Re: [saag] Would love some feedback on Opportunistic Wireless Encryption

Warren Kumari <warren@kumari.net> Mon, 09 November 2015 00:27 UTC

From: Warren Kumari <warren@kumari.net>
To: Christian Huitema <huitema@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/m2HzzhiSExTO7TR_AMLKmYkOUX4>
Cc: "saag@ietf.org" <saag@ietf.org>

On Sat, Aug 29, 2015 at 4:13 AM, Christian Huitema
<huitema@microsoft.com> wrote:
> On Friday, August 28, 2015 2:25 AM, Stefan Winter wrote:
>> To: saag@ietf.org
>> Subject: Re: [saag] Would love some feedback on Opportunistic Wireless
>> Encryption
>>
>> Hi,
>>
>> > You are right that there will be some initial legacy issues -- but if
>> > we can convince Windows 10 Mobile, Apple iOS, and Android to
>> > include support (which seems likely, "support" is trivial - basically
>> > 1: try the SSID as the passphrase and 2: don't bother showing a lock
>> > icon)
>>
>> Or, for wireless sniffing kit of your choice:
>>
>> 1) try to decrypt with the SSID as the password
>> 2) win!
>
> It is a bit more complicated than that, but not much. With WPA2, the traffic is not directly encrypted with the password, but instead with a key derived from the password, the SSID, an Access Point nonce, and a Station nonce. Even if the password is shared, each client uses a different set of nonces, and thus a different key. However, the nonces are transmitted in clear-text during the initial exchange. That means the attack goes as:
>
> 1) Capture the initial exchange between Station and Access point, and remember the nonce.
> 2) Assume that the SSID is the password and try to derive the per station key using the nonce.
> 3) Win!
>
> This is in fact the main limitation to Warren's approach. The proposed OWE system will still be vulnerable to passive listener attacks, and is thus not much of an improvement over open networks.
>
> Note that this is also a limitation of the "public password" approach, as in "ask the password to the bartender." We can hypothesize that mass surveillance systems will quickly build a database linking networks, SSID and public passwords. After all, the initial WPA2 exchange carries authentication codes that are the hash of the nonce and the password, which trivially enables dictionary attacks. That means the procedure will be:
>
> 1) Capture the initial exchange between Station and Access point, and remember the nonce.
> 2) Retrieve the password associated to the SSID from the database.
> 3) Derive the per station key using the nonce.
> 4) Win!
>
> Things would be different if instead of just sending the nonce in clear text the WPA2 exchange used some variation of Diffie-Hellman or EKE. Attackers would need to move from "passive listening" to "actively implement MITM attack," and we believe that might curtail mass surveillance efforts. But that's not the case.



... and a quick update (which I thought I'd sent earlier, but
apparently not) - when we wrote the initial document, we were well
aware of the issues with the 4 way handshake, but decided to write the
document in the IETF context anyway. This was because I figured that a
better than nothing approach was, well, better than nothing. We were
aware that the IEEE was the correct layer to get this done, but, well,
I don't participate there much, and figured that it would be a hard /
very slow process.

Dan Harkins (who most of you know) is an IEEE regular, and has nicely
rewritten this into IEEE language, and is getting strong interest /
making progress there. This basically does what everyone has been
suggesting (and I'd originally wanted to do, but couldn't) -- a public
key exchange between the AP and STAtion (think DH).

This is obviously much much less hacky than the "just pretend that the
user typed the SSID as the passphrase, and don't show any indications
(to avoid having the user believe that they have "security")".

W

>
> -- Christian Huitema



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf