[PATCH] rsn_supp: Don't encrypt EAPOL-Key 4/4.

Jouni Malinen j
Sun Sep 2 03:22:41 PDT 2012 

On Sun, Sep 02, 2012 at 08:59:27AM +0200, Andreas Hartmann wrote:
> Jouni Malinen wrote:
> > Not yet. Though, even if they were, you would also need to get a
> > wireless LAN driver/firmware that supports non-zero Key ID for pairwise
> > keys, so this this require some more work.
> 
> Would the firmware change be necessary, too, if nl80211 is used w/o
> hardware but software encryption (for both AP and supplicant)?

It may be needed depending on which WLAN hardware you are using, but
maybe not for most cases where software encryption is used.

> > For most use cases, CCMP is strong enough to be used for quite some time
> > without any rekeying, so the easiest workaround for rekeying related
> > issues is to increase the rekey interval.
> 
> The recommended value for the eap reauth period is 3600 seconds.
> 
> You wrote about increasing the period and "quite some time".
> 
> What would be the risk of the increase? Or better: which kinds of
> (known) attacks are complicated by forcing a regularly reauth? Why are
> 3600 seconds recommended and not, e.g., 1800? What would be a higher but
> still risk less time of period when using eap-tls and ccmp (using
> freeradius)?
> If it was your own network, which higher value would you use?

If EAP-TLS is used with a strong cipher and the network is configured to
use only CCMP, I don't think I would need EAP reauthentication or PTK
rekeying at all for practical purposes. Sure, you would need to stop
using the key if the CCM nonce wraps around, so rekeying would be needed
at that point, but that needs 2^48 frames to reach so until you get to
802.11ac or 802.11ad networks, it is a bit difficult to hit that in
practice.

That said, there may be other reasons for forcing EAP reauthentication,
e.g., to enforce some session limits or to allow removal of a station
from the network in reasonable amount of time even if the AP network
does not support RADIUS server initiated disconnection requests. Anyway,
I would consider CCMP strong enough to not require rekeying before CCM
nonce wraparound based on what's known and what kind of CPU resources
are available today, so the reason for setting rekeying based on some
time limit is coming from some other need than maintaining secure
encryption keys in the network.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list