

    DH-CHAP



    POST to IP Storage working group
    ----------------------------------
    I just had a look at the DH-CHAP protocol.
    Assume the following is the correct formulation of DH-CHAP.
    Then I suspect it is not secure against active off-line dictionary
    attacks.
    
    My understanding of the DH-CHAP protocol:
    
    1. initiator->target: request for service
    2. target->initiator: ID, g^x, r, (where r and x are random)
    3. initiator->target: g^y, H(password, ID, H(ID, r, g^xy))
    
    The attack:
    When the attacker Carol intercepts the first message from the initiator
    to the target ("request for service"), Carol impersonates the
    target and sends her own g^x and r to the initiator (she knows x and r).
    (At the same time, Carol may mount a DoS attack to block the target from
    responding.)
    Now the initiator will think that this g^x and r came from the target
    and will generate g^y and H(password, ID, H(r, ID, g^xy)) and send them to the target.
    Carol will intercept this message and send
    a "device busy" or other nicely formatted message to the initiator (thus
    the initiator thinks a normal error has happened).
    
    Obviously, from the data x, r, g^y and H(password, ID, H(ID, r, g^xy))
    available to Carol, she can mount an off-line dictionary attack.
    
    Disclaimer: This attack is only based on my understanding of the DH-CHAP
    protocol as stated above in a simplified version.
    If my understanding of DH-CHAP is incorrect, the attack may not work.
    
    If you have any interest in revising DH-CHAP to get a secure version,
    I may spend some time helping you with this matter...
    
    Best regards,
    Yongge
    (I am personally responsible for my post)
    
    -------------------------
    http://cs.uwm.edu/~wang/
    -------------------------
    

    • Follow-Ups:
      • Re: DH-CHAP
        • From: Bill Studenmund <wrstuden@wasabisystems.com>
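As an added illustration, not part of Yongge's message and not code from any DH-CHAP draft or implementation, the following Python simulates the three-step exchange exactly as formulated in the post and then runs Carol's offline dictionary attack over a constructed wordlist. Everything the post leaves open is an assumption here: the hash H is instantiated as SHA-256 over length-prefixed fields, the group is the demo modulus 2^127 - 1 with generator 3 (undersized, chosen for readability), the target identifier string and the wordlist are constructed, and all function names are the example's own.

```python
from __future__ import annotations

import hashlib
import secrets

# Demo group: 2^127 - 1 is prime, so this is a valid (if undersized) DH modulus.
# Chosen for readability only (assumption); a real deployment would use a standardized group.
P = 2**127 - 1
G = 3


def i2b(n: int) -> bytes:
    """Big-endian encoding of a non-negative integer."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def H(*fields: bytes) -> bytes:
    """H(a, b, ...) from the post, instantiated as SHA-256 over length-prefixed fields.

    The concrete hash and the field encoding are assumptions; the post leaves them open.
    Length prefixes keep H(a, b) from colliding with H(a || b, b"").
    """
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big"))
        h.update(f)
    return h.digest()


def challenge() -> tuple[int, int, bytes]:
    """Step 2 as built by whoever plays the target: fresh x, g^x and nonce r.

    Returns (x, g^x, r); x stays with the sender, g^x and r go on the wire.
    """
    x = secrets.randbelow(P - 2) + 1
    r = secrets.token_bytes(16)
    return x, pow(G, x, P), r


def initiator_response(password: bytes, ident: bytes, gx: int, r: bytes) -> tuple[int, bytes]:
    """Step 3 as computed by the initiator: g^y and H(password, ID, H(ID, r, g^xy))."""
    y = secrets.randbelow(P - 2) + 1
    gxy = pow(gx, y, P)
    return pow(G, y, P), H(password, ident, H(ident, r, i2b(gxy)))


def target_verify(password: bytes, ident: bytes, x: int, r: bytes, gy: int, resp: bytes) -> bool:
    """The honest target recomputes the response with its own x and the shared password."""
    gxy = pow(gy, x, P)
    expected = H(password, ident, H(ident, r, i2b(gxy)))
    return secrets.compare_digest(expected, resp)


def honest_session(password: bytes, ident: bytes = b"iqn.2002-04.example:tgt0") -> bool:
    """Steps 1-3 between a genuine target and initiator; returns the target's verdict."""
    x, gx, r = challenge()
    gy, resp = initiator_response(password, ident, gx, r)
    return target_verify(password, ident, x, r, gy, resp)


def offline_dictionary_attack(x: int, r: bytes, ident: bytes, gy: int, resp: bytes, wordlist):
    """Carol's offline search over the captured step-3 message.

    Because Carol chose x herself, she computes g^xy = (g^y)^x, so the inner hash is a
    fixed value and every password guess costs exactly one outer hash. Returns the
    recovered password, or None if it is not in the wordlist.
    """
    inner = H(ident, r, i2b(pow(gy, x, P)))
    for guess in wordlist:
        if H(guess, ident, inner) == resp:
            return guess
    return None


def carol_in_the_middle(password: bytes, wordlist, ident: bytes = b"iqn.2002-04.example:tgt0"):
    """The attack described in the post.

    Carol answers the initiator's service request as if she were the target, collects
    the initiator's step-3 message, replies with an error, and then works offline.
    The real target is never contacted, so it observes nothing.
    """
    x, gx, r = challenge()                                 # Carol's own x and r, posing as target
    gy, resp = initiator_response(password, ident, gx, r)  # initiator answers the forged step 2
    # Carol now sends "device busy" to the initiator and drops the session.
    return offline_dictionary_attack(x, r, ident, gy, resp, wordlist)


if __name__ == "__main__":
    # Constructed wordlist and password for the demonstration.
    words = [b"admin", b"password", b"iscsi", b"secret-9", b"letmein"]
    print("honest session accepted:", honest_session(b"secret-9"))
    print("Carol recovers:", carol_in_the_middle(b"secret-9", words))
```

The honest run and the attack share `initiator_response` unchanged, which is the point of the post: the initiator cannot tell Carol's g^x and r from the target's, and once Carol holds x the per-guess cost of the search collapses to one hash.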


Last updated: Thu Apr 11 21:18:24 2002