
    RE: iSCSI Inband authentication (SRP/CHAP) - proposed resolution



    John,
    
    > Do you also mean that we can tell if a group preshared key 
    > was used?  How do we do that?
    
    Preshared key, yes, via the same sort of secured management
    interface that reports the IKE identity that authenticated and
    how it authenticated.  OTOH, one can't tell in general whether
    it's a group or pairwise pre-shared key, because that falls
    into the area you've identified as "customer actions" - I'd
    use the phrase "good security policy and practices", but it's
    the same issue.
    
    There are instances in which it's possible to tell that a key
    is pre-shared among a group (e.g., if the same pre-shared key is
    bound to multiple IKE identities, and those IKE identities
    are in use simultaneously with the same counterparty), but
    in full generality determining whether a pre-shared key is
    only pairwise shared or shared among a larger group is the
    same sort of problem as determining whether Alice kept her
    password secret from Bob - if Bob knows Alice's password
    and logs in as Alice, it's very hard to figure out that this
    happened, especially if he does so from a system Alice uses
    regularly.
    
    Thanks,
    --David
    
    > -----Original Message-----
    > From: John Hufferd [mailto:hufferd@us.ibm.com]
    > Sent: Wednesday, May 22, 2002 8:29 PM
    > To: Black_David@emc.com
    > Cc: ips@ece.cmu.edu
    > Subject: RE: iSCSI Inband authentication (SRP/CHAP) - proposed
    > resolution
    > 
    > 
    > 
    > David,
    
    > 
    > .
    > .
    > .
    > John L. Hufferd
    > Senior Technical Staff Member (STSM)
    > IBM/SSG San Jose Ca
    > Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    > Home Office (408) 997-6136, Cell: (408) 499-9702
    > Internet address: hufferd@us.ibm.com
    > 
    > 
    > Black_David@emc.com@ece.cmu.edu on 05/22/2002 02:06:37 PM
    > 
    > Sent by:    owner-ips@ece.cmu.edu
    > 
    > 
    > To:    John Hufferd/San Jose/IBM@IBMUS
    > cc:    ips@ece.cmu.edu
    > Subject:    RE: iSCSI Inband authentication (SRP/CHAP) - proposed
    >        resolution
    > 
    > 
    > 
    > John,
    > 
    > > The problem I am having with the proposal is, that I think we are
    > > mandating customer actions not just implementation.
    > 
    > To some extent, this is unavoidable, and we're already there
    > implicitly, as use of a low-entropy pre-shared key with IKE will
    > doubtless make IKE vulnerable in all sorts of undesirable ways.
    > For that matter, even SRP is only secure if the customer uses
    > it correctly (e.g., if Alice doesn't keep her password secret,
    > and Bob knows it, SRP will not protect Alice from Bob).
    > 
    > > We are saying that if Chap passwords are used then they must
    > > do or must not do something else which is legal with IPsec.
    > >
    > > Since the IPsec process is really disjoint from the iSCSI Login, there is
    > > no real way that we can tell what the customer did with IPsec, and IKE.
    > 
    > I don't think so.  One can expect an IPsec implementation to
    > report the security policy and mechanisms (contents of the SPD,
    > and probably the SAD) that it is currently enforcing through
    > a suitably secured management interface.  How to get access to
    > and use that interface would be up to the implementer combining
    > IPsec and iSCSI.
    > 
    > > So somehow I think the wordage needs to be adjusted to reflect this
    > > implementation vs. customer interaction, since I think the only thing we
    > > can do is document on the packaging/directions, what should or should not
    > > be done.
    > 
    > Please propose new wording.
    > 
    > Thanks,
    > --David
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    > black_david@emc.com         Cell: +1 (978) 394-7754
    > ---------------------------------------------------
    > 
    > 
    > 
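The group-key heuristic David describes above (the same pre-shared key bound to several IKE identities that are simultaneously in use with the same counterparty), as an added example that is not part of the original thread. It runs over a constructed table of active IKE SAs in roughly the shape an IPsec management interface could report them (identity that authenticated, how it authenticated, lifetime). The record layout, the `psk_ref` label standing in for the key, and the sample entries are all assumptions; no real implementation's interface is modelled.

```python
"""Heuristic from the ips thread: a pre-shared key is demonstrably group-shared
when the same key is bound to multiple IKE identities that are simultaneously
active with the same counterparty.  Absence of a finding proves nothing, as the
Alice/Bob password argument in the thread points out.

Record shape and sample data are constructed for this example (assumptions)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IkeSa:
    """One IKE SA as an (assumed) secured management interface might report it."""
    peer_id: str                # IKE identity of the remote side that authenticated
    auth: str                   # authentication method, e.g. "psk" or "rsa-sig"
    psk_ref: Optional[str]      # opaque label for the PSK used, never the key itself
    established: int            # lifetime start (seconds since epoch)
    expires: int                # lifetime end (seconds since epoch)


def active_sas(sas: List[IkeSa], now: int) -> List[IkeSa]:
    """SAs whose lifetime covers `now`; only these count as 'in use simultaneously'."""
    return [sa for sa in sas if sa.established <= now < sa.expires]


def authenticated_peers(sas: List[IkeSa], now: int) -> Dict[str, str]:
    """What the thread says a management interface can tell you: which IKE
    identity authenticated and how.  Returns {peer_id: auth_method}."""
    return {sa.peer_id: sa.auth for sa in active_sas(sas, now)}


def group_shared_keys(sas: List[IkeSa], now: int) -> Dict[str, List[str]]:
    """Keys that are provably shared by a group: a PSK label currently bound to
    more than one distinct peer identity.  Returns {psk_ref: sorted peer ids}.
    A key that appears only once may still be group-shared; this cannot be
    decided in general, only the positive case is detectable."""
    peers_per_key = defaultdict(set)
    for sa in active_sas(sas, now):
        if sa.auth != "psk" or sa.psk_ref is None:
            continue                      # certificate-based SAs carry no PSK
        peers_per_key[sa.psk_ref].add(sa.peer_id)
    return {k: sorted(v) for k, v in peers_per_key.items() if len(v) > 1}


# Constructed sample report: two initiators on the same key at the same time,
# one key used by a single live peer plus an expired SA, one certificate peer.
SAMPLE_SAS = [
    IkeSa("initiator-a.example", "psk", "psk-7f3a", 1000, 4600),
    IkeSa("initiator-b.example", "psk", "psk-7f3a", 1200, 4800),
    IkeSa("initiator-c.example", "psk", "psk-9c01", 1300, 4900),
    IkeSa("initiator-d.example", "rsa-sig", None, 1400, 5000),
    IkeSa("initiator-e.example", "psk", "psk-9c01", 100, 900),   # already expired
]

if __name__ == "__main__":
    now = 2000
    for peer, method in authenticated_peers(SAMPLE_SAS, now).items():
        print(f"{peer}: authenticated via {method}")
    for key, peers in group_shared_keys(SAMPLE_SAS, now).items():
        print(f"{key} is group-shared: in use by {', '.join(peers)}")
```

The expired SA for `initiator-e.example` is the point of the "simultaneously" qualifier: `psk-9c01` has been bound to two identities over time, but only one is live, so the heuristic stays silent about it. A report that is silent is exactly the "good security policy and practices" case the thread says cannot be decided from the implementation side.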
    


Last updated: Thu May 23 13:18:41 2002