STA shared-key authentication support

Amit Gurdasani gurdasani
Sun Nov 17 04:41:24 PST 2002


:I couldn't say if that's the reason Jouni didn't implement it, but shared
:key authentication is a known security issue, since it allows attackers to
:easily find the secret key. It is consider safer to use WEP without shared
:key auth rather than with it. Hence the reason 802.11 TGi dropped 802.11
:authentication completely (open auth is a null operation and shared key
:auth is a security hole), in favour of 802.1X authentication and other fun
:things.

As far as I can tell, the security issue stems primarily from having large
numbers of IVs and encrypted versions (from frequent associations) available
to an intruder, so that it's possible to (a) associate with the AP and then
(b) brute-force the encrypted IV to figure out the key. But it seems to me
that this wouldn't be as much of a problem on a network where stations are
expected to stay associated with the AP (as is my case) and dessociation and
(successful) reassociation is relatively uncommon.

Actually, now that I think about it, you might be right -- is there any
advantage to using a shared key authentication system if the AP is
configured to drop unencrypted frames?

Here's a message by Jouni around April that goes over this, for background:

:On Thu, Apr 11, 2002 at 06:28:38PM +0100, ben_at_netservers.co.uk wrote:
:
:> WEP itself seems to work fine with 40 and 104 bit keys. However, the
:> driver does not appear to have any implimentation of shared key
:> authentication, so we were getting 'unknown authentication algorithm (1)'
:> in the linux syslogs. Sure enough, a quick look at the code seems to
:> indicate that only open system is currently implimented - changing the
:> clients to use open system makes it all work.
:
:Yes, that's true. There was not much point in implementing shared key
:authentication before WEP was supported, but now that WEP seems to work, it
:would be possible to implement also it. I could consider implementing it for
:the completeness sake, but it should be noted that it does not help much
:with security..
:
:> However, I'm rather puzzled by the reference in the change log saying 'use
:> restricted as default WEP mode instead of open'. Why was the default set
:> to restricted if restricted does not do anything? (It apparently ignores
:> this setting and works in open mode regardless.)
:
:These are two completely different things. Restricted WEP mode refers to
:mode that is configured with 'iwconfig wlan0 mode restricted' (as an
:alternative for 'iwconfig wlan0 mode open'). Restricted mode drops
:unencrypted frames, whereas open mode accepts them, but encrypts send
:frames.
:
:--
:Jouni Malinen                                            PGP id EFC895FA





More information about the Hostap mailing list