Taskforce Mobility Mailarchive

Subject	Re: WPA problem and eduroam
From	"Mark O'Leary" <mark.o'leary@xxxxxx>
Date	Thu, 4 Dec 2008 09:01:09 -0000

I agree that an advisory is the way to go. My understanding is that the shorter rekeying interval completely prevents this attack (unless the site is running firmware that allows reducing the 60s backoff interval and the admin has indeed reduced it - which is against the TKIP standard). *If* this is true, then a complete policy solution to the immediate alarm would be:
 
If you implement WPA-TKIP or WPA2-TKIP, you MUST reduce the rekeying interval to < 5 mins
 
However, my concern is that this exploit opens a new attack surface on TKIP-based wireless encryption, and that it will trigger publication of a number of more dangerous elaborations on the technique in the near future. So, if we are going to communicate with the community it would be appropriate to push the 'migration to WPA2/AES' message anyway (and not do too much 'calming'), even if a modest configuration change is enough to answer the current (small) threat that we know about.
 
As mentioned at the meeting, I'm working on a  short background paper on this attack with the JANET wireless advisory group. I'll notify the group when this is available.
 
M.
 
--
Mark O'Leary, JANET(UK) 

________________________________

From: owner-mobility@xxxxxxxxxx on behalf of Stefan Winter
Sent: Wed 12/3/2008 4:39 PM
To: Josh Howlett
Cc: Tomasz Wolniewicz; mobility@xxxxxxxxxx; gn2-sa5@xxxxxxxxxxxx
Subject: RE: [mobility] WPA problem and eduroam



Hi,

> So I think it is reasonable to say that our reaction needs to be
> proportionate to the limited impact.
>>
> Yes, it's fine in my opinion. I suggest adding it to the advisory. We
> need to be that the response is proportionate; we don't want
> Institutions to panic and pull their eduroam services! We don't need
> perfect security, it only needs to be Good Enough.

Yes, the advisory definitely needs proper word-smithing. It emerged 
ad-hoc during a TF-EMC2 presentation and needs to be more elaborate 
etc. The "calming" explanations will definitely be in there in the 
final version, and very close to the beginning. It will also contain 
the 5-min re-key interval advice for TKIP networks.

I'll keep working on it in the coming days.

Greetings,

Stefan




JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

Follow-Ups:
- Re: WPA problem and eduroam
  - From: Stefan Winter

References:
- WPA problem and eduroam
  - From: Tomasz Wolniewicz
- Re: WPA problem and eduroam
  - From: Miroslav Milinovic
- Re: WPA problem and eduroam
  - From: Tomasz Wolniewicz
- Re: WPA problem and eduroam
  - From: Miroslav Milinovic
- Re: WPA problem and eduroam
  - From: Miroslav Milinovic
- Re: WPA problem and eduroam
  - From: Tomasz Wolniewicz
- Re: WPA problem and eduroam
  - From: Mohacsi Janos
- Re: WPA problem and eduroam
  - From: Tomasz Wolniewicz
- Re: WPA problem and eduroam
  - From: Stefan Winter
- RE: WPA problem and eduroam
  - From: Josh Howlett
- RE: WPA problem and eduroam
  - From: Stefan Winter
- RE: WPA problem and eduroam
  - From: Josh Howlett
- RE: WPA problem and eduroam
  - From: Stefan Winter

Prev by Date: Re: WPA problem and eduroam
Next by Date: Re: WPA problem and eduroam
Previous by thread: RE: WPA problem and eduroam
Next by thread: Re: WPA problem and eduroam
Index(es):
- Date
- Thread