[PATCH] rsn_supp: Don't encrypt EAPOL-Key 4/4.

Andreas Hartmann andihartmann
Wed Sep 5 09:33:31 PDT 2012

Jouni Malinen wrote:
> On Sun, Sep 02, 2012 at 08:59:27AM +0200, Andreas Hartmann wrote:
>> Jouni Malinen wrote:
>>> For most use cases, CCMP is strong enough to be used for quite some time
>>> without any rekeying, so the easiest workaround for rekeying related
>>> issues is to increase the rekey interval.
>> The recommended value for the eap reauth period is 3600 seconds.
>> You wrote about increasing the period and "quite some time".
>> What would be the risk of the increase? Or better: which kinds of
>> (known) attacks are complicated by forcing a regularly reauth? Why are
>> 3600 seconds recommended and not, e.g., 1800? What would be a higher but
>> still risk less time of period when using eap-tls and ccmp (using
>> freeradius)?
>> If it was your own network, which higher value would you use?
> If EAP-TLS is used with a strong cipher and the network is configured to
> use only CCMP, I don't think I would need EAP reauthentication or PTK
> rekeying at all for practical purposes. Sure, you would need to stop
> using the key if the CCM nonce wraps around, so rekeying would be needed
> at that point, but that needs 2^48 frames to reach so until you get to
> 802.11ac or 802.11ad networks, it is a bit difficult to hit that in
> practice.

Thanks for your explanation! But: what's a strong cipher? If freeradius
cipher_list (-> openssl) is set to DEFAULT, the suite
TLS_DHE_RSA_WITH_AES_256_CBC_SHA is used. If set to high,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is used. According nmap, both suites
are considered strong :-). Which one is stronger or more safe? CPU
resources are not relevant at all.

I'm using now 12 hours for rekeying timeout. I think this is feasible
for me.

> That said, there may be other reasons for forcing EAP reauthentication,
> e.g., to enforce some session limits or to allow removal of a station
> from the network in reasonable amount of time even if the AP network
> does not support RADIUS server initiated disconnection requests. Anyway,
> I would consider CCMP strong enough to not require rekeying before CCM
> nonce wraparound based on what's known and what kind of CPU resources
> are available today, so the reason for setting rekeying based on some
> time limit is coming from some other need than maintaining secure
> encryption keys in the network.

Thanks again for your considerations! They helped me a lot!

Kind regards,
Andreas Hartmann

More information about the Hostap mailing list