
Wi-Fi: Open or Secure

Making the best out of both...

Presented by François Proulx at HackFest 2011


Wednesday, 9 November, 11

Who am I ?

François Proulx
- Jack of all trades, master of none
- RFCs junkie
- Specialized in mobile development (iOS)
- Been into Wi-Fi (in)security for a while
- Founding member of Île Sans Fil
- Started the WiFiDog captive portal
- Studied the 802.11 specs in more depth while working on a Wi-Fi based location system: iFIND @ MIT


The take-away message for this talk

- We need to fix the insecurity of Wi-Fi hotspots
- We already have all the building blocks we need
- There's a simple and elegant solution, and it is entirely software based
- It's called Secure Open Wireless Access
- We, as security pundits, need to advocate so that the industry makes the necessary changes


But let's rewind for a moment



A brief recap of the state of 802.11
- 1999: IEEE 802.11b (the one we know and love)
  - Open System Authentication
  - Shared Key Authentication (i.e. WEP)
- 2001-2005: WEP proved utterly insecure (WEP cracking as a sport)
- In the meantime... Starbucks sells outrageously expensive lattes + Wi-Fi to poser kids surfing the Interwebs on their shiny MacBook Pro


The state of 802.11 continued...



At home
- We tell everybody to secure their home router by using WPA2 with an unguessable passphrase
In public Wi-Fi hotspots
- It is still the Wild West (MITM, Firesheep, SSLStrip, etc.)
- The majority of hotspots are open Wi-Fi APs
- We know the dangers, so we behave accordingly
  - Use SSL for all sensitive traffic
  - Or VPN out to a safer place
- Meanwhile, the latte-sipping poser kids have lots of fun browsing the Interwebs ... at our expense ;-)


What can we do about it?
- We want robust and yet usable security
- WPA2 + scan-click-and-connect usability

We have very strong building blocks available
- 802.11i brought us 802.1X over wireless (EAPoW)
- Most of us don't use 802.1X at home
- On the enterprise side, though... EAP is a way of deploying secure and robust setups
- Many EAP authentication methods exist (> 40): LEAP, EAP-TLS, EAP-TTLS, EAP-SIM, EAP-AKA...


How can we leverage EAP for the good of public Wi-Fi hotspots?

Enter Secure Open Wireless Access (SOWA)
- A simple technique relying on WPA2 with EAP-TLS
- Typically, EAP-TLS requires server and client side certs.
- Efficiently distributing certificates to clients can be a pain in the b*tt
- Good! That's the part we throw aside for SOWA
- Works just like the good old Web (HTTPS)
  - You type in an address (ex. https://www.paypal.com) and establish an SSL connection (one-way auth.)
  - With SOWA you pick the SSID and do anonymous EAP-TLS


Brief recap of EAP-TLS

Figure: EAP-TLS handshake diagram, http://commons.wikimedia.org/wiki/File:EAP-TLS_handshake.png

Wait! Is that compliant with the spec?

Actually, yes it is!
- RFC 5216 (the latest version of EAP-TLS) defines the certificate_request message as optional
- The authentication server (RADIUS) can simply skip that message
  (most implementations already behave correctly)

The idea was that APs could be used anonymously for emergency services

http://tools.ietf.org/html/rfc5216
http://tools.ietf.org/html/draft-ietf-ecrit-unauthenticated-access-03

What do we need to deploy it?

- Note the secure.expensivecafe.com string in both the SSID and the certificate common name (CN)
- They need to match to provide authentication, protecting the user against rogue access points
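As an added example (not part of the talk, nor of any SOWA implementation), here is the supplicant-side check that slide describes, in Go: a constructed self-signed certificate stands in for the one the RADIUS server presents in the EAP-TLS handshake, and the SSID the user picked is verified against the certificate's name and trust chain, without ever sending a client certificate. The SSID value and the function names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeServerCert builds a constructed, self-signed X.509 certificate naming the
// hotspot SSID in the CN and in a dNSName SAN (stand-in for the RADIUS server cert).
func makeServerCert(ssid string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: ssid},
		DNSNames:              []string{ssid},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// supplicantAcceptsAP is the check a SOWA-aware supplicant runs once the server
// certificate arrives: it must chain to a root the client trusts and its name must
// equal the SSID the user picked. A rogue AP presenting a certificate for another
// name, or one signed by an unknown CA, is rejected before any traffic flows.
func supplicantAcceptsAP(ssid string, serverCert *x509.Certificate, trusted *x509.CertPool) error {
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   ssid,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}
```

In a real deployment the trusted pool would be the client's normal CA store and the server certificate would be issued by a public CA for the SSID name, exactly as for an HTTPS site.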

But... it's not that easy


1. Operating system patches
   - Network selection GUI (to allow connection without a client cert.)
   - Supplicant (so that it matches the SSID with the CN in the X.509 cert)
2. RADIUS server patches (FreeRADIUS patches exist)
   - Allowing anonymous EAP-TLS
3. APs should use the RSN capabilities field (802.11 beacon) to differentiate from other EAP-TLS SSIDs
   (NOT mandatory for SOWA to work, but helps usability)


Food for thought...



What kind of iconography should we use to differentiate Open, Secure, and Authenticated Secure Open?


Please, help us spread the word

Thanks to Chris Byrd and IBM X-Force for inventing the technique and presenting it at BlackHat 2011
http://blogs.iss.net/archive/SownCode.html

There's still a long way to go before SOWA can be used by actual users, but play with it and spread the word


Q&A + Demo