AES encrypted passwords

Brian Candler b.candler at
Sat Oct 1 10:34:23 CEST 2016

On 30/09/2016 14:57, Stefan Winter wrote:
> No CA checks means all your passwords are up for grabbing for everyone
> with a glimpse on Enterprise Wi-Fi.
What he said.

It's interesting to note that the "home" version of WPA, with a single 
pre-shared key (PSK), provides strong mutual authentication as standard. 
If a rogue access point is set up but has the wrong pre-shared key, the 
client simply won't be able to connect. Job done.

Unfortunately, "enterprise" WPA is a lot murkier. The two most commonly 
implemented versions are:

* EAP-TLS: each side proves its identity to the other with a certificate
* PEAPv0 with MSCHAPv2 - the AP [actually RADIUS server] proves its 
identity with a certificate, and the client with username/password

In both cases, if the client doesn't validate the certificate presented 
by the AP/RADIUS server then they could be connecting to a rogue access 
point, and all their traffic intercepted. In the PEAP case they will 
also be giving away their login credentials!

Since there's no way to bind an SSID to a certificate directly, you have 
to manually *configure* every client to know which certificate DN(s) the 
AP should expect when connecting to that SSID. If you don't do that, 
then you're vulnerable to trivial attacks from rogue access points.

(Maybe it's safer to use a different password for wireless access than 
for the rest of your enterprise services to mitigate the problem? But if 
you're going to do that, you could just go the EAP-TLS route anyway. And 
it doesn't obviate the need for checking the AP certificate to prevent 
traffic interception)

There *is* a protocol which gives strong mutual authentication using a 
password and without the need for certificates: EPA-EKE (RFC 6124). 
However it's relatively new and I've not seen it deployed. Also it 
doesn't seem to be supported by FreeRADIUS at least according to



P.S. Nice paper here:

More information about the Freeradius-Users mailing list