[OpenWireless Tech] Some thoughts

Dan Auerbach dtauerbach at eff.org
Wed Jul 27 16:41:55 PDT 2011


Hi Natanael,

Thanks for joining and for your enthusiasm! Right now I'm still 
scrambling to reply to everyone who wrote in to openwireless at eff.org and 
encourage folks to get onto this list, but as soon as I get a chance, 
I'm planning to send out an introductory email laying out the technical 
challenges and the different sorts of solutions that we might be after, 
categorized roughly as short-term, medium-term, and long-term. Hopefully 
this will provide a good starting point for discussion, and so I will 
save my reply until after I've sent that out. But of course there's no 
need to wait for me and others should feel free to jump in.

Stay tuned,
Dan, EFF

On 07/27/2011 04:31 PM, Natanael wrote:
>
> Off topic, it looks like I'm the first to send a non-test mail to this 
> list.
>
> On topic: I'll post some of my previous comments here.
>
> What we're starting from is this post on EFF:
> http://www.eff.org/deeplinks/2011/04/open-wireless-movement
>
> FYI, Bruce Schneier (security expert) says he has his network open to 
> help others. Let's help him keep it open AND secure.
> http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
> Also, he supports you here.
> http://www.schneier.com/blog/archives/2011/04/security_risks_7.html
>
> So... my previous comments that I sent in when EFF posted that article;
>
> As EFF said, we have to use asymmetric encryption.
> How to authenticate the networks and avoid MITM is a difficult one 
> since it's almost impossible to tell a stranger that is honest from 
> one that is not (more so when dealing with electronics instead of humans).
>
> I have some suggestions. One is a central database (or several). Like 
> current wifi maps, with public keys added. Another is a WoT. A 
> simpler one to get right, IMHO/AFAIK, is this one:
>
> QR codes or RFID/NFC tags! They would include the network name/SSID, 
> public key and MAC (unless we'll skip that because we have unique keys 
> already).
> Router owners would place them where they can't be altered easily 
> (like inside of windows). Then it would be easier to link the network 
> to a trustable entity.
>
> Then, essentially, you'd just scan a code or swipe the phone against a 
> tag to establish a secure connection. (Open question: Can RFID signals 
> be "overridden" by stronger antennas?)
> The next time you don't even have to do that.
>
> Also, when a company owns several routers they could have a master key 
> that all their routers' keys are signed with (remember key 
> revocation!). Then you need only ONE scan per chain, not one per 
> individual Starbucks/McDonald's/[other] store.
>
> At minimum every router should have a static keypair.
> Clients could choose if they want to have one static keypair for every 
> network, random keys every time, or to have some static keys linked to 
> chosen networks (such as a dedicated keypair for your own home network 
> to authenticate to it).
> (Static keys for clients could have some privacy risks if they would 
> be broadcasted before the client knows that the router they are 
> connecting to is the real one, so I think that random keys should be 
> used when connecting to networks before the client authenticates 
> itself. (Although people DO already mostly use the preset MAC on their 
> wifi cards.) The authentication model of TCPcrypt happens to be 
> similar.)
> ---
> That's what I've already sent to EFF previously, edited a bit.
>
> Am I going in the right direction? Do you want to do something 
> different? Is this Bluetooth-like WiFi Direct thing something that is 
> relevant to us? Should we go ahead and start adding protocols for 
> notifying users about bandwidth quotas and local services and stuff? 
> Etc...
>
> - Sent from my phone

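The post above proposes a tag (QR code or NFC) carrying the router's SSID, public key and MAC, a company-wide master key that signs each router's key so that one physical scan covers a whole chain of stores, and key revocation. The Go program below is an added example written for this archive page; it is not code from the thread, from the EFF or from any OpenWireless project. Everything in it is an assumption for illustration: the tag format (a JSON `RouterCert`), the use of Ed25519 for both master and router keys, the serial-number based revocation list, and the nonce challenge by which a router proves it actually holds the key named in the tag. The SSID and MAC addresses in `main` are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// RouterCert is the hypothetical tag payload (QR code or NFC tag): the router's SSID, MAC and
// public key, the chain owner's master public key, a serial used for revocation, and the
// master's signature over the router fields. The field set is an assumption of this example.
type RouterCert struct {
	SSID, MAC                 string
	RouterPub, MasterPub, Sig []byte
	Serial                    uint64
}

// tbs is the canonical "to be signed" encoding: every field except MasterPub and Sig.
func (c RouterCert) tbs() []byte {
	b, _ := json.Marshal([]interface{}{c.SSID, c.MAC, c.RouterPub, c.Serial})
	return b
}

// NewKeyPair wraps Ed25519 key generation; the same routine serves master and router keys.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return pub, priv
}

// IssueRouterCert is run once per router by the chain owner, who alone holds the master key.
func IssueRouterCert(master ed25519.PrivateKey, ssid, mac string, routerPub []byte, serial uint64) RouterCert {
	c := RouterCert{SSID: ssid, MAC: mac, RouterPub: routerPub, Serial: serial,
		MasterPub: master.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(master, c.tbs())
	return c
}

// EncodeTag and DecodeTag convert a cert to the text printed in the QR code and back.
func EncodeTag(c RouterCert) string { b, _ := json.Marshal(c); return string(b) }
func DecodeTag(s string) (c RouterCert, err error) { err = json.Unmarshal([]byte(s), &c); return }

// checkCert verifies the master signature; length checks first, since ed25519.Verify panics on bad key sizes.
func checkCert(c RouterCert) error {
	if len(c.MasterPub) != ed25519.PublicKeySize || len(c.RouterPub) != ed25519.PublicKeySize {
		return errors.New("malformed key in cert")
	}
	if !ed25519.Verify(ed25519.PublicKey(c.MasterPub), c.tbs(), c.Sig) {
		return errors.New("master signature invalid")
	}
	return nil
}

// Client keeps the master keys pinned by physical scans and the revoked router certs.
type Client struct{ pinned, revoked map[string]bool }
func NewClient() *Client { return &Client{map[string]bool{}, map[string]bool{}} }
func revID(masterPub []byte, serial uint64) string { return fmt.Sprintf("%x/%d", masterPub, serial) }

// Scan is the out-of-band step: reading the tag fixed inside the shop window. Its physical
// placement is what justifies pinning the embedded master key for the whole chain.
func (cl *Client) Scan(tag string) error {
	c, err := DecodeTag(tag)
	if err == nil {
		if err = checkCert(c); err == nil {
			cl.pinned[string(c.MasterPub)] = true
		}
	}
	return err
}

// Revoke withdraws one router's cert (lost or compromised router) without rekeying the chain.
func (cl *Client) Revoke(masterPub []byte, serial uint64) { cl.revoked[revID(masterPub, serial)] = true }

// Accept judges a cert received over the air from a router the user never scanned (another
// store of the same chain): master already pinned, cert unrevoked and validly signed, and the
// router must prove it holds RouterPub by signing our fresh nonce, so a replayed cert is not enough.
func (cl *Client) Accept(c RouterCert, nonce, proof []byte) error {
	if !cl.pinned[string(c.MasterPub)] {
		return errors.New("unknown master key: scan this chain's tag first")
	}
	if cl.revoked[revID(c.MasterPub, c.Serial)] {
		return errors.New("router cert revoked")
	}
	if err := checkCert(c); err != nil {
		return err
	}
	if !ed25519.Verify(ed25519.PublicKey(c.RouterPub), nonce, proof) {
		return errors.New("router cannot prove it holds the certified key")
	}
	return nil
}

// ProveRouter is the router's side of the challenge: sign the client's nonce.
func ProveRouter(routerPriv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(routerPriv, nonce) }

func main() {
	_, masterPriv := NewKeyPair()
	r1Pub, _ := NewKeyPair()
	r2Pub, r2Priv := NewKeyPair()
	// Constructed sample: one chain, two stores; SSID and MACs are made up.
	store1 := IssueRouterCert(masterPriv, "ChainWifi", "00:11:22:33:44:55", r1Pub, 1)
	store2 := IssueRouterCert(masterPriv, "ChainWifi", "00:11:22:33:44:66", r2Pub, 2)
	cl, nonce := NewClient(), make([]byte, 32)
	rand.Read(nonce)
	fmt.Println("store2 before any scan:", cl.Accept(store2, nonce, ProveRouter(r2Priv, nonce)))
	fmt.Println("scan store1 tag:", cl.Scan(EncodeTag(store1)))
	fmt.Println("store2 after scan:", cl.Accept(store2, nonce, ProveRouter(r2Priv, nonce)))
	cl.Revoke(store2.MasterPub, 2)
	fmt.Println("store2 after revoke:", cl.Accept(store2, nonce, ProveRouter(r2Priv, nonce)))
}
```

Two design points are worth noting. The tag's signature only binds the SSID, MAC and router key to the master; it says nothing about who is currently transmitting under that SSID, which is why `Accept` also demands a signature over a fresh client nonce. And because the client pins the master key rather than individual router keys, a revoked router is handled by a serial in a revocation list rather than by re-scanning every store, matching the "one scan per chain" goal in the post.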