[OpenWrt-Devel] EAP-TLS / EAP-TTLS PAP

Bernd Naumann bernd at kr217.de
Thu Mar 26 09:33:08 EDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Maybe you have been at the Chaos Communication Congress in Germany the
last years. Then may you saw the WPA2 802.1X encrypted /public open
wireless access points/, where a user/client can choose their own
(random) name/password credentials.

https://events.ccc.de/congress/2014/wiki/Static:Network#WPA2_802.1X.2C_e
ncryption
(CA-CERT, sha-1 fingerprint:
4C:11:E8:BA:DE:12:79:08:45:4F:53:33:1F:E9:B9:60:56:1D:63:9F)
"""
Due to popular demand (and with security in mind) we provide WPA2
802.1X. This will encrypt your traffic, preventing attackers from
sniffing your data. Keep in mind that this won't protect you from
other network attacks and you should still be aware that you are at a
hacker conference! Your link layer should be secure if you do
certificate checking (see below).
"""

Back in 2010 and 2012 one paper and some emails claim, that it is
possible to patch hostapd to not have the need for client certificates.
/* Mails from californiajack at tormail.org via [OpenWireless Tech]) */



So what now? There is a project (
https://github.com/OpenSecurityResearch/hostapd-wpe ) where people
have patched and open sourced hostapd to do not request client
certificates (and other things). So far so good, there are patches.
But I'm not a C/C++ hacker and I will not touch TLS  and other
critical encryption and fuck it up to compile my version of hostapd.
If I want to use it, I want to use a well maintained version, it there
is any. (?!)

However, I saw that all this stuff is specified:
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS
and
there is "FreeRadius" which will do similar stuff, I heard about.


  I was curious in that technology cause it would be a nice thing for
our wireless community network. The sad fact today is, that we do not
have wireless security because in a flat organised community you will
not have central credentials (that is stupid and not open) and you
will not have a central comity which verifies user client
certificates, which is even more a closed system and can restrict user
access (realy realy bad!).

But if a user could choose his own (fake) credentials we have some
security against passive network sniffing. As you may know that there
are hunderds of shitty mobile apps with broken api-calls and poor
tls/ssl quality. We don't have to put our users at unnecessary risks.
We can not expect that every user can use end-to-end vpn connections.
Further, if we had an active network scanner within our infrastructure
we had an other problem. ...


K back to the plot:
Know you any hostapd configurations or other software in openwrt which
can achieve that goal? Are there any issues which might can lead to
problems or other downsides I may have missed? Reasons against?

Thanks for comments and pointers!

Greetings,
Bernd

- -- 
Bernd Naumann <bernd at kr217.de>

PGP:   0xA150A04F via pool.sks-keyservers.net
XMPP:  bn at weimarnetz.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQIcBAEBAgAGBQJVFAqUAAoJEEYW3OihUKBPOLkQAIHn8ovj3qEIjKnQ5YGLQr/Z
rttoYAeC1uZePbVTCe5c/DOZVvDp0tn174Eu8itKA5E+NUOJ4RjQ/Xr9tWdtQme/
kXnJoYS15+m2tivRbpYvHGTV47bWYYEBMg+P0Wg0XOHsy580CT88ZuBZDL1FlTcr
VjwibSwoNT7ZVO7UemrBmt8LNaItgNVwyhID6Eo//JyTWft2idPA9X4DPiMYndJG
cE3UwBcq5nqTh0whZXsUCmcjWzZ91hV+D2BfDf6rsWCIzdoFA+42HqwX4RSgJaQn
TCQeQYZpYgeysqBoAuetJc2AEGHRA3Vt+pxuX2HCerfk+pWU1F4ZCKRQ1q1u7XQk
p3ZD8tSofLZjmyXxAMrWJnNk74T1qLF/YuS2g5ms9kKIWzre6xOQ7Exe5yn0W+Mq
uKLexEI6BAJtDEiGKRMtn7tw70v6G0lhNtrbebgIULbHpaY+ToxozksGxUtyfbQ7
PnTnGqk2HS0XHn7noZgzqbLh6X9MniGrAEU3zJkhdcbAVTF//0lC/YUcrQKlOX5u
dpvcFu6FzvLUzncRXIJVjovuYzGpkP054fY379spSGyZo7/MDuUkKwT3bOYbf7oL
gOs0OA4e9RfIEvy0avR9SgR02n+w/QTSiqz3bl6UdZ5TTO810LXK8FpJMZV2gJcz
WdUg2cAuqsEC+7vp27v8
=8QL5
-----END PGP SIGNATURE-----
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list