MITM attack against WPA2-Enterprise?

Donald Eastlake d3e3e3 at gmail.com
Sun Jul 25 22:10:30 EDT 2010


Perry,

On Sun, Jul 25, 2010 at 9:23 PM, Perry E. Metzger <perry at piermont.com> wrote:

> On Sun, 25 Jul 2010 18:48:56 -0400 Donald Eastlake <d3e3e3 at gmail.com>
> wrote:
> > It's always possible to make protocols more secure at higher cost.
> > Should 802.11i have required one-time pads to be couriered to all
> > mobile stations involved? Probably not, since it would kind of
> > negate some of the benefits of Wi-Fi. For group keys, should it
> > have added another layer of security where, say, a public was
> > transmitted by the AP to each station using pairwise security and
> > the AP signed and all stations verified every multicast/broadcast
> > frame? Possible, but public key cryptography is a pretty big burden
> > if you are, for example, streaming video to multiple stations using
> > multicast. Seems like it would need significant hardware support.
>
> I think the fact that the protocol appears to allow people to
> impersonate the base station, order clients to use new keys, and then
> man in the middle all subsequent communications with little effort
> makes the per-endpoint keying largely moot. This does not seem like a
> minor defect.
>

As far as I know, a new group key is delivered serially by the AP to each
station using the pairwise security between them. Sure, you can impersonate
the MAC address of the AP and, since it's all in the Ether, you can
eavesdrop on the exchange between a station and the AP to generate a new
pairwise key or to deliver a new group key to the station and inject
messages into those conversations. But if you can break the security by such
eavesdropping or injection, that would be a big deal, and have nothing to do
with the fact that a shared key is used for group security.

Donald