STA shared-key authentication support
Jacques Caron
Jacques.Caron at IPsector.com
Sun Nov 17 07:09:11 EST 2002
Hi,
I couldn't say if that's the reason Jouni didn't implement it, but shared
key authentication is a known security issue, since it allows attackers to
easily find the secret key. It is consider safer to use WEP without shared
key auth rather than with it. Hence the reason 802.11 TGi dropped 802.11
authentication completely (open auth is a null operation and shared key
auth is a security hole), in favour of 802.1X authentication and other fun
things.
Jacques.
At 03:09 17/11/2002, Amit Gurdasani wrote:
>Hi, all. I'm new to this list, and I've perused the mailing list archives
>and didn't see this addressed, so please be gentle. :)
>
>I wanted to use shared-key authentication with my (Host)AP, but found that
>hostap_cs currently doesn't support shared-key authentication, so I've
>prepared a hack that adds this functionality (based on what linux-wlan-ng
>does).
>
>This 'overloads' the ap_auth_algs IOCTL parameter, so that in non-Master
>mode, setting the parameter will cause the authentication system record to
>be changed. The effect is that by setting it to 2 using
>
>prism2_param wlan0 ap_auth_algs 2
>
>will enable client-side shared-key authentication.
>
>It seems to work well for me (secondary f/w 1.4.9 with firmware-based WEP
>encryption and decryption enabled). I haven't tested it with any other
>configurations, so YMMV.
>
>Changing it to 1 (open-system auth) and then using iwpriv on AP side to
>kickmac prevented association from occurring (the AP is set to accept
>shared-key auth only), and then changing it to 2, the STA was automatically
>able to associate. Applying the patch AP-side had no effect (and no
>regression).
>
>This patch is against the current CVS HEAD hostap_ioctl.c as obtained from
>CVSWeb, though I tested it with the 2002-10-12 tarball.
>
>Thanks for your excellent work, Jouni and others. (For the record, with
>firmware WEP encryption and decryption enabled, and with a 104-bit key,
>hostap_cs is able to get away with 30-40% of the CPU utilization of
>linux-wlan-ng, which pegs the 400 MHz CPU in this laptop at close to 100%
>while doing large transfers with 128-bit WEP enabled. Using host-based WEP
>encryption and decryption is not very much worse.)
>
>-8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<----8<-
>--- hostap_ioctl.c.1.19 2002-11-16 20:38:01.000000000 -0500
>+++ hostap_ioctl.c 2002-11-16 20:38:13.000000000 -0500
>@@ -1990,6 +1990,33 @@
> case PRISM2_PARAM_AP_AUTH_ALGS:
> if (local->ap != NULL)
> local->ap->auth_algs = value;
>+
>+ if (local -> iw_mode != IW_MODE_MASTER) {
>+ /*
>+ * hack to enable STA-side shared key auth
>+ *
>+ * See if we've been passed a valid value. The only
>+ * values allowed are 1 (open system) and 2 (shared
>+ * key).
>+ */
>+ if (value < 1 || value > 2) {
>+ printk (KERN_WARNING "%s: Authentication "
>+ "system %d is unknown. (1 = open, "
>+ "2 = shared key)\n",
>+ local -> dev -> name, value);
>+ ret = -EINVAL;
>+ }
>+ /* set the auth record to requested */
>+ if (hostap_set_word (local -> dev,
>+ HFA384X_RID_CNFAUTHENTICATION,
>+ value)) {
>+ printk (KERN_WARNING "%s: Could not set "
>+ "authentication system to %s.\n",
>+ local -> dev -> name,
>+ (value ? "open" : "shared key"));
>+ ret = -EINVAL;
>+ }
>+ }
> break;
>
> case PRISM2_PARAM_MONITOR_ALLOW_FCSERR:
>-8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<----8<-
-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
http://lists.ipsector.com/listinfo/openroaming
More information about the HostAP
mailing list