RE: DH-CHAP

To: "Theodore Tso" <tytso@mit.edu>
Subject: RE: DH-CHAP
From: "Yongge Wang" <ywang@karthika.com>
Date: Fri, 12 Apr 2002 11:30:52 -0400
Cc: <ips@ece.cmu.edu>, "Daniel Thanos" <dthanos@karthika.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="us-ascii"
Importance: Normal
In-Reply-To: <20020412104749.N26278@thunk.org>
Sender: owner-ips@ece.cmu.edu

On Fri, Apr 12, 2002 at 09:01:12AM -0400, Yongge Wang wrote:
>> Thanks for all of your responses.
>> 1. First a small clarification: this kind of attack is easy to mount
>> than man-in-the-middle attack and is not a man-in-the-middle attack.
>
>Um, how is this not a man-in-the-middle attack?  Intercepting a D-H
>exchange (which is what you have to do in order to gain access to the
>CHAP exchange) is pretty much the classic example of a MITM attack.

A classical Man-in-the-middle attacks involves three party: two end
entities and a middle attacker.
this attack does not involve the target.. thus only the initiator
and the attacker is exchaning messages.

>> 2. Secondly, this attack is not only easy to mount in wireless
>> environment, but also easy to mount in the Internet environment.
>> Assume that the traffic from initiator to target passes through
>> 2 or 3 routers. Then the firt router from initiator to target or
>> any computer in the LAN of initiator can easily mount this attack.
>
>Um, that's not realistic.  In order to carry out such an attack at a
>router, the attacker would have to take over the router, and the
>router would have to have the facilities to allow this sort of MITM
>attack to occur.  With most routers being specialized hardware devices
>(read: i.e., Cisco's), assuming that an attacker would be able to
>subvert a router so that it could carry out this attack is stretching
>the bounds of credibility.

As I have mentioned, any computer sitting on the same LAN of the initiator
can mount this attack. of course, if the attacker can control the router,
then the attack is trivial. Even any computer sitting on the same LAN can
mount the
attack trivially. After the attacker sees the requesting service message
from the
initiator, it just impersonates the target and sends a message to the
initiator
claiming from the target (broadcast it) and that is it...
(the real target message will arrive later--if the target is not on the same
LAN--and the initiator will discard the real target message).

>Also, I'd argue that in a wireless environment, protection of the data
>stream is going to be so important that you *really* want to be using
>IPSEC, or some kind of layer 2 encryption to protect your data
>packets.  This is true especially if the client is going to be
>executing programs which are fetched over a iSCSI-over-wireless
>connection.  <<<Shudder>>>  In that kind of usage environment, trust
>me, an active attack leading to the possibility of a dictionary attack
>is the **least** of your problems.  This will make the gaping
>vulnerabilities in Microsoft Outlook look like minor annoyances in
>comparison.  So, this is really a red herring.

If point-to-point IPSec is guaranteed to be used,
then it is not necessary to use DH-CHAP. I think iSCSI does not
mandate that the point-to-point IPSec will be used.

>> 3. lastly, it is relatively easy to make some modifications
>> of DH-CHAP (in the same line of DH-CHAP... and if some one does not like
>> the patent issues of SPEKE, SRP or EKE, then we can make the enhanced
>> DH-CHAP at least as similar to DH-CHAP..
>
>What sort of changes would you propose?

You have suggested a way to do this... though it requires RSA... which
makes things complicated (one kind of crypto is much better than using two
in practice). variant (to avoid dic attack again)
of ElGamal based signature (using password as the private key)
could be potential choices also..
It needs some time to desing and check whether it is OK..
If I got some time, I can try and post it (if some one has interest)

>In contrast, the techniques we're talking about here have plenty of
>prior art.  And while prior art hasn't necessarily stopped the patent

Some one may claim a patent on the use of password and DH at the same time
to defeat off-line dictionary attacks? I am not a patent expert..
but this seems to be a patentable idea some years ago.

Note that generally people think that the following paper
is the first paper to use public-key encryption to guard against
off-line password-guessing attacks. Thus it is not as old as DH.

L.~Gong, M.~Lomas, R.~Needham, and J.~Saltzer.
Protecting poorly chosen secrets from guessing attacks.
{\em IEEE J. on Selected Areas in Communications},
{\bf 11}(5):648--656, 1993.

The disclosure time of the above result should be around 1991 (or 1990?).

Regards,
Yongge

References:
- Re: DH-CHAP
  - From: Theodore Tso <tytso@mit.edu>

Prev by Date: RE: DH-CHAP
Next by Date: iscsi : Rev 11-94
Prev by thread: Re: DH-CHAP
Next by thread: RE: DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Fri Apr 12 12:18:19 2002
9631 messages in chronological order