Re: Security. WPA?/-TKIP /-CCMP



On 6 Dec, 18:45, Jeff Liebermann <je...@xxxxxxxxxx> wrote:
> On Sat, 6 Dec 2008 05:42:55 -0800 (PST), Chrisjoy
> <ultralibertaria...@xxxxxxxxx> wrote:
> > Logging on to Windows needs users to know this:
> >
> > 1) Knowing the name of your own account.
> > 2) Knowing the spelling of your own account password, and where the
> > keys are on the keyboard.

> A fingerprint reader can be used in place of the login and password.
> I've had rather bad luck at getting users to consistently use the
> reader, but it does work.  The ones where you swipe the finger over a
> narrow reader window seem to be a problem.  The ones where you just
> press your finger onto a larger window work much better (but cost
> more).

Even if all laptops were equipped with a fingerprint reader this would
not solve my problem. You see, I don't need to identify guests on my
WLAN, and more importantly, I cannot ask my guests to put their
fingerprints into my system. You see, this is a serious company and
all the customers are also serious people.

When I used the word "fingerprint" I was referring to a hash made from
an asymmetric key system using the secret key, so that the public can
use the public key to check if the AP is the one they want to join.
Then I can put up on the notice board the fingerprint of our
hotspots. This is to protect against a same-SSID attack.

> The most common is where the user has an X.509 certificate
> either saved on their machine or saved on a USB dongle (as used by my
> HIPAA clients).  With the certificate, they only get a password
> prompt, which could be eliminated except that it slows down the
> problem of stolen certificates.

We can agree to the fact that there are many ways to do this, but if the
information needs to be on the client prior to connection, you're only
confirming my point that RADIUS is totally impractical. I don't need
to identify clients, remember? I only want to make sure packets cannot
be sniffed. Your USB idea is even worse than the picture I painted for
you. Not only would I need to put up info about server info, account
and password on a notice board, I also would need to communicate a
file to a flash drive, which means we need an employee who does nothing but
hand out USB memory flash drives.

> At the other extreme, a coffee shop environment displays a splash
> screen with the terms of use, warnings about DMCA, and a box to sign
> in.  Control is then passed to the RADIUS server which issues whatever
> permissions are authorized for that login.  For inside users, a
> password is usually required to continue.  For guests, no password.

I'm not sure what you're writing here. It can be interpreted as if
there exists a RADIUS server that is able to serve my needs, namely to
make my guests able to connect to the hotspots without doing
anything but hit the "Go Online" button on their laptop, choose an
SSID from a popup window, and then get connected, and still be
protected against sniffing, or wasn't this what you meant by "for
guests, no password"?

> There's a wide variety of combinations of how the login will be
> presented, but NONE of them involve any knowledge of IP addresses,
> port numbers, or server settings.

Ok then, assume you're right. What is the least information a
client needs to connect to a hotspot running RADIUS besides the SSID, when
the only need is to protect against sniffers, and where there is NO
NEED whatsoever to identify users, no need for an account system, where
everybody is welcome, but where I want every single client to use a
different key for every session?

> Note:  Most large systems have single-signon features, which simplify
> things even more, but usually require an X.509 certificate, smart
> card, or other means of authentication (because it's too easy):
> <http://en.wikipedia.org/wiki/Single_sign-on>

In other words, useless piece of ***.

> Incidentally, T-Mobile and iPass (coffee shop wireless providers) both
> use central RADIUS servers to manage their client accounts and control
> access.  Methinks if the average coffee shop denizen can handle it, so
> can the GUM (great unwashed masses).

I don't need accounts. I don't want accounts. I only want a different
key for each session, and this is ONLY motivated by protecting guests,
that is our customers, from being sniffed at. Are you unable to
answer me on my terms?

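Added example, not part of the thread above and not code from either poster: a minimal version of the "fingerprint on the notice board" idea Chrisjoy describes, written so the client-side check can be run end to end. The hotspot holds an asymmetric key pair, the operator posts a hash of the public key, and a joining client accepts an AP only if (a) the public key it presents hashes to the posted value and (b) the AP proves possession of the matching secret key by signing a client-chosen nonce together with the SSID. The choice of Ed25519 for the key pair, SHA-256 over the raw public key for the fingerprint, and the exact signed message layout are assumptions made for this example; the thread does not specify them. The example covers only AP identity (the same-SSID problem), not the per-session traffic keys the poster also asks for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors a client can report when an AP's identity check fails.
var (
	ErrFingerprintMismatch = errors.New("public key does not match the posted fingerprint")
	ErrBadSignature        = errors.New("signature does not verify under the presented public key")
)

// Fingerprint is the value the operator would print on the notice board:
// hex(SHA-256(public key)). Assumed scheme for this example.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Beacon is what a hotspot presents to a joining client (constructed
// message format, not an 802.11 frame): its public key and a signature
// binding the advertised SSID to the client's nonce.
type Beacon struct {
	SSID      string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// challengeMessage is the byte string the AP must sign. Including the SSID
// stops a signature obtained for one network name being replayed for another.
func challengeMessage(ssid string, nonce []byte) []byte {
	return append([]byte("ap-identity:"+ssid+":"), nonce...)
}

// SignBeacon is the genuine AP's side: prove possession of the secret key.
func SignBeacon(priv ed25519.PrivateKey, ssid string, nonce []byte) Beacon {
	pub := priv.Public().(ed25519.PublicKey)
	return Beacon{SSID: ssid, PublicKey: pub, Signature: ed25519.Sign(priv, challengeMessage(ssid, nonce))}
}

// VerifyBeacon is the client's side: compare the presented key against the
// posted fingerprint, then check the signature over the nonce it chose.
func VerifyBeacon(b Beacon, postedFingerprint string, nonce []byte) error {
	if Fingerprint(b.PublicKey) != postedFingerprint {
		return ErrFingerprintMismatch
	}
	if !ed25519.Verify(b.PublicKey, challengeMessage(b.SSID, nonce), b.Signature) {
		return ErrBadSignature
	}
	return nil
}

// RunScenario plays out three join attempts against one posted fingerprint:
// the genuine AP, a same-SSID AP with its own key, and a same-SSID AP that
// copies the genuine public key but cannot produce a valid signature.
// It returns the client's verdict for each, in that order.
func RunScenario() (genuine, ownKeyTwin, copiedKeyTwin error) {
	const ssid = "CompanyGuest" // constructed sample SSID

	genuinePub, genuinePriv, _ := ed25519.GenerateKey(rand.Reader)
	posted := Fingerprint(genuinePub) // what goes on the notice board

	_, twinPriv, _ := ed25519.GenerateKey(rand.Reader)

	nonce := make([]byte, 16)
	_, _ = rand.Read(nonce) // the client picks a fresh nonce per join attempt

	genuine = VerifyBeacon(SignBeacon(genuinePriv, ssid, nonce), posted, nonce)

	ownKeyTwin = VerifyBeacon(SignBeacon(twinPriv, ssid, nonce), posted, nonce)

	// The copying twin presents the genuine public key (it is public, after
	// all) but can only sign with its own secret key.
	forged := SignBeacon(twinPriv, ssid, nonce)
	forged.PublicKey = genuinePub
	copiedKeyTwin = VerifyBeacon(forged, posted, nonce)
	return
}

func main() {
	genuine, own, copied := RunScenario()
	fmt.Println("genuine AP:                ", genuine)
	fmt.Println("same-SSID AP, own key:     ", own)
	fmt.Println("same-SSID AP, copied key:  ", copied)
}
```

The order of the two checks matters in practice: the fingerprint comparison is cheap and rejects most rogue APs before any signature work, while the signature is what stops an attacker who simply republishes the real public key. Note that this only tells the client which AP it is talking to; protecting the traffic afterwards still needs a key exchange, which is the part of the thread this example does not address.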