Encryption without authentication?

Brian Bender bbender at vocollect.com
Mon Feb 20 18:55:34 EST 2006


On Feb 20, 2006, at 6:23 PM, Philip M. White wrote:

> I want to prevent people from seeing each other's traffic.  With
> EAP/PEAP if two people know the same username and password, the AP  
> still
> assigns them different unicast keys so that they cannot snoop on the
> network.  With an open network, this is not the case.
>
> Individual encryption is I am trying to obtain; I just don't want  
> the AP
> to provide this only to "authorized" users.
>
> -- 
> Philip

It's not _completely_ secure, but you could use WPA-PSK and use that  
same trivial house number as the passphrase, couldn't you? The  
temporal keys that are used for unicast traffic are different for  
each association, but knowing the passphrase and having captured the  
session setup, someone could derive the temporal keys and then  
decrypt that session. I haven't read of any real-time attacks of this  
sort yet, but it's certainly possible offline... Must it be more  
secure than that for this application?

  - Brian

-- 
Brian Bender
Vocollect, Inc.
Pittsburgh, PA, USA
[Apologies for the following "disclaimer" -- it's corporate policy.]

-CONFIDENTIAL, PRIVILEGED COMMUNICATION-
This e-mail transmission is private and intended for the addressee(s)  
only.  It may contain information that is privileged and/or  
confidential.  If you have received this transmission in error, you  
are not authorized to read, copy, disclose or disseminate it in any  
manner. If you have received it in error, please delete it and all  
copies (including backup copies) that have been made, and transmit a  
reply message informing the sender that it was misdirected.






More information about the HostAP mailing list