[OpenWireless Tech] Eventual (long term) solutions
Davidfine
d at vidfine.com
Thu Nov 29 21:48:48 PST 2012
Exchanging keys over an untrusted channel is impossible without a
mutually trusted third party. WPA actually does give different keys to
each client, but the handshake is done with the PSK everyone knows. So
if an attacker with the PSK observes the handshake (or can trigger one),
the game is lost. It's not because the ieee is dumb, it's because
<intractable problem>.
I don't think that's a deal breaker here, because you can't trust the AP
not to snoop even if the phy layer is secured. You'd still want SSL for
everything. But it's a fun excercise, so let's do it:
The goal is something that facilitates key exchange, doesn't require an
account anywhere, and doesn't rely on new protocols.
It relies on a third party that both the Client and the AP trust, but
that third party can't know anything about the client or AP.
1. Client connects to open wifi, lands on a captive web portal operated
by the AP. The user clicks "I want to secure this WiFi connection".
(Clicking 'no' makes the AP fall back on unrestricted open WiFi).
2. AP talks to TPP over SSL (hence the Trusted part). TPP returns a new
SSID name, a 12 char PSK, and a random string ie. gBiX73AAuuB
3. The AP sets up a new SSID with the given SSID name and WAP PSK. Over
its web interface it tells the client "click on
https://trusted.com?session=gBiX73AAuuB to access the hotspot we made
for you".
4. The trusted website tells the client "a hotspot has been created for
you. SSID:(ssid) Password: (12 char PSK)
4a. Not so fast! Someone other than the client could intercept that URL!
4b. The TPP only gives the key out once. An attacker doesn't gain
anything by hijacking the key, they could get one legitimately. All
they've done is block the original person, who sees a notification from
the TPP. Pretty boring.
4c. You could try to mitigate this by paying attention to BSSIDs or
having an extra trust relationship between the AP and TTP, but meh.
5. If all goes well, the client connects to an SSID made just for them
using a PSK nobody else knows.
In summary, if you trust the SSL cert you can exchange keys without the
TPP knowing anything but the IP address of the AP. And the failure mode
is no access, not insecure access. And it pretty much requires the AP to
use OpenWRT. But the client needs nothing special. Also, captive portals
suck.
Well, that was fun.
--DF
On 11/29/12 7:44 PM, John Gilmore wrote:
>> I appreciate the improved security of WPA while lamenting
>> the disappearance of open WiFi. ...
>> The eventual solution is probably something like an OpenID service for
>> 802.1X with access points advertising their participation via 802.11u.
> Just because OpenID has "open" in its name does not mean it is good.
> It's a protocol for identifying yourself.
>
> If people (eventually) need to use OpenID to access an access point,
> then it isn't an open access point. There is no point in
> authenticating yourself to an open port -- it would be like
> authenticating the AC power plug you stick in the wall socket, or
> authenticating the Ethernet cable you plug into a switch port. We
> could build power sockets and Ethernet switches that way, but if we
> did, only niche markets would use them. Everybody else would just
> keep using the open ones that don't hassle you when you try to use
> 'em. (HDMI requires authentication every time it gets plugged in, due
> to its origins in Hollywood cartel DRM and the Intel monopoly, and
> it's caused endless hassle to consumers.)
>
> I think a better eventual solution is to provide a WPA-like protocol
> that doesn't assign the exact same key to everyone who supplies the
> same password (WPA does that, oops!). If the protocol did
> Diffie-Hellman, then each node that connects would get a unique key,
> that is shared only with the access point. This protocol could be
> used both on the WPA (restricted, personal) side of the access point,
> and on the open (unrestricted, public) side. Any WiFi node that used
> this protocol would protect itself from its traffic being sniffed by
> anyone except the access point itself. Doing this would require
> working in the 802.11 standards committees to define and find
> agreement on such a protocol, to be deployed in future WiFi hardware.
> WiFi keeps evolving quickly, with new generations every few years,
> so there is plenty of opportunity to improve the security protocols
> in subsequent generations.
>
> John
>
>
>
>
> _______________________________________________
> Tech mailing list
> Tech at srv1.openwireless.org
> https://srv1.openwireless.org/mailman/listinfo/tech
>
More information about the Tech
mailing list