WEP help

Jacques Caron Jacques.Caron
Thu Dec 5 10:03:46 PST 2002


Hi,

I know the driver supports per-client keys, but I don't know offhand how 
you would be able to change those keys from userland, probably some form of 
ioctl (I'm not sure there is a command or iwconfig param that does this), 
you might want to look into the hostapd source code, since that program is 
actually doing the 802.1x bit and the WEP key setting. Probably not very 
difficult to write a very short program that would take a MAC address and 
WEP key and give that information to the driver, if there isn't one already.

Note however that if using nocatauth rather than 802.1x, you end up with 
the problem that the user must switch from unencrypted to encrypted right 
after the authentication is done (you have to start without encryption 
because the AP does not know who it is at first). Also it would not give 
you the advantages of dynamic keying and automatic configuration (the user 
actually needs to enter the key, and will keep the same key for a while, 
which leaves WEP open to its known weaknesses). 802.1x on the other hand 
would give you automatic configuration and dynamic re-keying.

Do I sound like a big 802.1x advocate? :-)

Jacques.

At 17:58 05/12/2002, Doug Yeager wrote:
>This is very informative Jacques...hope others can benefit also.
>
>
>I'm using nocatauth for these nodes.  It would be very easy for me to
>allow the user to enter their wep password into their member profile in
>the authserver website...this of course would be the same one they enter
>for their wifi card setup.  At that point when they login it would be
>easy for me to send that password to the ap through the nocat gateway.
>At that point would I be able to use a command to let the hostap know to
>use that key?
>
>Something like:
>Iwconfig wlan0 key s:users_password on
>?
>
>if so, what about multiple users on that node?  Will the AP remember the
>different keys and associate them to the correct clients?  Also, if
>there is an open mode, can those users also be able to communicate?
>
>Thx in advance,
>doug
>
>-----Original Message-----
>From: hostap-admin at shmoo.com [mailto:hostap-admin at shmoo.com] On Behalf
>Of Jacques Caron
>Sent: Thursday, December 05, 2002 11:38 AM
>To: doug at ycomsystems.com
>Cc: hostap at shmoo.com
>Subject: Re: WEP help
>
>Hi,
>
>The goal of WEP is (in theory) to make sure that only people who have
>the
>key can decrypt packets sent with that key. In the general case, this
>means
>you have to use so-called "pre-shared keys", i.e. keys that both ends
>(the
>client and the AP) know in advance. And since most APs have only a
>limited
>number of keys they can use, that also means that everybody is using the
>
>same key, and hence that everybody you give the key to will be able to
>decrypt the trafic from anyone else using the AP.
>
>In the case of a public WLAN, the only way to use WEP is together with
>802.1x. This means:
>- the client must support 802.1x, the appropriate EAP method chosen, and
>
>dynamic keys
>- the AP must support 802.1x and dynamic keys
>- you must have a RADIUS server with support for EAP and the appropriate
>
>EAP method chosen and the generation of dynamic keys.
>
>In that case, when a user connects, it authenticates using the relevant
>EAP
>method, and a dynamic WEP key is generated and used just for that client
>
>(i.e. the AP handles one WEP key for each client). And no-one but the
>client and the AP can decrypt the trafic sent between them using that
>key.
>
>Now, depending on what your exact security goals are, there are quite a
>number of alternatives:
>- do not use WEP at all, and rely on the users having appropriate VPN
>software and/or SSL/TLS-enabled software (and servers to talk to)
>- do not use WEP at all, and provide some other form of encryption for
>the
>customers (PPPoE, PPTP, L2TP, IPsec)
>
>I would personally recommend using WEP with 802.1x, since:
>- 802.1x is built into Windows XP
>- there is now a free 802.1x add-on from MS for W2K
>- versions for other Windows platforms are coming
>- there is a free 802.1x client for Unix systems (open1x aka
>xsupplicant)
>- hostap supports 802.1x
>- there are free (freeRADIUS) and commercial (many) RADIUS servers that
>support 802.1x
>- this will give you security and accounting
>- this scheme is the only one that will enable WLAN roaming in a secure,
>
>open and transparent fashion
>
>Obviously, you still need a way to allow users with 802.1x or a
>subscription to connect (without WEP) to a limited set of pages to know
>what they need, subscribe, download the necessary software, etc.
>
>Let me know if I can be of any help :-)
>
>Jacques.
>
>At 17:19 05/12/2002, Doug Yeager wrote:
>
> >Im looking for some kind of help guild to explain to me the basic
>concepts
> >of WEP.
> >
> >
> >
> >Right now I have a few wireless nodes serving various coffee shops.  I
> >have not experimented with WEP.
> >
> >
> >
> >What I think it does is this:  allow any client to select to use WEP
>and
> >pick their own key.
> >
> >Then they can talk w/ the AP using that encryption key that they
>picked.
> >
> >
> >
> >But those who just want to talk w/ the AP w/o WEP can do so also.
> >
> >
> >
> >I may be wrong on how WEP is used but that is what I thought it should
>do.
> >
> >
> >
> >Ive experimented w/ setting my AP in open mode w/ some random key using
>
> >iwconfig util.
> >
> >
> >
> >Iwconfig wlan0 s:aircom open
> >
> >
> >
> >This doesnt seem to do what I want.  Actually it cuts off communication
>to
> >my clients.
> >
> >
> >
> >
> >
> >If someone could clear up how wep is used, it may help a bit along with
>
> >what commands to enable it how it want to use it would be helpful.
> >
> >Or if a document tells me somewhere, that reference would be great.
> >
> >
> >
> >Thx much,
> >
> >doug
>
>
>-- Jacques Caron, IP Sector Technologies
>     Join the discussion on public WLAN open global roaming:
>     http://lists.ipsector.com/listinfo/openroaming
>
>
>_______________________________________________
>HostAP mailing list
>HostAP at shmoo.com
>http://lists.shmoo.com/mailman/listinfo/hostap


-- Jacques Caron, IP Sector Technologies
    Join the discussion on public WLAN open global roaming:
    http://lists.ipsector.com/listinfo/openroaming






More information about the Hostap mailing list