wpa_supplicant/NM fallback to WPA?

Johannes Berg johannes
Wed May 7 01:41:47 PDT 2008


> Well, yes, it could. However, this would add need for state in network
> blocks to remember whether the previous attempt failed with RSN and then
> try WPA the next time. This sequence is not exactly something one would
> expect to see either since the AP looks exactly like it would if it were
> under an active downgrade attack and the most prudent thing to do here
> would be to warn the user of possible attack and then refuse to connect
> (unless overridden by user decision)..

True.

> I can certainly add a specific ctrl_iface message to notify external
> programs of this type of error and give them an option to ask the user
> for an informed decision on trying to use the AP anyway even if it could
> potentially mean successful downgrade attack (e.g., attacker forcing
> TKIP to be used as the pairwise cipher when the AP could have used
> CCMP).

This is the part I'm still not sure about. If I analysed things
correctly this doesn't look like a downgrade attack at all since we
selected CCMP (the highest) and then got CCMP too. The only reason why
this is similar to a downgrade attack is that the IE was modified, but
not actually in a way that would constitute an attack.

johannes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20080507/7b703f51/attachment.pgp 



More information about the Hostap mailing list