Hi Jacques, Kevin, and others,
Thank you all for the comments. I have done a little more research
since my last posting. The PKI that Kevin mentioned in his email about
authentication should not be an issue as Jacques had raised. This is
especially true since this is a one-time deal during the
AAA process.
Rekeying is an important improved security feature. I got students
to do some analysis and they confirmed that half a day is the worst case
to have over 50% chance to get a key collision, thus providing a basis to
crack RC4 as described in the famous UMD and UC Berkeley
articles. Unless it will significantly degrade the service, it may be
reasonable to ask users to bear with it. Traffic collision, in comparison
to rekeying, may be a more real issue to address when it comes to
connection degradation. I would also think that the rekeying process should
be transparent to a user anyway unless one notices connection degradation.
I hope to know more as we finish a "test" project here.
In any event, it seems to me that how to set up the PKI to issue
certificates for mutual authentication is the heart of the issue. For an
enterprise environment, it is tedious but workable if security is
paramount. For a model like NYCwireless, where we may not even know the user
of an AP node, this seems to be a real challenge when it comes to issuing
a certificate to a casual user. So the question for a model like
NYCwireless is: will such improved security (as proposed in
802.1X) produce a net gain in encouraging one (who may otherwise not) to
open a node for public access?
Bon
On Sat, 16 Nov 2002, Jacques Caron wrote:
> At 17:26 14/11/2002, Kevin Arima wrote:
> >On Thu, 14 Nov 2002, Jacques Caron wrote:
> >
> > > This being said, I believe that even if most platforms have one or more
> > > supplicants available (Windows, Mac OS, Linux, *BSD...), I have quite some
> > > doubts about the "smaller" platforms, e.g. Pocket PC and Palms, but there
> > > is no reason this cannot be added at some point, someone just needs to do
> > > it. It might be interesting to see how a Palm with a 16 MHz processor will
> > > handle public-key cryptography, though...
> > >
> >
> >The only time PKI or similar is involved is during the authentication
> >process and the rekeying process.
>
> Indeed, but if it takes several seconds each time re-auth is done and that
> happens every 5 minutes, it might be slightly annoying. I have no idea how
> long it will take, though, I just imagine it to be a bit long given the low
> performance of the processor in some of those devices... I don't see it
> won't work, I just think it might be not very convenient...
>
> Jacques.
>
>
> -- Jacques Caron, IP Sector Technologies
> Join the discussion on public WLAN open global roaming:
> http://lists.ipsector.com/listinfo/openroaming
--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/
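A worked calculation of the key-collision window that Bon's message discusses, added here as an illustration; it is not part of any message in this thread. It models WEP's 24-bit per-packet IV (the RC4 key for each packet is the IV followed by the shared key), which is the repeat that the UMD and UC Berkeley papers build on, and computes two things: how long a sequential IV counter runs before it must wrap at an assumed packet rate, and the birthday bound for randomly chosen IVs. The packet rates are constructed for illustration; the thread does not state the traffic model behind the "half a day" figure, so the script does not reproduce that number.

```python
import math

# WEP's per-packet initialization vector is 24 bits; the RC4 key for each
# packet is IV || shared key, so a repeated IV means a repeated RC4 keystream.
IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs


def hours_until_counter_wraps(packets_per_second, iv_space=IV_SPACE):
    """Hours of steady traffic before a sequential IV counter must reuse a value.

    With a counter, the first guaranteed reuse comes only after every IV has
    been used once, so this is the longest a key can be held without a
    keystream repeat under that assignment strategy.
    """
    return iv_space / packets_per_second / 3600.0


def collision_probability(packets, iv_space=IV_SPACE):
    """Exact probability that at least two of `packets` uniformly random IVs coincide.

    Evaluates 1 - prod_{i < packets} (1 - i/N) in the log domain to avoid underflow.
    """
    if packets > iv_space:
        return 1.0
    log_no_collision = sum(math.log1p(-i / iv_space) for i in range(packets))
    return 1.0 - math.exp(log_no_collision)


def packets_for_collision_probability(target, iv_space=IV_SPACE):
    """Smallest packet count at which the random-IV collision probability reaches `target`.

    Starts from the birthday approximation n ~ sqrt(2N ln(1/(1-p))) and refines
    the answer with the exact formula.
    """
    n = max(1, int(math.sqrt(2.0 * iv_space * -math.log1p(-target))))
    while collision_probability(n, iv_space) < target:
        n += 1
    while n > 1 and collision_probability(n - 1, iv_space) >= target:
        n -= 1
    return n


def rekey_windows(packets_per_second, target=0.5):
    """Summarize both IV-assignment strategies for one assumed traffic rate."""
    n = packets_for_collision_probability(target)
    return {
        "packets_per_second": packets_per_second,
        "counter_wrap_hours": hours_until_counter_wraps(packets_per_second),
        "random_iv_packets_to_50pct": n,
        "random_iv_seconds_to_50pct": n / packets_per_second,
    }


if __name__ == "__main__":
    # Constructed traffic rates for illustration only (not taken from the thread).
    for pps in (50, 400, 2000):
        w = rekey_windows(pps)
        print(f"{pps:5d} pkt/s: counter wraps after {w['counter_wrap_hours']:.1f} h; "
              f"random IVs reach 50% collision after {w['random_iv_packets_to_50pct']} "
              f"packets ({w['random_iv_seconds_to_50pct']:.0f} s)")
```

The two strategies give very different windows: a sequential counter only repeats after all 2^24 IVs are consumed (hours at a few hundred packets per second), while randomly drawn IVs pass 50% collision probability after only a few thousand packets, i.e. seconds on a busy access point. For sizing a rekey interval the useful unit is therefore packets sent under the key, not wall-clock minutes.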