Wireless network key management

[Perry E. Metzger]

(The topic has drifted to the management of keys in a wireless
network. Adam responds to Steve's notes about WEP...)

Adam Fields <fields at surgam.net> writes:
> Practically, what's the right way to do this? You could do it with a
> centralized server key that has the ability to broadcast a new shared
> key to all clients, but then if the server gets compromised you lose
> control of the entire network (possibly true anyway, for different
> reasons).
> 
> From my personal (limited) experience, key management is really
> hard. I'm curious about potential solutions to this.

Key management is hard, but there is good versus not so good versus
horrible. Unchanging fixed WEP keys for everything on a network are
bad. If, on the other hand, you use public key techniques or
Needham-Schroder KDC based techniques, you can do much better.

For example, the average wireless base station only has dozens to at
most hundreds of clients. (In practice, they average far fewer, but
never mind.) Also, 802.11 enforces that all communication goes through
the wireless base station -- there are no mobile-mobile communications
in the usual setup. It is thus perfectly reasonable to use different
on-air conventional keys with each client, authenticated with a
variety of techniques (shared key between base and client, public keys
on both sides, Needham-Schroder, etc.), and negotiated by any one of a
number of similar variety of techniques (Diffie-Hellman, randomly
generated nonce keys replaced at intervals encrypted in a known key,
etc.)

More to the point, almost all 802.11 traffic carries IP. Therefore,
using IPSec to protect traffic between the wireless node and the
base station or a router, or even end to end, would not be
unreasonable. In that case, key negotiation probably proceeds using
IKE or perhaps a successor protocol.

In any case, although none of these techniques are perfect, they all
eliminate the problem of "one key to rule them all", with theft of one
mobile handing over the entire net, both from a privacy and an
authentication viewpoint. Of course, since WEP is crap anyway, you can
break keys even if you don't steal a mobile, but even in principle the
mechanism was not particularly good.

It isn't any easier to configure than good methods, either. Sure, you
need to pre-configure some authentication information to use any of
the good methods, but you also need to pre-configure your super-secret
WEP key if you use WEP so there is no improvement in ease of
configuration by using WEP.

-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com