Re: Role specification unnecessary in dpp_auth_init?

On Thu, Mar 14, 2019 at 03:30:58PM -0600, Steve Johnson wrote:
> In the "conf=" argument to dpp_auth_init, both role and key management are specified, e.g. "conf=sta-dpp" or "conf=ap-dpp".
> 
> The parsing and population of the dpp_configuration structure is identical for "conf=sta-" and "conf=ap-", the only difference is that only one of two dpp_configuration structures is populated: conf_sta or conf_ap.
> 
> When a configuration request is received from the enrollee, the requested role is examined and the configuration selected for constructing the response is either conf_sta or conf_ap. One of those two will be null. If the requested role matches the role specified in dpp_auth_init, the operation succeeds, otherwise it fails with "No configuration available for Enrollee".

Yes, this is done by design.

> It seems that dpp_auth_init should only need "conf=dpp", "conf=psk", etc, and a single configuration should be created to support both ap and sta (enrollee) roles.
> 
> As it is, the configurator must know in advance the role of the enrollee at the time it receives its bootstrap information. It seems more intuitive to just have the configurator determine this from the role specified in the configuration request. 

It would be possible to implement this in that manner and it may seem
more intuitive, but that would be a significant security vulnerability
for many DPP use cases. Station devices must not be allowed to get
credentials that would allow them to act as the APs in the network. For
example, security of DPP AKM network in a hotspot type of environment
would be compromised if that were allowed since any guest could pretend
to be a valid AP.

For a use case where all devices are trusted, it may make more sense to
allow automatic selection based on what the Enrollee requests and I
don't think I would be against such option being added (i.e., allow
conf=dpp in addition to conf=ap-dpp and conf=sta-dpp), but that needs to
come with clear documentation pointing out the security concerns for
many use cases. That said, I'm not sure I'd really want to enable
provisioning of AP credentials without explicit user selection even if I
were to more or less trust the device (say, when adding an IoT device to
a home network).

-- 
Jouni Malinen                                            PGP id EFC895FA
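The role gating discussed above, modelled in C as an added example. This is not hostapd's code: the struct and function names, the two-entry AKM set, and the parsing of the "sta-"/"ap-" prefix are assumptions that only mirror what the quoted messages describe (one of conf_sta/conf_ap stays NULL, and a role-less "conf=dpp" is rejected, as the current behaviour in the thread implies). The point the example makes visible is that the Configurator decides the role when it is given the bootstrap information, so an Enrollee cannot escalate from station to AP credentials merely by asking for the other role in its configuration request.

```c
/* Added example, not hostapd's implementation: a minimal model of a DPP
 * Configurator that binds the Enrollee role at conf= parsing time. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical AKM selector; the names mirror the conf= suffixes in the thread. */
enum akm { AKM_NONE = 0, AKM_DPP, AKM_PSK };

/* Minimal stand-in for a configuration object. */
struct cfg {
    enum akm akm;
};

/* Stand-in for Configurator state: exactly one of conf_sta/conf_ap is
 * populated, because conf= always carries a role prefix in this model. */
struct configurator {
    struct cfg *conf_sta;
    struct cfg *conf_ap;
};

static enum akm parse_akm(const char *s)
{
    if (strcmp(s, "dpp") == 0) return AKM_DPP;
    if (strcmp(s, "psk") == 0) return AKM_PSK;
    return AKM_NONE;
}

/* Parse "sta-dpp", "ap-dpp", "sta-psk", ... into the configurator.
 * Returns 0 on success, -1 for an unrecognised string, including a
 * role-less value such as "dpp" (assumed behaviour, per the thread). */
int configurator_parse_conf(struct configurator *c, const char *conf)
{
    const char *akm_str;
    struct cfg **slot;
    enum akm akm;

    if (strncmp(conf, "sta-", 4) == 0) {
        slot = &c->conf_sta;
        akm_str = conf + 4;
    } else if (strncmp(conf, "ap-", 3) == 0) {
        slot = &c->conf_ap;
        akm_str = conf + 3;
    } else {
        return -1;
    }

    akm = parse_akm(akm_str);
    if (akm == AKM_NONE)
        return -1;

    *slot = calloc(1, sizeof(**slot));
    if (!*slot)
        return -1;
    (*slot)->akm = akm;
    return 0;
}

/* Select the configuration for an Enrollee requesting "sta" or "ap".
 * NULL corresponds to "No configuration available for Enrollee": the
 * request is honoured only if it matches the role chosen at conf= time. */
const struct cfg *configurator_select(const struct configurator *c,
                                      const char *requested_role)
{
    if (strcmp(requested_role, "sta") == 0) return c->conf_sta;
    if (strcmp(requested_role, "ap") == 0) return c->conf_ap;
    return NULL;
}

void configurator_free(struct configurator *c)
{
    free(c->conf_sta);
    free(c->conf_ap);
    c->conf_sta = c->conf_ap = NULL;
}

int main(void)
{
    struct configurator c = {0};
    const char *ok = "configured";
    const char *fail = "No configuration available for Enrollee";

    /* Configurator bootstrapped for a station; an "ap" request is refused. */
    if (configurator_parse_conf(&c, "sta-dpp") != 0)
        return 1;
    printf("sta request: %s\n", configurator_select(&c, "sta") ? ok : fail);
    printf("ap request:  %s\n", configurator_select(&c, "ap") ? ok : fail);
    configurator_free(&c);
    return 0;
}
```

Run as-is, the program shows the station request succeeding and the AP request being refused. Because the role is fixed before any configuration request is seen, an Enrollee's own claim about its role has no influence on which credentials it can receive, which is the property the reply above relies on for untrusted (hotspot-style) deployments.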

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap