IETF Logo Mail Archive

Re: [saag] Would love some feedback on Opportunistic Wireless Encryption

David Bird <dbird@google.com> Wed, 11 November 2015 20:02 UTC

Return-Path: <dbird@google.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E5001B398F for <saag@ietfa.amsl.com>; Wed, 11 Nov 2015 12:02:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c0L8o6ZzEhC8 for <saag@ietfa.amsl.com>; Wed, 11 Nov 2015 12:02:26 -0800 (PST)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35B921B3994 for <saag@ietf.org>; Wed, 11 Nov 2015 12:01:59 -0800 (PST)
Received: by oies6 with SMTP id s6so21651444oie.1 for <saag@ietf.org>; Wed, 11 Nov 2015 12:01:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=QBBvF/d0zAVRHrReLmrDpqtEC7wM/kwrcUZ+uZA5mpY=; b=a6xIYu0VpgD1sUP4sLBxoKneroHpoBslnDnSHWI9m0lL0JeHDM5QfQtnltY85wDCby Ng3v0JfvfTQLijBuKOwUdYjgv0gajbEui/Lx8ZvwyGlNT66ScW3N/czGJlnOOVltKHrU qFO5NMZth9c03xtUvfaJZDGXsPy93xxcjIhn/3Nn9IsWPyFqUxtlfnHxrsQ3UICRnI7m xAKqmPM98At6Ovrmn/4o4Y2GPLZ+H0Q7T2AQAq4ykn4vo6Evgw5kNXYFt/vzw4mcTMe0 SFqmE8BEUgBXBldcf4RTUy72GS5fEOy5X36UZVwAfqEryUz+bRolDpQ4mS0Ms0H48D19 GyNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QBBvF/d0zAVRHrReLmrDpqtEC7wM/kwrcUZ+uZA5mpY=; b=bICLfp8N3AI2neijnhZyEE7sABZOukVo/kn3RMYh8GIXSy5CIgdI2uDNNJkpJ7b2lg leI9w8ar/PpcqS/9Fbw/98ByuireexKVKfbqQ8CMTptvKIOa1fmSihn3RE1dfQ+ExC72 nUyD6x1h9FxGL+x++23+TLzmCRfg+9kYBIKR27NInlA3x1fd1rjZLMVOYIV97PVTfvl5 8EKGZCy0hkRjB3yp9zl7L50IQiT0/6wpH77Ha129aK4f930O9ogO+xh+gXz3npyAmYv/ fZk3EnhPZa48DTs/1+WsS/swoBs9IJh3eaQLxChPEG44yM7UMpkxolmzNrOUey82dEg2 cdAw==
X-Gm-Message-State: ALoCoQmZtDFQbfKRioO4Vt9suFdE/EDnTvvjmcu5Fp+QpJsxhhBunz0jF081ZNaI5Haos0kYNz1G
MIME-Version: 1.0
X-Received: by 10.202.192.67 with SMTP id q64mr6279229oif.60.1447272118409; Wed, 11 Nov 2015 12:01:58 -0800 (PST)
Received: by 10.76.168.97 with HTTP; Wed, 11 Nov 2015 12:01:58 -0800 (PST)
In-Reply-To: <CAHw9_iLonxgeWuFX6wkeN=uiaBsyb3TAm5SaNWuZ=4BjHd9Fhw@mail.gmail.com>
References: <CAHw9_iKt39m+tCHYxN4VuVFkJf65Go_V2x0udOtEn32ke+nrkQ@mail.gmail.com> <20150826170138.GB9021@mournblade.imrryr.org> <CAHw9_iJsg3WLRBW-h3nW14aAHF0f1UTAATRBmy5eR3-hS1QDZw@mail.gmail.com> <DM2PR0301MB0655816443EC6146F639C7DFA8600@DM2PR0301MB0655.namprd03.prod.outlook.com> <CAHw9_iJ1BgYWgdEJHivZeabgPUJ9soOrZr1DdxBiH2k4dquoLg@mail.gmail.com> <55E028E0.6080803@restena.lu> <DM2PR0301MB06558A9A77453010C046A024A86E0@DM2PR0301MB0655.namprd03.prod.outlook.com> <CAHw9_iLonxgeWuFX6wkeN=uiaBsyb3TAm5SaNWuZ=4BjHd9Fhw@mail.gmail.com>
Date: Thu, 12 Nov 2015 05:01:58 +0900
Message-ID: <CADo9JyVJbdVg1zq1ZewJfTLQ2Ct_YMHBhUWnw08SL96KDdb2rA@mail.gmail.com>
From: David Bird <dbird@google.com>
To: Warren Kumari <warren@kumari.net>
Content-Type: multipart/alternative; boundary="001a1135b6c88333970524494cdd"
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/6CWMzikF4GDydskG0eeLJTkjQU0>
Cc: Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Would love some feedback on Opportunistic Wireless Encryption
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2015 20:02:28 -0000

I believe hostapd already has support for an EAP "UNAUTH-TLS" method
whereby the client station doesn't authenticate itself, but can
"authenticate" the server (much like your typical HTTPS connection). The
keying material, like any EAP-TLS based method, comes from the TLS layer.
This method could be used with or without a RADIUS server (assuming the
authenticator has an EAP engine, like hostapd optionally does).

