802.11i support in IBSS mode
nicolas.pichon at luceor.com
Wed Nov 28 09:26:16 EST 2007
Ambedkar R a écrit :
> Hi Nicholas,
> It was very nice to see that you are trying to bring up high security in
> IBSS mode.In your mail you mentioned that we have only WEP
> authentication in IBSS mode,but many companies already implemented
> WPA-Personal in IBSS[Jouni if i am wrong please correct me regarding
> WPA-Personal in IBSS implementation]
WPA has no specification for IBSS mode, only IEEE802.11i (WPA2) defines
a standard for robust security in IBSS mode.
There is a non-standard encryption mechanism called WPA-NONE, which is
supported by wpa_supplicant, but has many design problems, and a lack of
support on the driver side (it seems a few people managed to establish a
link between two STAs running wpa_supplicant, but not three or more).
I've read that Microsoft Windows XP used to support WPA-NONE, but that
it has been removed by the update that added WPA2 support (but without
IBSS mode). I've also just read that Microsoft Windows Vista supports
WPA2-PSK in IBSS mode, so I'll try to find 2 PC running Vista to have a
look at this.
> And my concern is that WPA-Enterprise with IEEE802.1X implementation is
> possible in IBSS mode,but do you think is it needed? while two computers
> are talking each other in IBSS mode.There may be users sharing their
> working directory or some files and they never going access https
> site,such as ONLINE BANKING,SHARE TRADING etc.
> If we implement WPA-Enterprise in IBSS mode,all STA's should act as
I think there can be a use of WPA2-Enterprise in IBSS mode, by
integrating an authentication server in every STA, for example to use
certificates to establish secured links, instead of a common pre-shared key.
But this would need more work, and I think implementing WPA2-PSK
(WPA2-Personal) is a first step that would give an already pretty good
security enhancement for IBSS networks. More work can be done later to
add WPA2-Enterprise support.
The only security issue in WPA2-PSK in IBSS mode is that a STA can
listen to traffic between two STA if it knows the shared key and have
caught the first two messages of the 4-Way handshake between the two
STAs it wants to spy on. Otherwise, if a STA doesn't know the shared
key, WPA2-PSK gives a reasonable confidentiality .
> Any how if you start working on WPA-Enterprise in IBSS mode,i join my
> hands with you guys.
While writing this mail, I've done some searches to confirms several
things, and found a thread I missed in the archives of this mailing
list. Jouli has already done some work to integrate needed parts of
hostapd into wpa_supplicant (but more work needs to be done). To make a
compilation of this code, man need to build "make test_wpa".
I tried to test code in current git repository, but I have several
compilation problems. I will also take a look at this to try to make it
Here is Jouli's mail about this test code :
More information about the HostAP