From: [EMAIL PROTECTED] 
> > I understand. You're not saying anything regarding intercepting an existing
> > session and accessing the data; it's akin to getting an Ethernet cable on a
> > LAN (since you have the PSK for authentication) and negotiating a new
> > communication session (key, etc.) with the AP.
> 
> So at that point, you're effectively on the LAN, so have access to
> the traffic that runs across it anyway.  However, if the sessions are
> individually keyed for each user, with a time-dependent rotating key,
> the person spoofing the MAC won't have the corresponding key, so
> won't be able to decode the traffic properly?

No. In the scenario Stuart was describing, there's no decryption to occur.
The originally encrypted traffic is still safe, but when you pop in and say
"hi, I'm such-and-such IP, honest", the WAP happily negotiates a new session
key with you and encrypts traffic to you (that everyone thinks is going to
the real such-and-such IP.) So confidentiality is still sort of in place,
but not truly authenticated. In other words, by virtue of the attacker
knowing the PSK, he's just as authenticated to the WLAN as the real client
is. It's really just a LAN ARP-spoofing attack with the same problems; the
only good way to do what you would need for the security you're thinking of
is end to end encryption, not link encryption. SSL/TLS/etc. for the
protocols in use over the WLAN, not cleartext stuff.
 
> Yes, it requires a RADIUS client to connect.  I have read a little  
> more about RADIUS (specifically FreeRADIUS) and I like the features  
> it has to offer, especially the accounting parts.  It's a shame it's  
> not suitable, it takes care of a lot of the problems I have yet to  
> work out.

Unfortunately, even WPA-enterprise doesn't cover this kind of issue. The
same "problems" are prevalent (LAN technology can't ensure this kind of
security.)

DS
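
The point in the reply above about every PSK holder being equally authenticated can be seen in the WPA/WPA2-PSK key derivation itself. The following is an added example, not part of the original message: the SSID, passphrase, addresses, nonces and frame body are constructed, and the MIC check is simplified to an HMAC over a placeholder frame.

```python
import hashlib
import hmac

# All values below are constructed for illustration.
SSID, AP_PASSPHRASE = "ExampleNet", "constructed-passphrase"
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("0200000000aa")
ANONCE = hashlib.sha256(b"constructed anonce").digest()

def pmk(passphrase, ssid):
    # The PMK depends only on the shared passphrase and the SSID,
    # so it is identical for every client on the network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, length):
    # IEEE 802.11i PRF: HMAC-SHA1 iterated with a one-byte counter.
    out = b""
    for counter in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
    return out[:length]

def ptk(pmk_, ap_mac, sta_mac, anonce, snonce):
    # Per-session key: the PMK mixed with addresses and nonces that are
    # exchanged during the handshake. Nothing here identifies a person or device.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk_, b"Pairwise key expansion", data, 48)

def ap_accepts(station_passphrase, claimed_mac, snonce):
    """Simplified model of the AP verifying the MIC on handshake message 2."""
    frame = b"constructed EAPOL-Key message 2 body"
    # Station: the key confirmation key (first 16 bytes of the PTK) signs the frame.
    sta_kck = ptk(pmk(station_passphrase, SSID), AP_MAC, claimed_mac, ANONCE, snonce)[:16]
    mic = hmac.new(sta_kck, frame, hashlib.sha1).digest()[:16]
    # AP: recomputes from its own passphrase and the address the station presented.
    ap_kck = ptk(pmk(AP_PASSPHRASE, SSID), AP_MAC, claimed_mac, ANONCE, snonce)[:16]
    expected = hmac.new(ap_kck, frame, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(mic, expected)

if __name__ == "__main__":
    for who, pw in [("device 1", AP_PASSPHRASE), ("device 2", AP_PASSPHRASE),
                    ("no PSK", "wrong-passphrase")]:
        snonce = hashlib.sha256(who.encode()).digest()
        print(who, "accepted:", ap_accepts(pw, CLIENT_MAC, snonce))
```

Both devices that know the passphrase are accepted under the same address and receive distinct session keys; the handshake proves knowledge of the PSK and nothing more, which is why the reply points to TLS or another end-to-end protocol for authenticating the peer.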
