F12 EEEPC 1000H WLAN with hidden SSID no go
Robert Moskowitz
rgm at htt-consult.com
Sun Nov 29 03:34:39 UTC 2009
Wolfgang S. Rupprecht wrote:
> Robert Moskowitz <rgm at htt-consult.com> writes:
>
>> Actually WPA2 with 802.1X authentication is REALLY tight. No MITM
>> will crack EAP TLS (EAP TLS is a little different than the TLS used in
>> the most recent attack). Then use AES CCMP (not TKIP).
>>
>
> And there we have the real way in protecting a wifi access point: turn
> off WEP, WPA (v1), and TKIP (under WPA2). Leave only WPA2 and CCMP.
> Then let the computer choose a 64-bit hex number for the shared key.
>
> Too bad the good advice is always drowned out by the hordes that claim
> hiding SSIDs and changing the port number on ssh are the way to get
> security. (For ssh turn off everything but RSA and DSA -- this way the
> computer chooses a strong "password" (really a secret key) for you.)
>
>
>> Of course your management frames are not protected. That is 802.11w
>> that will soon be in products....
>>
>> BTW, I worked on the 802.11 standards. I use past tense, as in June
>> my management had me move over to work on 802.15 standards. (I was in
>> Atlanta last week for the 802 meeting).
>>
>
> Thank you for speaking up! Will the new protocols require any HW
> support or are they drop-in replacements on current wifi nodes?
802.11w will 'just' be a firmware upgrade. It was approved by RevCom
back in September, so it is up to the vendors to decide which shipping
products will support it.
> Will all the packets now be cryptographically protected?
Well, you can't protect BEACONs, PROBEs, ASSOCIATIONs, AUTHENTICATIONs,
as there are no keys yet!
But DISASSOCIATE, the one I used in my attack against hidden SSIDs, can
be authenticated, thus stopping this particular attack. But there are
other ways, like flooding attacks to force a client to PROBE, thus
exposing the SSID; just a little harder.
802.11s has a way to establish keying in the AUTHENTICATE exchange.
There is talk about how to 'retrofit' that to non-mesh authentication.
It seems that no one wants to open Pandora's box and shortcut this
change, and it will have to go the PAR route and take a couple years. Sigh.
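The thread's advice boils down to a short checklist for an access point: no WEP, no WPA (v1), no TKIP, CCMP only, 802.1X rather than a shared key where possible, management frame protection (802.11w) once the firmware supports it, and no reliance on a hidden SSID. The script below is an added example, not code from either poster, that audits a hostapd-style configuration against that checklist. It assumes the standard hostapd.conf key names (wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt, ieee80211w, wep_*, ignore_broadcast_ssid) and the documented hostapd behaviour that rsn_pairwise falls back to wpa_pairwise when unset; the two sample configurations are constructed for illustration.

```python
"""Audit a hostapd-style config for the WPA2/CCMP/802.11w advice in this thread.

Added example (not from the original thread). Key names follow hostapd.conf;
the sample configs below are constructed, not taken from any real deployment.
"""

# Constructed "before" config: WPA1+WPA2 mixed mode, TKIP allowed, PSK,
# no management frame protection, and a hidden SSID standing in for security.
WEAK_CONFIG = """\
interface=wlan0
ssid=example-net
ignore_broadcast_ssid=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=changeme1
"""

# Constructed "after" config: WPA2 only, CCMP only, 802.1X (EAP), PMF required.
HARDENED_CONFIG = """\
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
"""


def parse_hostapd(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the config matches the advice."""
    findings = []
    # WEP: any wep_* key means WEP is configured on some BSS.
    if any(k.startswith("wep_") for k in cfg):
        findings.append("WEP keys configured; remove all wep_* settings")
    # wpa is a bitmask: bit 0 = WPA (v1), bit 1 = WPA2/RSN.
    wpa = int(cfg.get("wpa", "0"))
    if wpa == 0:
        findings.append("wpa=0: open network, no encryption at all")
    elif wpa & 1:
        findings.append("WPA (v1) enabled; set wpa=2")
    # TKIP in either cipher list lets a client negotiate the weaker cipher.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, "").split():
            findings.append(f"{key} allows TKIP; use CCMP only")
    # hostapd.conf documents rsn_pairwise as defaulting to wpa_pairwise.
    effective = cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise", "")
    if wpa and "CCMP" not in effective.split():
        findings.append("no CCMP pairwise cipher configured for WPA2")
    # ieee80211w: 0 = off, 1 = optional, 2 = required (protects deauth/disassoc).
    if cfg.get("ieee80211w") != "2":
        findings.append("ieee80211w is not 2; deauth/disassoc frames stay unauthenticated")
    # A hidden SSID is not a security control: clients still reveal it in probes.
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("ignore_broadcast_ssid set; hiding the SSID is not a security control")
    # The thread recommends 802.1X (EAP-TLS) over a shared key.
    if "WPA-PSK" in cfg.get("wpa_key_mgmt", "").split():
        findings.append("WPA-PSK in use; prefer 802.1X (WPA-EAP) with EAP-TLS")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(parse_hostapd(text)) or ["no findings"]:
            print(" -", finding)
```

Run it against a real hostapd.conf by reading the file into `parse_hostapd`; the weak sample produces six findings and the hardened one none. Requiring `ieee80211w=2` does assume every client has 802.11w-capable firmware, which the thread notes is up to vendors, so `ieee80211w=1` is the usual transitional setting.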