Re: MITM attack against WPA2-Enterprise?
Perry,

On Sun, Jul 25, 2010 at 9:23 PM, Perry E. Metzger pe...@piermont.com wrote:
> On Sun, 25 Jul 2010 18:48:56 -0400 Donald Eastlake d3e...@gmail.com wrote:
>> It's always possible to make protocols more secure at higher cost. Should 802.11i have required one-time pads to be couriered to all mobile stations involved? Probably not, since it would kind of negate some of the benefits of Wi-Fi.
>>
>> For group keys, should it have added another layer of security where, say, a public was transmitted by the AP to each station using pairwise security and the AP signed and all stations verified every multicast/broadcast frame? Possible, but public key cryptography is a pretty big burden if you are, for example, streaming video to multiple stations using multicast. Seems like it would need significant hardware support.
>
> I think the fact that the protocol appears to allow people to impersonate the base station, order clients to use new keys, and then man in the middle all subsequent communications with little effort makes the per-endpoint keying largely moot. This does not seem like a minor defect.

As far as I know, a new group key is delivered serially by the AP to each station using the pairwise security between them. Sure, you can impersonate the MAC address of the AP and, since it's all in the Ether, you can eavesdrop on the exchange between a station and the AP to generate a new pairwise key or to deliver a new group key to the station and inject messages into those conversations. But if you can break the security by such eavesdropping or injection, that would be a big deal, and have nothing to do with the fact that a shared key is used for group security.

Donald
Re: MITM attack against WPA2-Enterprise?
* Donald Eastlake:

> It's always possible to make protocols more secure at higher cost.

On the other hand, group key vulnerabilities are nothing new. It's just that many protocol designers seem to not understand them.

Back when Cisco proposed XAUTH for IPsec, there was a heated discussion about password strength and other irrelevancies, but as far as I could later reconstruct the discussion, no one objected to the group key concept as such. It was only much later, when people used XAUTH in large deployments for providing general Internet access over insecure media, that the group key was recognized as a vulnerability.

It's amazing that people still fall for this group key thing. There is quite a simple rule: If you choose the secret bits without constraints (except length and formatting), and proceed to share those bits, there can be no protection from those with whom you share, no matter what cryptographic algorithms you use.

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
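The rule in the message above, modelled as an added example that is not part of the original thread: HMAC stands in for the link-layer integrity protection, and the station names, addresses and frame layout are assumptions. A tag that verifies under the group key shows only that some key holder produced the frame, whereas a pairwise key ties the frame to one peer.

```python
import hashlib
import hmac
import secrets

GROUP_ADDR = "ff:ff:ff:ff:ff:ff"  # broadcast address (constructed sample value)
AP = "ap"                         # hypothetical station names throughout


def tag(key, src, dst, payload):
    """Integrity tag over claimed sender, receiver and payload."""
    msg = b"\x00".join([src.encode(), dst.encode(), payload])
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_frame(key, claimed_src, dst, payload):
    return (claimed_src, dst, payload, tag(key, claimed_src, dst, payload))


class Network:
    """Toy model: one group key shared by all, one pairwise key per station."""

    def __init__(self, stations):
        self.group_key = secrets.token_bytes(32)
        self.pairwise = {s: secrets.token_bytes(32) for s in stations}

    def receiver_accepts(self, receiver, frame):
        """The receiver selects the verification key by destination address."""
        src, dst, payload, received_tag = frame
        if dst == GROUP_ADDR:
            key = self.group_key
        elif dst == receiver:
            key = self.pairwise[receiver]
        else:
            return False
        return hmac.compare_digest(received_tag, tag(key, src, dst, payload))


def compare_key_scopes():
    net = Network(["alice", "bob"])
    # A legitimate member (bob) holds the group key and his own pairwise key.
    # He labels a group-addressed frame as sent by the AP, using the group key.
    group_frame = build_frame(net.group_key, AP, GROUP_ADDR, b"hello")
    # The same claim on a unicast frame to alice, with the only pairwise key he has.
    unicast_frame = build_frame(net.pairwise["bob"], AP, "alice", b"hello")
    return {"group_frame_accepted": net.receiver_accepts("alice", group_frame),
            "unicast_frame_accepted": net.receiver_accepts("alice", unicast_frame)}
```

The group-addressed frame verifies at alice even though the AP never sent it; the unicast frame does not, because bob does not hold alice's pairwise key.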
Re: MITM attack against WPA2-Enterprise?
> I don't know, if it is truly only a ten line change to a common WPA2 driver to read, intercept and alter practically any traffic on the network even in enterprise mode, that would seem like a serious issue to me. Setting up the enterprise mode stuff to work is a lot of time and effort. If it provides essentially no security over WPA2 in shared key mode, one wonders what the point of doing that work is. This doesn't seem like a mere engineering compromise.

If I understand the problem correctly, it doesn't strike me as particularly serious. Fundamentally, it's a way for people in the same enterprise and on the same LAN to see each other's traffic. A simple ARP-spoofing attack will do the same thing; no crypto needed. Yes, that's a more active attack, and in theory is somewhat more noticeable. In practice, I suspect the actual risk is about the same.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: MITM attack against WPA2-Enterprise?
On Mon, 26 Jul 2010 21:42:53 -0400 Steven Bellovin s...@cs.columbia.edu wrote:
>> I don't know, if it is truly only a ten line change to a common WPA2 driver to read, intercept and alter practically any traffic on the network even in enterprise mode, that would seem like a serious issue to me. Setting up the enterprise mode stuff to work is a lot of time and effort. If it provides essentially no security over WPA2 in shared key mode, one wonders what the point of doing that work is. This doesn't seem like a mere engineering compromise.
>
> If I understand the problem correctly, it doesn't strike me as particularly serious. Fundamentally, it's a way for people in the same enterprise and on the same LAN to see each other's traffic. A simple ARP-spoofing attack will do the same thing; no crypto needed. Yes, that's a more active attack, and in theory is somewhat more noticeable. In practice, I suspect the actual risk is about the same.

I think the issue is that people have been given the impression that WPA2 provides enough security that people can feel reasonably secure that others will not be reading their traffic over the air the way that they might in a pure shared key scenario, and that this justified the extra complexity of deployment.

While what you say is perfectly true, it does lead one to ask if WPA2 enterprise has not been significantly oversold.

--
Perry E. Metzger pe...@piermont.com
Re: MITM attack against WPA2-Enterprise?
On Jul 26, 2010, at 10:30 19PM, Perry E. Metzger wrote:
> On Mon, 26 Jul 2010 21:42:53 -0400 Steven Bellovin s...@cs.columbia.edu wrote:
>>> I don't know, if it is truly only a ten line change to a common WPA2 driver to read, intercept and alter practically any traffic on the network even in enterprise mode, that would seem like a serious issue to me. Setting up the enterprise mode stuff to work is a lot of time and effort. If it provides essentially no security over WPA2 in shared key mode, one wonders what the point of doing that work is. This doesn't seem like a mere engineering compromise.
>>
>> If I understand the problem correctly, it doesn't strike me as particularly serious. Fundamentally, it's a way for people in the same enterprise and on the same LAN to see each other's traffic. A simple ARP-spoofing attack will do the same thing; no crypto needed. Yes, that's a more active attack, and in theory is somewhat more noticeable. In practice, I suspect the actual risk is about the same.
>
> I think the issue is that people have been given the impression that WPA2 provides enough security that people can feel reasonably secure that others will not be reading their traffic over the air the way that they might in a pure shared key scenario, and that this justified the extra complexity of deployment.
>
> While what you say is perfectly true, it does lead one to ask if WPA2 enterprise has not been significantly oversold.

Probably... To me, access link crypto is about access control. WEP -- apart from the failings in RC4 and how it was used -- got that badly wrong, because it was impossible to change keys in any rational way. WPA2 was supposed to fix that; I'd have been happy if that were all it did. As others have noted, end-to-end crypto is the proper approach.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: MITM attack against WPA2-Enterprise?
On Sat, 24 Jul 2010 20:38:07 -0400 Steven Bellovin s...@cs.columbia.edu wrote:
> There is a claim of a flaw in WPA2-Enterprise -- see http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html

Not quite a MITM attack. It is quite clever, though as with most such things, it seems in retrospect to be obvious. If only we always had hindsight.

Quoting from another article:

   The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.

http://www.networkworld.com/newsletters/wireless/2010/072610wireless1.html?page=1

All in all, this looks bad for anyone depending on WPA2 for high security.

--
Perry E. Metzger pe...@piermont.com
Re: MITM attack against WPA2-Enterprise?
Perry E. Metzger writes:

> All in all, this looks bad for anyone depending on WPA2 for high security.

Luckily, that describes nobody, right? ;D

I used to think that non-end-to-end security mechanisms were wastefully pointless, but adorably harmless. However, in my experience people keep using link-layer garbage (and network-layer trash, and support protocol junk) as a way to put off the hard work of real (i.e. E2E) security. Non-E2E stuff hurts usability, availability, and security (by creating a false sense).

Of course, we E2E fans have to get our usable security ducks in a row first.
Re: MITM attack against WPA2-Enterprise?
It's always possible to make protocols more secure at higher cost. Should 802.11i have required one-time pads to be couriered to all mobile stations involved? Probably not, since it would kind of negate some of the benefits of Wi-Fi.

For group keys, should it have added another layer of security where, say, a public was transmitted by the AP to each station using pairwise security and the AP signed and all stations verified every multicast/broadcast frame? Possible, but public key cryptography is a pretty big burden if you are, for example, streaming video to multiple stations using multicast. Seems like it would need significant hardware support.

Anyway, if these people have found some clever way to use the fact that the group key is a shared secret key, that might be interesting. I don't see how it is clever or particularly interesting that they are able to read the standards document and understand one of the deliberate engineering compromises in 802.11i. (Actually, there 802 standards documents can be somewhat arcane... Maybe you do have to be clever to be able to understand them... :-)

If you don't like Wi-Fi security, then also use IPSec or something for all the data you send through it.

Thanks,
Donald

On Sun, Jul 25, 2010 at 6:08 PM, Perry E. Metzger pe...@piermont.com wrote:
> On Sat, 24 Jul 2010 20:38:07 -0400 Steven Bellovin s...@cs.columbia.edu wrote:
>> There is a claim of a flaw in WPA2-Enterprise -- see http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html
>
> Not quite a MITM attack. It is quite clever, though as with most such things, it seems in retrospect to be obvious. If only we always had hindsight.
>
> Quoting from another article:
>
>    The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.
>
> http://www.networkworld.com/newsletters/wireless/2010/072610wireless1.html?page=1
>
> All in all, this looks bad for anyone depending on WPA2 for high security.
>
> --
> Perry E. Metzger pe...@piermont.com
Re: MITM attack against WPA2-Enterprise?
On Sun, 25 Jul 2010 18:48:56 -0400 Donald Eastlake d3e...@gmail.com wrote:
> It's always possible to make protocols more secure at higher cost. Should 802.11i have required one-time pads to be couriered to all mobile stations involved? Probably not, since it would kind of negate some of the benefits of Wi-Fi.
>
> For group keys, should it have added another layer of security where, say, a public was transmitted by the AP to each station using pairwise security and the AP signed and all stations verified every multicast/broadcast frame? Possible, but public key cryptography is a pretty big burden if you are, for example, streaming video to multiple stations using multicast. Seems like it would need significant hardware support.

I think the fact that the protocol appears to allow people to impersonate the base station, order clients to use new keys, and then man in the middle all subsequent communications with little effort makes the per-endpoint keying largely moot. This does not seem like a minor defect.

There is no need to use public key crypto to solve this, of course. A Needham-Schroeder protocol would seem to be sufficient, and would not require public key.

> Anyway, if these people have found some clever way to use the fact that the group key is a shared secret key, that might be interesting. I don't see how it is clever or particularly interesting that they are able to read the standards document and understand one of the deliberate engineering compromises in 802.11i.

I don't know, if it is truly only a ten line change to a common WPA2 driver to read, intercept and alter practically any traffic on the network even in enterprise mode, that would seem like a serious issue to me. Setting up the enterprise mode stuff to work is a lot of time and effort. If it provides essentially no security over WPA2 in shared key mode, one wonders what the point of doing that work is. This doesn't seem like a mere engineering compromise.

Perry
--
Perry E. Metzger pe...@piermont.com