iSCSI: DH-CHAP and strong passwords

["Mark A. Carlson" <mark.carlson@sun.com>]

Since the effectiveness of any CHAP based method depends on the
strength of the password, I would think that any significant installation
of iSCSI storage devices would employ storage management software
to manage the various passwords used for that storage. In this case,
the administrator may not even know or care what the passwords are
for the devices as long as the management software keeps track;
generating, retaining and updating the passwords based on the
desired strength of security. 

-- mark


Ofer Biran wrote:
> 
> David,
> 
> The problem with Assumption 1 (as David Jablon hinted) is that
> obtaining a password can cause much more damage then a single
> connection hijack.
> 
> And it might be more then just freely reusing it on that target.
> I, for example, use the same password for all systems (shame
> on me... but otherwise I'd be lost)- when the first system
> complains on expiration I go into an overall renewal process.
> 
> Another related point - from iSCSI Security Considerations section:
> 
> "The CHAP authentication method (see Chapter 10) is vulnerable
> to an off-line dictionary attack. In environments where this
> attack is a concern, CHAP SHOULD NOT be used without additional
> protection. Underlying IPsec encryption provides protection against
> this attack."
> 
> So for DH-CHAP it would be fair to put the warning:
> 
> "The DH-CHAP authentication method (see Chapter 10) is vulnerable
> to an impersonation combined with off-line dictionary attack.
> In environments where this attack is a concern, DH-CHAP SHOULD NOT
> be used without additional protection. Underlying IPsec
> authentication provides protection against this attack."
> 
> If DH-CHAP is made the only MUST implement method, since IPsec is
> not mandatory to use - such a MUST NOT use for the only MUST implement
> method is a strange outcome.
> 
>   Regards,
>    Ofer
> 
> Ofer Biran
> Storage and Systems Technology
> IBM Research Lab in Haifa
> biran@il.ibm.com  972-4-8296253
> 
> Black_David@emc.com@ece.cmu.edu on 16/04/2002 00:39:33
> 
> Please respond to Black_David@emc.com
> 
> Sent by:    owner-ips@ece.cmu.edu
> 
> To:    ips@ece.cmu.edu
> cc:
> Subject:    iSCSI: possible DH-CHAP rationale
> 
> Reminder: This is NOT posted in my role as wg chair.
> 
> I thought I'd attempt to lay out a possible short
> rationale for why DH-CHAP may be interesting:
> 
> (1) Assumption: If one is concerned about active attacks
>  on session authentication, one should also be
>  concerned about active attacks on the TCP session
>  that       results after the authentication (e.g., TCP
>  hijack for which exploit code is readily available).
> (2) For iSCSI, the defense against active attacks
>  on the TCP session after authentication is
>  IPsec ESP.
> (3) Hence, if one is concerned about active attacks,
>  one should be running IPsec, and hence the
>  scenario of concern for CHAP/DH-CHAP/SRP is
>  passive attacks (e.g., packet sniffer).
> 
> DH-CHAP is clearly superior to CHAP in dealing with
> passive attacks.  I don't think SRP is significantly
> better in this regard.
> 
> Comments?
> --David
> 
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA  01748
> +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
> black_david@emc.com         Cell: +1 (978) 394-7754
> ---------------------------------------------------