Security. WPA?/-TKIP /-CCMP

 
 
Chrisjoy
Guest
Posts: n/a

 
      12-04-2008, 09:26 PM
WLAN.

What encryption protocol (implicitly supported by hardware) offers
protection against others knowing the shared key? Does WPA-TKIP? What
about WPA2-CCMP?

 
Chrisjoy
Guest
Posts: n/a

 
      12-04-2008, 11:09 PM
On Dec 4, 11:46 pm, Mark McIntyre <markmcint...@TROUSERSspamcop.net>
wrote:
>
> If you mean "protection against people who know your key" then neither
> is remotely useful...

What would be useful? VLAN? Any more practical solution?
Why isn't this issue discussed more? Is WLAN basically meant for
lifeless people who don't mind others looking into their "private"
stuff? Is 802.11 still an immature technology?
 
 
Chrisjoy
Guest
Posts: n/a

 
      12-05-2008, 03:12 PM
On 5 Dec, 05:09, Jeff Liebermann <je...@cruzio.com> wrote:
> On Thu, 4 Dec 2008 14:26:46 -0800 (PST), Chrisjoy
> <ultralibertaria...@gmail.com> wrote:
> >WLAN.
> >
> >What encryption protocol (implicitly supported by hardware) offers
> >protection against others knowing the shared key? Does WPA-TKIP? What
> >about WPA2-CCMP?
>
> None of the above. A shared key is ummm.... shared.


Well, for all I know, the shared key principle with WPA could be only a
way to stop intruders from getting into the network while there is another
layer that offers protection against others with the same key. I don't
know the details. That's why I'm asking. Do you know a good link with
good info?

> I can extract
> the shared key from some computers, or a usable hash value from the
> Windoze registry.
> <http://wirelessdefence.org/Contents/Aircrack-ng_WinWzcook.htm>
> Once the shared key is compromised from one computah, the entire
> network is open to use, attack, or sniffing.
>
> If you want encryption security, you should be looking at WPA-RADIUS
> or WPA2-RADIUS. These are also sometimes known as WPA-Enterprise. A
> RADIUS server delivers a unique, one time WPA encryption key to each
> wireless client that gets used only once. Each client gets a
> different unique one-time key.


Does this mean all payload goes through this Radius server, or is it
only for key distribution and authentication? Will the average
portable computer equipped with 802.11b/g also have support for
Radius? If so, I think this would be the best solution because I don't
need clients to install software.

> Incidentally, nothing is ever "implicitly" supported in hardware.
> It's either supported or it's not, which is "explicitly" supported.
> It's kinda difficult to "imply" something in hardware.
>
> Now, what is it you're trying to accomplish, and what do you have to
> work with?


Bring about a network at work where everyone is welcome to connect
wirelessly, but protected against sniffing of payload. A Linux solution
is welcome because load balancing and bandwidth control are already
done on such a box. I don't think I want to use more than $1000, and
the cost must be one time only.
The solution must be easy to deploy, at least for Windows clients. A
tunnel between client and Linux box would be fine. If Radius is
supported by most portables, I think this is the most realistic way to
go. What would I need either way?

 
Reply With Quote
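Why a shared WPA key gives guests no protection from each other while per-session keys from a RADIUS-backed setup do, as an added example that is not part of the original thread: it follows the 802.11i key hierarchy (PBKDF2 for the personal-mode PMK, HMAC-SHA1 PRF for the pairwise key). The SSID, passphrase, MAC addresses and the names `alice`/`bob` are constructed, and the EAP-derived key is modelled as random bytes.

```python
import hashlib
import hmac
import os

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, nbytes=48):
    """Pairwise transient key (48 bytes for CCMP) from the PMK plus values
    that are sent unencrypted during the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def demo():
    # All values below are constructed for illustration.
    ssid, passphrase = "GuestNet", "welcome-everyone"
    ap = bytes.fromhex("020000000001")
    alice = bytes.fromhex("0200000000a1")
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Personal mode: every guest who knows the passphrase holds the same PMK.
    pmk_alice = psk_pmk(passphrase, ssid)
    pmk_bob = psk_pmk(passphrase, ssid)
    ptk_alice = derive_ptk(pmk_alice, ap, alice, anonce, snonce)
    # Bob observed Alice's handshake (MACs and nonces are in the clear).
    ptk_seen_by_bob = derive_ptk(pmk_bob, ap, alice, anonce, snonce)

    # Enterprise mode: the PMK comes out of the EAP exchange, fresh per client
    # and per session (modelled as random bytes); Bob's own PMK does not help.
    pmk_alice_eap, pmk_bob_eap = os.urandom(32), os.urandom(32)
    ptk_alice_eap = derive_ptk(pmk_alice_eap, ap, alice, anonce, snonce)
    ptk_bob_guess = derive_ptk(pmk_bob_eap, ap, alice, anonce, snonce)
    return {"psk_isolated": ptk_alice != ptk_seen_by_bob,
            "eap_isolated": ptk_alice_eap != ptk_bob_guess}

if __name__ == "__main__":
    print(demo())
```

In both modes the RADIUS server only takes part in authentication and key establishment; the access point and client still encrypt the payload themselves with the derived pairwise key.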
 
Chrisjoy
Guest
Posts: n/a

 
      12-05-2008, 03:53 PM
On 5 Dec, 05:14, Jeff Liebermann <je...@cruzio.com> wrote:
> On Thu, 4 Dec 2008 16:09:10 -0800 (PST), Chrisjoy
> <ultralibertaria...@gmail.com> wrote:
> >On Dec 4, 11:46 pm, Mark McIntyre <markmcint...@TROUSERSspamcop.net>
> >wrote:
> >
> >> If you mean "protection against people who know your key" then neither
> >> is remotely useful...
> >
> >What would be useful?
>
> WPA-RADIUS
>
> >VLAN?
>
> No. That just isolates broadcast domains by MAC addresses. MAC
> addresses are trivial to change or spoof, and therefore offer no
> security.


I thought VLAN, using IPSEC, offered an end-to-end solution to protect
against both sniffing and man-in-the-middle attacks. I don't care who gets
into my network. Only that those who do are not able to sniff on each
other. Well, this is not perfectly true. It would be nice to have a
way to differentiate between guests so that we get rid of freeloaders
in the neighborhood, but without the use of an account system. It's
not practical to have to give out keys for each guest. Since it's
not possible to differentiate by anything else but MAC, this means
freeloaders are able to bypass my shaping profiles (which reduce a
MAC's bandwidth with bandwidth used, over time) by changing MAC. This
is still not a problem though, after three years of running our
hotspots, thanks to a shaper that gives an equal amount of bandwidth to
each MAC, egress and ingress.

> Incidentally, the IP addresses and data are encrypted by
> WPA and WPA2. However the MAC addresses are easily sniffable, even
> without the encryption key.
>
> >Any more practical solution?
>
> Yes. Proprietary schemes. Your application is too vague to offer a
> specific recommendation.


Does it mean a guest has to install software or hardware, and Radius
does not? Radius is preferable, regardless of price, as long as it's a
one-time payment.

> >Why isn't this issue discussed more?
>
> It's been discussed to death. Search Google groups or the web for
> "wireless security".


Can you give me a link to a link where I can find a discussion about
security where the main concern is to protect each WLAN client from
each other, and how this should be done without any extra needs than an
inbuilt 802.11g card on a portable?

> >Is WLAN basically meant for
> >lifeless people who don't mind others looking into their "private"
> >stuff?
>
> Right. Wireless is for those that can't afford overpriced copper
> wires.


I fail to see an economic motivation for wireless other than P2(m)P
links between buildings where T1/3 is the only realistic alternative.
My motive for wireless is ONLY flexibility and practicality. It's
impossible to put up a TP stick at any place where one would want to
use a computer. Where this is possible, I would always choose cable.

> >Is 802.11 still an immature technology?
>
> Nope. The surest sign of success and maturity is pollution. You're
> doing your part to insure success.


I guess our definitions are not compatible. If it's important both to
connect and to do it securely, I fail to see that success is accomplished.

> What is it you're trying to accomplish and what do you have to work
> with?


Answered in my last message.
 
 
Chrisjoy
Guest
Posts: n/a

 
      12-05-2008, 05:09 PM
On 5 Dec, 18:25, Jeff Liebermann <je...@cruzio.com> wrote:
>

Much good info, Jeff. Let me ask one question one more time.

I don't need authentication. I welcome everyone inside my field
strength to use my net. My primary (/only) concern is that the guests
on my wireless LAN are protected against each other. Protected from
sniffing. Will a Radius Server make sure every connection to the
access point will use a unique AES key?
 
 
Chrisjoy
Guest
Posts: n/a

 
      12-05-2008, 05:35 PM
On 5 Dec, 18:53, Jeff Liebermann <je...@cruzio.com> wrote:
>
> Running an open access point is not exactly my idea of security,
> especially since you apparently don't care who uses it. I guess you
> have to learn the implications the hard way.

The only implication I need to be concerned about is the bandwidth used.
I want to give away bandwidth for free, for visitors and those few
freeloaders in the neighbourhood. This means my security concern is
NOT to find an encryption/protocol to keep ppl out, but to find an
encryption/protocol to keep people from sniffing each other's payload
packets. You said WPA(1/2) alone does not offer a unique key for
every connection, but with RADIUS, I will get this.

(I already got a net of dedicated access points outside my firewall
only meant for visitors. I already got a time limit for the use of
this WLAN network. Are you able to misread me another time, Jeff? :-)

 
 
Chrisjoy
Guest
Posts: n/a

 
      12-05-2008, 08:35 PM
On 5 Dec, 20:33, Jeff Liebermann <je...@cruzio.com> wrote:
> On Fri, 5 Dec 2008 10:09:36 -0800 (PST), Chrisjoy
> <ultralibertaria...@gmail.com> wrote:
> >On 5 Dec, 18:25, Jeff Liebermann <je...@cruzio.com> wrote:
> >Much good info, Jeff. Let me ask one question one more time.
> >I don't need authentication. I welcome everyone inside my field
> >strength to use my net. My primary (/only) concern is that the guests
> >on my wireless LAN are protected against each other. Protected from
> >sniffing. Will a Radius Server make sure every connection to the
> >access point will use a unique AES key?
>
> Yes. The RADIUS server delivers a one time unique WPA/WPA2 key for
> each user and for each session.


I cannot help myself from thinking 802.11, and even Wi-Fi, is a pretty
immature technology while not making it mandatory to support a unique
key for each connection. Especially considering the fact that access
points already support RADIUS servers, which means they already got CPU
power and enough RAM to encrypt and decrypt connections using different
keys, and where they fail is at as ridiculous a place as the simple
task to make a DB handling keys and communicate them over an asymmetric
encryption method. Only crazy ppl would do anything remotely
sensitive on such a connection, which makes straight 802.11 a toy for
kids. Not that I would dare to as much as remotely control a Märklin
train using 802.11. I have to say, digging into 802.11 has been a
great disappointment. Those who develop this line of products, are
they all kids finding communication without wire so fascinating they
forget to be serious, at all!?

Anyways, thanks for all your information and leads. I can now hurry
away to my conclusion. I will not use another dime supporting our
hotspot network, before there is an easy way to protect against
sniffing. I do not consider setting up a RADIUS connection on the
client side to be easy. I will wait until the only information that
needs to be put into a client is a pass phrase after choosing an SSID
(with a signature fingerprint so that nobody can fake a trusty
network), and that's it. When this is done, everyone should be
protected from WLAN sniffing. If the 802.11 guys are not able to do
this, they are not worth my time. Ten years of development, and not
even solving this straightforward problem/solution, I would be
ashamed!

 
 
Chrisjoy
Guest
Posts: n/a

 
      12-06-2008, 12:25 AM
On 6 Dec, 00:37, Mark McIntyre <markmcint...@TROUSERSspamcop.net>
(snip the worst psychotic rant)
> You don't set it up on the client side.


I understand you're a dumb fuck.
 
 
Chrisjoy
Guest
Posts: n/a

 
      12-06-2008, 12:34 AM
On 6 Dec, 00:27, Mark McIntyre <markmcint...@TROUSERSspamcop.net>
wrote:
> > Does this mean all payload goes through this Radius server, or is it
> > only for key distribution and authentication?
>
> This may sound rude, but you're way over your head. Seems to me you're
> planning a fairly large scale public wifi hotspot without really
> understanding the basic principles of networking, the difference between
> authentication and encryption etc.

Nothing in my text supports your claim. And no, you're not rude at all.
You're just a dumb fuck tapping on your keyboard without any intention
to support your loose claims.

The only thing you can read into my text when it comes to lack of
knowledge is what is in my first message where I ask how to protect
clients from each other. I didn't know this, and that's why I asked.

> I'd suggest stepping right back and learning about how network security
> works.

I suggest you show us a valid deduction that leads on to a conclusion
that I lack knowledge about wireless security besides what is unveiled
in my first question, or shut tha fuck up.
 
 
Chrisjoy
Guest
Posts: n/a

 
      12-06-2008, 01:07 AM
On 6 Dec, 00:37, Mark McIntyre <markmcint...@TROUSERSspamcop.net>
wrote:
> Chrisjoy wrote:
> > I cannot help myself from thinking 802.11, and even Wi-Fi, is a pretty
> > immature technology while not making it mandatory to support a unique
> > key for each connection.
>
> Authentication and privacy wasn't a significant part of the 802.11b,g or
> n parts of the standard.


Which is why I call it immature crap or toys for kids at best.

READ THIS CLOSELY, AND READ IT UNTIL YOU UNDERSTAND IT.

A wireless standard, whether it's called 802.11 a, b or g, is crap if
it cannot do as simple and obviously reasonable a task as to protect each
user connected from all the other connected users. Developers and
standard makers who actually set a standard or make a box that lacks
this property, these developers and these standard makers are fuckin'
retards. It's not good enough that one can add another box, RADIUS
server, or something, to get this functionality. It's like selling a
car without a motor, but still calling it a car. The whole 802.11
thing is a fuckin' joke.

Security against other users on the same access point is important,
but this is only one of those things that should be mandatory in a
standard made by reasonable people. Another thing they "forget" to put
in is a complete solution of the so-called hidden node problem.
Until this very day, hidden node is only solved by polling protocol,
but all these protocols are NOT part of the standard, but
proprietary. Another problem is the lack of fair share. One client can
provoke a situation where he takes control of the whole bandwidth at
the access point. I could go on and on for weeks pointing out how
immature and stupid the ppl behind 802.11 in fact are.

> Incidentally, 802.11 is an umbrella for dozens of individual standards
> governing different parts of the wireless data comms process.


I have not written anything that show I didn't know this, dumb fuck.

> > Especially considering the fact that access
> > points already support RADIUS servers,
>
> Huh? Some APs have builtin radius servers, others don't. It's easy enough
> to run your own - freeRadius for one thing - but it's not a limitation of
> the standard.


Didn't you understand my point, dumb fuck? Let me help you. I have
learnt today that RADIUS does no encryption nor decryption of the
payload, even when each client got his own key. This means the access
point that supports RADIUS only lacks the simplest part (symmetric key
handling through an asymmetric key system) to deliver protection between
clients connected to the same access point. If you don't get how
stupid this is, you are simply too dumb to contribute in this debate
in any meaningful way.

> > Anyways, thanks for all your information and leads. I can now hurry
> > away to my conclusion.
>
> Seems to me you formed your decision before asking for information, but
> I could be wrong.


Yes, indeed you could. You have shown nothing in my text that my
decision is based on immature information, and still you push forward
this claim. You must totally lack honour.

> > I do not consider setting up a RADIUS connection on the
> > client side to be easy.
>
> You don't set it up on the client side. You merely stick the client into
> WPA-Enterprise mode and set up your radius server on your network.


You need to tell the IP:PORT to the RADIUS server. Your account name
and password, and this is after you have decided what SSID on a long
list you want to connect to. THEN you may get connected. If you
mistyped your password, you would be very happy if you got an error
message that remotely helps you to find what is the problem. The whole
thing is a fuckin' joke. Where it would be perfectly possible to
simplify the login by asking the client user for, line by line, SSID,
account and password, they rather made it completely useless for those
who use wireless as a tool, and not as a value by itself.

> > I will wait until the only information that
> > needs to be put into a client is a pass phrase after choosing an SSID
>
> Why not read up on how Radius works?


Why would I need to? Did Jeff teach something wrong about how it
works?
 