On Fri, Feb 06, 2004 at 10:36:45PM +0100, Andreas Jellinghaus wrote:

> can I use CCMP/AES in a static configuration? 
> i.e. use some ad-hoc net with a static configured
> shared secret? will that be secure, or is some
> key changing protocol required for real security?

Yes, you can. The packet numbers in CCMP are 48 bits, so as long as you
don't send over 2^48 packets with the same keys, you avoid sending
packets with duplicate sequence numbers (which would be bad). I don't
remember whether there are any issues with CCMP that would require more
frequent rekeying, but I would assume that you should be able to use the
same keys for quite a long while. Of course, it would be nice to change
the keys every now and then, but in simple cases of a couple of hosts this
might be doable manually.

Then again, a lot depends on how you define "real security" ;-). Using
the same CCMP key for a long time does not give you backward secrecy, so
if someone happens to be able to find out the key, all the packets you
have sent using it will be easy to decrypt.
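The reply's point that a static CCMP key is safe only while the 48-bit packet number (PN) never repeats is easy to turn into concrete sender and receiver discipline. The following is an added example written for this page, not code from the mail or from any driver or supplicant: it builds the 13-byte CCM nonce in the IEEE 802.11i CCMP layout (priority byte, 6-byte transmitter address A2, 6-byte PN), hands out strictly increasing PNs, refuses to keep sending once the PN space is exhausted (the point at which a rekey is mandatory), and drops received frames whose PN is not newer than the last accepted one. The MAC address and the starting PN are constructed sample values; the actual AES-CCM encryption of the payload is left out so the block runs with the standard library alone.

```python
# Added example (not from the original mail): CCMP packet-number discipline
# for a statically configured key. Nonce layout follows IEEE 802.11i CCMP:
# 1 byte priority/flags || 6-byte A2 (transmitter address) || 6-byte PN.
# All addresses and starting counters below are constructed sample values.

PN_BITS = 48
PN_MAX = (1 << PN_BITS) - 1  # 2^48 - 1, the largest PN a key can carry


def ccmp_nonce(priority: int, addr2: bytes, pn: int) -> bytes:
    """Build the 13-byte CCM nonce from QoS priority, A2 and the 48-bit PN."""
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN out of 48-bit range")
    if len(addr2) != 6:
        raise ValueError("A2 must be a 6-byte MAC address")
    return bytes([priority & 0x0F]) + addr2 + pn.to_bytes(6, "big")


class PnAllocator:
    """Sender side: strictly increasing PNs under one key, never wrapping.

    Once the counter passes PN_MAX the allocator refuses further nonces;
    a fresh key must be installed before any more frames are protected,
    otherwise a nonce (and hence a CCM keystream) would be reused.
    """

    def __init__(self, addr2: bytes, start: int = 1):
        self.addr2 = addr2
        self.next_pn = start
        self.exhausted = False

    def next_nonce(self, priority: int = 0) -> bytes:
        if self.exhausted or self.next_pn > PN_MAX:
            self.exhausted = True
            raise RuntimeError("PN space exhausted: rekey before sending more frames")
        nonce = ccmp_nonce(priority, self.addr2, self.next_pn)
        self.next_pn += 1
        return nonce

    def remaining(self) -> int:
        """How many more frames this key may protect before a rekey is forced."""
        return PN_MAX - self.next_pn + 1


class ReplayCheck:
    """Receiver side: per-key replay counter.

    A frame whose PN is less than or equal to the last accepted PN is
    dropped, so a captured frame cannot be played back under the same key.
    """

    def __init__(self):
        self.last_pn = -1
        self.dropped = 0

    def accept(self, nonce: bytes) -> bool:
        pn = int.from_bytes(nonce[7:13], "big")  # PN occupies the last 6 bytes
        if pn <= self.last_pn:
            self.dropped += 1
            return False
        self.last_pn = pn
        return True


def demo() -> dict:
    """Exercise the three rules near the end of the PN space (constructed data)."""
    a2 = bytes.fromhex("020000000001")  # constructed locally-administered MAC
    tx = PnAllocator(a2, start=PN_MAX - 2)  # start near the top to show exhaustion
    rx = ReplayCheck()
    nonces = [tx.next_nonce() for _ in range(3)]  # PNs PN_MAX-2, PN_MAX-1, PN_MAX
    accepted = [rx.accept(n) for n in nonces]
    replayed = rx.accept(nonces[0])  # old PN presented again: must be dropped
    try:
        tx.next_nonce()  # PN space is used up: must fail rather than wrap
        wrapped = False
    except RuntimeError:
        wrapped = True
    return {
        "accepted": accepted,
        "replayed": replayed,
        "wrapped": wrapped,
        "dropped": rx.dropped,
        "remaining": tx.remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

The sender never reuses a PN under one key and stops (rather than wrapping to zero) when the counter is spent; the receiver treats any non-increasing PN as a replay. Neither rule restores what the reply calls backward secrecy: a leaked static key still decrypts every frame ever sent under it, which is what periodic rekeying is for.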

