Emulex.com>
    Sent by: owner-ips@ece.cmu.edu
    12/06/03 21:50

    To:       "'ips@ece.cmu.edu'" <ips@ece.cmu.edu>
    cc:
    Subject:  Question on iSCSI security
    
    I am not up to speed on security and IPSec, so
    there is probably a simple answer to this.  I
    would be curious to know what it is.
    
    
    Scenario:
    
    A is an unwitting initiator, B is a malicious
    target, and C is a victim target.
    
    A attempts to log into B using IPSec.  B establishes
    IPSec SA with C.  B is honest to IKE about its identity.
    After establishing SA, B attempts to log into C, but
    lies to the iSCSI layer and claims to be A.
    B uses classic man-in-the-middle technique to get
    A to respond to C's login challenge.  If this
    works, then B has successfully logged into C
    as A.
    
    There are a number of similar scenarios with the
    common thread that the attacker is truthful about
    his identity to the IPSec layer, but lies about
    his identity to the iSCSI layer.
    
    These attacks are easily defeated if the iSCSI
    layer cross-checks the remote end's identity with the
    IPsec layer.  But it is not clear how this is done
    and whether it will be done or is required to
    be done.
    
    If the IPSec layer verifies that the IP address
    INSIDE the tunnel really belongs to B, and iSCSI
    verifies that the IP address it sees really belongs
    to A, and the data consulted for the verification
    is secure, then one of these checks should fail,
    but this seems like a stretch.
    
    But perhaps I am missing something simple.
    

Last updated: Thu Jun 12 19:19:21 2003
12636 messages in chronological order