On Sun, 2020-03-01 at 17:23 +0200, Jouni Malinen wrote:
> On Sun, Mar 01, 2020 at 09:16:40AM +0000, Peer, Ilan wrote:
> > I cannot really guarantee that such a thing would be adequately implemented
> > by stations. As the anti-clogging token indexing is based on the station
> > address I can extend comeback_token_hash() to concatenate the authentication
> > algorithm ID with the address, to allow concurrent support for SAE and PASN.
> > What do you think?
>
> The more I try to understand how comeback cookie mechanism in
> P802.11az/D2.0 is supposed to work, the more I start to think that it
> should really be designed differently.. This is similar to the SAE
> anti-clogging token design and that design is known to not really
> provide much protection since it does not require any significant
> calculation need on the attacker side.

Yep. That's the main reason why I wanted to share the implementation.

> With that in mind, I'm not sure I
> have a good answer on how the current design should be implemented since
> I hope the current design changes before the implementation was this
> would be added.. Anyway, if we do need to move ahead with the current
> design, it would likely be a good idea to make the tokens distinct from
> the ones used in SAE.
>

I'll take this path unless the specification changes to address your concerns.

Regards,

Ilan.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
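
The change discussed in this thread, binding the authentication algorithm ID into the token computation so that SAE and PASN tokens are distinct, sketched as an added example (not hostapd code and not written by either participant). Only the name comeback_token_hash() comes from the thread; the HMAC-SHA256 construction, the 256-slot index, the counter field, the algorithm numbers and the key and address values are assumptions made here.

```python
import hashlib
import hmac
import struct

# Assumed values for this sketch; the thread does not give them.
AUTH_ALG_SAE, AUTH_ALG_PASN = 3, 7
KEY = bytes(range(32))                 # constructed key; a real AP uses a random secret
STA = bytes.fromhex("020000000001")    # constructed station address


def _input(addr, auth_alg, bind_alg):
    # bind_alg=False models indexing on the station address alone;
    # bind_alg=True prepends the algorithm ID, as proposed in the thread.
    return (struct.pack("<H", auth_alg) if bind_alg else b"") + addr


def comeback_token_hash(key, addr, auth_alg, bind_alg=True):
    """Slot index (0..255) for this station in an assumed 256-entry table."""
    return hmac.new(key, _input(addr, auth_alg, bind_alg), hashlib.sha256).digest()[0]


def make_token(key, addr, auth_alg, counter, bind_alg=True):
    """Token = counter || HMAC-SHA256(key, [alg ID ||] address || counter)."""
    ctr = struct.pack("<H", counter)
    mac = hmac.new(key, _input(addr, auth_alg, bind_alg) + ctr, hashlib.sha256).digest()
    return ctr + mac


def check_token(key, addr, auth_alg, token, bind_alg=True):
    """Recompute the token for the claimed address and algorithm; constant-time compare."""
    if len(token) != 2 + hashlib.sha256().digest_size:
        return False
    counter = struct.unpack("<H", token[:2])[0]
    return hmac.compare_digest(token, make_token(key, addr, auth_alg, counter, bind_alg))


if __name__ == "__main__":
    for bind in (False, True):
        tok = make_token(KEY, STA, AUTH_ALG_SAE, 1, bind)
        print("alg ID bound:", bind,
              "| SAE token accepted for PASN:",
              check_token(KEY, STA, AUTH_ALG_PASN, tok, bind),
              "| slots:", comeback_token_hash(KEY, STA, AUTH_ALG_SAE, bind),
              comeback_token_hash(KEY, STA, AUTH_ALG_PASN, bind))
```

Binding the algorithm ID only separates the two token spaces; it does not change the property noted in the thread that the design requires no significant calculation from the sender.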