New Encryption System Design that works with wireless drivers.

Sat Feb 19 13:11:56 EST 2005

On Sat, 2005-02-19 at 09:44 -0800, Jouni Malinen wrote:
> On Sat, Feb 19, 2005 at 11:13:17AM -0600, Robert Denier wrote:
> 
> > Let me know if you use this and areas where you would like improvements.
> > Actual work on it will depend on time available of course.  
> > 
> > As part of my PhD work at the University of Missouri Rolla I developed a
> > new encryption system and released it under the GPL.  It uses elliptic
> > curve cryptography to create a system for secure and private
> > communications at the network level.
> 
> Would you be willing to write something that compares this to IEEE
> 802.11i with CCMP (mainly from the security and privacy view point)?

Lets see very briefly.  From a security point of view in closed mode.
This is right off the top of my head.

1) Its impossible to fake any station.
2) In general, Its impossible even to determine who is sending packets
to whom.  (Note as soon as you add a mac address, even the fake ones
this uses, then this point is severly weakened, but it has to work on
real hardware that exists.)
3) Routers only need to know where the packet came from and where its
going, and not the entire route so again secrecy is maintained.
4) Entropy is added into packet creation to prevent even identical
packets from ever being identical once encrypted.  
5) It should be impossible to piece together a valid packet from
pieces of invalid packets.
6) Protection against replay attacks is included.

To be honest I haven't looked at 802.11i recently.  This is can work
with wired or wireless.  My main recall on 802.11i was it was based on
the earlier 802.11 with some improvements to make it somewhat more
secure.  This is different in that its implementation is completely
from scratch and attempts to solve every problem I could think of.

I will most likely release a approximately 10 page summary of the
technology behind the system in a few days.  I'm just debating what if
any license to release the documentation under.  Then there will of
course be my PhD dissertation in the library in a month or so.

Yes if there is sufficient interest, and perhaps some donations so
I can afford to pay bills I'm willing to work on it anyway people want
although the next thing is the documentation, which will hopefully
clarify some confusion.

>  If
> desired, you could pick random MAC addresses for IEEE 802.11i, too, to
> match the privacy component in the current implementation.
> 
> ECC key negotiation should fit the model that IEEE 802.11i has for
> adding new key management mechanisms. If done that way, this would have
> much better chance of interoperating with existing networks and would

The design right now only requires the packets to be in basic ethernet
form.  Since thats what the network layer provides it is already
compatible with 802.11i although it ignores its existence completely.
It is after all only a layer in processing the packets.  The only
potential problem is the packet will be longer once processed.

> get more interested at least from me. The current design looks
> prorietary and reminds me of WAPI and let me just say that that may not
> be the best way of getting people interested in using this..

See previous comment.  It is a filter on standard ethernet packets.
Personally I found 802.11 in general to be a complete mess which is
why I didn't use it at all.  Often if you want to do something right,
its best not to start on the to start from scratch and question
everything.  Sometimes compatibility comes at way too high a price
especially from a security prospective when the more complex something
is the harder it is to be sure its secure.

> 
> > were current.  I haven't decided how much documentation to put online or
> > under what license at this time.
> 
> See my comment about proprietary designs above..
> 