Re: [saag] Would love some feedback on Opportunistic Wireless Encryption

Warren Kumari <warren@kumari.net> Fri, 28 August 2015 00:12 UTC

In-Reply-To: <DCF8A0F7-180D-4843-AC31-179258768B9B@oxy.edu>
References: <CAHw9_iKt39m+tCHYxN4VuVFkJf65Go_V2x0udOtEn32ke+nrkQ@mail.gmail.com> <DCF8A0F7-180D-4843-AC31-179258768B9B@oxy.edu>
Date: Thu, 27 Aug 2015 20:09:51 -0400
Message-ID: <CAHw9_iLfVi5b=a08_A+xagb7ssUDGUcqoS-Ha6SZwPLvfi9x7A@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/UEPXdha0Yp4uyBYz3X9uAO_QlGo>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Would love some feedback on Opportunistic Wireless Encryption

On Wed, Aug 26, 2015 at 2:30 PM, Henry B (Hank) Hotz, CISSP
<hbhotz@oxy.edu> wrote:
>
>> On Aug 26, 2015, at 7:53 AM, Warren Kumari <warren@kumari.net> wrote:
>>
>> I'd appreciate it if folk could have a look at this draft and provide
>> any feedback.
>
> I agree with the argument that the minimal effort makes it worth doing.
>
> OTOH, I also agree that something you can’t break passively would be better. How about a connection that’s negotiated with D-H key exchange, but you never verify identities? (Hmmm, is there an EAP mech that would effectively do that?)
>
> How hard will it be to get AP makers to adopt whatever is proposed? Is the additional difficulty of DH really a dealbreaker?

Unfortunately I believe that it probably is a deal breaker, or, at
least, would take so much time that it wouldn't be worth doing.

I believe that the right place to do this sort of work (adding public
key agreement) is in the IEEE, probably in the 802.11 group. I am not
participating in the IEEE at the moment, but am beginning to wonder if
I should participate and see if a public key agreement can be added to
WPA. Adhoc / mesh networks already have a solution to this
("Simultaneous Authentication of Equals" (SAE - 802.1s)). I'm guessing
that there is a good reason that it isn't also in normal wifi; I
believe that Dan Harkins was deeply involved in the development of SAE
- perhaps he can shed some light on this?

W

>
> Personal:  hbhotz@oxy.edu
> Business: hhotz@securechannels.com
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
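The exchange Hank sketches and Warren discusses above, a Diffie-Hellman agreement with no identity verification, written out as an added example in Go (not code from the draft, from the thread, or from any Wi-Fi implementation). It assumes ephemeral X25519 as the group and uses constructed HKDF salt/info labels; it shows that both sides reach the same session key while a passive listener captures only the two public values, and that nothing in it binds those values to an AP's identity.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// NewStation creates the ephemeral X25519 key pair of one side (client or AP) of
// the unauthenticated DH exchange the thread discusses. No identity is ever
// verified, so the exchange defeats only a passive listener.
func NewStation() *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // CSPRNG failure; nothing sensible to do in a demo
	}
	return priv
}

// DeriveKey mixes the peer's public value (the 32 bytes sent in the clear) with
// the local private key, then runs an HKDF-style HMAC-SHA256 extract/expand.
// Salt and info labels are constructed for this example, not a real protocol's.
func DeriveKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub) // rejects wrong-length values
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub) // rejects low-order points (all-zero output)
	if err != nil {
		return nil, err
	}
	prk := hmac.New(sha256.New, []byte("example-salt"))
	prk.Write(secret)
	okm := hmac.New(sha256.New, prk.Sum(nil))
	okm.Write([]byte("example-session-key\x01"))
	return okm.Sum(nil), nil
}

// Exchange runs one handshake and returns whether both sides agree on the key,
// plus everything a passive listener captured: the two public values only.
func Exchange() (agree bool, captured [][]byte) {
	client, ap := NewStation(), NewStation()
	captured = [][]byte{client.PublicKey().Bytes(), ap.PublicKey().Bytes()}
	kc, errC := DeriveKey(client, captured[1])
	ka, errA := DeriveKey(ap, captured[0])
	return errC == nil && errA == nil && bytes.Equal(kc, ka), captured
}
```

Because the public values are unauthenticated, an active party that substitutes its own value is not detected here; that is precisely the "can't break passively" bar the thread settles for.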