
    RE: DH-CHAP



    
    In your example, is this attack only possible in a HUBed environment?
    Would it still be as easy in a Switched only environment?
    
    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136, Cell: (408) 499-9702
    Internet address: hufferd@us.ibm.com
    
    
    "Yongge Wang" <ywang@karthika.com>@ece.cmu.edu on 04/14/2002 09:33:40 AM
    
    Sent by:    owner-ips@ece.cmu.edu
    
    
    To:    "Bill Studenmund" <wrstuden@wasabisystems.com>
    cc:    <ips@ece.cmu.edu>
    Subject:    RE: DH-CHAP
    
    
    
    >There is one difference. The attack will get noticed.
    
    Yes, you are correct. If the initiator logs all failed logins, then
    there is a failure log record. But there may be many kinds of
    failure log reports, and the log entry due to this kind of attack is
    almost indistinguishable (for most concise log files)
    from other failures. Thus we are not sure this failure is due to
    an attack.
    
    >Yongge's attack (as I understand it) is essentially a MITM attack, except
    >that MITM usually tries to continue the conversation while in this case
    >the rogue just leaves after it gets the response it needs.
    
    You can say this is MITM if you define MITM in this way.
    However, in the literature, the man-in-the-middle attack is defined
    in the way David (Jablon) has pointed out: the attacker controls the entire
    communication links between the two real entities. This is a subtle
    difference.
    
    The attacker on DH-CHAP does not need to control the links.
    A simple example is as follows:
    
    The initiator and the attacker sit on one local Ethernet-I (e.g.,
    connected by a hub); the target sits on another Ethernet-II, though
    still in the same organization.  Ethernet-I and Ethernet-II
    are connected by a switch or a router. Now the attacker could easily
    (almost trivially) launch the attack, though the attacker neither controls
    the links between the initiator and the target nor
    sits between the initiator and the target.
    
    >This attack involves the rogue agent sending a response to the initiator
    >giving it a g^x mod n to use. That g^x mod n will not be the one the
    >target chose, so this attack will result in a login failure; a failure
    >with the same signature as a MitM attack.
    >
    >So that is one difference between DH-CHAP and CHAP - you have to go to an
    >active attack to get at the password.
    
    Agreed. The point raised by David (Jablon) is: is this attack
    essentially harder than the pure passive attack? In many situations,
    it is not.... In the scenario I described above, this attack is as easy
    as the pure passive attacks. (Note that a real man-in-the-middle attack
    is generally harder to mount than a pure passive attack.)
    
    I am just pointing out a vulnerable situation for DH-CHAP.
    Whether DH-CHAP will be included in the iSCSI standard
    makes no difference to me.
    
    Thanks for your discussion in this matter.
    
    Best regards,
    Yongge
    
    
    
    
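The failure signature the thread keeps returning to (a CHAP response computed against a DH value the target never issued fails verification exactly like a wrong password does, and a concise target-side log cannot tell the two apart) can be made concrete with a small model of the exchange. The code below is an added example, not code from the IPS draft or from either correspondent; the DH group, the hash construction, the message layout and the log-record fields are all assumptions chosen to keep the model short and do not follow the draft's exact encoding.

```python
"""Simplified DH-CHAP login model: what the target's failure log can and cannot
tell you. Added example with assumed parameters, not the IPS draft's format."""
import hashlib
import secrets

# Toy DH parameters, assumed for illustration only (not a real MODP group).
P = 2**127 - 1
G = 3
CHAP_ID = 1  # CHAP identifier byte, held fixed in this model


def h(*parts: bytes) -> bytes:
    """Assumed hash construction: SHA-256 over the concatenated fields."""
    return hashlib.sha256(b"".join(parts)).digest()


def target_issue_challenge():
    """Target, step 1: choose x, send a CHAP challenge C and g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    c = secrets.token_bytes(16)
    return x, c, pow(G, x, P)


def initiator_respond(secret: bytes, c: bytes, gx_received: int):
    """Initiator, step 2: choose y, derive k = (g^x)^y, and answer with the
    secret bound to C and k. The protocol gives the initiator no way to
    check who actually sent gx_received; it simply trusts it."""
    y = secrets.randbelow(P - 2) + 1
    k = pow(gx_received, y, P)
    response = h(bytes([CHAP_ID]), secret, c, k.to_bytes(16, "big"))
    return pow(G, y, P), response


def target_verify(secret: bytes, x: int, c: bytes, gy: int, response: bytes) -> bool:
    """Target, step 3: recompute k = (g^y)^x and compare responses."""
    k = pow(gy, x, P)
    expected = h(bytes([CHAP_ID]), secret, c, k.to_bytes(16, "big"))
    return secrets.compare_digest(expected, response)


def login(initiator_secret: bytes, target_secret: bytes, gx_seen_by_initiator=None) -> dict:
    """Run one login and return the record a concise target-side log keeps.
    gx_seen_by_initiator lets the model hand the initiator a DH value other
    than the one this target issued, which is the situation the thread describes."""
    x, c, gx = target_issue_challenge()
    if gx_seen_by_initiator is None:
        gx_seen_by_initiator = gx
    gy, resp = initiator_respond(initiator_secret, c, gx_seen_by_initiator)
    ok = target_verify(target_secret, x, c, gy, resp)
    # Assumed log fields: the target knows who tried and whether CHAP passed,
    # nothing about why the response did not match.
    return {"initiator": "iqn.example:init0",  # constructed name
            "event": "login",
            "result": "success" if ok else "CHAP failure"}


def run_scenarios() -> dict:
    """Three logins: normal, wrong password, and a DH value the target never issued."""
    secret = b"correct horse"  # constructed shared secret
    normal = login(secret, secret)
    wrong_pw = login(b"wrong secret", secret)
    _, _, foreign_gx = target_issue_challenge()  # a g^x from some other run
    foreign = login(secret, secret, gx_seen_by_initiator=foreign_gx)
    return {"normal": normal, "wrong_password": wrong_pw, "foreign_dh_value": foreign}


def log_records_identical(a: dict, b: dict) -> bool:
    """True when two log records carry no field that separates them."""
    return a == b


if __name__ == "__main__":
    for name, rec in run_scenarios().items():
        print(f"{name:18s} {rec}")
```

Running it shows the normal login succeed and the other two fail with byte-identical log records: the target's log has no field that distinguishes a mistyped secret from a response that was computed against a DH value someone else supplied. Any detection of the situation in the thread therefore has to come from context the target does not have on its own, which is why a log entry alone, as Yongge says, does not tell you an attack happened.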
