Ex Bibliotheca

The life and times of Zack Weinberg.

Monday, 16 June 2003

# 4:30 PM

cracks in the wall

Very interesting Washington Post profile today of a gentleman named Rand Beers who resigned from the National Security Council's counterterrorism division two months ago ... and is now working as national security adviser for Democratic presidential candidate John Kerry.

(From Talking Points Memo.)

# 1:50 AM

walking around

Went up to Telegraph for lunch today. There's a new place called Slurp Noodle House, which has yummy spicy noodle soup for cheap. In the restaurant was a six-year-old girl demanding to use the email function of her mother's cell phone. This Younger Generation is Hot Stuff, as a character in a P.G. Wodehouse story might say.

schwag

And then I went to Amoeba and got more music:

  • Warren Zevon (self-titled). Adam turned me on to this guy last month. I don't think this particular album is quite as good as Mr. Bad Example, which is the other one I have, but then, it's also a lot older.
  • They Might Be Giants, Dial-A-Song; this is a two-CD collection from the past twenty years, including lots of stuff off their older albums that I don't have.
  • Barenaked Ladies, Stunt. BNL are a Canadian humor-pop band after the fashion of Moxy Früvous. Haven't listened to this one yet.
  • The Band, Jubilation. The Band dates to 1958, but is perhaps best known for the period 1968–1975. Unfortunately, Amoeba didn't have anything from then; this album was recorded just five years ago. Having just listened to it while writing this entry, it's good music anyway.

redesigning wep

So there's this thing called Wi-Fi that's all the rage right now in the high tech community. The basic concept is to run TCP/IP over short-range radio in the 2.4GHz band. It's popular for much the same reason cell phones are popular; you can take your laptop down to the local coffee shop and surf the 'net from there, assuming they've installed an "access point." Also, it's fast; the current tech (802.11b) runs at 5-10Mbps which is competitive with Ethernet and faster than your typical DSL or cable modem line.

Out of the box, a Wi-Fi access point will typically be happy to talk to anyone who brings a transceiver in range. Also, all transmissions are in cleartext. Neither of these things is ideal. There is a protocol called WEP (Wired Equivalent Privacy) that tries to rectify both. Unfortunately it doesn't work, for three reasons:

  1. It supports only one authentication scheme: knowledge of a 128-bit shared secret key. (The WEP key should not be confused with the "network name" or "community string", which is just to distinguish two different access points with overlapping ranges.) There are several incompatible schemes for converting a memorable passphrase into a secret key, which of course means that if a transceiver and an access point use different ones they can't talk to each other. Fortunately most systems allow you to enter the secret key directly, but now you're stuck trying to remember a thirty-two-digit hexadecimal number.
  2. It can't provide privacy or integrity guarantees without also restricting who can use an access point (nor can it do the converse, but that is rarely if ever desirable).
  3. The encryption scheme is internally flawed, such that an eavesdropper can recover the secret key by examining about 6,000,000 packets (which amounts to a few hours' traffic on a network in continuous use).

The 802.11 committee of the IEEE is working on revisions, but I can't resist having a go at it myself. Let Alice be an access point — that is, a relay between wired and wireless networks — and Bob a leaf node that wishes to establish a connection to the net via Alice. Alice periodically (probably about once a second) broadcasts an invitation packet, which carries a time stamp, Alice's community string, a list of all the ciphers Alice supports, and a list of all the authentication methods Alice will accept. This goes out in cleartext; Bob can pick it up with no special effort. Bob must at this point determine whether he supports one of the same ciphers as Alice, and whether he can authenticate himself to Alice. This may involve user interaction. Assume there is no problem meeting either hurdle.

Bob and Alice have previously agreed (which is to say, the number is part of the protocol specification) on the modulus g for a Diffie-Hellman exchange or a similar no-prior-knowledge key exchange algorithm. Bob sends an acceptance packet to Alice which echoes the time stamp of the most recent invitation packet he saw, and carries his half of the key exchange, plus an indication of which cipher and authenticator he would like to use (selected from the supported set). Bob does not transmit authentication information at this point. Alice responds to the acceptance with an acknowledgement which carries her half of the key exchange. Alice and Bob now have a shared secret.

If Alice is willing to talk to Bob without further authentication, Bob can now transmit a DHCP configuration request, encrypted using the chosen cipher and secret, and receive an IP address. Note that Alice will not respond to DHCP requests transmitted in cleartext, or, indeed, to any cleartext packet other than an acceptance. Link layer encryption is not optional. However, if Alice requires that Bob authenticate himself, the acknowledgement packet will also carry an encrypted authentication challenge. Bob must then respond to the challenge before he can request an IP address; this may require user interaction, so the timeout on this phase should be much longer than the timeouts for the other phases. Any mutually agreeable authentication algorithm can be used at this point.

This specification decouples authentication from integrity/privacy guarantees. An "internet cafe" can provide its customers with free network access safe from eavesdropping, but not have to tell them the secret WEP key. A corporate wireless LAN, by contrast, can use the same mechanism to authenticate network access that's already being used for computer access, and get strong integrity guarantees to boot.

I am assuming that, given the existence of a shared session key, there exists an algorithm for encrypting packets which isn't vulnerable to passive attacks the way WEP is. Allowing the cipher to be negotiated ensures that if a flaw is found, users can switch to a better cipher. I am also assuming that, because this is a broadcast communication channel, one does not need to worry about a "man in the middle" attack on Diffie-Hellman. A hypothetical eavesdropper can see all the traffic between Alice and Bob, but will not be able to modify packets in transit, so the attack should not succeed.

Authenticating Alice to Bob is a concern. A malicious access point could eavesdrop on, or modify, all the traffic passing through it. This is unavoidable; network routers by definition have this capability. It's easier to set up a malicious access point than a malicious wired router, though. The mechanism for authenticating Alice to Bob is easy — just have Bob transmit a challenge of his own along with the response to Alice's challenge — working out a sane policy is much harder. I don't have any good ideas. Use of end-to-end, session layer encryption wherever possible is of course recommended.
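As an added illustration, not part of the original entry, here is a toy Python model of the exchange sketched above: the cleartext invitation, Bob's acceptance carrying his half of the key exchange, Alice's acknowledgement carrying her half plus an encrypted challenge, and then sealed traffic only, with Bob's own challenge to Alice from the last paragraph folded into his challenge response. The Diffie-Hellman group, the HMAC-based "cipher", the cipher and authenticator names, the packet layout and the sample address are all constructed for this example and are not fit for real use; like the entry, it leaves the DH exchange itself unauthenticated and relies on the shared credential only for the challenge step.

```python
"""Toy model of the negotiated-cipher handshake described in the entry.
Everything here is constructed for illustration: the DH group is far too
small for real use, the 'cipher' is an HMAC-SHA256 keystream with
encrypt-then-MAC, and field names and packet kinds are made up."""
import hashlib, hmac, os, struct, time

P = 2**127 - 1                            # constructed DH modulus (a Mersenne prime)
G = 2                                     # constructed generator
CIPHERS = {"hmac-sha256-ctr"}             # ciphers both sides implement (constructed name)
AUTHS = {"open", "hmac-challenge"}        # authentication methods Alice accepts

def keystream(key, seq, n):
    """Counter-mode keystream: HMAC(key, seq || block index), truncated to n bytes."""
    blocks = (hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, seq, plaintext):
    """Encrypt-then-MAC: seq || ciphertext || HMAC over both (one seq per packet)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, seq, len(plaintext))))
    hdr = struct.pack(">Q", seq)
    return hdr + ct + hmac.new(key, hdr + ct, hashlib.sha256).digest()

def unseal(key, packet):
    """Return the plaintext, or None if the packet is cleartext, forged or damaged."""
    if key is None or len(packet) < 40:
        return None
    hdr, ct, tag = packet[:8], packet[8:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, hdr + ct, hashlib.sha256).digest()):
        return None
    seq = struct.unpack(">Q", hdr)[0]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, seq, len(ct))))

def session_key(peer_half, own_exponent):
    """Hash the DH shared secret into a 32-byte session key (constructed KDF)."""
    return hashlib.sha256(pow(peer_half, own_exponent, P).to_bytes(16, "big")).digest()

class Alice:
    """Access point: answers one acceptance per invitation, then sealed packets only."""
    def __init__(self, community, auth_secret):
        self.community, self.auth_secret = community, auth_secret
        self.x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.stamp = self.key = self.challenge = None
        self.authenticated = False

    def invitation(self):
        """Cleartext broadcast: time stamp, community string, supported ciphers/auths."""
        self.stamp = time.time_ns()
        return {"stamp": self.stamp, "community": self.community,
                "ciphers": sorted(CIPHERS), "auths": sorted(AUTHS)}

    def acknowledge(self, acc):
        """Accept only an echo of the current stamp and a selection Alice supports."""
        if acc["stamp"] != self.stamp or acc["cipher"] not in CIPHERS or acc["auth"] not in AUTHS:
            return None                                  # stale/replayed or unsupported: drop
        self.key = session_key(acc["dh"], self.x)
        ack = {"dh": pow(G, self.x, P)}
        if acc["auth"] == "open":
            self.authenticated = True
        else:                                            # challenge travels encrypted
            self.challenge = os.urandom(16)
            ack["challenge"] = seal(self.key, 0, self.challenge)
        return ack

    def receive(self, packet):
        """Handle a sealed packet; anything that fails unseal (cleartext included) is ignored."""
        body = unseal(self.key, packet)
        if body is None:
            return None
        kind, payload = body[:1], body[1:]
        if kind == b"A" and not self.authenticated:      # Bob's response + Bob's own challenge
            expected = hmac.new(self.auth_secret, self.challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(payload[:32], expected):
                return None
            self.authenticated = True
            return seal(self.key, 2, hmac.new(self.auth_secret, payload[32:], hashlib.sha256).digest())
        if kind == b"D" and self.authenticated:          # DHCP request: constructed sample address
            return seal(self.key, 3, b"192.0.2.10")
        return None

def run(auth, bob_secret, alice_secret=b"shared-credential"):
    """Drive one association as Bob; returns (address Bob obtained, whether Bob verified Alice)."""
    alice = Alice("cafe-net", alice_secret)
    y = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    inv = alice.invitation()
    cipher = next(c for c in inv["ciphers"] if c in CIPHERS)
    ack = alice.acknowledge({"stamp": inv["stamp"], "dh": pow(G, y, P),
                             "cipher": cipher, "auth": auth})
    if ack is None:
        return None, False
    key = session_key(ack["dh"], y)
    alice_verified = False
    if "challenge" in ack:
        c = unseal(key, ack["challenge"])
        if c is None:
            return None, False
        mine = os.urandom(16)                            # Bob's challenge to Alice
        reply = alice.receive(seal(key, 1, b"A" + hmac.new(bob_secret, c, hashlib.sha256).digest() + mine))
        alice_verified = reply is not None and hmac.compare_digest(
            unseal(key, reply) or b"", hmac.new(bob_secret, mine, hashlib.sha256).digest())
        if not alice_verified:
            return None, False
    resp = alice.receive(seal(key, 4, b"D"))
    addr = unseal(key, resp) if resp else None
    return (addr.decode() if addr else None), alice_verified
```

The `open` path shows the internet-cafe case: Bob gets an address with no credential at all, yet every packet after the acceptance is sealed, so `Alice.receive` simply drops a cleartext DHCP request. The `hmac-challenge` path shows the corporate case, where the same challenge exchange that proves Bob's credential to Alice also lets Bob check Alice's answer to his challenge before he asks for an address.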