802.11i support in IBSS mode

Nicolas Pichon nicolas.pichon at luceor.com
Wed Nov 28 09:26:16 EST 2007


Ambedkar R wrote:
> Hi Nicholas,
> 

Hi,

> It was very nice to see that you are trying to bring up high security in 
> IBSS mode. In your mail you mentioned that we have only WEP 
> authentication in IBSS mode, but many companies already implemented 
> WPA-Personal in IBSS [Jouni, if I am wrong please correct me regarding 
> WPA-Personal in IBSS implementation].
> 

WPA has no specification for IBSS mode, only IEEE802.11i (WPA2) defines 
a standard for robust security in IBSS mode.

There is a non-standard encryption mechanism called WPA-NONE, which is 
supported by wpa_supplicant, but has many design problems, and a lack of 
support on the driver side (it seems a few people managed to establish a 
link between two STAs running wpa_supplicant, but not three or more). 
I've read that Microsoft Windows XP used to support WPA-NONE, but that 
it has been removed by the update that added WPA2 support (but without 
IBSS mode). I've also just read that Microsoft Windows Vista supports 
WPA2-PSK in IBSS mode, so I'll try to find 2 PCs running Vista to have a 
look at this.

> And my concern is that WPA-Enterprise with IEEE802.1X implementation is 
> possible in IBSS mode, but do you think it is needed while two computers 
> are talking to each other in IBSS mode? There may be users sharing their 
> working directory or some files and they are never going to access an https 
> site, such as ONLINE BANKING, SHARE TRADING etc.
>
> If we implement WPA-Enterprise in IBSS mode, all STAs should act as
> SERVER, Authenticator, STA.
>

I think there can be a use of WPA2-Enterprise in IBSS mode, by 
integrating an authentication server in every STA, for example to use 
certificates to establish secured links, instead of a common pre-shared key.

But this would need more work, and I think implementing WPA2-PSK 
(WPA2-Personal) is a first step that would give an already pretty good 
security enhancement for IBSS networks. More work can be done later to 
add WPA2-Enterprise support.

The only security issue in WPA2-PSK in IBSS mode is that a STA can 
listen to traffic between two STAs if it knows the shared key and has 
caught the first two messages of the 4-Way handshake between the two 
STAs it wants to spy on. Otherwise, if a STA doesn't know the shared 
key, WPA2-PSK gives a reasonable confidentiality.

> Anyhow, if you start working on WPA-Enterprise in IBSS mode, I join my 
> hands with you guys.
> 

While writing this mail, I've done some searches to confirm several 
things, and found a thread I missed in the archives of this mailing 
list. Jouni has already done some work to integrate needed parts of 
hostapd into wpa_supplicant (but more work needs to be done). To make a 
compilation of this code, one needs to build "make test_wpa".
I tried to test code in current git repository, but I have several 
compilation problems. I will also take a look at this to try to make it 
compile successfully.

Here is Jouni's mail about this test code:
http://lists.shmoo.com/pipermail/hostap/2006-December/014818.html

Thanks,


Nicolas Pichon.
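
The WPA2-PSK caveat described in the message above, as an added example that is not part of the original mail or of the wpa_supplicant code: the pairwise key depends only on the shared passphrase plus values sent in the clear in messages 1 and 2, so every holder of the passphrase can compute it. The SSID, passphrase, MAC addresses and nonces are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_tk(pmk: bytes, mac_a: bytes, mac_b: bytes,
              anonce: bytes, snonce: bytes) -> bytes:
    """Derive the 384-bit CCMP PTK (KCK | KEK | TK) and return the 128-bit TK."""
    data = (min(mac_a, mac_b) + max(mac_a, mac_b) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[32:48]

# Constructed sample values (not taken from a real capture).
SSID, PASSPHRASE = "adhoc-demo", "constructed passphrase"
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()  # cleartext in message 1
SNONCE = hashlib.sha256(b"constructed SNonce").digest()  # cleartext in message 2

def pair_tk() -> bytes:
    """TK as computed by the two STAs that ran the handshake."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    return derive_tk(pmk, MAC_A, MAC_B, ANONCE, SNONCE)

def observer_tk(passphrase: str) -> bytes:
    """TK as computed by a third STA from the cleartext fields of messages 1 and 2."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    return derive_tk(pmk, MAC_A, MAC_B, ANONCE, SNONCE)

if __name__ == "__main__":
    print("IBSS member derives the same TK:", observer_tk(PASSPHRASE) == pair_tk())
    print("STA without the key does not:   ", observer_tk("wrong guess") != pair_tk())
```

With per-STA credentials, as in the WPA2-Enterprise idea above, the PMK is no longer common to every member, so this derivation is not available to a third STA.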


