
Re: don't bring your APs to HEL



Hi,

> OK, I'll be the dumb guy who is getting ridiculed and asks: what the
> fu^W hell is WPA? I mean, in real life language..:-)

There are (at least) two flavours of WPA.
The first one tries to address some of the issues of WEP by just
switching the key often enough. No additional computation power needed
in the card and only little in the AP.
The most common use is WPA PSK (Pre-Shared-Key), in which both the
client and the AP need to know a common secret not transmitted over the
air.

Think of the process as follows (I'm not sure about the real
implementation):
every few minutes (or MB or packets) a new key is calculated. For this,
the client and the server each send a 128-bit random. Each side
calculates the md5sum of both randoms and the pre-shared-key and uses
the result as new WEP key.
That way the tools for cracking WEP that rely on receiving enough
packets are defeated. Given enough CPU power you'll probably still be
able to decrypt the data afterwards, but you cannot hijack the
connection.

The other flavour uses AES instead of WEP, and uses smarter ways for
generating the keys, eventually even using smartcards or SSL
certificates.

Basically - and especially at universities - it's not about encrypting
the data.
It's all about access control. Universities don't want to open their
bandwidth to mr.random-spammer walking into their building.
Both WPA-PSK as well as Cisco IPSec with xauth (which is common with
universities in Germany) are vulnerable to man-in-the-middle and other
attacks when the shared secret is known - and this usually is the same
for all legitimate users.
In the case of WPA-PSK you can probably just decrypt the whole wireless
traffic, in the case of Cisco IPSec you need to emulate a full Cisco
IPSec server and a client (well, client is easy, but I don't know of a
software IPSec xauth server implementation) I believe.

So maybe it's okay for the university if someone sets up an open
wireless router IFF it is not directly connected to the university's
network, but only to a VPN server or the like. Using openvpn over
unencrypted wlan gives higher security IMHO than their solution (and
access control as well).

On a related note: I recently tried to pass through an "access
controlled" hotspot, and was surprised how easy it was... just run a VPN
over udp/53 and you often can just pass through. No need for real DNS or
ICMP tunnels.

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
   A polar bear is a rectangular bear after a coordinate transform.  //\
      There are few sincere friends. The demand is also small.       V_/_
                    --- Marie von Ebner-Eschenbach
