RE: DH-CHAP

To: Julian_Satran@il.ibm.com
Subject: RE: DH-CHAP
From: Paul Koning <ni1d@arrl.net>
Date: Fri, 12 Apr 2002 12:05:11 -0400
Cc: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <OF6A666C64.5EE6F09F-ONC2256B99.00436AB0@telaviv.ibm.com>
Sender: owner-ips@ece.cmu.edu

Excerpt of message (sent 12 April 2002) by Julian Satran:
> I think that we will have to decide if MIM and any other active attacks 
> should be a major concern.
> IMHO they are for (at least) the following reasons:
> 
> wireless is be coming important and MIM attacks  are so much simpler in 
> this are
> bidirectional authentication is important as loading active content from 
> an unauthenticated target is a major risk (imagine that you load a 
> slightly modified OS from an impersonating target) and both target and 
> initiator should be concerned about impersonators
> 
>  DH-CHAP (or should I call it DB-CHAP?)  used for bilateral authentication 
> as 2 exchanges besides not "synchronizing" authentication is even more 
> exposed to active attack than CHAP.

I'm not sure I understand that last part.

For MIM in general, I would suggest that it is useful to have the
different parts of the system be somewhat similar in strength.

There are two cases to consider: IPsec in use for the iSCSI
connections, and IPsec not in use.

If IPsec is in use, then MIM attacks are ruled out by IPsec.  In that
setting, CHAP works fine.  The other two work too, of course, but they
repeat work that IPsec/IKE has already done.

If IPsec is NOT in use, then protecting the authentication handshake
from MIM attacks is not all that meaningful.  After all, the attacker
can transparently forward the authentication handshake (acting as a
wire, so it succeeds even in authentication scheme that are
MIM-proof).  Once authentication has finished, the attacker can then
take over the full feature mode connection, and manipulate the iSCSI
traffic at will.  The fact that the client was strongly authenticated
is no help.

A different way to look at it:

A customer decides to use or not use IPsec based on a threat analysis.
If the threat analysis says that active attack (MIM) is a significant
risk, then you conclude that you need to turn on IPsec, because that
is the only way to protect the storage traffic against active attack.

If you worry about passive attack (eavesdropping) you probably still
want IPsec.

If in your installation, network attacks are considered unlikely
(perhaps because of the physical partitioning of the various networks)
then you would conclude IPsec is not needed.  In that case, the very
same analysis says that the risks in CHAP aren't a concern either.

Bottom line: I do not see why active attack on authentication in a
setting where IPsec is not used is an interesting case.

	paul

References:
- RE: DH-CHAP
  - From: "Julian Satran" <Julian_Satran@il.ibm.com>

Prev by Date: RE: DH-CHAP
Next by Date: Re: iscsi : Rev 11-94
Prev by thread: RE: DH-CHAP
Next by thread: RE: DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Fri Apr 12 16:18:20 2002
9636 messages in chronological order