iSCSI: DH-CHAP and impersonation

To: perry@wasabisystems.com
Subject: iSCSI: DH-CHAP and impersonation
From: Black_David@emc.com
Date: Mon, 15 Apr 2002 14:58:53 -0400
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Perry,

> > The attacker on DH-CHAP does not need to control the links.
> > A simple example is as follows:
> 
> > The initiator and the attacker sit on one local Ethernet-I(e.g., 
> > connected by a hub), the target sits on another Ethernet-II though
> > still in the same organization.  The Ethernet-I and Ethernet-II
> > are connected by a switch or a router. Now the attacker could easily
> > (almost trivially) launch the attack though neither the attacker
controls
> > the links between the initiator and the target nor the attacker 
> > sits between the initiator and the target.
> 
> I must admit that I completely fail to understand the difference
> between this and a normal "man in the middle" attack. In either, you
> insert yourself into the communications and play to each end.
> 
> I'm also very much unclear on why this attack, given the CHAP
> authentication layered on top of the Diffie-Hellman exchange, is of
> concern.

I don't think Yongge Wang has completely explained his example.
Consider the following sequence of events:
- The attacker crashes or disconnects the IP Storage Target, so
	that it can't respond to ARPs (e.g., pulls out an Ethernet cable).
- The attacker waits for the Initiator's ARP cache to time out.
- The attacker's system responds to the Initiator's re-ARP for
	the Target's IP with the attacker's Ethernet MAC instead of
	the Target's.
- The attacker runs DH-CHAP far enough to get a response from
	the Initiator.
The attacker is impersonating the (off-line and still
confused) target.  The attacker needs to be on the same
subnet as the Target (VLAN would do) in order to see and
respond to the ARP.  Depending on the IP address configuration,
being on the same subnet as the Initiator may work in some cases.
It's also the case that switched Ethernet infrastructures are
tending towards smaller subnets for reasons like poor scaling
of the Ethernet spanning-tree algorithm, which limits the
opportunity for this.

Note that the attacker relies on the Target being off-line or
otherwise unable to participate.  If the Initiator finds the
Target via a DNS lookup, a corruption attack on the DNS server
followed by a well-placed TCP RST achieves similar results
without taking the Target offline (nastier, and one more reason
why everyone should run DNSSEC even though almost nobody does).

These are the sorts of thing I had in mind for an Impersonation
attack in the DH-CHAP draft, and I don't think they qualify as
Man-in-the-Middle attacks.

Thanks,
--David
---------------------------------------------------
 David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------

Prev by Date: RE: DH-CHAP
Next by Date: RE: DH-CHAP
Prev by thread: RE: iSCSI - Basic Question
Next by thread: iSCSI: possible DH-CHAP rationale
Index(es):
- Date
- Thread

Home

Last updated: Mon Apr 15 18:18:22 2002
9680 messages in chronological order