Re: [saag] Would love some feedback on Opportunistic Wireless Encryption

Warren Kumari <warren@kumari.net> Wed, 26 August 2015 17:36 UTC

In-Reply-To: <20150826170138.GB9021@mournblade.imrryr.org>
References: <CAHw9_iKt39m+tCHYxN4VuVFkJf65Go_V2x0udOtEn32ke+nrkQ@mail.gmail.com> <20150826170138.GB9021@mournblade.imrryr.org>
Date: Wed, 26 Aug 2015 13:36:21 -0400
Message-ID: <CAHw9_iJsg3WLRBW-h3nW14aAHF0f1UTAATRBmy5eR3-hS1QDZw@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: "saag@ietf.org" <saag@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/vyA_Z5aPvYYwDhuFLa4USax2TqU>
Subject: Re: [saag] Would love some feedback on Opportunistic Wireless Encryption

On Wednesday, August 26, 2015, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> On Wed, Aug 26, 2015 at 10:53:07AM -0400, Warren Kumari wrote:
>
> > I'm not sure that SAAG is the right place for it, but I couldn't think
> > of anywhere better.
> >
> > https://tools.ietf.org/html/draft-wkumari-owe-01
>
> I'm concerned that the proposal still leaves even purely passive
> adversaries able to decrypt all traffic that begins during the
> passive traffic collection interval.  This is considerably weaker
> than many other opportunistic security protocols.  With no protection
> against a passive adversary who started monitoring before the victim
> joins the network, is this still worth doing?


I believe that it is -- I think that the cost to implement this is really
really low (I added PoC "support" to OpenWRT in less than an hour, and
almost all of that was finding a suitable access point in my basement :-)).

I fully acknowledge that this doesn't solve all issues, and doesn't claim
to - but I think that for the negligible cost, the incremental security win
is worth it.

W


>
> --
>         Viktor.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
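Viktor's comparison point is the class of opportunistic protocols in which an ephemeral, unauthenticated key exchange leaves a purely passive observer empty-handed even when that observer has been recording since before the client joined. The script below is an added illustration of that baseline, not code from the draft, from either poster, or from OpenWRT, and it does not reproduce the draft-01 mechanism. It runs a one-shot X25519 exchange between a simulated access point and client, records every over-the-air value in the order a passive radio would see it (the AP's public value is captured before the client exists), and then shows that the best a transcript-only observer can do with the two public values does not yield the peers' session key. The X25519 implementation follows RFC 7748 in pure Python so the example has no dependencies; its conditional swap is not constant-time, which is fine for a demonstration. Frame labels, the `"owe-demo"` key-derivation label and the helper names are assumptions of this example.

```python
"""Added example: ephemeral unauthenticated X25519 between an AP and a client,
observed passively from before the client joins. Not from the OWE draft."""
import hashlib
import hmac
import os

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (A - 2) / 4 for the Montgomery curve constant A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the Montgomery ladder (RFC 7748 s5).
    The swap below branches on secret bits; a real implementation must not."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # ignore the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    """Fresh ephemeral key pair; nothing here is ever reused across associations."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def derive_key(shared: bytes, ap_pub: bytes, client_pub: bytes) -> bytes:
    """Session key bound to both public values (HMAC-SHA256 as a simple KDF).
    The label "owe-demo" is an assumption of this example, not a draft value."""
    return hmac.new(shared, b"owe-demo" + ap_pub + client_pub, hashlib.sha256).digest()


def run_exchange():
    """One association. Returns (client_key, ap_key, transcript), where the
    transcript is exactly what a passive observer has: only public values."""
    transcript = []
    ap_priv, ap_pub = keypair()
    transcript.append(("ap-public-value", ap_pub))      # on the air before the client joins
    cl_priv, cl_pub = keypair()
    transcript.append(("client-public-value", cl_pub))
    ap_key = derive_key(x25519(ap_priv, cl_pub), ap_pub, cl_pub)
    cl_key = derive_key(x25519(cl_priv, ap_pub), ap_pub, cl_pub)
    return cl_key, ap_key, transcript


def observer_guess(transcript) -> bytes:
    """The observer's only move with two public values is to combine them; using
    one as a scalar is not the peers' shared point, so the key will not match."""
    values = dict(transcript)
    ap_pub, cl_pub = values["ap-public-value"], values["client-public-value"]
    return derive_key(x25519(ap_pub, cl_pub), ap_pub, cl_pub)


def key_leaked_in_transcript(key: bytes, transcript) -> bool:
    """True only if the session key itself ever crossed the air."""
    return any(key in frame for _, frame in transcript)


if __name__ == "__main__":
    ck, ak, tr = run_exchange()
    print("peers agree:", ck == ak)
    print("observer matches:", observer_guess(tr) == ck)
    print("key on the air:", key_leaked_in_transcript(ck, tr))
```

The point the demo makes is structural: with fresh per-association keys on both sides, the transcript contains no quantity from which the session key is a function, so when the observer began recording is irrelevant. What such an exchange does not defend against is an active attacker who substitutes its own public values, which is the usual trade the "opportunistic" qualifier signals.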