Re: iSCSI: CHAP and SRP comparison

To: Black_David@emc.com
Subject: Re: iSCSI: CHAP and SRP comparison
From: Mark Bakke <mbakke@cisco.com>
Date: Tue, 04 Sep 2001 09:00:28 -0500
CC: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <277DD60FB639D511AC0400B0D068B71ECAD6A9@CORPMX14>
Sender: owner-ips@ece.cmu.edu

David-

Thanks.  Those were the details that I'd seen somewhere but
forgotten.

The way to help with the second issue is to store the passwords
on a RADIUS server instead of on the target itself.  This is
what most users of CHAP would do; if passwords are stored directly
on the target, SRP would be a better choice.

--
Mark

Black_David@emc.com wrote:
> 
> Quick CHAP comparison to SRP:
> 
> - CHAP is vulnerable to an off-line dictionary attack in which
>         the attacker captures the traffic and tries passwords
>         from a dictionary.  SRP is not.
> - CHAP requires that the password be available as a password
>         on the Target.  SRP requires only a password verifier
>         from which the password is not readily recoverable.
> - CHAP is one-way authentication, SRP is bidirectional
>         because the Target demonstrates that it knows the verifier.
> 
> IPsec can take care of the first issue by providing an
> encrypted channel (attacker has to break the IPsec encryption
> key before mounting the dictionary attack against CHAP), and
> the third issue by having IKE handle the authentication
> in the other direction.  It doesn't help with the second issue,
> which is more of an administration issue than a protocol
> vulnerability.
> 
> --David
> 
> > -----Original Message-----
> > From: Mark Bakke [mailto:mbakke@cisco.com]
> > Sent: Friday, August 31, 2001 1:49 PM
> > To: John Hufferd
> > Cc: Bill Strahm; Ips@Ece. Cmu. Edu
> > Subject: Re: ISCSI: User authentication vs. Machine Authentication for
> > iSCSI
> >
> >
> > John-
> >
> > Just wanted to point out that CHAP does not send passwords
> > in the clear; it hashes them.  The reason that SRP was chosen
> > as the MUST over CHAP is that in a non-IPsec environment,
> > the CHAP exchange is not as robust as SRP's exchange, and is
> > more vulnerable to some types of attacks (I can't remember
> > which ones off-hand).  IPsec provides an authenticated
> > environment in which to do the CHAP exchange, which takes
> > care of these potential problems.
> >
> > --
> > Mark
> >
> > John Hufferd wrote:
> > > 3. Chap can  be used in this environment since the Link is
> > already secure
> > > and encrypted, and sending the password in what otherwise
> > would have been
> > > in the clear, is protected by the link encryption.
> >
> > --
> > Mark A. Bakke
> > Cisco Systems
> > mbakke@cisco.com
> > 763.398.1054
> >

-- 
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054

References:
- iSCSI: CHAP and SRP comparison
  - From: Black_David@emc.com

Prev by Date: RE: iSCSI - bookmarks change
Next by Date: ! IPS Attention - worm - read carefully and DON'T open attachements
Prev by thread: iSCSI: CHAP and SRP comparison
Next by thread: RE: iSCSI: CHAP and SRP comparison
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 19:17:08 2001
6339 messages in chronological order