On Sep 12, 2012, at 5:52 PM, Andy Grover wrote:

> On 09/12/2012 09:11 AM, paul_kon...@dell.com wrote:
>> On Sep 12, 2012, at 11:30 AM, Andy Grover wrote:
>>> CHAP is a weak authentication method, and all traffic is sent 
>>> unencrypted (unless using IPSec).
>>> 
>>> Do people use CHAP? Or does its weakness not matter because it's
>>> just used to ensure the wrong initiator doesn't accidentally
>>> connect to a target?
> 
>> I disagree with your blanket assertion that CHAP is a weak
>> authentication method.  It's strong if the password is a random
>> string, or otherwise strong enough to resist searching attacks.  Note
>> that the iSCSI standard requires the use of distinct CHAP secrets for
>> the two directions, if mutual authentication is used, so the
>> reflection attack that classic CHAP suffers from does not apply in
>> iSCSI and cannot work there.
> 
> Hi Paul,
> 
> Thanks for your lengthy response to my prior email :)
> 
> To the degree that good passwords are used, you'd say CHAP is fine for
> secure authentication? Does the MS-CHAPv2 vulnerability[1] apply to
> either the standard or mutual CHAP auth that the iSCSI rfc defines?

Yes, it does.  What's described there is in fact not a CHAP deficiency, but 
rather an obvious property of any protocol that does connect-time 
authentication but not full data phase cryptographic data origin 
authentication.  As I said before, if you send data in the clear, you are 
relying on the assumption that there is no connection hijacking and no 
eavesdropping in the network.  The vulnerability that MS describes is an 
example of that: they state that an unencrypted data connection is vulnerable 
to connection hijacking (man in the middle).  Well, yes, of course it is.  The 
fact that the cleartext connection is authenticated with CHAP, or with 
something else, or not at all, has nothing to do with that fact.

If you believe that connection hijacking and/or man in the middle and/or 
eavesdropping on the data phase is something you have to defend against, then 
you need IPsec.  

        paul


-- 
You received this message because you are subscribed to the Google Groups 
"open-iscsi" group.
To post to this group, send email to open-iscsi@googlegroups.com.
To unsubscribe from this group, send email to 
open-iscsi+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/open-iscsi?hl=en.
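The points argued in the thread above, as an added example that is not code from the thread, from open-iscsi or from the iSCSI specification: CHAP modelled as iSCSI uses it (MD5 over Identifier || Secret || Challenge, carried as CHAP_I, CHAP_C and CHAP_R), an offline search against a sniffed exchange that succeeds against a guessable secret and not against a random one, the classic CHAP reflection attack that fails once the two directions use distinct secrets, and a man in the middle that forwards the whole login untouched. All node names, secrets and the word list are constructed for the demo; the PPP-style "either side may challenge at any time" framing of the reflection attack is an assumption used to show the classic attack, not the iSCSI login ordering.

```python
"""Added example, not code from the open-iscsi thread or project. Models CHAP
as iSCSI uses it and the three properties the thread discusses. All secrets,
node names and the word list below are constructed for the demo."""
import hashlib
import hmac
import os
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Peer:
    """One iSCSI node. own_secret answers challenges; peer_secret is what
    this node expects the other side to have answered with."""

    def __init__(self, name: str, own_secret: bytes, peer_secret: bytes):
        self.name, self.own_secret, self.peer_secret = name, own_secret, peer_secret

    def new_challenge(self):
        return secrets.randbelow(256), os.urandom(16)

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.own_secret, challenge)

    def verify(self, identifier: int, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(identifier, self.peer_secret, challenge)
        return hmac.compare_digest(expected, response)


class Interceptor:
    """Attacker holding both TCP legs of a login: records every message and
    forwards it unchanged. CHAP gives neither end a way to notice."""

    def __init__(self):
        self.log = []

    def __call__(self, msg):
        self.log.append(msg)
        return msg


def mutual_login(initiator: Peer, target: Peer, wire=lambda m: m) -> bool:
    """iSCSI mutual CHAP: target challenges, initiator answers and challenges
    back, target answers. `wire` is whatever sits between the two nodes."""
    i1, c1 = wire(target.new_challenge())
    r1 = wire(initiator.respond(i1, c1))
    if not target.verify(i1, c1, r1):
        return False
    i2, c2 = wire(initiator.new_challenge())
    r2 = wire(target.respond(i2, c2))
    return initiator.verify(i2, c2, r2)


def offline_search(identifier, challenge, response, candidates):
    """Sniffed CHAP_I/CHAP_C/CHAP_R let an attacker test candidate secrets
    offline at MD5 speed. Returns the secret if it is among the candidates."""
    for cand in candidates:
        if chap_response(identifier, cand, challenge) == response:
            return cand
    return None


def reflection_attack(victim: Peer) -> bool:
    """Classic CHAP reflection (assumes the PPP-style model where either side
    may challenge at any time). The attacker has no secret: challenged on
    connection 1, it sends the same challenge back to the victim on
    connection 2 and replays the answer. Works only if the victim answers
    with the same secret it expects from the attacker."""
    ident, chal = victim.new_challenge()        # conn 1: victim challenges attacker
    bounced = victim.respond(ident, chal)       # conn 2: attacker reflects the same challenge
    return victim.verify(ident, chal, bounced)  # conn 1: attacker replays the victim's answer


# Constructed demo material.
WEAK_SECRET = b"password1"
RANDOM_SECRET = os.urandom(16)
TARGET_SECRET = b"target-side-secret-0xC0FFEE"
WORDLIST = [b"123456", b"password", b"password1", b"iscsi", b"storage"]


def demo_offline_search(secret: bytes):
    """Sniff one initiator response made with `secret` and search for it."""
    ident, chal = 0x2A, os.urandom(16)
    return offline_search(ident, chal, chap_response(ident, secret, chal), WORDLIST)


def main():
    initiator = Peer("iqn.2012-09.example:init", WEAK_SECRET, TARGET_SECRET)
    target = Peer("iqn.2012-09.example:tgt", TARGET_SECRET, WEAK_SECRET)
    print("mutual login:", mutual_login(initiator, target))
    print("weak secret recovered:", demo_offline_search(WEAK_SECRET))
    print("random secret recovered:", demo_offline_search(RANDOM_SECRET))
    shared = Peer("shared-secret node", TARGET_SECRET, TARGET_SECRET)
    print("reflection vs shared secret:", reflection_attack(shared))
    print("reflection vs distinct secrets:", reflection_attack(target))
    mitm = Interceptor()
    ok = mutual_login(initiator, target, mitm)
    print("login through MITM:", ok, "messages seen:", len(mitm.log))


if __name__ == "__main__":
    main()
```

The last case is the one Paul's reply is about: the interceptor computes nothing and still ends up holding an authenticated session on both legs, because CHAP only binds the login exchange, not the data phase that follows. Distinct secrets and strong secrets close the reflection and search attacks; only data-phase protection such as IPsec closes this one.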