Re: F12 EEEPC 1000H WLAN with hidden SSID no go

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Wolfgang S. Rupprecht wrote:

Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> writes:

Actually WPA2 with 802.1X authentication is REALLY tight.  No MITM
will crack EAP TLS (EAP TLS is a little different than the TLS used in
the most recent attack).  Then use AES CCMP (not TKIP).


And there we have the real way in protecting a wifi access point: turn
off WEP, WPA (v1), and TKIP (under WPA2).  Leave only WPA2 and CCMP.
Then let the computer choose a 64-bit hex number for the shared key.

Too bad the good advice is always drowned out by the hordes that claim
hiding SID's and changing port number on ssh are the way to get
security.  (For ssh turn off everything but RSA and DSA -- this way the
computer chooses a strong "password" (really a secret key) for you.)


Of course your management frames are not protected.  That is 802.11w
that will soon be in products....

BTW, I worked on the 802.11 standards.  I use past tense, as in June
my management had me move over to work on 802.15 standards. (I was in
Atlanta last week for the 802 meeting).


Thank you for speaking up!  Will the new protocols require any HW
support or are they drop-in replacements on current wifi nodes?
802.11w will 'just' be a firmware upgrade. It was approved by RevComm back in September, so it is up to the vendors to decide which shipping products will support it. 


Will all the packets now be cryptographically protected?
Well, you can't protect BEACONs, PROBEs, ASSOCIATIONs, AUTHENTICATIONs, as there are no keys yet!
But DISASSOCIATE, the one I used in my attack against hidden SSIDs, can be authenticated, thus stopping this particular attack. But there are other ways, like flooding attacks to force a client to PROBE, thus exposing the SSID; just a little harder.
802.11s has a way to establish keying in the AUTHENTICATE exchange. There is talk about how to 'retrofit' that to non-mesh authentication. It seems that no one wants to open Pandora's box and shortcut this change, and it will have to go the PAR route and take a couple years. Sigh. 


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux