Security Issue: How secure is sending confidential credentials via wpa_cli type interface?
Bryan Kadzban
bryan
Sat Aug 5 12:24:35 PDT 2006
Jouni Malinen wrote:
> In many ways, this new mechanisms brings same level of support for
> Windows builds that was available with Linux and BSD builds. I will
> likely replace UDP-based mechanism with named pipe -based one as the
> default option in future releases after the new code has received
> some more testing.
A thought on the security of the pipe(s):
When you add support for securing them, it would probably be the easiest
from a code perspective to let the config file use an SDDL string to set
up the permissions. You can use [1] to convert that SDDL string into a
new security descriptor (which would become the lpSecurityDescriptor
member of the SECURITY_ATTRIBUTES structure passed to CreateNamedPipe).
See also [2], MSDN's page on the SDDL language.
[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/convertstringsecuritydescriptortosecuritydescriptor.asp
[2]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_descriptor_definition_language.asp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20060805/6323aa80/attachment.pgp
More information about the Hostap
mailing list