On Jul 26, 2010, at 10:30:19 PM, Perry E. Metzger wrote:

> On Mon, 26 Jul 2010 21:42:53 -0400 Steven Bellovin
> <s...@cs.columbia.edu> wrote:
>>>
>>> I don't know, if it is truly only a ten line change to a common
>>> WPA2 driver to read, intercept and alter practically any traffic
>>> on the network even in enterprise mode, that would seem like a
>>> serious issue to me. Setting up the enterprise mode stuff to work
>>> is a lot of time and effort. If it provides essentially no
>>> security over WPA2 in shared key mode, one wonders what the point
>>> of doing that work is. This doesn't seem like a mere engineering
>>> compromise.
>>
>> If I understand the problem correctly, it doesn't strike me as
>> particularly serious. Fundamentally, it's a way for people in the
>> same enterprise and on the same LAN to see each other's traffic. A
>> simple ARP-spoofing attack will do the same thing; no crypto
>> needed. Yes, that's a more active attack, and in theory is
>> somewhat more noticeable. In practice, I suspect the actual risk
>> is about the same.
>
> I think the issue is that people have been given the impression that
> WPA2 provides enough security that people can feel reasonably secure
> that others will not be reading their traffic over the air the way
> that they might in a pure shared key scenario, and that this justified
> the extra complexity of deployment. While what you say is perfectly
> true, it does lead one to ask if WPA2 enterprise has not been
> significantly oversold.
>

Probably...

To me, access link crypto is about access control. WEP -- apart from the failings in RC4 and how it was used -- got that badly wrong, because it was impossible to change keys in any rational way. WPA2 was supposed to fix that; I'd have been happy if that were all it did.

As others have noted, end-to-end crypto is the proper approach.
--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List