Re: [saag] Would love some feedback on Opportunistic Wireless Encryption
"Dan Harkins" <dharkins@lounge.org> Wed, 26 August 2015 22:11 UTC
From: Dan Harkins <dharkins@lounge.org>
To: Warren Kumari <warren@kumari.net>
Cc: "saag@ietf.org" <saag@ietf.org>
Date: Wed, 26 Aug 2015 15:11:17 -0700
Message-ID: <511ec4fef968dcf87bb42912360e37f1.squirrel@www.trepanning.net>
In-Reply-To: <CAHw9_iKt39m+tCHYxN4VuVFkJf65Go_V2x0udOtEn32ke+nrkQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/h0GYy8rZFzTiziBrA3nk8ZaepWc>
Hi Warren,

On Wed, August 26, 2015 7:53 am, Warren Kumari wrote:
> Hi there all,
>
> I'd appreciate it if folk could have a look at this draft and provide
> any feedback.
> I'm not sure that SAAG is the right place for it, but I couldn't think
> of anywhere better.
>
> https://tools.ietf.org/html/draft-wkumari-owe-01
>
> Note that this is NOT intended to be the be all and end all of secure
> wireless, it is simply intended to make open wifi suck somewhat less.
> We are not claiming great security (the WPA2 4-way handshake
> significantly limits what can be achieved), and so much of the draft /
> idea is making sure that users do not get a false (or any) sense of
> security - this should be transparent to them.

  It might suck less but it still kind of sucks. You could make it suck
even less by using SAE (an 802.11 authentication protocol that uses a
PAKE to establish pairwise keys). This would address the limitations you
mention in your draft that have to do with WPA2-PSK.

> We also want it to be *really* simple, so that commodity CPE vendors
> will include "support" (basically a flag in the beacon) - this removes
> other solutions like .1X, etc.

  Another option might be to define another vendor-specific Element to
carry DH exponentials. Just tag one on the end of the first two messages
of the 4-way handshake and have each side derive a "pairwise master key"
(PMK, the thing used with the nonces in the 4-way handshake to derive the
data encryption keys) from the DH shared secret. Instead of having
everyone use the SSID as the password, just get rid of the password!

  regards,

  Dan.

> Appreciate your time,
> W
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
> ---maf
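The proposal in Dan's reply (DH exponentials appended to the first two messages of the 4-way handshake, PMK derived from the DH shared secret, no password) is sketched below as an added illustration; this is not code from the thread, from the draft, or from any 802.11 implementation. The finite-field DH group, the SHA-256-based KDF and PRF, the key-expansion label and the message layout are all assumptions made for the example; a real design would use a standardised group and the PRF the standard specifies. `pmk_from_ssid` is included to contrast the "SSID as password" approach the reply argues against: because its only input is public beacon data, any observer can reproduce that PMK, whereas the DH-derived PMK changes on every association.

```python
"""Constructed sketch of a passwordless 4-way handshake with DH exponentials
carried in messages 1 and 2. Toy parameters; not a standard, not production code."""
import hashlib
import hmac
import os
import secrets

# Toy finite-field DH group (assumption, chosen only so values fit in 32 bytes;
# not a standardised DH group and not meant to be secure).
P = 2**255 - 19
G = 2
DH_LEN = 32


def dh_keypair():
    """Fresh private exponent and public exponential for one association."""
    priv = secrets.randbelow(P - 3) + 2          # 2 .. P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret; degenerate exponentials (0, 1, P-1) are rejected."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("bad DH public value")
    return pow(peer_pub, priv, P)


def pmk_from_dh(shared):
    """PMK from the DH shared secret (assumed KDF: labelled SHA-256)."""
    return hashlib.sha256(b"DH-PMK" + shared.to_bytes(DH_LEN, "big")).digest()


def pmk_from_ssid(ssid):
    """The approach the reply argues against: PMK from public data only.
    Anyone who sees the beacon can compute exactly this value."""
    return hashlib.pbkdf2_hmac("sha1", ssid.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Key expansion in the shape of 802.11i (min/max of MACs and nonces),
    with HMAC-SHA256 as the PRF (assumption). Returns (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion" + data + bytes([i]), hashlib.sha256).digest()
        for i in range(3))
    return out[:16], out[16:32], out[32:48]


def handshake(aa, spa):
    """Run messages 1 and 2 between an AP (aa) and a station (spa).
    Returns (mic_verified, both_sides_agree_on_TK, ap_pmk)."""
    # Message 1 (AP -> STA): ANonce plus the AP exponential in a vendor element
    ap_priv, ap_pub = dh_keypair()
    anonce = os.urandom(32)
    msg1 = {"anonce": anonce, "dh_pub": ap_pub}

    # STA: own exponential, PMK from the shared secret, then SNonce + pub + MIC
    sta_priv, sta_pub = dh_keypair()
    snonce = os.urandom(32)
    sta_pmk = pmk_from_dh(dh_shared(sta_priv, msg1["dh_pub"]))
    sta_kck, _, sta_tk = derive_ptk(sta_pmk, aa, spa, msg1["anonce"], snonce)
    body2 = snonce + sta_pub.to_bytes(DH_LEN, "big")
    msg2 = {"snonce": snonce, "dh_pub": sta_pub,
            "mic": hmac.new(sta_kck, body2, hashlib.sha256).digest()}

    # AP: PMK from its private exponent and the STA exponential; verify the MIC
    ap_pmk = pmk_from_dh(dh_shared(ap_priv, msg2["dh_pub"]))
    ap_kck, _, ap_tk = derive_ptk(ap_pmk, aa, spa, anonce, msg2["snonce"])
    seen = msg2["snonce"] + msg2["dh_pub"].to_bytes(DH_LEN, "big")
    mic_ok = hmac.compare_digest(msg2["mic"],
                                 hmac.new(ap_kck, seen, hashlib.sha256).digest())
    return mic_ok, ap_tk == sta_tk, ap_pmk


if __name__ == "__main__":
    AA, SPA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    ok, agree, pmk = handshake(AA, SPA)
    print("MIC verified:", ok, "| TK agreed:", agree, "| PMK:", pmk.hex()[:16], "...")
    print("SSID-derived PMK (reproducible by any observer):",
          pmk_from_ssid("FreeCoffeeWiFi").hex()[:16], "...")
```

Two things the sketch makes visible that the prose only states: each association produces a different PMK (two calls to `handshake` never agree), and a PMK built from the SSID is a deterministic function of a broadcast value, so "SSID as password" gives no secrecy against a passive listener at all.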