Saturday, August 04, 2007

Secure Wireless

This looks pretty good - especially if you manage a wireless access point that you give users anonymous access to.

A secure Wireless LAN hotspot for anonymous users

As ubiquitous and convenient as Wireless LAN Hotspots are, it is probably the single most dangerous technology to the mobile computer user. The two biggest issues with Hotspots are that you have no idea if you’re connecting to a legitimate Access Point or if you’re connecting to a hacker’s fake Access Point, and everything you send and receive is transmitted in clear text with no encryption. Hotspots face the classic convenience and usability versus security tradeoff, and 999 out of 1000 times the Hotspot will choose convenience and usability. I have seen hotspots that use WPA-PSK (Wi-Fi Protected mode using Pre-Shared Key) to offer some level of privacy, but that’s only private against people who don’t have access to the PSK.

But there is actually a better and easier way to set up a secure Wireless LAN hotspot for an anonymous user using a single generic and common username and password that anyone can remember. An interesting property of PKI is that it allows us to do a secure key exchange without any usernames or passwords so long as one side has a trusted digital certificate. This concept is used millions of times a day by ordinary users anytime someone goes to an SSL-secured webpage and the secure authentication channel is set up before the user enters a username and password. The same general concept could be applied to the Wireless LAN world with a slight twist in the implementation.

An interesting feature of Wireless LAN security using 802.1x and PEAP mode is that it is possible to log in with the same anonymous guest account with a publicly known password for any number of people and still provide each user with a secure point-to-point link-layer encryption.

To implement this solution, we can do this with any typical Wireless LAN Access Point and a RADIUS server (how to set one up). So long as the connection between the Access Point and RADIUS server is secure or there is a sufficiently complex RADIUS secret, each wireless client has complete privacy. In this case, since it’s such a simple implementation, the RADIUS server could be embedded into the Access Point itself, which means you don’t even have to worry about the RADIUS secret strength. The RADIUS server does however need a publicly trusted Digital Certificate (how-to guide here) which you can purchase for $20 at places like and there’s literally zero difference between that and the $200 Certificates from other Certificate Authorities.

A RADIUS server is typically connected to a backend user directory such as Microsoft Active Directory, Novell, or LDAP but this particular application doesn’t require that since we only need a single user account. We can set up a local user in the RADIUS server named “guest” with the password also set to “guest” which is extremely generic and easy to remember. That means when the user connects to this secured Hotspot, they will have to do an initial 802.1x/PEAP setup where they enter in the username and password. Since the credentials are so easy to remember, it’s possible to do a quick-and-dirty setup guide for Windows and Mac with no complicated keys to remember or personalized user credentials. Fortunately, the guest credentials and the entire setup process can be saved for future use and the fact that it’s so generic means that it can be applied consistently on a very large scale.
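The following is an added worked example, not part of George Ou's article or this blog post, showing what the setup described above (the PKI/PEAP property and the AP + RADIUS + guest-account procedure) looks like as configuration. It assumes FreeRADIUS 3.x on the server and wpa_supplicant on the client; the IP address, SSID, secret placeholder, certificate paths and the RADIUS hostname `radius.example.com` are constructed for illustration. The server excerpt shows only the settings that change from the stock FreeRADIUS `eap` module; the remaining stock settings stay in place.

```conf
# ---------------------------------------------------------------------------
# Server side: FreeRADIUS 3.x (assumed). Paths follow the FreeRADIUS 3 layout.
# ---------------------------------------------------------------------------

# /etc/raddb/clients.conf
# The access point is the only RADIUS client. As the article notes, the
# secret only matters when AP and RADIUS talk over a network; use a long
# random value anyway.
client hotspot-ap {
    ipaddr   = 192.0.2.10                      # constructed example address
    secret   = REPLACE_WITH_LONG_RANDOM_SECRET # placeholder
    nas_type = other
}

# /etc/raddb/mods-config/files/authorize
# The single local account from the article: guest / guest.
# Cleartext-Password is needed because PEAP's inner MSCHAPv2 exchange
# requires the server to know the plaintext password.
guest   Cleartext-Password := "guest"

# /etc/raddb/mods-available/eap  (excerpt; keep the other stock settings)
eap {
    # Force PEAP so the TLS tunnel is always established before the
    # guest/guest credentials are sent.
    default_eap_type = peap

    tls-config tls-common {
        # Certificate issued by a publicly trusted CA, so clients validate
        # it without installing anything. File names are assumptions.
        private_key_file = /etc/raddb/certs/radius.key
        certificate_file = /etc/raddb/certs/radius.pem   # leaf + intermediates
        ca_file          = /etc/raddb/certs/ca-bundle.pem
        tls_min_version  = "1.2"
    }

    peap {
        tls              = tls-common
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}

# ---------------------------------------------------------------------------
# Client side: wpa_supplicant.conf network block (Windows and macOS expose
# the same settings in their 802.1X dialogs).
# ---------------------------------------------------------------------------
network={
    ssid="SecureHotspot"              # constructed example SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="guest"
    password="guest"
    anonymous_identity="guest"        # outer identity is sent in clear; same value is fine here

    # These two lines are what makes the shared guest/guest password safe:
    # the client must validate the RADIUS certificate against the system
    # CA bundle AND check that it was issued for the expected server name.
    # Without them, any access point presenting any certificate would be
    # trusted with the session.
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.example.com" # placeholder; the name on the RADIUS certificate
}
```

Each PEAP client negotiates its own TLS session with the RADIUS server, and the per-session keying material derived from that TLS handshake is what the access point uses for the client's link-layer encryption, so two users who both typed guest/guest still end up with different keys. The `domain_match` line is the part most often left out of quick setup guides; without a server-name check, a client that accepts any publicly trusted certificate is no better off than one that skips validation entirely. Before publishing the setup guide, verify the end-to-end exchange against the server with the `eapol_test` utility that ships with the wpa_supplicant source.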

George Ou
