802.1X

Jan 05, 2006 03:48

Today I set up an 802.1X server (part of Wi-Fi Protected Access), specifically EAP-PEAP[1] with MSCHAPv2 inner authentication, to secure the wireless network at my house. This is the same setup that Waterview and now UTD use for their wireless networks: a user submits a username and password, and the network admits him by issuing him a set of encryption keys.

This is a tremendous improvement over the old system that UTD used: a single shared WEP key. That means that if I know the one campuswide key, I can sit in a classroom and view and save the raw Internet traffic of everyone in my vicinity: what web sites they visit, what data they submit in unsecured web forms, and what instant messages they send.

The protections built into this system are rather amazing, and although definitely overkill for my needs, they were desperately needed at UTD. Unlike regular Ethernet, whose "carrier sense multiple access" scheme lets any user snoop on any other user in the same collision domain, and unlike the dumb shared WEP key scheme described above, 802.1X issues each authorized client a unique unicast encryption key, plus a group key for broadcast/multicast packets. This means no more snooping on anyone: each client sees ONLY traffic destined specifically to him, or unprivileged broadcast traffic. 802.1X can even be configured to renegotiate the group key with all remaining clients each time a client disconnects or is otherwise deauthorized. Now that's good design!

My wpa_supplicant on Linux already carries on smooth conversations with the access point. All that's left is to figure out why Windows refuses to trust my self-generated Certificate Authority for the purposes of wireless access point integrity.
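For reference, here is a wpa_supplicant configuration for the EAP-PEAP/MSCHAPv2 setup described above. It is an added example, not my actual config file; the SSID, username, CA file path and server certificate subject are made-up placeholders to be replaced. The important line is ca_cert: it is what makes the client refuse an access point whose RADIUS server presents a certificate not signed by my own CA, which is exactly the trust check Windows is currently failing on my self-generated CA.

```ini
# /etc/wpa_supplicant.conf - added example, not the original post's file.
# All values below (SSID, identity, paths, subject) are assumed placeholders.
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1

network={
    ssid="home-wpa"
    # WPA with 802.1X/EAP authentication instead of a pre-shared key
    key_mgmt=WPA-EAP
    # Pairwise cipher: the per-client unicast key; group cipher: the shared
    # broadcast/multicast key (the key the AP can renew when a client leaves)
    pairwise=CCMP TKIP
    group=CCMP TKIP
    eap=PEAP
    # Outer identity is sent in the clear before the TLS tunnel exists,
    # so keep the real username inside the tunnel only
    anonymous_identity="anonymous"
    identity="alice"
    password="replace-me"
    # CA that signed the RADIUS server certificate. Without ca_cert the
    # supplicant accepts any server certificate, so the password-based
    # MSCHAPv2 exchange would run against whatever AP answers to the SSID.
    ca_cert="/etc/cert/home-ca.pem"
    # Substring that must appear in the server certificate's subject DN
    subject_match="/CN=radius.home.example"
    # PEAPv0 labelling, as used by Windows and most RADIUS servers
    phase1="peaplabel=0"
    # Inner authentication method run inside the TLS tunnel
    phase2="auth=MSCHAPV2"
}
```

Run with `wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf -d` to watch the EAP exchange and the certificate check in the debug output.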

If you want to know how this new system at UTD impacts you: within the next few days you will most likely be receiving an email from me addressed to all ECS students at UTD. If you use Linux, just go to the LUG's "Campus wireless" page.

As usual, thanks to Graham for his valuable and timely knowledge and assistance.

[1] Your task: casually work "EAP-PEAP" (pronounced "eep-peep") into an unrelated conversation.

linux
