RE: iSCSI: possible DH-CHAP rationale

[Black_David@emc.com]

Ofer,

> The problem with Assumption 1 (as David Jablon hinted) is that
> obtaining a password can cause much more damage then a single
> connection hijack.
> 
> And it might be more then just freely reusing it on that target.
> I, for example, use the same password for all systems (shame
> on me... but otherwise I'd be lost)- when the first system
> complains on expiration I go into an overall renewal process.

That's correct, but I worry that it misses the forest for the trees.
The upshot of this rationale seems to be that it's a reasonable
security policy to not be worried about an attacker having one-at-a-time
access to iSCSI systems, even if the attack providing that access
can be replicated at will but to be sufficiently concerned about
password compromise that provides similar access to justify deploying
a very strong algorithm to prevent it.  I'm having trouble justifying
that as a reasonable security policy in practice, although I'll spare
everyone from yet another gratuitous home security analogy.

I'll join you in trying to infer what David Jablon meant by his
somewhat cryptic comments.  I thought he was headed in the direction
of classifying threats based on the attacker's abilities.  I can
see a valid distinction among:
- (1) a passive eavesdropper (ability to monitor traffic),
- (2) an active impersonator (ability to communicate with Initiator,
	probably coupled with ability to disable the Target or access
	to it), and
- (3) an active man-in-the-middle attacker (ability to see and
	respond to Initiator-Target communications faster than
	at least one of the communicating entities, may also be
	able to insert him/herself as a communication intermediary).
CHAP is vulnerable to a passive eavesdropper via an offline dictionary
attack, DH-CHAP is vulnerable to an impersonator via an offline dictionary
attack, but TCP hijack requires man-in-the-middle (have to see the TCP
sequence numbers in real time for the hijack to work), and succeeds
immediately without an offline dictionary attack.

If David Jablon is correct in his assertion that "For many scenarios,
... there's no big extra barrier for an eavesdropper to also be able
to send", one of the implications may be that the distinction between
(2) and (3) [the impersonator does not need to eavesdrop, the hijacker
does] may be rather slim [although in the quote I've lifted, David
was suggesting that there was no significant difference between (1)
and (2)].
 
> Another related point - from iSCSI Security Considerations section:
> 
> "The CHAP authentication method (see Chapter 10) is vulnerable
> to an off-line dictionary attack. In environments where this
> attack is a concern, CHAP SHOULD NOT be used without additional
> protection. Underlying IPsec encryption provides protection against
> this attack."
> 
> So for DH-CHAP it would be fair to put the warning:
> 
> "The DH-CHAP authentication method (see Chapter 10) is vulnerable
> to an impersonation combined with off-line dictionary attack.
> In environments where this attack is a concern, DH-CHAP SHOULD NOT
> be used without additional protection. Underlying IPsec
> authentication provides protection against this attack."

I'll add the second sentence to the -01 version of the DH-CHAP draft,
which'll probably be submitted today.

> If DH-CHAP is made the only MUST implement method, since IPsec is
> not mandatory to use - such a MUST NOT use for the only MUST implement
> method is a strange outcome.

That seems backwards.  If one rephrases it as "in some environments,
this 'MUST implement' method [CHAP or DH-CHAP] SHOULD only be used
with this other 'MUST implement' method [IPsec]", the result sounds
more reasonable to me.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------