Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Who am I ?
Franois Proulx Jack of all trade, master of none RFCs junkie Specialized in mobile development (iOS) Been into Wi-Fi (in)security for a while Founding member of le Sans Fil Started the WiFiDog captive portal Studied 802.11 specs in more depth while working on a Wi-Fi based location system - iFIND @ MIT
Wednesday, 9 November, 11
We need to x the insecurity of Wi-Fi hotspot We already have all the building blocks we need Theres a simple and elegant solution and it is entirely software based Its called Secure Open Wireless Access We, as security pundits, need to advocate so that the industry makes the necessary changes
Wednesday, 9 November, 11
Wednesday, 9 November, 11
Wednesday, 9 November, 11
What can we do about it? We want robust and yet usable security WPA2 + scan-click-and-connect usability
We have very strong building blocks available 802.11i brought us 802.1X over wireless (EAPoW) Most of us dont use 802.1X at home On the enterprise side, though... EAP is a way for deploying secure and robust setups Many EAP authentication methods exist (> 40) LEAP, EAP-TLS, EAP-TTLS, EAP-SIM, EAP-AKA...
Wednesday, 9 November, 11
How can we leverage EAP for the good of public Wi-Fi hotspots?
Enter Secure Open Wireless Access (SOWA) A simple technique relying on WPA2 with EAP-TLS Typically, EAP-TLS requires server and client side certs. Efciently distributing certicates to clients can be a pain in the b*tt Good! Thats the part we throw aside for SOWA Works just like the good old Web (HTTPS) You type in an address (ex. https://www.paypal.com), establish an SSL connection (one-way auth.) With SOWA you pick the SSID and do anon. EAP-TLS
Wednesday, 9 November, 11
http://commons.wikimedia.org/wiki/File:EAP-TLS_handshake.png
Wednesday, 9 November, 11
http://commons.wikimedia.org/wiki/File:EAP-TLS_handshake.png
Wednesday, 9 November, 11
http://commons.wikimedia.org/wiki/File:EAP-TLS_handshake.png
Wednesday, 9 November, 11
Actually, yes it is! RFC5216 (latest version of EAP-TLS) denes the certicate_request message as optional The auth. server (RADIUS) can skip that message
(most implementations already behave correctly)
The idea was that APs could be used anonymously for emergency services
http://tools.ietf.org/html/rfc5216 http://tools.ietf.org/html/draft-ietf-ecrit-unauthenticated-access-03
Wednesday, 9 November, 11
Note the secure.expensivecafe.com string in both the SSID and the certifcate common name (CN) They need to match to provide authentication Protecting the user against rogue access points
Wednesday, 9 November, 11
Wednesday, 9 November, 11
Wednesday, 9 November, 11
Wednesday, 9 November, 11
Wednesday, 9 November, 11
Thanks to Chris Byrd and IBM X-Force for inventing the technique and presenting it at BlackHat 2011
http://blogs.iss.net/archive/SownCode.html
Theres still a long way to go before SOWA can be used by actual users, but play with it and spread the word
Wednesday, 9 November, 11
Q&A + Demo
Wednesday, 9 November, 11
Q&A + Demo
Wednesday, 9 November, 11