iSCSI: Authentication thoughts

To: ips@ece.cmu.edu
Subject: iSCSI: Authentication thoughts
From: Black_David@emc.com
Date: Mon, 29 Apr 2002 09:36:55 -0400
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

In the hopes of kicking off some useful discussion, I
thought I'd post my current views on CHAP, DH-CHAP, and SRP.
These are posted as an individual and author of the DH-CHAP
draft, *not* as a WG co-chair.  This post follows a thought
path through these issues.  While it's by no means the only
such path, I think this sort of approach is better than
starting with sets of MUST/SHOULD/MAY words, and comparing/
contrasting the sets.  IMHO, the fundamental issue is what
the first/only protocol is that "MUST implement" needs to be
applied to.

To begin with, simplicity is a virtue, and the simplest
solution I've seen to iSCSI's authentication requirements
is to require CHAP with machine-generated keys of sufficient
length (probably 128 bits), which are a bit unwieldy for
people to handle (but fit just fine on floppies :-) ).

ISSUE (1): Can we live with machine-generated keys
	of a sufficient size?

If the answer is "yes", that's it - CHAP with
machine-generated keys solves the problem.  This would
be a nice place to wind up.

If human generated/usable keys are required to make
authentication easier to use, the next question becomes
the class of attacks against which the protocol should
defend.

ISSUE (2): Should the authentication protocol be required
	to defend against active attacks?

A "yes" answer to this issue lands us in the space of
possible IPR claims that got us to where we are, and
leads to SRP as the mandatory protocol to implement.
My current view of this is "no, that's IKE's job",
although this level of defense is a nice plus.

If one answers this with some form of "no", the next
question becomes what should be defended against.

ISSUE (3): Should the authentication protocol be
	required to defend against passive eavesdroppers?

Among the other ways to view this issue is whether there's
a significant difference between the threat posed by
an eavesdropper vs. an active attacker.  Unlike David
Jablon who's arguing that essentially all eavesdroppers
are capable of mounting arbitrary active attacks with
results similar to the passive ones, I think that there
is a significant difference.  I'll post more on this
topic under separate cover.

In any case, a "no" answer to this issue leads to CHAP,
and a "yes" answer leads to DH-CHAP.  If human-generated/
usable keys are required, I find myself in the latter
place, but with a preference to use SRP if possible (e.g.,
I like the fact that the SRP password verifier does not
have to be kept secret when only doing one-way authentication).
The practical result of this is probably DH-CHAP, though. 

Please comment.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------

Follow-Ups:
- Re: iSCSI: Authentication thoughts
  - From: Steve Senum <ssenum@cisco.com>
- Re: iSCSI: Authentication thoughts
  - From: Bill Studenmund <wrstuden@wasabisystems.com>

Prev by Date: iSCSI: IKE groups and DH-CHAP
Next by Date: RE: FCIP Last Call, comment 109 - Special Frame
Prev by thread: iSCSI: IKE groups and DH-CHAP
Next by thread: Re: iSCSI: Authentication thoughts
Index(es):
- Date
- Thread

Home

Last updated: Mon Apr 29 19:18:25 2002
9864 messages in chronological order