Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011


A presentation I did for the HackFest 2011 in Quebec City about Secure Open Wireless Access, a technique for securing open Wi-Fi hotspots.


  1. Wi-Fi: Open or Secure. Making the best out of both... Presented by François Proulx at the HackFest 2011 (Wednesday, 9 November, 11)
  2. Who am I?
     • François Proulx
       • Jack of all trades, master of none
       • RFCs junkie
       • Specialized in mobile development (iOS)
       • Been into Wi-Fi (in)security for a while
       • Founding member of Île Sans Fil
       • Started the WiFiDog captive portal
       • Studied 802.11 specs in more depth while working on a Wi-Fi based location system - iFIND @ MIT
  3. The take-away message for this talk
     • We need to fix the insecurity of Wi-Fi hotspots
     • We already have all the building blocks we need
     • There’s a simple and elegant solution and it is entirely software based
     • It’s called “Secure Open Wireless Access”
     • We, as security pundits, need to advocate so that the industry makes the necessary changes
  4. But let’s rewind for a moment
     • A brief recap of the state of 802.11
       • 1999 - IEEE 802.11b (the one we know and love)
         • Open System Authentication
         • Shared Key Authentication (i.e. WEP)
       • 2001 - 2005
         • WEP proved utterly insecure (WEP cracking as a sport)
       • In the meantime...
         • Starbucks sells outrageously expensive lattés + Wi-Fi to poser kids surfing the Interwebs on their shiny MacBook Pro
  5. The state of 802.11 continued...
     • At home
       • We tell everybody to secure their home router by using WPA2 with an unguessable passphrase
     • In public Wi-Fi hotspots
       • It is still the far west (MITM, Firesheep, SSLStrip, etc.)
       • The majority of hotspots are Open Wi-Fi APs
     • We know the dangers, so we behave accordingly
       • Use SSL for all sensitive traffic
       • Or VPN out to a safer place
     • Meanwhile, the latté-sipping poser kids have lots of fun browsing the Interwebs ... at our expense ;-)
  6. What can we do about it?
     • We want robust and yet usable security
       • WPA2 + scan-click-and-connect usability
     • We have very strong building blocks available
       • 802.11i brought us 802.1X over wireless (EAPoW)
       • Most of us don’t use 802.1X at home
     • On the enterprise side, though...
       • EAP is a way for deploying secure and robust setups
       • Many EAP authentication methods exist (> 40)
         • LEAP, EAP-TLS, EAP-TTLS, EAP-SIM, EAP-AKA...
  7. How can we leverage EAP for the good of public Wi-Fi hotspots?
     • Enter “Secure Open Wireless Access” (SOWA)
     • A simple technique relying on WPA2 with EAP-TLS
     • Typically, EAP-TLS requires server and client side certs.
       • Efficiently distributing certificates to clients can be a pain in the b*tt
       • Good! That’s the part we throw aside for SOWA
     • Works just like the good old Web (HTTPS)
       • You type in an address (ex. https://www.paypal.com), establish an SSL connection (one-way auth.)
       • With SOWA you pick the SSID and do anon. EAP-TLS
  8. Brief recap of EAP-TLS (handshake diagram: http://commons.wikimedia.org/wiki/File:EAP-TLS_handshake.png)
  11. Wait! Is that compliant with the spec?
     • Actually, yes it is!
     • RFC5216 (latest version of EAP-TLS) defines the certificate_request message as optional
     • The auth. server (RADIUS) can skip that message (most implementations already behave correctly)
     • The idea was that APs could be used anonymously for emergency services
     • http://tools.ietf.org/html/rfc5216
     • http://tools.ietf.org/html/draft-ietf-ecrit-unauthenticated-access-03
  12. What do we need to deploy it?
     • Note the secure.expensivecafe.com string in both the SSID and the certificate common name (CN)
     • They need to match to provide authentication, protecting the user against rogue access points
  13. But... it’s not that easy
     1. Operating Systems patches
        • Network selection GUI (to allow connection without a client cert.)
        • Supplicant (so that it matches the SSID with the CN in the X.509 cert)
     2. RADIUS server patches (FreeRadius patches exist)
        • Allowing anonymous EAP-TLS
     3. APs should use the RSN caps field (802.11 beacon) to differentiate from other EAP-TLS SSIDs (NOT mandatory for SOWA to work, but helps usability)
  15. Food for thought...
     • What kind of iconography should we use to differentiate
       • “Open”
       • “Secure and Authenticated”
       • “Secure Open”
  17. Please, help us spread the word
     • Thanks to Chris Byrd and IBM X-Force for inventing the technique and presenting it at BlackHat 2011 (http://blogs.iss.net/archive/SownCode.html)
     • There’s still a long way to go before SOWA can be used by actual users, but play with it and spread the word
  18. Q&A + Demo
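
The SSID-to-CN match that slides 12 and 13 ask the supplicant to perform, sketched as an added example; it is not code from the talk or from any SOWA patch. The function names, the `chain_trusted` flag (standing in for normal X.509 chain validation done elsewhere) and the exact matching rules are assumptions, and the certificate dicts are constructed samples shaped like Python's `ssl.getpeercert()` output.

```python
# Added illustration, not code from the talk or from any SOWA patch.
# Accept an anonymous EAP-TLS network only if the server certificate
# chains to a trusted CA AND its CN equals the SSID.
import re

MAX_SSID_OCTETS = 32  # 802.11 limits an SSID to 32 octets
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def common_names(peercert):
    """Collect CN values from a dict shaped like ssl.getpeercert() output."""
    return [value
            for rdn in peercert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def sowa_accept(ssid, peercert, chain_trusted):
    """Return (accepted, reason) for one network; ssid is raw bytes."""
    if not chain_trusted:
        # Without a valid chain anyone can mint a cert with a matching CN.
        return False, "certificate chain not trusted"
    if len(ssid) > MAX_SSID_OCTETS:
        return False, "SSID longer than 32 octets"
    try:
        name = ssid.decode("ascii").lower()
    except UnicodeDecodeError:
        return False, "SSID is not an ASCII hostname"
    if not HOSTNAME_RE.match(name):
        return False, "SSID is not a fully qualified hostname"
    cns = common_names(peercert)
    if len(cns) != 1:
        return False, "expected exactly one CN"
    # Assumption: exact, case-insensitive comparison, so a wildcard CN
    # never matches a concrete SSID.
    if cns[0].lower() != name:
        return False, "CN does not match SSID"
    return True, "SSID matches certificate CN"


# Constructed sample data using the hostname from slide 12.
GOOD_CERT = {"subject": ((("commonName", "secure.expensivecafe.com"),),)}
ROGUE_CERT = {"subject": ((("commonName", "secure.evil.example"),),)}
```

An access point that copies the SSID but presents a certificate for another name fails the CN comparison, and a self-signed certificate carrying the right CN fails at the chain check.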
