[PATCH] rsn_supp: Don't encrypt EAPOL-Key 4/4.

Andreas Hartmann andihartmann at 01019freenet.de
Sun Sep 2 02:59:27 EDT 2012


Jouni Malinen wrote:
> On Sat, Sep 01, 2012 at 03:18:08PM +0200, Andreas Hartmann wrote:
>> Jouni Malinen wrote:
>>> https://mentor.ieee.org/802.11/dcn/10/11-10-0313-01-000m-rekeying-protocol-fix.ppt
> 
>> May I kindly ask if these protocol changes have already been implemented
>> in wpa_supplicant / hostapd? The actual situation is really annoying :-(.
> 
> Not yet. Though, even if they were, you would also need to get a
> wireless LAN driver/firmware that supports non-zero Key ID for pairwise
> keys, so this would require some more work.

Would the firmware change be necessary, too, if nl80211 is used w/o
hardware but software encryption (for both AP and supplicant)?

> For most use cases, CCMP is strong enough to be used for quite some time
> without any rekeying, so the easiest workaround for rekeying related
> issues is to increase the rekey interval.

The recommended value for the EAP reauth period is 3600 seconds.

You wrote about increasing the period and "quite some time".

What would be the risk of the increase? Or better: which kinds of
(known) attacks are complicated by forcing a regular reauth? Why are
3600 seconds recommended and not, e.g., 1800? What would be a higher but
still risk-free period of time when using EAP-TLS and CCMP (using
FreeRADIUS)?
If it was your own network, which higher value would you use?

I would be glad to get some basic points to be able to estimate the
potential risk. A link would be fine, too.


Thanks,
kind regards,
Andreas

