[OpenWireless Tech] Unauthenticated EAP-TLS

John Gilmore gnu at toad.com
Sat Jan 5 16:36:35 PST 2013


> I think this is the first main disagreement between us here. The
> EAP-TLS standard, RFC 5216, is pretty clear: """While the EAP server
> SHOULD require peer authentication, this is not mandatory, since
> there are circumstances in which peer authentication will not be
> needed (e.g., emergency services, as described in [UNAUTH]), or
> where the peer will authenticate via some other means."""  I think
> OpenWireless is a perfect example of the latter, where "peer
> authentication will not be needed", and is completely within the
> standard and not a hack.  ... I was and still am amazed. (Does
> "there are circumstances" mean something else?? Is OpenWireless
> *not* such a circumstance?? I feel like I'm going crazy being 1 of 2
> people in the entire world who think so.  Someone please tell me I'm
> not crazy! Someone agree with me! This is my MAIN point!)

I think I agree with you.  You aren't crazy.

I think most people on the list have not expressed agreement or
disagreement, mostly because they don't understand the technologies
that you are describing the details of.  Myself, I did not know the
802.11 authentication protocols before now (beyond recalling that the
original WEP was useless).  I am only poking at them a bit now, as I
try to understand your suggestion.

For openwireless readers who don't understand the protocols or the
suggestion that californiajack is making, I recommend reading this
2010 document by Christopher Byrd:

  http://riosec.com/files/Open-Secure-Wireless.pdf

This describes the issue in a relatively nontechnical way, and also
describes the proposed solution in an only slightly more technical
way.

As I understand it, the basic suggestion is to use WPA-Enterprise but
without any client certificate.  This provides a unique key to each
user of the access point, which means that other clients of the same
access point (or a third party listening to the airwaves) can't read
your TCP/IP traffic.  (The classic WPA-PreSharedKey access points that
are now commonly deployed allow other users to read the traffic of
your node.  The same is true of unsecured WiFi access points.)  Also,
WPA-Enterprise without a client certificate avoids the need for users
to know a "password" (as in WPA-PreSharedKey) and avoids the need for
users to receive a "client certificate" (as in traditional
WPA-Enterprise).  The result is the higher security of WPA-Enterprise
without the user hassle.

This requires changes in both access points and in clients, which is a
downside.  It does not violate the protocol specs, but the existing
implementations have not allowed this possible way to use the specs,
so they would need to be changed, if we agreed that this is the right
way to go.

One caveat: There may be viable attacks on this variant of the
protocol, since any node can impersonate the now-unidentified client.
For example, can a third party do a "deauthentication attack", as they
can do on WPA-PreSharedKey?  I don't know, but I want a security
expert to figure out the security implications.

Californiajack, I recommend that since Unauthenticated EAP-TLS is your
main point, you should stick to it, and not get distracted into legal
issues and such.  Educate the mailing list on just how WiFi
authentication works today, what's wrong with that, and how your
proposal would change that for the better.  See if you can build
some consensus.  We already have running code, so rough consensus, plus
some document writing and committee politicking, is all that's required
to make this an IETF standard.

	John Gilmore
	Electronic Frontier Foundation
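The key property the message above turns on (a shared WPA-PSK lets any other user of the network derive your per-session key from the observed 4-way handshake, whereas an EAP-derived per-client PMK does not) can be shown directly from the 802.11i key derivation. The following is an added example, not code from the original post or from OpenWireless; the MAC addresses, nonces and EAP master keys are constructed values.

```python
import hashlib
import hmac


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_prf(pmk: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(PMK, label || 0x00 || data || i), truncated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes) from the PMK and the values visible in the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return wpa_prf(pmk, b"Pairwise key expansion", data, 48)


def demo() -> tuple:
    """Returns (psk_eavesdropper_matches, eap_eavesdropper_matches)."""
    # Constructed handshake values: the AP's MAC, station B's MAC and both nonces
    # are all sent in the clear, so a listener on the airwaves sees them.
    ap_mac, sta_b_mac = bytes([0x02, 0, 0, 0, 0, 0xAA]), bytes([0x02, 0, 0, 0, 0, 0xBB])
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))

    # WPA-PSK: every user of the network knows the same passphrase, hence the same PMK.
    pmk_shared = wpa_psk_to_pmk("cafe-wifi-password", "OpenCafe")  # constructed network
    ptk_b = derive_ptk(pmk_shared, ap_mac, sta_b_mac, anonce, snonce)
    ptk_seen_by_other_user = derive_ptk(pmk_shared, ap_mac, sta_b_mac, anonce, snonce)

    # EAP-TLS (even without a client certificate): each TLS session yields its own MSK,
    # and the PMK is the first 32 bytes of that MSK. Another user holds a different PMK.
    pmk_b = hashlib.sha256(b"constructed MSK for station B").digest()
    pmk_other = hashlib.sha256(b"constructed MSK for another user").digest()
    ptk_b_eap = derive_ptk(pmk_b, ap_mac, sta_b_mac, anonce, snonce)
    ptk_guess = derive_ptk(pmk_other, ap_mac, sta_b_mac, anonce, snonce)

    return ptk_seen_by_other_user == ptk_b, ptk_guess == ptk_b_eap
```

`demo()` returns `(True, False)`: with a shared PSK the observed handshake is enough to reproduce station B's pairwise key, while with a per-client EAP-derived PMK it is not.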