A limitation, however, is that the client can't distinguish between
UNAUTH-TLS and other more secure EAP methods until it tries to connect -
and will show the network as being secure. And, having a certificate
warning/acceptance dialog perhaps with a "You are really joining a public
access network, not a 'secure' network" warning might be scary for users.

Maybe if the beacon (RSN IE) could indicate 802.1X -and- 'public access'...


On Mon, Nov 9, 2015 at 9:27 AM, Warren Kumari <warren@kumari.net> wrote:

> On Sat, Aug 29, 2015 at 4:13 AM, Christian Huitema
> <huitema@microsoft.com> wrote:
> > On Friday, August 28, 2015 2:25 AM, Stefan Winter wrote:
> >> To: saag@ietf.org
> >> Subject: Re: [saag] Would love some feedback on Opportunistic Wireless
> >> Encryption
> >>
> >> Hi,
> >>
> >> > You are right that there will be some initial legacy issues -- but if
> >> > we can convince Windows 10 Mobile, Apple iOS, and Android willing to
> >> > include support (which seems likely, "support" is trivial - basically
> >> > 1: try the SSID as the passphrase and 2: don't bother showing a lock
> >> > icon)
> >>
> >> Or, for wireless sniffing kit of your choice:
> >>
> >> 1) try to decrypt with the SSID as the password
> >> 2) win!
> >
> > It is a bit more complicated than that, but not much. With WPA2, the
> traffic is not directly encrypted with the password, but instead with a key
> derived from the password, the SSID, an Access Point nonce, and a Station
> nonce. Even if the password is shared, each client uses a different set of
> nonce, and thus a different key. However, the nonce are transmitted in
> clear-text during the initial exchange. That means the attack goes as:
> >
> > 1) Capture the initial exchange between Station and Access point, and
> remember the nonce.
> > 2) Assume that the SSID is the password and try to derive the per
> station key using the nonce.
> > 3) Win!
> >
> > This is in fact the main limitation to Warren's approach. The proposed
> OWE system will still be vulnerable to passive listener attacks, and is
> thus not much of an improvement over open networks.
> >
> > Note that this is also a limitation of the "public password" approach,
> as in "ask the password to the bartender." We can hypothesize that mass
> surveillance systems will quickly build a database linking networks, SSID
> and public passwords. After all, the initial WPA2 exchange carries
> authentication codes that are the hash of the nonce and the password, which
> trivially enables dictionary attacks. That means the procedure will be:
> >
> > 1) Capture the initial exchange between Station and Access point, and
> remember the nonce.
> > 2) Retrieve the password associated to the SSID from the database.
> > 3) Derive the per station key using the nonce.
> > 4) Win!
> >
> > Thinks would be different if instead of just sending the nonce in clear
> text the WPA2 exchange used some variation of Diffie-Hellman or EKE.
> Attackers would need to move from "passive listening" to "actively
> implement MITM attack," and we believe that might curtail mass surveillance
> efforts. But that's not the case.
>
>
>
> ... and a quick update (which I thought I'd sent earlier, but
> apparently not) - when we wrote the initial document, we were well
> aware of the issues with the 4 way handshake, but decided to write the
> document in the IETF context anyway. This was because I figured that a
> better than nothing approach was, well, better than nothing. We were
> aware that the IEEE was the correct layer to get this done, but, well,
> I don't participate there much, and figured that it would be a hard /
> very slow process.
>
> Dan Harkins (who most of you know), is an IEEE regular, has nicely
> rewritten this into IEEE language, and is getting strong interest /
> making progress there. This basically does what everyone has been
> suggesting (and I'd originally wanted to do, but couldn't) -- a public
> key exchange between the AP and STAtion (think DH).
>
> This is obviously much much less hacky than the "just pretend that the
> user typed the SSID as the passphrase, and don't show any indications
> (to avoid having the user believe that they have "security")".
>
> W
>
> >
> > -- Christian Huitema
> >
> >
> >
> >
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email