From: John Navas on 7 Dec 2008 14:12

On Sat, 06 Dec 2008 20:48:12 -0800, Jeff Liebermann <jeffl(a)cruzio.com>
wrote in <0hkmj4td9blea6d32ng0ofmpr32jh1gs9b(a)4ax.com>:

>On Sun, 07 Dec 2008 00:06:09 +0000, Mark McIntyre
><markmcintyre(a)TROUSERSspamcop.net> wrote:
>
>>Typical problems would seem to be too many false negatives,
>
>Agreed. The software requires that you train the reader with 3
>successful reads in a row. That turns out to be amazingly difficult
>to do. After using one for a day, my batting average was only about
>75%. It seemed like every other scan had to be done twice.

Have you tried ThinkPads? My success rate is much higher than that with
current machines. They also have the advantage of built-in security
chips.

>Incidentally, the generally acknowledged best biometric practice is
>currently retinal eye recognition. One that I saw, but haven't played
>with, is thermal imaging of the blood vessels in the hand. Expensive,
>but quite unique, reliable, and probably impossible to spoof.

Nothing like that is impossible. The best we can say is that we don't
know how to do it today, and that we think it will be hard to do for a
long time to come. Many things thought to be impossible have turned out
to be possible, sometimes even easy.

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
From: msg on 7 Dec 2008 14:18

I've been following this thread with interest because it really does
address an important feature lacking in most secure wireless scenarios,
viz. a circuit-switched secure paradigm...

John Navas wrote:
> On Sat, 06 Dec 2008 20:32:10 -0800, Jeff Liebermann <jeffl(a)cruzio.com>
> wrote in <fjjmj4t96u64er82u5qvsd4k50tjf2hthf(a)4ax.com>:
>
>>On Sat, 6 Dec 2008 12:12:26 -0800 (PST), Chrisjoy
>><ultralibertarianer(a)gmail.com> wrote:
>>
>>>I don't need accounts. I don't want accounts. I only want different
>>>key for each session, and this is ONLY motivated by protecting guests,
>>>that is our customers, from being sniffed at.
>>
>>Set up the RADIUS server to accept a "guest" login with no password. I
>>think a blank password will do the trick, but I have to try it to be
>>sure. I don't think you can use a blank login, but maybe that's
>>possible. Even though everyone has the same login and blank password,
>>they will get different WPA encryption keys from the RADIUS server.
>>Since you were able to set up a RADIUS server with MySQL in 1 hour, I
>>would think you could try a blank login or password in a few seconds.
>
> I suggest using (hashing) the MAC address of the client as a login ID to
> provide an audit trail of sorts, although the other tricky bit would be
> creating RADIUS accounts invisibly and dynamically. But you're correct
> that even a single RADIUS account will still ensure unique encryption of
> different wireless connections (by generating a different Master Key for
> each session even for the same login ID).
>
> But snooping of WPA-PSK traffic is non-trivial. I think the much bigger
> risk is allowing wireless clients to connect to each other. (Think
> accidentally open shares.) Unless there were unusual requirements, I'd
> probably just publish a simple WPA-PSK key (in the SSID as well), turn
> on wireless-to-wireless isolation, and be done with it. I think it's
> unfortunate that most public hotspots don't do this.

But intra-user collaboration is part of what is expected in such
hotspots; the O.P.'s requirements for unique key encryption with minimal
hassle that permits intra-user communication seem to me a significant
area to develop. I imagine a parallel model for this environment is a
hotel with RJ45 bulkhead jacks in guest rooms; each port is connected to
a switch, and without physical access to wiring closets, is considered
secure, but user-to-user communications are permitted.

Michael
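The claim quoted above, that even one shared RADIUS login yields a different master key per session while WPA-PSK clients all share one PMK, can be checked against the 802.11i key schedule. The following is an added example (not code from any poster): it implements the standard PBKDF2 passphrase-to-PMK step and the PRF-384 pairwise key expansion of the 4-way handshake, with constructed MAC addresses, nonces and credentials; the per-session 802.1X PMK is simulated with random bytes rather than a real EAP exchange.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: every client on the SSID derives this same PMK from the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """4-way handshake pairwise key expansion (384-bit PTK for CCMP).
    Min/Max ordering makes AP and station compute the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> dict:
    """KCK (handshake MIC), KEK (key wrap), TK (data encryption key)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed locally-administered MAC addresses for the demonstration.
AP_MAC = bytes.fromhex("02000000aa01")
STA_MAC = bytes.fromhex("02000000bb02")


def two_psk_sessions(passphrase: str = "hotspot-psk", ssid: str = "CafeGuest"):
    """Same passphrase, same client, two associations: one PMK, two PTKs.
    The PTKs differ only because of the nonces; the PMK is common to all users."""
    pmk = psk_to_pmk(passphrase, ssid)
    ptk1 = derive_ptk(pmk, AP_MAC, STA_MAC, os.urandom(32), os.urandom(32))
    ptk2 = derive_ptk(pmk, AP_MAC, STA_MAC, os.urandom(32), os.urandom(32))
    return pmk, ptk1, ptk2


def two_eap_sessions():
    """802.1X/RADIUS: the server hands the AP a fresh PMK for each session,
    so the master key itself differs (simulated with random 32-byte PMKs)."""
    pmk1, pmk2 = os.urandom(32), os.urandom(32)
    ptk1 = derive_ptk(pmk1, AP_MAC, STA_MAC, os.urandom(32), os.urandom(32))
    ptk2 = derive_ptk(pmk2, AP_MAC, STA_MAC, os.urandom(32), os.urandom(32))
    return pmk1, pmk2, ptk1, ptk2
```

The PBKDF2 step can be checked against the published 802.11i test vector (passphrase "password", SSID "IEEE").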
From: John Navas on 7 Dec 2008 14:36

On Sun, 07 Dec 2008 13:18:08 -0600, msg <msg@_cybertheque.org_> wrote in
<m5mdnZLAX4jIvKHUnZ2dnUVZ_qninZ2d(a)posted.cpinternet>:

>> But snooping of WPA-PSK traffic is non-trivial. I think the much bigger
>> risk is allowing wireless clients to connect to each other. (Think
>> accidentally open shares.) Unless there were unusual requirements, I'd
>> probably just publish a simple WPA-PSK key (in the SSID as well), turn
>> on wireless-to-wireless isolation, and be done with it. I think it's
>> unfortunate that most public hotspots don't do this.
>
>But intra-user collaboration is part of what is expected in such
>hotspots; the O.P.'s requirements for unique key encryption with minimal
>hassle that permits intra-user communication seem to me a significant
>area to develop. I imagine a parallel model for this environment is
>a hotel with RJ45 bulkhead jacks in guest rooms; each port is connected
>to a switch, and without physical access to wiring closets, is considered
>secure, but user-to-user communications are permitted.

I personally don't think that intra-user collaboration is part of what is
expected in such hotspots -- my experience is that it's pretty rare. When
intra-user (intra-computer) collaboration is needed I think it's much
better done with instant messaging, remote connection, or with a secure
non-WiFi method like Ethernet cable or Bluetooth PAN. Plus there are
always secure indirect sharing methods like a secure server.

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
From: Jeff Liebermann on 7 Dec 2008 23:38

On Sun, 07 Dec 2008 11:12:51 -0800, John Navas
<spamfilter1(a)navasgroup.com> wrote:

>Have you tried ThinkPads?

Yep. Same exact scanner/reader as Dell and Toshiba, made by SGS Thomson.
Software is by UPEK (owned by SGS Thomson):
<http://www.upek.com>
<http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader>
<http://www.pc.ibm.com/us/security/fingerprintreader.html>
<http://www.upek.com/solutions/physical/chipsets_sensors.asp>

>My success rate is much higher than that with
>current machines. They also have the advantage of built-in security
>chips.

Which scanner? The narrow slot, where you have to swipe your finger
across the window, or the large reader with the full size window? As I
mentioned, the narrow slot is awful, while the full size window works
every time:
<http://www.upek.com/support/customersupport/swiping_technique.asp>

--
Jeff Liebermann          jeffl(a)cruzio.com
150 Felker St #D         http://www.LearnByDestroying.com
Santa Cruz CA 95060      http://802.11junk.com
Skype: JeffLiebermann    AE6KS 831-336-2558
From: John Navas on 8 Dec 2008 12:15
On Sun, 07 Dec 2008 20:38:27 -0800, Jeff Liebermann <jeffl(a)cruzio.com>
wrote in <508pj4h5nesv79gcb3uftfa1hjdkk25rvs(a)4ax.com>:

>On Sun, 07 Dec 2008 11:12:51 -0800, John Navas
><spamfilter1(a)navasgroup.com> wrote:
>
>>Have you tried ThinkPads?
>...
>>My success rate is much higher than that with
>>current machines. They also have the advantage of built-in security
>>chips.
>
>Which scanner? The narrow slot, where you have to swipe your finger
>across the window, or the large reader with the full size window?

Swipe:
<http://www.pc.ibm.com/us/security/fingerprintreader.html>
<http://www.pc.ibm.com/us/thinkpad/3dtours/fingerprint/56/index.html>

>As
>I mentioned, the narrow slot is awful, while the full size window
>works every time:
><http://www.upek.com/support/customersupport/swiping_technique.asp>

ThinkPad swipe works well for me.

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>