consequences of turning on extra key_mgmt flags

Jouni Malinen
Wed May 29 14:56:11 PDT 2013


On Wed, May 29, 2013 at 03:21:23PM +0200, Olsson, Ola wrote:
> I use an external connection manager to talk to the supplicant and when I add a PSK network I might not know if the AP supports 11R and PMF. What would the negative implications be if I add "FT-PSK WPA-PSK-SHA256" to the key_mgmt in supplicant.conf whenever I add a PSK network?

For most purposes, this should not have any negative effect. In theory,
this could open up some attacks _if_ an issue were to be found with any
of the enabled options. There are no known such issues with FT-PSK or
WPA-PSK-SHA256 as compared to WPA-PSK (i.e., those are actually
considered to be more secure than WPA-PSK rather than the opposite).

The main practical issue that could happen (but is not known to be
present today) is an interoperability issue with an AP that adds support
for one of the new options in the future and then turns out to be
behaving incorrectly with the newer options (or well, it would not need
to be even an incorrect behavior, but an interop issue of some sort). If
you only have WPA-PSK enabled, you would limit your risk of hitting such
issues. However, that would come at the price of not being able to
upgrade networks easily.

> To be clear, whenever I add a network, which is supposed to look like:
> network={
>                 ssid="test"
>                 psk="1234567890"
>                 key_mgmt=WPA-PSK
>                 priority=4000002
> }
> 
> Would it hurt to implicitly make it look like the following?
> network={
>                 ssid="test"
>                 psk="1234567890"
>                 key_mgmt=WPA-PSK FT-PSK WPA-PSK-SHA256
>                 ieee80211w=1
>                 priority=4000002
> }

I think the latter would be a better default option. If there is a
mechanism for doing "advanced configuration" to select smaller subset of
options, that could be used to cover some possible, even if unlikely,
issues mentioned above.

-- 
Jouni Malinen                                            PGP id EFC895FA
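The policy discussed in this thread (widen a PSK network's key_mgmt to include FT-PSK and WPA-PSK-SHA256 and mark PMF optional, while keeping an "advanced configuration" path back to a smaller subset) as an added example of what an external connection manager could do. This is illustrative code, not part of the hostap project or of wpa_supplicant; the function names, the dict-based network representation and the sample values are assumptions.

```python
# Added example (hypothetical helper names), not wpa_supplicant code.
PSK_AKMS = {"WPA-PSK", "FT-PSK", "WPA-PSK-SHA256"}
PSK_DEFAULT_KEY_MGMT = ("WPA-PSK", "FT-PSK", "WPA-PSK-SHA256")

def augment_psk_network(net, key_mgmt_override=None):
    """Return a copy of a network dict (wpa_supplicant field -> value string)
    with the wider PSK key_mgmt set and PMF optional (ieee80211w=1).

    Only networks whose key_mgmt consists solely of PSK AKMs are touched;
    EAP/open networks come back unchanged, as does an explicit ieee80211w.
    key_mgmt_override is the "advanced configuration" escape hatch: the
    caller-chosen subset (e.g. ["WPA-PSK"]) is written verbatim and nothing
    else is added, for an AP that misbehaves with the newer options.
    """
    out = dict(net)
    current = out.get("key_mgmt", "WPA-PSK").split()
    if not current or not set(current) <= PSK_AKMS:
        return out  # not a pure PSK network: leave it alone
    if key_mgmt_override is not None:
        out["key_mgmt"] = " ".join(key_mgmt_override)
        return out
    merged = []
    for akm in current + list(PSK_DEFAULT_KEY_MGMT):  # keep order, no dupes
        if akm not in merged:
            merged.append(akm)
    out["key_mgmt"] = " ".join(merged)
    out.setdefault("ieee80211w", "1")
    return out

def _quoted(key, value):
    """ssid is always a quoted string; psk is quoted unless it is already
    the 64-hex-digit raw PSK form; everything else is written verbatim."""
    if key == "ssid" or (key == "psk" and len(value) != 64):
        return value if value.startswith('"') else f'"{value}"'
    return value

def render_network(net):
    """Render the dict as a wpa_supplicant.conf network={...} block."""
    body = [f"\t{k}={_quoted(k, v)}" for k, v in net.items()]
    return "\n".join(["network={", *body, "}"])

def ctrl_commands(net_id, net):
    """The same settings as control-interface SET_NETWORK commands (what
    wpa_cli set_network sends once ADD_NETWORK has returned net_id)."""
    return [f"SET_NETWORK {net_id} {k} {_quoted(k, v)}" for k, v in net.items()]
```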
