Re: iSCSI: PAK: an alternative to SRP and DH-CHAP

To: philmac@research.bell-labs.com
Subject: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
From: Paul Koning <ni1d@arrl.net>
Date: Tue, 30 Apr 2002 12:58:08 -0400
Cc: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <3CCD3A92.9050603@research.bell-labs.com><20020429112331.B65828@homegate.strahm.net><3CCDC90B.6010905@research.bell-labs.com><20020429161800.D65828@homegate.strahm.net><3CCE9D0E.2050702@research.bell-labs.com>
Sender: owner-ips@ece.cmu.edu

Excerpt of message (sent 30 April 2002) by Philip MacKenzie:
> > Funny, iSCSI all ready has excellent protection from active attackers 
> > in the fact that IPsec has protection from active attackers.  If you 
> > need the protection, turn on the MUST implement IPsec and be done with
> > it.  If you don't need the protection, and want some extra performance
> > just turn off IPsec and go through your dedicated switched network that
> > doesn't have the ability for an unknown attacker to sit in the middle...
> > 
> > Why are we still wasting time on this ???
> > 
> > Bill
> > 
> 
> 
> Good question.  I did find the following reason
> in <draft-ietf-ips-security-11.txt>, Section 5.8.2:
> 
> > Thus when pre-shared key authentication is used in Main Mode  along with
> > entities whose address is dynamically assigned, the same pre-shared key
> > is shared by a group and is no longer able to function as an effective
> > shared secret.  In this situation, neither the Initiator nor Responder
> > identifies itself during IKE Phase 1; it is only known that both parties
> > are a member of the group with knowledge of the pre-shared key....
> > However, where IP addresses are dynamically assigned and Main Mode is
> > used along with pre-shared keys, the Responder is not authenticated
> > unless application-layer mutual authentication is performed (e.g. iSCSI
> > Login with SRP). This enables an attacker in possession of the group
> > pre-shared key to masquerade as the Responder. In addition to enabling
> > the attacker to present false data, the attacker would also be able to
> > mount a dictionary attack on legacy authentication methods such as CHAP
> > [RFC1994], potentially compromising many passwords at a time.  This
> > vulnerability is widely present in existing IPsec implementations.

I feel that this is a red herring.

It's been quite clearly stated that group secrets in IKE main mode are
a Bad Idea.  There are several solutions within IKE for this.

For one thing, if your threat environment is such that you need IPsec,
then you need IPsec done right.  It makes no sense to do it wrong
(group keying) and then pretend you're fixing the problem by layering
SRP or the like on top.  That may protect your initial login
handshake, but it does nothing to protect the rest of your traffic
from your assumed rogue group member.

(Conversely, if you trust group members to behave properly, then group
keying is in fact ok and its existence doesn't justify maximally
strong application layer authentication either.)

       paul

References:
- iSCSI: PAK: an alternative to SRP and DH-CHAP
  - From: Philip MacKenzie <philmac@research.bell-labs.com>
- Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
  - From: Bill Strahm <bill@strahm.net>
- Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
  - From: Philip MacKenzie <philmac@research.bell-labs.com>
- Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
  - From: Bill Strahm <bill@strahm.net>
- Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
  - From: Philip MacKenzie <philmac@research.bell-labs.com>

Prev by Date: Re: iSCSI: RE: iSCSI 4.1 & 4.2
Next by Date: Re: iSCSI 4.1 & 4.2
Prev by thread: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Next by thread: iSCSI: IKE groups and DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Tue Apr 30 13:18:30 2002
9887 messages in chronological order