Today Slashdot cites a blog-post by Chester Wisniewski from Sophos Security Research about a proposal by Chester on how to make public, unencrypted WiFi-Hotspots more secure. With the release of Firesheep, it has become the task of clicking a button to steal authentication-cookies from unencrypted, captured network-traffic. Public, unencrypted WiFi-Hotspots are by definition the most vulnerable playground for that.
Chester proposes to use WPA/WPA2-PSK with a universal, non-secret password; for example “free”. He points out that an encrypted WiFi-network everyone knows the password for is better than a completely unencrypted network:
What is the value of a password if it is a “well-known secret?” WPA2 negotiates unique encryption keys with every computer that connects to it. This means you and I cannot spy on one another’s traffic even when sharing access on the same access point.
This is a golden opportunity for a high-profile provider of free WiFi to step up and show us how easy it is.
Join my movement to provide a safer internet for everyone by making sure you provide secure wireless access.
The argument is well-intended which however does not protect it from being completely false and misguiding due to a lack of understanding how WPA/WPA2-PSK works. The proposal boils down to security theatre where means are provided to make people feel safer while in fact they are not.
Chester argues that even if the password used for WPA/WPA2-PSK is known to all parties, WPA would “negotiate unique encryption key“, so one “cannot spy one another’s traffic“; this is only half-true. As I pointed out in The Twilight Of Wi-Fi Protected Access, the PSK-mode (“pre shared key”) of WPA/WPA2 is seriously flawed as it trades the one most important thing about secure communication – authenticity - to gain simplicity. In case of WPA/WPA2-PSK, authenticity is only provided through a single password that everbody uses. We can therefor only tell apart those that know the password from those that do not know the password. The identity of any party within such a network can’t be proven any further than that as everbody uses the same key to do so: The Pairwise Master Key, which derived from the password
As the Pairwise Master Key is not authentic to exactly one party, all session keys derived from it also can’t be. Therefor all traffic protected by the session keys can’t be authentic. However, there is no point in encryption in we do not know who we are encrypting to. In a WiFi-network protected by WPA/WPA2-PSK, every user who knows the password can pretend to be anyone (including the Access-Point) and inject, modify or drop any traffic owned by anyone else. The only promise that WPA/WPA2-PSK can make is to protect users within the network from those outside. The line of defense is drawn by knowledge of the password; beyond that, there is no security between users.
The proposal made by Chester is based on a false understanding about how WPA/WPA2-PSK works and what promises it can make. The intention to make the users of public WiFi-hotspots more secure creates the feeling of being more secure (“We do that for security. Therefor it makes us more secure.“). In that sense, Chester’s proposal is not only misled but dangerous.
One may argue that “some” security is better than no security. This however is as true as the hedge on the lawn in front of the bank adds to your money’s security and the people telling you “Of course your money is secure in our bank! Didn’t you see the hedge on the lawn outside?“
To underline my point, here are two ways on how to spy on any user within such a network:
- Eve wants to spy on the network which Alice is connected to. The network is protected by WPA/WPA2-PSK and Alice already has a unique session key to encrypt and authenticate her traffic. Eve is locked out.
- Eve knows that the network is named “Starbucks” and that the password is “FreeStarbucksWifi”. She can therefor compute the Pairwise Master Key just as anyone else can.
- Eve sends a control message to Alice’s laptop that seems to come from Starbucks’ Access-Point. The control message tells the story that Alice’s session key has timed out and needs to be re-negotiated. Eve also sends such a message to the Access-Point, allegedly coming from Alice’s laptop. As such control messages are (by design) not authenticated, one or even both parties will most certainly believe in it and start re-negotiating a new session key. (This step is optional if Eve just waits long enough)
- The Access-Point sends a unique number to Alice which is used during key-negotiation. As the message is unencrypted, Eve can read that number too.
- Alice’s creates her own unique number, takes the Pairwise Master Key, both unique numbers (and other elements) and computes a new, unique key. Alice sends her unique number to the Access-Point and signs the message with the new key. As the message is only signed but not encrypted, Eve can also read the number picked by Alice.
- The Access-Point derives a key just as Alice did and checks if Alice picked the correct key to sign her message. If so, Alice must have had the correct Pairwise Master Key and is therefor authentic (a member of the club who know the password). The Access-Point sends a signed confirmation-message to Alice. Alice checks the sign and now knows that the Access-Point uses the correct Pairwise Master Key and therefor is also authentic.
- Alice and the Access-Point now resume network-traffic as normal.
- As Eve knows both unique numbers and the Pairwise Master Key, she can now compute the session key just as Alice and the Access-Point did and can use it to decrypt Alice’s traffic.
- Eve starts looking out for Alice’s cookies. Alice doesnt notice that her traffic is being decrypted although the network has a password…
Man in the middle:
- Mallory sends Alice the control-message to start a new key-negotiation. She also floods Alice with packets that resemble the first phase of the key-negotiation (the unique number that should come from the Access-Point).
- Alice has started the key-negotiation and expects the Access-Point to send a new unique number. She receives such a message from Mallory before the real Access-Point can respond.
- Alice picks Mallory’s number and uses the Pairwise Master Key to derive a new session key. Alice sends her unique number to the Access-Point. Mallory can also see that message.
- The Access-Point takes Alice’s number, his own unique number and the Pairwise Master Key and checks if Alice correctly signed her message. As Alice used Mallory’s number, her session key differs from the one now computed by the Access-Point. As the sign is therefor incorrect, the Access-Point drops the connection to the unauthentic party.
- Mallory receives Alice’s message and completes the key-negotiation. As she knows the Pairwise Master Key, she can successfully sign her messages. From Alice’s point of view, all messages coming from Mallory are authentic.
- Mallory has now taken over the connection from the real Access-Point. She uses her legimate key to decrypt Alice’s traffic and passes it on to the real Access-Point. She starts looking out for Alice’s cookies while Alice doesnt notice that here traffic is being decrypted although the network has a password…
In the end, I again quote from Chester’s proposal:
Join my movement to provide a safer internet for everyone by making sure you provide secure wireless access. If you care enough to provide networking to your friends, neighbors, or customers, help them enjoy it securely.
Join the movement. Do not provide WiFi protected by WPA/WPA2-PSK to your friends, neighbors, or customers. They can’t be trusted, they can’t trust you and they can’t trust each other. For all men are evil and will always act according to the wickedness of their spirits whenever the chance…