Getting support for SAE for WiFi
Robert Moskowitz
rgm at htt-consult.com
Fri Dec 16 16:43:06 UTC 2011
I requested this on the Network Manager list, but probably it has to be
implemented a bit deeper than there....
This list is probably the closest I am to developers of Fedora.
The 802.11s standard is now published. Boy did that take long enough! :)
There is a new password authentication method in 11s that the way it was
defined will work just fine between an AP and STA, or in adhoc between
two STAs. This method is called "Secure Authentication of Equals" or
SAE. It is a zero-based knowledge authenticaiton method that is immune
to offline attacks and an active attack gets only one guess per attack.
SAE is defined in Section 8.2a of 802.11s-2011. It is already in the
OpenAP code (or so its author, Dan Harkins of Aruba told me).
We finally have a strong password authentication method for WiFi. BTW,
I am the author of the first paper on how to attack WPA-PSK, so I am
directly involved in 802.11 security issues.
I would hope to see SAE in APs in the near future.
BTW, I am chairing a new workgroup, 802.15.9, that will provide a
pathway for key establishment for 802.15.4 and 802.15.7 devices. Right
now it is a mess. Zigbee IP has defined PANA; argh.
More information about the test
mailing list