
RE: Mac80211 : Wpa rekeying issue


 



> >
> > Hi,
> >
> > I'm not a WPA expert and security expert,
> >
> > Could you explain why the patch sent by Alexander Wetzel breaks the
> > security properties of this code?
> >
> > Alexander's patch is attached.
> >
> > Thanks for your help.
> 
> It simply disables the replay attack detection :) You could receive the
> same (encrypted) packet twice and not throw away the second one.
> The author of the patch never said that this patch is a "fix", it is rather
> a debug step to understand what happens.
> 
> PTK rekeying is a problem from the spec point of view. In Intel, we did
> inquiries and in the end we understood that what we should really do
> whenever we get to a situation where we need to rekey the PTK is to
> disconnect and reconnect. Only weird configurations allow changing the PTK
> more frequently than after X packets (don't remember what X is, but something
> like 2^32, which is big enough to hold the connection for days...).
> 
> IIRC, Intel devices don't have problems in Tx while we rekey because we
> give the key material along with the packet itself, so that we can't get to
> a situation where we have old PN and new key. The Atheros devices separate
> the key material and the Tx packet (which is a perfectly valid design
> decision), but this introduces the possibility to use the old PN with a new
> key meaning that the recipient could decrypt the packet after the new key
> has been installed, but it would also update the PN to be high and discard
> all the next packets that will come with a new (low) PN.
> So essentially, this is a bug in the TX'ing side. Fixing it requires a
> performance hit, which is not something people are willing to accept, when the
> bug is really in the spec.
> That's what I remember, but I may be wrong.
> 
Thanks for your answer.
Do you know if we can have the same issue with ATH10K chipset?
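
The failure mode described in the quoted reply, as an added C example that is not part of this thread or of the mac80211 code: a simplified receiver model showing how one frame carrying an old PN under the new key makes the following low-PN frames look like replays, and what turning the check off allows. Key generations are plain integers and all names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model: "key" is a PTK generation number, not key material. */
struct frame { int key; uint64_t pn; };
struct rx_state { int key; uint64_t last_pn; int replay_check; };
enum rx_result { RX_OK, RX_DROP_DECRYPT, RX_DROP_REPLAY };

/* CCMP-style receive: decrypt with the current key, then require a
 * strictly increasing PN. replay_check = 0 models the debug patch. */
static enum rx_result rx_frame(struct rx_state *rx, struct frame f)
{
    if (f.key != rx->key)
        return RX_DROP_DECRYPT;              /* wrong key: MIC fails */
    if (rx->replay_check && f.pn <= rx->last_pn)
        return RX_DROP_REPLAY;
    if (f.pn > rx->last_pn)
        rx->last_pn = f.pn;
    return RX_OK;
}

/* The receiver has just installed key 2, so its replay counter is 0. One
 * frame then arrives with a PN from the old counter but encrypted with the
 * new key. Returns how many of the next n frames are dropped as replays. */
static int frames_lost_after_race(uint64_t old_pn, int n)
{
    struct rx_state rx = { .key = 2, .last_pn = 0, .replay_check = 1 };
    int lost = 0;
    if (rx_frame(&rx, (struct frame){ 2, old_pn }) != RX_OK)
        return -1;                           /* stale frame was not accepted */
    for (int i = 1; i <= n; i++)             /* new counter starts low */
        if (rx_frame(&rx, (struct frame){ 2, (uint64_t)i }) == RX_DROP_REPLAY)
            lost++;
    return lost;
}

/* Returns 1 if the same frame is accepted twice. */
static int duplicate_accepted(int replay_check)
{
    struct rx_state rx = { .key = 1, .last_pn = 0, .replay_check = replay_check };
    struct frame f = { 1, 5 };
    return rx_frame(&rx, f) == RX_OK && rx_frame(&rx, f) == RX_OK;
}

int main(void)
{
    printf("lost: %d\n", frames_lost_after_race(100000, 100));
    printf("dup: on=%d off=%d\n", duplicate_accepted(1), duplicate_accepted(0));
    return 0;
}
```

With the check enabled the receiver stays blocked until the new counter passes the stale PN; with it disabled the stall disappears, but a duplicated frame is accepted.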




