Questions about mesh SAE authentication merge

Javier Cardona javier at cozybit.com
Fri Mar 18 18:17:45 EDT 2011


Jouni et al.,

We've extended wpa_supplicant to support mesh SAE authentication.  Our
fork is currently available here:
https://github.com/cozybit/hostap-sae

SAE is the new pre-shared secret authentication mechanism introduced
by the (soon-to-be-ratified) 802.11s amendment.  SAE was designed for
mesh because of its symmetry: there are no fixed
authenticator/supplicant roles and either party can initiate the
authentication.  That said, SAE is not limited to mesh and could also
be used for infrastructure or IBSS authentication.  Our changes so far
are limited to mesh authentication, but they should be easy to extend
if one wishes to do so.  An important benefit is that SAE is resistant
to offline dictionary attacks.  This is quite relevant now that
WPA2-PSK passwords can be cracked for $5 using Amazon EC2 services [1].

We really would like to contribute our changes back to hostap and with
that goal in mind would like to ask a few questions:

1. When to integrate.  In its current state, our forked wpa_supplicant
can discover and authenticate other mesh peers and create peers
(stations) in the kernel.  After that happens, peer link establishment
continues in the kernel.  There is still more work to be done, but the
authentication is usable and useful as it is.  One can now use
wpa_supplicant to ensure that peer links are only established with
authenticated peers.  And authentication takes place without leaking
password information over the air.
So the question is, would you be willing to integrate our patches at
this point, or would you rather wait until AMPE and encryption are also
implemented?

2. Feedback on implementation.  Regardless of when and whether we
integrate, we would really appreciate your feedback on our
implementation approach.  What would be the best way for you to review
our patches?  Submit them as RFCs to this list?

3. License.  The reference SAE implementation from Dan Harkins is
distributed under the original BSD license (see
https://github.com/cozybit/hostap-sae/blob/master/src/sae/sae.c).
Would you accept that code into your repository as-is (maybe with a
warning in the COPYING file stating that some files in the project
cannot be licensed as GPL)?  Or would you require that those files be
downloaded from his project at compile time if SAE is enabled?  Other
ideas?

Thanks!

Javier

[1] http://uk.reuters.com/article/2011/01/07/us-amazon-hacking-idUKTRE70641M20110107

-- 
Javier Cardona
cozybit Inc.
http://www.cozybit.com
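Added example, not code from the cozybit fork or from hostap: a toy Python walk-through of the SAE commit/confirm exchange over a tiny constructed MODP group, showing the symmetry the post describes (both peers run the same code, either can go first, and both end up with the same PMK). The group parameters, MAC addresses and passwords are constructed for illustration; real SAE uses large MODP or elliptic-curve groups.

```python
import hashlib, hmac, secrets

# Toy MODP group for illustration only (assumption: real SAE uses >=1024-bit
# MODP or elliptic-curve groups). p = 2q + 1 with p and q both prime.
P, Q = 2039, 1019

def password_element(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    # Hunting-and-pecking: both peers order the MAC addresses the same way, so
    # they derive the same PE from the shared password without sending it.
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(hi + lo, password + bytes([counter]), hashlib.sha256).digest()
        pe = pow(int.from_bytes(seed, "big") % P, (P - 1) // Q, P)
        if pe > 1:            # element of the order-q subgroup, not the identity
            return pe
    raise ValueError("no password element found")

def commit(pe: int):
    # Commit message: scalar = rand + mask, element = PE^-mask. Neither value
    # gives an eavesdropper a way to test password guesses offline.
    rand, mask = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return rand, (rand + mask) % Q, pow(pe, -mask, P)

def derive_keys(pe, rand, my_scalar, peer_scalar, peer_element):
    # k = (PE^peer_scalar * peer_element)^rand = PE^(rand * peer_rand) when
    # both sides derived the same PE, i.e. used the same password.
    k = pow(pow(pe, peer_scalar, P) * peer_element % P, rand, P)
    keyseed = hashlib.sha256(k.to_bytes(2, "big")).digest()
    ctx = ((my_scalar + peer_scalar) % Q).to_bytes(2, "big")
    out = hmac.new(keyseed, b"SAE KCK and PMK" + ctx, hashlib.sha256).digest()
    return out[:16], out[16:]          # KCK (for confirm), PMK (for the link)

def confirm(kck, sender_scalar, sender_element, recv_scalar, recv_element):
    msg = b"".join(v.to_bytes(2, "big") for v in
                   (sender_scalar, sender_element, recv_scalar, recv_element))
    return hmac.new(kck, msg, hashlib.sha256).digest()

def run_sae(password_a, password_b, mac_a=b"\x02\x00\x00\x00\x00\x0a",
            mac_b=b"\x02\x00\x00\x00\x00\x0b"):
    # Both mesh peers run identical steps; there is no authenticator/supplicant role.
    pe_a, pe_b = password_element(password_a, mac_a, mac_b), password_element(password_b, mac_b, mac_a)
    rand_a, sc_a, el_a = commit(pe_a)
    rand_b, sc_b, el_b = commit(pe_b)
    kck_a, pmk_a = derive_keys(pe_a, rand_a, sc_a, sc_b, el_b)
    kck_b, pmk_b = derive_keys(pe_b, rand_b, sc_b, sc_a, el_a)
    # Each side proves possession of the KCK; the peer verifies before creating a link.
    a_ok = hmac.compare_digest(confirm(kck_b, sc_b, el_b, sc_a, el_a), confirm(kck_a, sc_b, el_b, sc_a, el_a))
    b_ok = hmac.compare_digest(confirm(kck_a, sc_a, el_a, sc_b, el_b), confirm(kck_b, sc_a, el_a, sc_b, el_b))
    return a_ok and b_ok, pmk_a, pmk_b
```

With the toy 1019-element group a wrong password can collide with the right one about once in a thousand runs; with real group sizes that probability is negligible.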