Re: WPA problem and eduroam

[Stefan Winter <stefan.winter@xxxxxxxxxx>]

Hi Mark,

the draft of the advisory in its current form on my disk says sth  
like: We *advise* you to upgrade, but if you don't: at least consider  
the re-key interval change. I'm hesitant to use words like MUST in the  
advisory though. It's an advice, people will take it or leave it -  
MUST is, as you say, a word to use in a policy; and we can certainly  
think and discuss about the re-key becoming mandatory for TKIP  
networks during the policy overhaul. Waiting for a new version of the  
policy to be ready is not something to consider as an "immediate"  
countermeasure though, considering our remarkable speed in policy  
delivery ;-)

Greetings,

Stefan Winter

--

Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale  
et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


----- Nachricht von mark.o'leary@xxxxxx ---------
     Datum: Thu, 4 Dec 2008 09:01:09 -0000
       Von: Mark O'Leary <mark.o'leary@xxxxxx>
Antwort an: Mark O'Leary <mark.o'leary@xxxxxx>
   Betreff: Re: [mobility] WPA problem and eduroam
        An: mobility@xxxxxxxxxx


> I agree that an advisory is the way to go. My understanding is that  
> the shorter rekeying interval completely prevents this attack  
> (unless the site is running firmware that allows reducing the 60s  
> backoff interval and the admin has indeed reduced it - which is  
> against the TKIP standard). *If* this is true, then a complete  
> policy solution to the immediate alarm would be:
>
> If you implement WPA-TKIP or WPA2-TKIP, you MUST reduce the rekeying  
> interval to < 5 mins
>
> However, my concern is that this exploit opens a new attack surface  
> on TKIP-based wireless encryption, and that it will trigger  
> publication of a number of more dangerous elaborations on the  
> technique in the near future. So, if we are going to communicate  
> with the community it would be appropriate to push the 'migration to  
> WPA2/AES' message anyway (and not do too much 'calming'), even if a  
> modest configuration change is enough to answer the current (small)  
> threat that we know about.
>
> As mentioned at the meeting, I'm working on a  short background  
> paper on this attack with the JANET wireless advisory group. I'll  
> notify the group when this is available.
>
> M.
>
> --
> Mark O'Leary, JANET(UK)
>
> ________________________________
>
> From: owner-mobility@xxxxxxxxxx on behalf of Stefan Winter
> Sent: Wed 12/3/2008 4:39 PM
> To: Josh Howlett
> Cc: Tomasz Wolniewicz; mobility@xxxxxxxxxx; gn2-sa5@xxxxxxxxxxxx
> Subject: RE: [mobility] WPA problem and eduroam
>
>
>
> Hi,
>
> > So I think it is reasonable to say that our reaction needs to be
> > proportionate to the limited impact.
> > >
> > Yes, it's fine in my opinion. I suggest adding it to the advisory. We
> > need to be that the response is proportionate; we don't want
> > Institutions to panic and pull their eduroam services! We don't need
> > perfect security, it only needs to be Good Enough.
>
> Yes, the advisory definitely needs proper word-smithing. It emerged
> ad-hoc during a TF-EMC2 presentation and needs to be more elaborate
> etc. The "calming" explanations will definitely be in there in the
> final version, and very close to the beginning. It will also contain
> the 5-min re-key interval advice for TKIP networks.
>
> I'll keep working on it in the coming days.
>
> Greetings,
>
> Stefan
>
>
>
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG


----- Ende der Nachricht von mark.o'leary@xxxxxx -----