Re: DH-CHAP

[Bill Studenmund <wrstuden@wasabisystems.com>]

On Fri, 12 Apr 2002, David Jablon wrote:

> Whether or not one likes SRP, I don't see the compelling
> argument for DH-CHAP.  Here's why.
>
> Regarding Yongge Wang's active attack on DH-CHAP ...
>
> At 10:47 AM 4/12/02 -0400, Theodore Tso wrote:
> >Um, how is this not a man-in-the-middle attack?  Intercepting a D-H
> >exchange (which is what you have to do in order to gain access to the
> >CHAP exchange) is pretty much the classic example of a MITM attack.
>
> Here's a difference:
>
> In Yongge's attack, the enemy listens and sends a packet,
> but doesn't really need to block other traffic.
>
> In an eavesdropper attacks (e.g on CHAP) the enemy only listens.
> In the classic DH MITM attack, the enemy completely controls
> the communication channel and intercepts, modifies, and forwards
> modified packets.  Yongge's attack falls between these extremes.
> For many scenarios, I'll argue that there's no big extra barrier
> for an eavesdropper to also be able to send.

There is one difference. The attack will get noticed.

Yongge's attack (as I understand it) is essentially a MITM attack, except
that MITM usually tries to continue the conversation while in this case
the rogue just leaves after it gets the response it needs.

This attack involves the rogue agent sending a response to the initiator
giving it a g^x mod n to use. That g^x mod n will not be the one the
target chose, so this attack will result in a login failure; a failure
with the same signature as a MitM attack.

So that is one difference between DH-CHAP and CHAP - you have to go to an
active attack to get at the password.

Take care,

Bill