Dynamic WEP Question
Jacques Caron
Jacques.Caron
Mon Apr 28 02:36:14 PDT 2003
Hi,
At 10:15 28/04/2003, =?utf-7?B?K3ZCWFhaY1gwLQ==?= wrote:
>Yes, It is not standard for EAP/MD5... but, are there any way to cheat STA
>in hostap to send Dynamic WEP key ??
>
>for example, If we can generate MS-MPPE-SEND/RECV-KEY in hostapd then we
>can send it to STA isn't it ?
I think you missed something important in the whole dynamic WEP key
concept... Before you can use it, you need to have a way (the EAP method)
to compute a secret key that is known only to the client (station) and the
RADIUS server, which will then send it to the AP in the RADIUS
MPPE-Send/Recv-Key attributes. If you just make up a key in the RADIUS
server and send it to the AP, the AP will be able to generate a dynamic WEP
key, encrypt it with the RADIUS key, and send it to the station, but the
station will not be able to decrypt it since it does not know the key!
This is one of the reasons why EAP-MD5 is *not* a good choice for WLAN
authentication: it does not provide any keys, so you cannot do dynamic WEP
keying. The other problem being that EAP-MD5 is inherently insecure, being
subject to a bunch of attacks that will reveal the user password.
For WLAN authentication, you should use a better EAP method, such as
EAP-TLS, EAP-SRP, EAP-SIM, EAP-AKA, or one of the "compound" methods, such
as EAP-TTLS+EAP-MSCHAPv2 or PEAP+EAP-MSCHAPv2.
Hope that helps,
Jacques.
-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
http://lists.ipsector.com/listinfo/openroaming
More information about the Hostap
mailing list