Authentication – How do I know you are who you say you are?
by Hu Yoshida on Mar 24, 2006
Let’s say you are in a strange city, like San Diego, and someone knocks on your hotel room door. Instead of throwing the door wide open, in this day and age, we issue a challenge: “Who’s there?”
If the answer comes back “Room Service”, we validate that response by recalling whether we ordered room service, and by peering through the peephole to see whether the person outside is dressed like someone who works in the hotel. We go through a process of authentication before we grant access.
How do you do authentication in a networked world? One way is through a process called CHAP, Challenge Handshake Authentication Protocol. CHAP is a way in which two parties demonstrate to each other that each party knows a common “shared secret”, without exposing the secret to a third party “listener”. Sticking with the analogy of knocking on doors, the shared secret may be to add 3 knocks to a challenge. The requester knocks on the door. You challenge by responding with some number of random knocks, let’s say 3. The requester will then respond with 6 knocks to demonstrate that he knows the “shared secret”. For mutual authentication, the process would continue with the requester initiating a challenge to the responder.
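The knock exchange above, written out with the computation CHAP actually uses in the IP world (RFC 1994: an MD5 hash over the identifier, the shared secret and the challenge) in place of "add 3 knocks". This is an added example, not code from the original post; the `Party` class, the function names and the secret value are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Party:
    """One end of the link; both ends are provisioned with the same secret."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = None  # (identifier, challenge) awaiting a response

    def issue_challenge(self):
        # A fresh random challenge per attempt: a listener who recorded an
        # earlier response cannot reuse it against a new challenge.
        self.pending = (os.urandom(1)[0], os.urandom(16))
        return self.pending

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        # Only the hash crosses the wire, never the secret itself.
        return chap_response(identifier, self.secret, challenge)

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False  # no outstanding challenge: reject
        identifier, challenge = self.pending
        self.pending = None  # each challenge is good for one response only
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def mutual_authenticate(a: Party, b: Party) -> bool:
    """a challenges b, then b challenges a, as in the mutual case above."""
    if not a.verify(b.answer(*a.issue_challenge())):
        return False
    return b.verify(a.answer(*b.issue_challenge()))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    print("same secret :", mutual_authenticate(Party(secret), Party(secret)))
    print("wrong secret:", mutual_authenticate(Party(secret), Party(b"guess")))
```

Unlike the knock arithmetic, the hash is one-way, so a listener who sees a challenge and its response cannot work backwards to the secret by subtraction.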
CHAP has been available for some time in the IP world and an equivalent capability will soon be available for FC. INCITS/T11 is expected to ratify this as part of the FC-SP, Fibre Channel Security Protocol, by the third quarter of 2006.
While the accumulating reports of data loss have captured the headlines and focused attention on encryption, there is much more to storage security than encryption. Data does not have to be lost to be exposed. A hacker can access storage and steal information without leaving any trace. Other areas of concern are authentication, authorization, immutability, non-repudiation, integrity, privacy, logging, and auditing.
SNIA, in their Storage Security Technical Working Group, has been working hard to educate the storage community on the requirements and solutions for best security practices, and leading the charge for security standards like FC-SP. If you want to learn more about storage security, I recommend attending the SNIA tutorials on April 3 and 4 at Storage Networking World in San Diego.
Knock, Knock. Who’s there?
CHAP. CHAP who?
Diffie-Hellman CHAP – with a Null Diffie-Hellman Group.
If you want to know what this means and why you should care, attend Larry Hoffer’s tutorial on FC-SP, at 2:50pm at SNW San Diego, April 3. While you are there, attend other sessions by Eric Hibbard – Security Beyond the Introduction, LeRoy Budnik – How to Avoid Becoming a Headline, Eric Shafer – Data Disposal-Gone for Good, and Richard Austin – Digital Forensics in the Storage Network.
Comments (2)
Ah! That’s quite an innovative way of presenting the topic…much better than most “dry” certification and other books that I have come across.
If you like computer problem cartoons, come visit my space sometime at http://spaces.msn.com/sillygloop/
Have a nice weekend!
Thanks Hu. Apparently Vincent is going to be at SNW; he left some details here