
    Re: DH-CHAP



    Whether or not one likes SRP, I don't see the compelling
    argument for DH-CHAP.  Here's why.
    
    Regarding Yongge Wang's active attack on DH-CHAP ...
    
    At 10:47 AM 4/12/02 -0400, Theodore Tso wrote:
    >Um, how is this not a man-in-the-middle attack?  Intercepting a D-H
    >exchange (which is what you have to do in order to gain access to the
    >CHAP exchange) is pretty much the classic example of a MITM attack.
    
    Here's a difference:
    
    In Yongge's attack, the enemy listens and sends a packet,
    but doesn't really need to block other traffic.
    
    In an eavesdropper attack (e.g., on CHAP) the enemy only listens.
    In the classic DH MITM attack, the enemy completely controls
    the communication channel and intercepts, modifies, and forwards
    modified packets.  Yongge's attack falls between these extremes.
    For many scenarios, I'll argue that there's no big extra barrier
    for an eavesdropper to also be able to send.
    
    So if CHAP is insufficient, then so is DH-CHAP.
    
    >> 2. Secondly, this attack is not only easy to mount in wireless
    >> environment, but also easy to mount in the Internet environment.
    >> Assume that the traffic from initiator to target passes through
    >> 2 or 3 routers. Then the first router from initiator to target or
    >> any computer in the LAN of initiator can easily mount this attack.
    >
    >Um, that's not realistic.  In order to carry out such an attack at a
    >router, the attacker would have to take over the router, and the
    >router would have to have the facilities to allow this sort of MITM
    >attack to occur.  With most routers being specialized hardware devices
    >(read: i.e., Cisco's), assuming that an attacker would be able to
    >subvert a router so that it could carry out this attack is stretching
    >the bounds of credibility.  
    
    Be fair.  The attack can be mounted from any compromised node,
    wire, or "ether" between the two legitimate end points.
    If enemy access to the network media and all intervening nodes is
    not realistic, then there's a simpler point that can be made:
    
    In a trustworthy network, SRP is unnecessary, and so is DH-CHAP,
    and so is CHAP.  In this case, a clear-text password works OK.
    
    I think it's a contrivance to draw a big distinction between
    eavesdroppers and enemies that can also send.
    And, to be fair to the other side, it seems contrived to draw
    a huge distinction between one who can sniff data from the
    network, and one who can hijack an unencrypted authenticated
    session.
    
    So if you're not using IPsec to encrypt session data,
    why protect the authentication password at all?
    A simple argument (which I presume is a motivation for requiring
    even CHAP) is that the password itself may be more valuable than
    the data obtained in a given password-authenticated session.
    
    -- David
    
    

    • Follow-Ups:
      • Re: DH-CHAP
        • From: Bill Studenmund <wrstuden@wasabisystems.com>
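As an added illustration of the three attacker classes David distinguishes above (an enemy that only listens, one that listens and can also send a packet without blocking anything, and a full man-in-the-middle), the Python below is example code written for this page; it is not code from the IPS list, from the DH-CHAP draft, or from Yongge Wang's paper. It implements the RFC 1994 CHAP response exactly, plus a toy "DH-bound" variant of our own that merely stands in for DH-CHAP (the real draft's construction differs). The credential, wordlist and DH group are constructed for the example. The third scenario shows only the general point that an unauthenticated DH peer ends up sharing its key with whoever it ran DH with; it is not a description of Yongge Wang's published attack.

```python
import hashlib
import secrets

# Constructed toy DH group for illustration only (a Mersenne prime, g = 3);
# not a real-world group and not DH-CHAP's parameters.
P = 2**127 - 1
G = 3

# Constructed sample credential and wordlist (assumptions, not from the thread).
IDENT = 0x01
PASSWORD = b"hunter2"
WORDLIST = ["password", "iscsi", "letmein", "hunter2", "admin"]


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def bound_response(ident, secret, challenge, shared_key):
    """Toy 'DH-bound' response: CHAP over the challenge plus a DH-derived key.
    Our own simplification, standing in for (not reproducing) DH-CHAP."""
    return hashlib.md5(bytes([ident]) + secret + challenge + shared_key).digest()


def dh_key(peer_public, my_private):
    """Raw DH shared value, fixed-width so it can be hashed."""
    return pow(peer_public, my_private, P).to_bytes(16, "big")


def dictionary_attack(ident, challenge, response, wordlist, shared_key=None):
    """Offline guessing: recompute the response for each candidate secret."""
    for word in wordlist:
        guess = word.encode()
        if shared_key is None:
            r = chap_response(ident, guess, challenge)
        else:
            r = bound_response(ident, guess, challenge, shared_key)
        if r == response:
            return word
    return None


def initiator_answer(challenge, peer_public=None):
    """The initiator answers any challenge it receives, as a CHAP peer does.
    If a DH public value accompanies the challenge, it runs DH and binds
    the resulting key into its response; returns (response, own public)."""
    if peer_public is None:
        return chap_response(IDENT, PASSWORD, challenge), None
    x = secrets.randbelow(P - 2) + 1
    key = dh_key(peer_public, x)
    return bound_response(IDENT, PASSWORD, challenge, key), pow(G, x, P)


def passive_vs_chap():
    """Enemy that only listens, against plain CHAP: the sniffed exchange
    (identifier, challenge, response) is all an offline guess needs."""
    challenge = secrets.token_bytes(16)
    response, _ = initiator_answer(challenge)
    captured = (IDENT, challenge, response)
    return dictionary_attack(*captured, WORDLIST)


def passive_vs_bound():
    """Enemy that only listens, against the DH-bound variant: it sees g^y,
    g^x, the challenge and the response, but not the key, so the recomputed
    responses never match (getting the key would mean a discrete log)."""
    y = secrets.randbelow(P - 2) + 1
    challenge = secrets.token_bytes(16)
    response, _ = initiator_answer(challenge, pow(G, y, P))
    return dictionary_attack(IDENT, challenge, response, WORDLIST)


def active_vs_bound():
    """Enemy that listens and can send one packet, without blocking anything:
    it issues its own challenge and DH value to the initiator, so it knows
    the private exponent behind the key the initiator binds in, and the
    offline guess works again."""
    a = secrets.randbelow(P - 2) + 1
    challenge = secrets.token_bytes(16)
    response, initiator_public = initiator_answer(challenge, pow(G, a, P))
    key = dh_key(initiator_public, a)  # equals the initiator's g^(a*x)
    return dictionary_attack(IDENT, challenge, response, WORDLIST, key)


if __name__ == "__main__":
    print("listen-only vs CHAP      :", passive_vs_chap())
    print("listen-only vs DH-bound  :", passive_vs_bound())
    print("listen+send vs DH-bound  :", active_vs_bound())
```

The only difference between the second and third scenario is that the enemy gets to send one message; nothing is intercepted, modified or dropped, which is the gap between "eavesdropper" and "classic MITM" that the message argues is not a big barrier in practice. The DH layer buys protection exactly against the first class and no further.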

