Re: [saag] Would love some feedback on Opportunistic Wireless Encryption

Christian Huitema <huitema@microsoft.com> Fri, 28 August 2015 19:13 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/EHvw7kbCgbS2DiOw7pokhop0CQU>

On Friday, August 28, 2015 2:25 AM, Stefan Winter wrote:
> To: saag@ietf.org
> Subject: Re: [saag] Would love some feedback on Opportunistic Wireless
> Encryption
> 
> Hi,
> 
> > You are right that there will be some initial legacy issues -- but if
> > we can convince Windows 10 Mobile, Apple iOS, and Android willing to
> > include support (which seems likely, "support" is trivial - basically
> > 1: try the SSID as the passphrase and 2: don't bother showing a lock
> > icon)
> 
> Or, for wireless sniffing kit of your choice:
> 
> 1) try to decrypt with the SSID as the password
> 2) win!

It is a bit more complicated than that, but not much. With WPA2, the traffic is not directly encrypted with the password, but instead with a key derived from the password, the SSID, an Access Point nonce, and a Station nonce. Even if the password is shared, each client uses a different set of nonces, and thus a different key. However, the nonces are transmitted in clear-text during the initial exchange. That means the attack goes as:

1) Capture the initial exchange between Station and Access Point, and remember the nonces.
2) Assume that the SSID is the password and try to derive the per station key using the nonces.
3) Win!

This is in fact the main limitation to Warren's approach. The proposed OWE system will still be vulnerable to passive listener attacks, and is thus not much of an improvement over open networks. 

Note that this is also a limitation of the "public password" approach, as in "ask the password to the bartender." We can hypothesize that mass surveillance systems will quickly build a database linking networks, SSID and public passwords. After all, the initial WPA2 exchange carries authentication codes that are the hash of the nonce and the password, which trivially enables dictionary attacks. That means the procedure will be:

1) Capture the initial exchange between Station and Access Point, and remember the nonces.
2) Retrieve the password associated to the SSID from the database.
3) Derive the per station key using the nonces.
4) Win!

Things would be different if instead of just sending the nonce in clear text the WPA2 exchange used some variation of Diffie-Hellman or EKE. Attackers would need to move from "passive listening" to "actively implement MITM attack," and we believe that might curtail mass surveillance efforts. But that's not the case.

-- Christian Huitema
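
The key derivation the message above describes, written out as an added example (not part of the original message or of any draft): it shows that the passphrase is the only WPA2-PSK input that is not visible on the air, so a public passphrase leaves nothing secret. The SSID, MAC addresses, nonces and the name `session_key` are constructed for illustration; the derivation follows the standard WPA2-PSK/CCMP layout.

```python
import hashlib
import hmac

def pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK master key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated
    out = b""
    for counter in range((nbytes + 19) // 20):
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:nbytes]

def temporal_key(passphrase, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # PTK input: both MAC addresses and both nonces, each pair ordered min then max
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk(passphrase, ssid), b"Pairwise key expansion", data, 48)
    return ptk[32:48]  # CCMP layout: KCK (16) | KEK (16) | TK (16)

# Constructed sample values (not from a real capture)
SSID = "ExampleCafe"
AP_MAC = bytes.fromhex("020000000001")

def _nonce(tag: bytes) -> bytes:
    return hashlib.sha256(tag).digest()  # deterministic 32-byte stand-in for a random nonce

# Fields sent in cleartext during each station's initial exchange
EXCHANGES = {
    "sta1": (bytes.fromhex("020000000011"), _nonce(b"anonce-1"), _nonce(b"snonce-1")),
    "sta2": (bytes.fromhex("020000000012"), _nonce(b"anonce-2"), _nonce(b"snonce-2")),
}

def session_key(station: str, passphrase: str) -> bytes:
    # Everything except `passphrase` is readable by anyone in radio range
    sta_mac, anonce, snonce = EXCHANGES[station]
    return temporal_key(passphrase, SSID, AP_MAC, sta_mac, anonce, snonce)

def summary() -> dict:
    return {
        # different nonces give each station its own key, even with a shared passphrase
        "per_station_keys_differ": session_key("sta1", SSID) != session_key("sta2", SSID),
        # with a private passphrase, the "SSID as passphrase" derivation yields another key
        "private_passphrase_changes_key":
            session_key("sta1", "a private passphrase") != session_key("sta1", SSID),
    }
```

When the passphrase equals the SSID, or is otherwise publicly known, `session_key` takes only public inputs, which is the limitation the message points out.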