Re: [saag] Would love some feedback on Opportunistic Wireless Encryption
Stefan Winter <stefan.winter@restena.lu> Fri, 28 August 2015 09:24 UTC
To: saag@ietf.org
From: Stefan Winter <stefan.winter@restena.lu>
Message-ID: <55E028E0.6080803@restena.lu>
Date: Fri, 28 Aug 2015 11:24:48 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/bKj6wWVB-bn6b3eKeXkEn8O_xIo>
Hi,

> You are right that there will be some initial legacy issues -- but if
> we can convince Windows 10 Mobile, Apple iOS, and Android willing to
> include support (which seems likely, "support" is trivial - basically
> 1: try the SSID as the passphrase and 2: don't bother showing a lock
> icon)

Or, for wireless sniffing kit of your choice:

1) try to decrypt with the SSID as the password
2) win!

Seriously, this way of encrypting traffic stops only one attacker group: people with a Wi-Fi card in promiscuous mode who use Wireshark to look at packets ("us" :-) ). Everyone with only a /slightly/ serious attitude just continues to do what they do with their upgraded sniffing gear.

I don't see how this improves security in a significant enough way. And the cost for it *is* high - convince all OS manufacturers to do something && convince AP admins to do something.

> we could get the *huge* majority of devices doing this before
> the document is published, and way before CPE starts including the
> button.
>
> Even for devices that don't get support added -- after I've asked at 3
> coffeeshops what the password is, and they all say "It's the same as
> the network name..." I'm likely to start trying the network name if
> the SSID name sounds like it may be open (e.g is the name of the
> establishment, contains -guest, -public, or better yet, -owe).

Funny: right now, an attacker would need to go to the shop to get that same information. In your future deployment, the binding of SSID to passphrase comes automatically. (Besides, my guess is that sniffing gear today probably tries the SSID as a passphrase anyway - simply because it is rather common).

So, what exactly are we winning with this approach?
Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
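The key-secrecy point Stefan makes above, as an added example that is not part of the original mail or of the OWE draft: under WPA2-PSK the PMK is PBKDF2(passphrase, salt=SSID), so when the passphrase is the SSID the entire key is a function of what every beacon already broadcasts. The inventory values and the `audit_psk_inventory` helper are constructed for illustration; the test vector is the published IEEE 802.11i one.

```python
"""Why "SSID as passphrase" leaves a WPA2-PSK network with no key secrecy.

IEEE 802.11i maps a passphrase to the 256-bit PMK/PSK as
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32)
The only input that is not broadcast in the beacon is the passphrase.
"""
import hashlib

WPA_PBKDF2_ITERATIONS = 4096
PMK_LEN_BYTES = 32

# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR_PMK = (
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping from IEEE 802.11i (what wpa_passphrase computes)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), WPA_PBKDF2_ITERATIONS, PMK_LEN_BYTES
    )


def derivation_matches_standard() -> bool:
    """Sanity check of derive_pmk against the IEEE test vector."""
    return derive_pmk("password", "IEEE").hex() == IEEE_TEST_VECTOR_PMK


def pmk_known_from_beacon_only(ssid: str, passphrase: str) -> bool:
    """True when someone who sees only the beacon (hence only the SSID) can
    reproduce the network's PMK, i.e. the "SSID is the passphrase" scheme."""
    return derive_pmk(ssid, ssid) == derive_pmk(passphrase, ssid)


def audit_psk_inventory(networks) -> list:
    """Defender-side check over an admin's (ssid, passphrase) inventory:
    returns the SSIDs whose PMK carries no secret at all. Hypothetical helper."""
    return [ssid for ssid, passphrase in networks if pmk_known_from_beacon_only(ssid, passphrase)]


# Constructed sample inventory, not real networks.
SAMPLE_INVENTORY = [
    ("CoffeeShop-guest", "CoffeeShop-guest"),            # SSID reused as passphrase
    ("CoffeeShop-staff", "correct horse battery staple"), # genuine secret
]

if __name__ == "__main__":
    print("standard vector ok:", derivation_matches_standard())
    print("networks with no key secrecy:", audit_psk_inventory(SAMPLE_INVENTORY))
```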