MITM attack against WPA2-Enterprise?

Perry E. Metzger perry at piermont.com
Sun Jul 25 21:23:05 EDT 2010 

On Sun, 25 Jul 2010 18:48:56 -0400 Donald Eastlake <d3e3e3 at gmail.com>
wrote:
> It's always possible to make protocols more secure at higher cost.
> Should 802.11i have required one-time pads to be couriered to all
> mobile stations involved? Probably not, since it would kind of
> negate some of the benefits of Wi-Fi. For group keys, should it
> have added another layer of security where, say, a public was
> transmitted by the AP to each station using pairwise security and
> the AP signed and all stations verified every multicast/broadcast
> frame? Possible, but public key cryptography is a pretty big burden
> if you are, for example, streaming video to multiple stations using
> multicast. Seems like it would need significant hardware support.

I think the fact that the protocol appears to allow people to
impersonate the base station, order clients to use new keys, and then
man in the middle all subsequent communications with little effort
makes the per-endpoint keying largely moot. This does not seem like a
minor defect.

There is no need to use public key crypto to solve this, of course. A
Needham-Schroeder protocol would seem to be sufficient, and would not
require public key.

> Anyway, if these people have found some clever way to use the fact
> that the group key is a shared secret key, that might be
> interesting. I don't see how it is "clever" or particularly
> interesting that they are able to read the standards document and
> understand one of the deliberate engineering compromises in
> 802.11i.

I don't know, if it is truly only a ten line change to a common WPA2
driver to read, intercept and alter practically any traffic on the
network even in enterprise mode, that would seem like a serious issue
to me. Setting up the enterprise mode stuff to work is a lot of time
and effort. If it provides essentially no security over WPA2 in shared
key mode, one wonders what the point of doing that work is. This
doesn't seem like a mere engineering compromise.

Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list