Re: DH-CHAP

[Bill Studenmund <wrstuden@wasabisystems.com>]

On Thu, 11 Apr 2002, Yongge Wang wrote:

> POST to IP Storage working group
> ----------------------------------
> Just had a look at DH-CHAP protocol.
> Assume the following is the correct formulation of DH-CHAP.
> Then I suspect it is not secure against active off-line dictionary
> attacks.
>
> My understanding of DH-CHAP protocol:
>
> 1. initiator->target: requesting for service
> 2. target->initiator: ID, g^x, r, (where r and x are random)
> 3. initiator->target: g^y, H(password, ID, H(ID, r, g^xy))
>
> The attack:
> When the attacker Carol intercepts the first message from the initiator
> to the target: "requesting for service". Carol will impersonate
> target and send her g^x and r to target (which she knows x and r).
> (at the same time, Carol may mount a DoS attack to block target from
> responding)
> Now initiator will think that this g^x and r coming from the target
> and will generate g^y and H(password, ID, H(r, ID, g^xy)) to target.
> Carol will intercept this message and send
> a device busy or other nice formated message to initiator (thus
> initiator thinks a normal error has happened).
>
> Obviously, from the data x, r, g^y and H(password, ID, H(ID, r, g^xy))
> available
> to Carol, she can mount an off-line dictionary attack.
>
> Disclaimer: This attack is only based on my understanding of the DH-CHAP
> protocol
> as stated above in a simplified version.
> If my understanding of the DH-CHAP is incorrect. The attack may not work..

I think you are correct, and that infact the draft mentions that it it is
susceptible to this attack. I think this is described in section 6.3, and
is why that section mentions that _any_ disconnects after one side has
authenticated before the other has should be treeted as potential security
issues (since we can't tell if it's a benign problem or a
man-in-the-middle problem.

Take care,

Bill